From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
Date: Fri, 22 Jan 2010 10:18:03 +0000
To: kalin m
Cc: freebsd-security@freebsd.org
Subject: Re: pf rules
Message-ID: <4B597B5B.6030802@infracaninophile.co.uk>
In-Reply-To: <4B5958E2.9010509@el.net>

kalin m wrote:
>
>
> hi all...
>
> doing testing with pf...
>
> how is it possible that if i have these rules below in pf.conf if i do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
>
>
> pf.conf contents:
>
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
>
> antispoof for eth0 inet
>
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh

Did your ruleset actually load into pf?  If you run:

    # pfctl -nf pf.conf

then any output indicates a problem with your pf.conf.  Also, you can
examine the loaded rule set by:

    # pfctl -sr

This is generated from the pf.conf, but with all the list structures
expanded into separate rules.

You say: "antispoof for eth0 inet" -- this looks a bit dodgy to me:
'eth0' is a linuxism.  There's no such network interface driver under
FreeBSD, and you should probably replace that with the actual name of
the interface out of the list returned by 'ifconfig -l'.  You don't really
need the 'inet' bit either -- that will be added automatically, as well as
matching 'inet6' rules if your system is IPv6 capable.  Also, your
antispoof rules should come /after/ your generic 'block all' rule.

Handy hint: it's good practice when writing pf.conf to define a macro
with the interface name:

    ext_if = "em0"

and then use that macro liberally in your rules.

Hmmm... I suppose pf is actually enabled on your system?  You'd need
to put:

    pf_enable="YES"
    pflog_enable="YES"

into /etc/rc.conf to have it start automatically, or if you want to start
things manually, do:

    # kldload pf
    # pfctl -e

(but be careful with that if you aren't logged into the console, as you
can lock yourself out)

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
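The two ruleset problems pointed out in the reply above (an interface name that
does not exist on the box, and antispoof placed before the generic block rule)
can be caught with a small pre-flight check before the ruleset ever reaches
pfctl.  The script below is an added example for this page; it is not code from
the original mail, from FreeBSD or from pf.  It reads a pf.conf text and a
space-separated interface list (on FreeBSD, the output of 'ifconfig -l'),
resolves $macro references from the file's own macro definitions, and reports
interfaces that are not in the list and antispoof rules that precede every
'block' rule.  The interface list "em0 lo0", the function names, and the
corrected ruleset (with em0 as the assumed interface name) are assumptions made
for the example; kalin's ruleset is reproduced in trimmed form as the failing
input.

```shell
#!/bin/sh
# Added example, not code from the original mail, FreeBSD or pf: a portable
# pre-flight lint for pf.conf that catches the two ruleset problems raised in
# the reply without needing pfctl on the machine it runs on:
#   1. an interface after 'antispoof for' or 'on' that is missing from the
#      interface list passed in (on FreeBSD: the output of 'ifconfig -l'),
#      with $macro references resolved from the file's own macro lines;
#   2. an antispoof rule that appears before any 'block' rule.
# 'pfctl -nf pf.conf' stays the authoritative check; this runs before it.
# The interface list, function names and corrected ruleset are assumptions.

nl='
'   # literal newline: one 'name=value' macro per line in $macros
# check_iface <name> <line>: record a finding unless <name> is in $iflist.
check_iface() {
    case " $iflist " in
        *" $1 "*) ;;
        *) printf 'line %s: interface "%s" is not in "%s"\n' "$2" "$1" "$iflist"; rc=1 ;;
    esac
}
# expand_macro <token>: print the value of a $name token, else the token itself.
expand_macro() {
    case "$1" in
        \$*) printf '%s\n' "$macros" | sed -n "s/^${1#?}=//p" | head -n 1 ;;
        *)   printf '%s\n' "$1" ;;
    esac
}
# lint_pfconf "<interface list>" "<pf.conf text>"
# Prints one line per finding; returns 0 when clean, 1 otherwise.
lint_pfconf() {
    iflist=$1; conf=$2
    rc=0; macros=""; block_line=0; n=0
    set -f                               # no globbing while splitting lines
    while IFS= read -r line; do
        n=$((n + 1))
        line=${line%%#*}                 # drop comments
        case "$line" in
            *=*)                         # macro definition:  name = "value"
                lhs=$(printf '%s' "${line%%=*}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
                case "$lhs" in
                    ''|*[!A-Za-z0-9_]*) ;;
                    *)  value=$(printf '%s' "${line#*=}" | sed 's/^[[:space:]]*"\{0,1\}//; s/"\{0,1\}[[:space:]]*$//')
                        macros="$macros$nl$lhs=$value"; continue ;;
                esac ;;
        esac
        set -- $(printf '%s' "$line" | tr -d '{},')   # flatten { a, b } lists
        [ $# -eq 0 ] && continue
        case "$1" in
            set|table) continue ;;           # 'set skip on lo' names a group
            block) [ "$block_line" -eq 0 ] && block_line=$n ;;
            antispoof)
                if [ "$block_line" -eq 0 ]; then
                    printf 'line %s: antispoof precedes every block rule; move it after "block in all"\n' "$n"; rc=1
                fi
                while [ $# -gt 0 ] && [ "$1" != for ]; do shift; done
                [ $# -gt 0 ] && shift            # drop 'for'
                for tok in "$@"; do
                    case "$tok" in inet|inet6|label) break ;; esac
                    for ifn in $(expand_macro "$tok" | tr -d '{},'); do check_iface "$ifn" "$n"; done
                done
                continue ;;
        esac
        while [ $# -gt 1 ]; do               # any other rule: 'on <if>'
            [ "$1" = on ] && for ifn in $(expand_macro "$2" | tr -d '{},'); do check_iface "$ifn" "$n"; done
            shift
        done
    done <<EOF
$conf
EOF
    set +f
    return $rc
}

IFLIST="em0 lo0"          # constructed stand-in for 'ifconfig -l' output
# kalin's ruleset as posted (trimmed): eth0 is not a FreeBSD interface and antispoof precedes block.
ORIGINAL_CONF='tcp_in = "{ www, https }"
set skip on lo
scrub in
antispoof for eth0 inet
block in all
pass out all keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh'
# The same ruleset with the reply's fixes applied (em0 is an assumed name).
FIXED_CONF='ext_if = "em0"
tcp_in = "{ www, https }"
set skip on lo
scrub in
block in all
antispoof for $ext_if
pass out all keep state
pass in on $ext_if inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh'

check_original() { lint_pfconf "$IFLIST" "$ORIGINAL_CONF"; }
check_fixed()    { lint_pfconf "$IFLIST" "$FIXED_CONF"; }
echo "== original pf.conf"; check_original && echo clean || echo "problems found"
echo "== corrected pf.conf"; check_fixed && echo clean || echo "problems found"
```

Run as-is with any POSIX sh to see the two findings for the posted ruleset and
a clean result for the corrected one.  On a FreeBSD host the same function can
be pointed at the live configuration with
lint_pfconf "$(ifconfig -l)" "$(cat /etc/pf.conf)"; a clean result from the
lint is still only a prerequisite for 'pfctl -nf /etc/pf.conf', which is the
check that actually parses the grammar.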