Date: Thu, 14 Feb 2013 15:04:38 -0500
From: Gary Palmer <gpalmer@freebsd.org>
To: Lisa Muir <34.24.34@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: Re: Releasing all outgoing ports for a particular IP.
Message-ID: <20130214200438.GA85777@in-addr.com>
In-Reply-To: <CACX=3hOwVgoZLu79JQ5LcBKNhkgaXOck3Dts9QG5k4wvMpG6zA@mail.gmail.com>
References: <CACX=3hOwVgoZLu79JQ5LcBKNhkgaXOck3Dts9QG5k4wvMpG6zA@mail.gmail.com>
On Thu, Feb 14, 2013 at 06:06:22PM +0000, Lisa Muir wrote:
> Hi Guys,
>
> Hope you might be able to help me with a query. Am a little past the
> newbie stage with pf, and moderately comfortable with it, but by no
> means a guru yet, finding my way.
>
> Have one firewall which has a public interface with multiple IPs and
> 5 private LANs with the usual private LAN space IPs. The machine has
> been running fine for a year and a bit, and I have various port
> forwarding things going, internal redirection for DMZ hosts being
> accessed from the LAN, port forwarding for public IP aliases on the
> external interface. Two things have left me with questions, one is
> about UDP port forwarding which I got working but am not 100% happy
> with, and I'll come back to that in another thread, and today's one
> which is releasing all TCP ports for a particular IP which is in the
> "DMZ" VLAN. In this case, the VLANs are implemented at the switches,
> and a separate interface on the pf firewall links into each VLAN, no
> kernel based VLAN in operation.
>
> As a rule, we restrict outgoing ports, we only allow out what we know
> about and approve, but we're putting in a CCTV transmitter into the
> DMZ which requires access to every TCP port for outgoing.
>
> Here is a cut down version of my pf.conf with the relevant data,
> starting with the definitions for interfaces, the host in question
> that I am testing with, and the ports:
>
> #####################
> # Definitions
> #
> # interfaces
>
> # Vlan1 is the switch management vlan
> vlan1_if = "em1"
>
> # Vlan2 is the business vlan
> vlan2_if = "em2"
>
> # Vlan3 is the topsec secretary vlan
> vlan3_if = "em3"
>
> # Vlan4 is the "dmz"
> vlan4_if = "em4"
>
> # Vlan5 is the domestic house vlan
> vlan5_if = "em5"
>
> # Wlan is the wireless lan in the building
> wlan_if = "msk0"
>
> # The em0 vlan is a direct cat-5 cable link to wireless broadband kit
> # for public internet
> ext_if = "em0"
>
> # The em0_alias0 is a virtual interface for additional public ip
> stc_dvr_ext_if = "173.47.184.4"
>
> tunnel_if = "gif0"
> vpn_if = "tun0"
>
> # Host that we are testing our rules with
> emailserver = "10.168.3.99"
>
> # Ports that we want to open for this host, all tcp going out
> all_ports = "{ 1:65535 }"
>
> The LANs 1, 2, 3 and wireless are restricted to only trafficking on
> ports such as 80, 443, 25, 587, 143 etc.
>
> But I want my email server to go out on any port, so the following
> lines were added, which work:
>
> pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports
> pass out on $ext_if proto tcp from $ext_if to any port $all_ports
>
> The first line of that is suitably restrictive, it only allows that
> one single host in the DMZ to traffic out on all TCP ports.
>
> It's the next pass rule that bothers me. Because all LANs NAT through
> to the ext_if, this next line effectively opens up all ports to get
> out into the wild if any of them are accidentally opened to get into
> the gateway. I'd like to be able to restrict that particular pass rule
> to a single host.
>
> Is that possible? Or do I just have to live with the fact that I have
> it restricted at the pass in stage?
>
> When I get more info, I may be able to restrict the outgoing
> destination to a list of IPs rather than passing out to any, which
> will help tighten the rule up, but it seems a little unrestricted for
> my liking as is.

Hi Lisa,

I believe you should look at PF tags. If you tag the traffic coming in with the

pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports

rule, you should then be able to use that in your ext_if rule to ensure only those packets are let out, e.g.

pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports tag MAILSERVER
pass out quick on $ext_if tagged MAILSERVER

Regards,

Gary
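Added example (not part of Gary's reply or Lisa's posted ruleset): a fuller pf.conf fragment that puts the rule Lisa is uneasy about next to the tagged version. The macros are hers; the `approved_ports` list and the `nat` rule are assumptions for illustration, written in the separate-translation-section syntax FreeBSD pf used at the time. The reason `from $emailserver` cannot simply be moved onto the `pass out` rule is that on the outbound path pf applies the NAT translation before it evaluates filter rules, so by the time the ext_if rule sees the packet its source is already the public address and is indistinguishable from any other LAN host; a tag applied before translation survives that rewrite, and pf stores it in the state entry so later packets of the same connection are re-tagged automatically.

```pf
# --- macros (from Lisa's configuration) ---
vlan4_if    = "em4"
ext_if      = "em0"
emailserver = "10.168.3.99"

# Assumed: the ports the rest of the LANs are normally allowed out on.
approved_ports = "{ 25, 80, 143, 443, 587 }"

# Assumed: the existing NAT rule. Translation happens before outbound
# filtering, so a 'pass out on $ext_if' rule never sees 10.168.3.99.
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# --- weak form: what the original ruleset does ---
# 'port 1:65535' is the same as no port qualifier at all, and the source
# after NAT is always $ext_if, so ANY host that gets a matching pass-in
# rule on ANY internal interface is let out on every TCP port here.
#
# pass out on $ext_if proto tcp from $ext_if to any port 1:65535

# --- corrected form: tag before NAT, match the tag after NAT ---
# Tag the mail server's outbound TCP on the DMZ interface, where the
# source address is still the private one. State is kept by default,
# and the tag is saved with the state.
pass in on $vlan4_if proto tcp from $emailserver to any tag MAILSERVER

# Only packets already carrying the tag get the unrestricted exit.
# 'quick' stops rule evaluation here so a later 'block out' or the
# general rule below cannot override it. 'log' is optional and lets
# you confirm on pflog0 that it is this rule, not the general one,
# that passes the mail server's traffic.
pass out log quick on $ext_if proto tcp tagged MAILSERVER

# Everything else leaving on $ext_if stays limited to the approved list.
pass out on $ext_if proto tcp from ($ext_if) to any port $approved_ports
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then `pfctl -vsr` to see the tag on the loaded rules. With `log` on the tagged rule, `tcpdump -n -e -ttt -i pflog0` shows the rule number that passed each packet, which is the quickest way to verify that a connection from 10.168.3.99 to a non-approved port is passed by the `tagged` rule while the same connection from another LAN host is not. Note that `tag` and `tagged` can also be used on `nat` and `rdr` rules, which is useful if a host's traffic should be marked at translation time rather than on a specific inbound interface.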
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130214200438.GA85777>