From owner-freebsd-pf@FreeBSD.ORG Fri Nov 4 04:22:56 2005
From: "Dave" (envelope-from dmehler26@woh.rr.com)
To: freebsd-pf@freebsd.org
Date: Thu, 3 Nov 2005 23:15:43 -0500
Subject: pf and dhcp client or isp?
Message-ID: <003301c5e0f6$6ce6d150$0900a8c0@satellite>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hello,
I've got an issue with DHCP, my pf firewall, or my ISP; not sure which. My ISP, Roadrunner cable (does anyone else use it?), has changed my IP twice today. Now I know they do this, but my box does not pick up on the new IP. For example, it changed from 1.2.3.4 to 4.5.6.7 (needless to say those are fictitious), but my box hung on to 1.2.3.4, and I couldn't do a thing, from behind the firewall or from the router.
I had to log in to the router, then run dhclient -r and then dhclient xl0, which gave me 4.5.6.7. Then I had to reload my pf rules with pfctl -Rf /etc/pf.conf, which got me back up. I've got some output; it looks from my /var/log/messages as if some DHCP traffic is being blocked, but it should all be going through. This has to do with my LAN: an ICMP echo request from my LAN-facing NIC; nothing on the internet-facing NIC about anything being dropped. dhclient shows that it was successful in obtaining the new IP, but didn't show any failed attempts or failed connections. Has anyone seen this? Am I dealing with a problem with my firewall, DHCP, or my ISP? Here's the relevant output from my /var/log/messages, just saying packet denied, and my pf.conf file. Some urgency! Thanks.
Dave.

Oct 29 13:04:33 guardian dhcpd: icmp_echorequest 192.168.0.9: Operation not permitted

pf.conf

# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.

# define the two network interfaces
ext_if = "xl0"
int_if = "xl1"
rr_up = 700Kb
rr_down = 1.5Mb
int_bw = 100Mb
tcp_state="flags S/SA modulate state"
udp_state="keep state"
int_net = $int_if:network

# define some address macros
lan_server = "192.168.95.3"

# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1194, 1723, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 4000, 4661, 4662, 4711, 4821, 5000, 5001, 5190, cvsup, 6112, 6667, 8000, 8021, 8080, 8505, 8880, 9102 }"
lan_to_fw_services = "{ ssh }"
fw_to_lan_services = "{ ssh, 9101, 9102, 9103 }"
nameservers = "{ xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx }"
isp_dhcp_server = "xxx.xxx.xxx.xxx"
InICMP = "{ 3,11 }"
OutTracerouteUDP="{ 33434 >< 33525 }"

# options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# normalize packets to prevent fragmentation attacks
scrub all fragment reassemble reassemble tcp no-df random-id max-mss 1400

# translate lan client addresses to that of the external interface
nat on gre inet from any to any -> ($ext_if)
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to any port $int_to_lan_services -> $lan_server
rdr on $ext_if inet proto udp from any to any port 1194 -> $lan_server port 1194

# Redirect lan client FTP requests (to an FTP server's control port 21)
# to the ftp-proxy running on the firewall host (via inetd on port 8021)
rdr on $int_if inet proto tcp from $int_net to any port 21 -> 127.0.0.1 port 8021

# redirect gre traffic
rdr on $ext_if inet proto gre from any to any -> $lan_server

# block by default
block all

# block badguy e-mail/web accesses
block in quick on $ext_if inet proto tcp from { 209.208.75.130 } to any

# pass all loopback traffic
pass quick on lo0 all

# gre passing
pass on gre all $udp_state

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

# prevent lan originated spoofing from occurring
antispoof for $ext_if inet

# allow WAN requests from the internet to enter EXT
# in order to contact our web server (keep state on this connection)
pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services $tcp_state

# Enable a synproxy
#pass in on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA synproxy state

# UDP 1194 for openvpn
pass in on $ext_if inet proto udp from any to $lan_server port 1194 $udp_state

# Gre traffic for mpd
pass in on $ext_if inet proto gre from any to $lan_server $udp_state

# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc $udp_state

# Allow remote FTP servers (on data port 20) to respond to the proxy's
# active FTP requests by contacting it on the port range specified in inetd.conf
pass in quick on $ext_if inet proto tcp from any port 20 to 127.0.0.1 port 55000 >< 57000 user proxy $tcp_state

# [traceroute to internal host 2nd stage: receiving error code of icmp-type 3
# (destination unreachable) and icmp-type 11 (time exceeded)]
pass in quick on $ext_if inet proto icmp from any to any icmp-type $InICMP $udp_state

# block everything from exiting EXT
#block out log on $ext_if all

# allow UDP requests to port 53 from firewall to exit EXT
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto { tcp,udp } from $ext_if to any port 53 $udp_state

# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto { tcp,udp } from $ext_if to any port 123 $udp_state

# Allow UDP requests to port 67 from firewall to exit ext_if
# in order to contact internet dhcp servers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps $udp_state

# allow lan requests from lan clients to exit EXT
# (after natting is performed) in order to contact internet servers
# (keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services $tcp_state

# for dcc servers
pass out quick on $ext_if inet proto udp from $ext_if to any port 6277 $udp_state

# for razor servers
pass out quick on $ext_if inet proto tcp from $ext_if to any port { 7, 2703 } $tcp_state

# [traceroute to outside world 1st stage: probing...man traceroute(8)]
pass out quick on $ext_if inet proto udp from any to any port $OutTracerouteUDP $udp_state

# allow ICMP requests from firewall to exit EXT (after natting is performed)
# in order to ping/traceroute internet hosts on the behalf of lan clients
pass out quick on $ext_if inet proto icmp from $ext_if to any icmp-type 8 code 0 $udp_state

# Allow ftp-proxy packets destined to port 20 to exit $ext_if
# in order to maintain communications with the ftp server
pass out quick on $ext_if inet proto tcp from $ext_if to any port 20 $tcp_state

# Allow firewall to contact ftp server on behalf of passive ftp client
pass out quick on $ext_if inet proto tcp from $ext_if port 55000:57000 to any user proxy $tcp_state

# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall (keep state on this connection)
pass in quick on $int_if inet proto { tcp,udp } from $int_net to $int_if port 53 $udp_state

# allow UDP requests to ports 67, 68, and 123 from int_if clients to enter int_if
# in order to perform dhcp and ntp queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto { tcp,udp } from $int_net to $int_if port { 67, 68, 123 } $udp_state

# allow LAN requests from lan clients to enter LAN
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $int_net to any port $lan_to_int_services $tcp_state

# for allowing mail transmissions to dcc servers
pass in quick on $int_if inet proto udp from 192.168.0.3 to any port 6277 $udp_state

# for allowing mail transmissions to razor servers
pass in quick on $int_if inet proto tcp from 192.168.0.3 to any port { 7, 2703 } $tcp_state

# lan admin connects to firewall via ssh for administrative purposes
pass in quick on $int_if inet proto tcp from $int_net to $int_if port $lan_to_fw_services $tcp_state

# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $int_net to any icmp-type 8 code 0 $udp_state

# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $int_net to $int_if:broadcast $udp_state

# allow squid connections from lan to proxy
pass in quick on $int_if inet proto tcp from any to 127.0.0.1 port 8080 $tcp_state

# allow ftp connections from lan to proxy
pass in quick on $int_if inet proto tcp from $int_net to lo0 port 8021 $tcp_state
pass in quick on $int_if inet proto tcp from $int_net to $ext_if port 55000:57000 $tcp_state

# block everything from exiting LAN
#block out log on $int_if all

# allow WAN requests from the internet to exit LAN
# in order to contact our lan server (keep state on this connection)
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services $tcp_state

# add in synproxy
#pass out quick on $int_if inet proto tcp from $lan_server to any port $int_to_lan_services flags S/SA synproxy state

# UDP 1194
pass out quick on $int_if inet proto udp from any to $lan_server port 1194 $udp_state

# GRE traffic out
pass out quick on $int_if inet proto gre from any to $lan_server $udp_state

# firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port $fw_to_lan_services $tcp_state
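A note on the ruleset above, with an added example that is not part of the original message and not code from pf or the FreeBSD project. Many of the posted rules put a bare interface macro in an address position (from $ext_if, to $ext_if, to $int_if). pf expands an unparenthesised interface name to the interface's address once, when the ruleset is loaded; only the parenthesised form, from ($ext_if), is re-evaluated when the address changes. After a DHCP lease change the rules therefore still carry the old address and stop matching until pfctl reloads them, which is exactly the symptom described (reloading pf.conf brings the box back). The dhcpd line in the log is a separate, LAN-side matter: dhcpd pings a candidate address before offering it, and a local sender gets EPERM ("Operation not permitted") when pf drops its outbound packet, which block all does here since no rule passes ICMP out on the internal interface. The script below is a small lint for the first problem: it parses macro definitions, flags address tokens that pf would expand at load time, and rewrites them to the dynamic form. The SAMPLE_CONF is a constructed subset using the macro and interface names from the post; the function names and the interface-name heuristic are this example's own choices, and modifier forms such as $int_if:network are deliberately left untouched.

```python
"""Lint pf.conf rules for interface names used as addresses without parentheses.

pf expands a bare interface name (or a macro holding one) in a 'from'/'to'
position to the interface's address at rule-load time.  Only the
parenthesised form, e.g. from ($ext_if), tracks later address changes such
as a new DHCP lease.  Rules written the bare way silently stop matching
after the address changes until the ruleset is reloaded.
"""
import re

# Constructed sample ruleset (not the posted file), reusing its macro and
# interface names.  Line 6 and line 9 contain load-time-expanded addresses;
# line 7 shows the dynamic form; line 5 uses a modifier and is left alone.
SAMPLE_CONF = """\
ext_if = "xl0"
int_if = "xl1"
udp_state="keep state"
lan_server = "192.168.95.3"
nat on $ext_if from $int_if:network to any -> ($ext_if)
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps $udp_state
pass out quick on $ext_if inet proto udp from ($ext_if) to any port 123 $udp_state
pass in quick on $int_if inet proto tcp from any to $lan_server port 22 $udp_state
pass in quick on $int_if inet proto tcp from $int_if:network to $int_if port 53 $udp_state
"""

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?([^"#]*?)"?\s*(#.*)?$')
IFNAME_RE = re.compile(r'^[a-z]+\d+$')           # heuristic: xl0, em1, fxp0 ...
ADDR_RE = re.compile(r'\b(?:from|to)\s+(\S+)')   # the token in an address position


def parse_macros(conf):
    """Return {name: value} for every 'name = "value"' line in the ruleset."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros


def interface_of(token, macros):
    """Return the interface name a bare address token stands for, else None.

    Parenthesised tokens are already dynamic and tokens with a modifier
    (':network', ':broadcast', ...) are deliberately not flagged.
    """
    if token.startswith('(') or ':' in token:
        return None
    name = macros.get(token[1:]) if token.startswith('$') else token
    if name and IFNAME_RE.match(name):
        return name
    return None


def find_stale_address_rules(conf):
    """Return [(line_no, token, interface)] for each load-time-expanded address."""
    macros = parse_macros(conf)
    findings = []
    for no, line in enumerate(conf.splitlines(), 1):
        rule = line.split('#', 1)[0].strip()
        if not rule or MACRO_RE.match(rule):
            continue                      # blank, comment, or macro definition
        for token in ADDR_RE.findall(rule):
            ifname = interface_of(token, macros)
            if ifname:
                findings.append((no, token, ifname))
    return findings


def rewrite_dynamic(conf):
    """Return the ruleset with every flagged token wrapped as (token)."""
    macros = parse_macros(conf)
    out = []
    for line in conf.splitlines():
        rule, sep, comment = line.partition('#')
        if rule.strip() and not MACRO_RE.match(rule):
            rule = ADDR_RE.sub(
                lambda m: m.group(0) if interface_of(m.group(1), macros) is None
                else m.group(0).replace(m.group(1), '(' + m.group(1) + ')'),
                rule)
        out.append(rule + sep + comment)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    for no, tok, ifname in find_stale_address_rules(SAMPLE_CONF):
        print(f"line {no}: '{tok}' is expanded to {ifname}'s address at load "
              f"time; write ({tok}) so pf tracks address changes")
    print(rewrite_dynamic(SAMPLE_CONF))
```

Run it against a real pf.conf by reading the file into find_stale_address_rules; the rewrite only touches from/to tokens, so interface names in the 'on' position and nat targets already written as ($ext_if) are left exactly as they are.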