From: Max Laier <max@love2party.net>
Organization: FreeBSD
To: freebsd-pf@freebsd.org
Cc: mcbride@openbsd.org, dhartmei@openbsd.org
Date: Mon, 12 May 2008 21:20:14 +0200
Subject: Re: do not work nested unnamed anchor
Message-Id: <200805122120.15088.max@love2party.net>

Hello Igor,

it seems this is a general problem and I can't figure out the cause of it, ATM.
It seems that it is the same in OpenBSD (and has been for quite some time, too).

Daniel, Ryan, any ideas? Attached is a transcript from OpenBSD 4.3 inside of
qemu trying the verbatim pf.conf(5) example. The nested anchor doesn't seem to
match for some reason. While here I also discovered that it is obviously
impossible to destroy/clean up after nested anchors completely.

On Friday 09 May 2008 14:54:43 Igor A. Valcov wrote:
> For example:
>
> ==== pf.conf ====
>
> ext_if="xl0"
> ip_world="nn.nn.nn.nn"
>
> # Filter rules
> block log all
>
> anchor in on $ext_if {
>     pass quick proto tcp to $ip_world port 22 keep state
>     # SSH
>     pass quick proto tcp to $ip_world port 25 keep state
>     # SMTP
>     pass quick proto tcp to $ip_world port 110 keep state
>     # POP3
>     anchor {
>         pass quick proto tcp to $ip_world port 995 keep state
>         # POP3S
>     }
> }
>
> ============
>
> nmap results:
>
> PORT     STATE SERVICE VERSION
> 22/tcp   open  ssh     OpenSSH 4.5p1 (FreeBSD 20061110; protocol 2.0)
> 25/tcp   open  smtp?
> 110/tcp  open  pop3    Openwall popa3d
>
> I cannot understand what the problem is...
>
> FreeBSD-7.0-RELEASE-p1
> i386

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


---- attachment: anchors ----

Script started on Mon May 12 20:44:12 2008
# cat pf.conf
anchor "external" on egress {
	block
	anchor out {
		pass proto tcp from any to port { 25, 80, 443 }
	}
	pass in proto tcp to any port 22
}
# ifconfig ne3
ne3: flags=8863 mtu 1500
	lladdr 52:54:00:12:34:56
	groups: egress
	media: Ethernet 10baseT full-duplex
	inet6 fe80::5054:ff:fe12:3456%ne3 prefixlen 64 scopeid 0x1
	inet 10.0.2.15 netmask 0xffffff00 broadcast 10.0.2.255
# pfctl -vef pf.conf
anchor "external" on egress all {
  block drop all
  anchor out all {
    pass proto tcp from any to any port = smtp flags S/SA keep state
    pass proto tcp from any to any port = www flags S/SA keep state
    pass proto tcp from any to any port = https flags S/SA keep state
  }
  pass in proto tcp from any to any port = ssh flags S/SA keep state
}
pf enabled
# telnet 10.0.2.2 80
Trying 10.0.2.2...
telnet: connect to address 10.0.2.2: No route to host
# pfctl -vvvgsr
@0 anchor "external" on egress all
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1 Packets: 1 Bytes: 64 States: 0 ]
# pfctl -vvvgsr -a external
@0 block drop all
  [ Skip steps: i=end f=end p=2 sa=end sp=end da=end dp=2 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1 Packets: 1 Bytes: 64 States: 0 ]
@1 anchor out all {
  [ Skip steps: i=end f=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
  @0 pass proto tcp from any to any port = smtp flags S/SA keep state
    [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
    [ queue: qname= qid=0 pqname= pqid=0 ]
    [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  @1 pass proto tcp from any to any port = www flags S/SA keep state
    [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
    [ queue: qname= qid=0 pqname= pqid=0 ]
    [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  @2 pass proto tcp from any to any port = https flags S/SA keep state
    [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
    [ queue: qname= qid=0 pqname= pqid=0 ]
    [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
}
@2 pass in proto tcp from any to any port = ssh flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
# telnet 10.0.2.2 25
Trying 10.0.2.2...
telnet: connect to address 10.0.2.2: No route to host
# pfctl -vvvgsr -a external
@0 block drop all
  [ Skip steps: i=end f=end p=2 sa=end sp=end da=end dp=2 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2 Packets: 2 Bytes: 128 States: 0 ]
@1 anchor out all {
  [ Skip steps: i=end f=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  @0 pass proto tcp from any to any port = smtp flags S/SA keep state
    [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
    [ queue: qname= qid=0 pqname= pqid=0 ]
    [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  @1 pass proto tcp from any to any port = www flags S/SA keep state
    [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
    [ queue: qname= qid=0 pqname= pqid=0 ]
    [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  @2 pass proto tcp from any to any port = https flags S/SA keep state
    [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
    [ queue: qname= qid=0 pqname= pqid=0 ]
    [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
}
@2 pass in proto tcp from any to any port = ssh flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
# uname -a
OpenBSD foo.laiers.local 4.3 GENERIC#698 i386
# ^D
Script done on Mon May 12 20:45:55 2008

Script started on Mon May 12 21:03:04 2008
# pfctl -vvvsA
# pfctl -vef pf.conf
anchor "external" on egress all {
  block drop all
  anchor out all {
    pass proto tcp from any to any port = smtp flags S/SA keep state
    pass proto tcp from any to any port = www flags S/SA keep state
    pass proto tcp from any to any port = https flags S/SA keep state
  }
  pass in proto tcp from any to any port = ssh flags S/SA keep state
  pass out proto tcp from any to any port = smtp flags S/SA keep state
}
pf enabled
# pfctl -vsA
  external
  external/_2
  external/external
  external/external/_2
# pfctl -Fa
rules cleared
nat cleared
0 tables deleted.
altq cleared
0 states cleared
source tracking entries cleared
pf: statistics cleared
pf: interface flags reset
# pfctl -vsA
  external
  external/_2
  external/external
  external/external/_2
# pfctl -Fa -a external
rules cleared
nat cleared
0 tables deleted.
# pfctl -vsA
  external
  external/_2
# ^D
Script done on Mon May 12 21:03:51 2008
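A small audit script, added here as an example; it is not from the mail above and not part of pf or pfctl. It reads a verbose ruleset listing such as the `pfctl -vvvgsr -a external` output in the attached transcript and reports every rule whose `Evaluations:` counter is still 0, together with how often the enclosing anchor rule was evaluated. That combination (parent anchor evaluated, every child at 0) is exactly the symptom the transcript shows for the nested `anchor out` block: traffic reached the anchor rule twice, but pf never descended into the rules inside it. The function names `audit_unevaluated` and `sample_listing` are my own; the sample listing is the second `pfctl -vvvgsr -a external` block from the transcript with its line breaks restored.

```shell
#!/bin/sh
# Added example (not part of the mail, not part of pfctl): flag rules that pf
# never evaluated in a "pfctl -vvvgsr [-a anchor]" listing read from stdin.
#
# A rule is a line starting with "@<n> "; the "[ Evaluations: N ... ]" line
# that follows it carries its counter. Anchor rules end in "{" and open a
# block of child rules that is closed by "}". Every rule at 0 is reported;
# for a child rule the parent anchor's own count is printed alongside, since
# "child 0 under parent > 0" means pf reached the anchor but not its rules.
audit_unevaluated() {
    awk '
    /^[ \t]*@[0-9]+ / {
        sub(/^[ \t]*@[0-9]+ /, "")               # drop indentation and "@n "
        cur = $0
        cur_parent = (depth > 0) ? stack[depth] : "(top level)"
        if (cur ~ /[{]$/) {                      # anchor rule opening a block
            sub(/ *[{]$/, "", cur)
            depth++
            stack[depth] = cur
        }
        next
    }
    /^[ \t]*\}/ { if (depth > 0) depth--; next }   # block of child rules ends
    /^[ \t]*\[ Evaluations: / {
        n = $3 + 0                               # "[ Evaluations: N ..." -> N
        evals[cur] = n
        if (n == 0) {
            if (cur_parent == "(top level)")
                printf "never evaluated: %s\n", cur
            else
                printf "never evaluated: %s (parent anchor \"%s\" evaluated %d times)\n", cur, cur_parent, evals[cur_parent]
        }
        next
    }'
}

# Constructed demo input: the second "pfctl -vvvgsr -a external" listing from
# the transcript, with line breaks restored. On a live system feed the real
# command output instead:  pfctl -vvvgsr -a external | audit_unevaluated
sample_listing() {
    cat <<'EOF'
@0 block drop all
  [ Skip steps: i=end f=end p=2 sa=end sp=end da=end dp=2 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2 Packets: 2 Bytes: 128 States: 0 ]
@1 anchor out all {
  [ Skip steps: i=end f=end sa=end sp=end da=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  @0 pass proto tcp from any to any port = smtp flags S/SA keep state
    [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
    [ queue: qname= qid=0 pqname= pqid=0 ]
    [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  @1 pass proto tcp from any to any port = www flags S/SA keep state
    [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end ]
    [ queue: qname= qid=0 pqname= pqid=0 ]
    [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  @2 pass proto tcp from any to any port = https flags S/SA keep state
    [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
    [ queue: qname= qid=0 pqname= pqid=0 ]
    [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
}
@2 pass in proto tcp from any to any port = ssh flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
EOF
}

# Demo run on the constructed listing: reports the three pass rules inside
# "anchor out all", each with "parent anchor ... evaluated 2 times".
sample_listing | audit_unevaluated
```

Run this after sending a handful of test connections, as the transcript does with telnet; a rule that stays at 0 while its parent anchor's counter climbs with every connection tells you the anchor nesting is not being traversed, independent of whether the packet was finally blocked or passed. The script looks only at `Evaluations:`, not at `Packets:`, because a rule can be evaluated and legitimately not match.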