Date: Fri, 9 Dec 2016 12:57:43 +0000
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Firewalls
Message-ID: <fbf6edcc-3a90-96e3-7607-5d2bde408676@FreeBSD.org>
In-Reply-To: <0a48b8819c28d211b5ec390007bc81a7.squirrel@webmail.harte-lyne.ca>
References: <5bed7716cd0c9f56e7fe73e86d0cde45.squirrel@webmail.harte-lyne.ca> <0a48b8819c28d211b5ec390007bc81a7.squirrel@webmail.harte-lyne.ca>
On 08/12/2016 21:44, James B. Byrne via freebsd-questions wrote:
> I am experimenting with PF. I have a basic configuration working. At
> least I have not cut myself off from the system, yet.
>
> I connect to the experimental host via ssh -X. On that host I
> have these PF rules:
>
> . . .
> # If you cannot trust yourself then who can you trust?
> set skip on lo0
>
> # scrub incoming packets
> match in all scrub (no-df)
>
> # Block everything but recall that last match applies
> block all
>
> # activate spoofing protection for all interfaces
> block in quick from urpf-failed
>
> # Block untrusted ips on control channels
> block return in quick on $int_if proto tcp from ! $trust_clients to
> $int_if port $tcp_control
>
> . .
>
> # diagnostics
> pass inet proto icmp from $localnet to any keep state
> pass inet proto icmp from any to $ext_if keep state
>
> # allow out the default range for traceroute(8):
> pass out on $ext_if inet proto udp from any to any port 33433 >< 33626
> keep state
>
> # system admin channels - keep these at the end
> pass in proto tcp from $localnet to any port $tcp_control keep state
> pass out proto tcp to any port $tcp_control keep state
>
>
> With these rules in effect when I run gvim from the ssh -X session on
> the FreeBSD host I get this error:
>
> gvim /etc/pf.conf
> backupdir=~/.vim/tmp
>
> E233: cannot open display
> Press ENTER or type command to continue
>
> If the firewall is not enabled then the gvim X-window opens on my
> remote desktop (gnome2) without error.
>
> What ports, besides 22, is gvim trying to open? Why is this traffic
> not passed (tunnelled) along the established ssh connection?
>
> Thanks,

A useful trick with pf is to log all of the packets you block, eg:

    block log in quick from urpf-failed

You can read the blocked packets from /dev/pflog as if it was a network
interface -- so tcpdump -i pflog will work, but it is more usual to enable
the pflog service which will record the dropped packets to /var/log/pflog.
This is a pcap file that you can read with tools like tcpdump or wireshark.
Cheers,

Matthew
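The pflog file Matthew describes is a pcap capture whose link type is DLT_PFLOG: every record carries a small pf header (action, direction, interface, matching rule number) in front of the raw IP packet. The following decoder is an added example for this archive page, not code from the thread, from FreeBSD or from pf; it assumes the header layout of struct pfloghdr in FreeBSD's net/if_pflog.h (length, af, action, reason, ifname[16], ruleset[16], rulenr and subrulenr in network byte order, uid, pid, rule_uid, rule_pid, dir, 3 pad bytes). The sample capture it parses is constructed inline, with made-up addresses, interface name and rule numbers, so it runs offline; the function and variable names are the example's own.

```python
"""Decode a pf log file (pcap, DLT_PFLOG) and summarise what pf did with each
logged packet: action, direction, interface, rule number, and the IPv4 flow.
Constructed sample data is built inline; on a real host read /var/log/pflog."""
import socket
import struct
from typing import Dict, List

DLT_PFLOG = 117          # pcap link type written by pflog(4)
PFLOG_REAL_HDRLEN = 61   # value pf stores in the length field (header minus pad)
AF_INET_BSD = 2          # af value for IPv4 on FreeBSD (AF_INET)
PF_ACTION = {0: "pass", 1: "block", 2: "scrub", 12: "match"}
PF_DIR = {0: "inout", 1: "in", 2: "out"}
PF_REASON = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short", 4: "normalize"}
IP_PROTO = {1: "icmp", 6: "tcp", 17: "udp"}


def decode_pflog_frame(frame: bytes) -> Dict:
    """Decode one record: the pfloghdr followed by the raw IP packet."""
    length, af, action, reason = struct.unpack_from("BBBB", frame, 0)
    ifname = frame[4:20].split(b"\0", 1)[0].decode()
    rulenr, subrulenr = struct.unpack_from("!II", frame, 36)   # network byte order
    direction = frame[60]
    hdrlen = (length + 3) & ~3            # word-align, as tcpdump does (61 -> 64)
    rec = {
        "action": PF_ACTION.get(action, f"action-{action}"),
        "reason": PF_REASON.get(reason, f"reason-{reason}"),
        "dir": PF_DIR.get(direction, f"dir-{direction}"),
        "ifname": ifname,
        "rulenr": rulenr,
        "subrulenr": None if subrulenr == 0xFFFFFFFF else subrulenr,
        "af": af,
    }
    packet = frame[hdrlen:]
    if af == AF_INET_BSD and len(packet) >= 20:
        rec.update(_decode_ipv4(packet))
    return rec


def _decode_ipv4(packet: bytes) -> Dict:
    """Pull protocol, addresses and (for TCP/UDP) ports out of an IPv4 packet."""
    vhl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", packet, 0)
    ihl = (vhl & 0x0F) * 4
    out = {"proto": IP_PROTO.get(proto, str(proto)),
           "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
           "sport": None, "dport": None}
    if proto in (6, 17) and len(packet) >= ihl + 4:
        out["sport"], out["dport"] = struct.unpack_from("!HH", packet, ihl)
    return out


def parse_pflog_pcap(data: bytes) -> List[Dict]:
    """Walk a classic pcap file whose link type is DLT_PFLOG."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != DLT_PFLOG:
        raise ValueError(f"link type {linktype} is not DLT_PFLOG")
    records, off = [], 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append(decode_pflog_frame(data[off:off + incl_len]))
        off += incl_len
    return records


def summarise(records: List[Dict]) -> List[str]:
    """One line per record, in the spirit of tcpdump's pflog output."""
    lines = []
    for r in records:
        if r.get("sport") is not None:
            flow = f"{r['proto']} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}"
        elif "src" in r:
            flow = f"{r['proto']} {r['src']} -> {r['dst']}"
        else:
            flow = f"af {r['af']} (not decoded)"
        lines.append(f"{r['action']} {r['dir']} on {r['ifname']} rule {r['rulenr']} "
                     f"({r['reason']}): {flow}")
    return lines


# ---- constructed sample data (not a capture from the host in the thread) ----
def _ipv4_tcp(src: str, dst: str, sport: int, dport: int, flags: int = 0x02) -> bytes:
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def _pflog_frame(action: int, direction: int, ifname: str, rulenr: int, packet: bytes) -> bytes:
    hdr = struct.pack("BBBB", PFLOG_REAL_HDRLEN, AF_INET_BSD, action, 0)   # reason 0 = match
    hdr += ifname.encode().ljust(16, b"\0") + b"\0" * 16                  # ifname, ruleset
    hdr += struct.pack("!II", rulenr, 0xFFFFFFFF)                          # rulenr, no subrule
    hdr += struct.pack("<IIII", 0xFFFFFFFF, 0xFFFFFFFF, 0, 0)              # uid, pid, rule_uid, rule_pid
    hdr += bytes([direction]) + b"\0" * 3                                  # dir, pad
    return hdr + packet


def build_sample_pflog() -> bytes:
    """A two-record pflog: an inbound SYN to port 22 blocked by rule 5, an outbound SYN passed by rule 9."""
    frames = [
        _pflog_frame(1, 1, "em0", 5, _ipv4_tcp("198.51.100.7", "192.0.2.10", 40000, 22)),
        _pflog_frame(0, 2, "em0", 9, _ipv4_tcp("192.0.2.10", "203.0.113.80", 51000, 80)),
    ]
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    for i, frame in enumerate(frames):
        data += struct.pack("<IIII", 1481288263 + i, 0, len(frame), len(frame)) + frame
    return data


if __name__ == "__main__":
    for line in summarise(parse_pflog_pcap(build_sample_pflog())):
        print(line)
```

On a real host the file comes from the pflog service (pflog_enable="YES" in /etc/rc.conf, default log file /var/log/pflog), and `tcpdump -n -e -ttt -r /var/log/pflog` prints the same fields; the rule number in each record matches the @N numbering shown by `pfctl -vvsr`, which is how you find out which `block` line is eating the traffic that gvim needs.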