From owner-freebsd-questions@freebsd.org Fri Dec 9 12:57:57 2016
From: Matthew Seaman <matthew@FreeBSD.org>
To: freebsd-questions@freebsd.org
Subject: Re: FreeBSD Firewalls
Date: Fri, 9 Dec 2016 12:57:43 +0000
In-Reply-To: <0a48b8819c28d211b5ec390007bc81a7.squirrel@webmail.harte-lyne.ca>
References: <5bed7716cd0c9f56e7fe73e86d0cde45.squirrel@webmail.harte-lyne.ca>
 <0a48b8819c28d211b5ec390007bc81a7.squirrel@webmail.harte-lyne.ca>
On 08/12/2016 21:44, James B. Byrne via freebsd-questions wrote:
> I am experimenting with PF.  I have a basic configuration working.  At
> least I have not cut myself off from the system, yet.
>
> I connect to the experimental host via ssh -X.  On that host I
> have these PF rules:
>
> . . .
> # If you cannot trust yourself then who can you trust?
> set skip on lo0
>
> # scrub incoming packets
> match in all scrub (no-df)
>
> # Block everything but recall that last match applies
> block all
>
> # activate spoofing protection for all interfaces
> block in quick from urpf-failed
>
> # Block untrusted ips on control channels
> block return in quick on $int_if proto tcp from ! $trust_clients to \
>     $int_if port $tcp_control
>
> . . .
>
> # diagnostics
> pass inet proto icmp from $localnet to any keep state
> pass inet proto icmp from any to $ext_if keep state
>
> # allow out the default range for traceroute(8):
> pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 \
>     keep state
>
> # system admin channels - keep these at the end
> pass in proto tcp from $localnet to any port $tcp_control keep state
> pass out proto tcp to any port $tcp_control keep state
>
>
> With these rules in effect, when I run gvim from the ssh -X session on
> the FreeBSD host I get this error:
>
> gvim /etc/pf.conf
> backupdir=~/.vim/tmp
>
> E233: cannot open display
> Press ENTER or type command to continue
>
> If the firewall is not enabled then the gvim X window opens on my
> remote desktop (gnome2) without error.
>
> What ports, besides 22, is gvim trying to open?  Why is this traffic
> not passed (tunnelled) along the established ssh connection?
>
> Thanks,

A useful trick with pf is to log all of the packets you block, e.g.:

    block log in quick from urpf-failed

You can read the blocked packets from /dev/pflog as if it were a network
interface -- so tcpdump -i pflog will work, but it is more usual to
enable the pflog service, which will record the dropped packets to
/var/log/pflog.  This is a pcap file that you can read with tools like
tcpdump or wireshark.
Cheers,

Matthew
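Matthew's pflog suggestion, carried one step further as an added example that is not part of the original thread: a Python script that builds a DLT_PFLOG pcap in memory, parses the pfloghdr record that pf writes in front of each logged packet, and tallies the drops per pf rule number. It assumes FreeBSD's 64-byte struct pfloghdr layout, reads the 32-bit header fields as big-endian the way tcpdump's pflog printer does, and decodes IPv4 packets only; the interface name em0, the rule numbers and the RFC 5737 addresses in the sample records are constructed for the example. On a real host you would pass the bytes of /var/log/pflog to blocked_summary() instead of the sample.

```python
"""Offline triage of a pflog(4) capture such as /var/log/pflog.

Added example, not code from the mailing-list thread.  Assumes FreeBSD's
64-byte struct pfloghdr, big-endian 32-bit fields (as tcpdump reads them)
and IPv4 payloads.  Interfaces, rule numbers and addresses are constructed.
"""
import socket
import struct

DLT_PFLOG, PFLOG_HDRLEN = 117, 64   # pcap link type; sizeof(struct pfloghdr) on FreeBSD
AF_INET = 2                         # FreeBSD sa_family_t value, not this host's socket.AF_INET
# Codes from <net/pfvar.h>; tcpdump prints the same names.
PF_ACTIONS = {0: "pass", 1: "block", 2: "scrub", 3: "noscrub", 4: "nat", 5: "nonat",
              6: "binat", 7: "nobinat", 8: "rdr", 9: "nordr", 10: "synproxy-drop"}
PF_REASONS = {0: "match", 1: "bad-offset", 2: "fragment", 3: "short", 4: "normalize",
              5: "memory", 6: "bad-timestamp", 7: "congestion", 8: "ip-option",
              9: "proto-cksum", 10: "state-mismatch", 11: "state-insert",
              12: "state-limit", 13: "src-limit", 14: "synproxy"}
PF_DIRS = {0: "inout", 1: "in", 2: "out"}
L4_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
# struct pfloghdr: length, af, action, reason, ifname[16], ruleset[16],
# rulenr, subrulenr, uid, pid, rule_uid, rule_pid, dir, pad[3]
PFLOGHDR = struct.Struct("!BBBB16s16sIIIIIIB3x")
assert PFLOGHDR.size == PFLOG_HDRLEN


def parse_pflog_pcap(data):
    """Parse a classic pcap file of pflog records; returns one dict per packet."""
    magic, = struct.unpack_from("<I", data)
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(end + "IHHiIII", data)[6]
    if linktype != DLT_PFLOG:
        raise ValueError("link type %d is not DLT_PFLOG" % linktype)
    entries, off = [], 24
    while off + 16 <= len(data):
        ts_sec, _, incl_len, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        entries.append(parse_record(ts_sec, data[off:off + incl_len]))
        off += incl_len
    return entries


def parse_record(ts_sec, rec):
    """Decode one pfloghdr plus the IPv4 packet that follows it."""
    if len(rec) < PFLOG_HDRLEN:
        raise ValueError("truncated pflog header")
    (length, af, action, reason, ifname, ruleset, rulenr, _sub, _uid, _pid,
     _ruid, _rpid, direction) = PFLOGHDR.unpack_from(rec)
    entry = {"ts": ts_sec, "action": PF_ACTIONS.get(action, str(action)),
             "reason": PF_REASONS.get(reason, str(reason)),
             "ifname": ifname.rstrip(b"\0").decode(),
             "ruleset": ruleset.rstrip(b"\0").decode() or None,   # anchor name, if any
             "rulenr": rulenr, "dir": PF_DIRS.get(direction, str(direction)),
             "proto": None, "src": None, "dst": None, "sport": None, "dport": None}
    pkt = rec[length:]                          # header length is self-describing
    if af == AF_INET and len(pkt) >= 20:        # IPv6 would read pkt[6], [8:24], [24:40]
        proto = pkt[9]
        entry["proto"] = L4_NAMES.get(proto, str(proto))
        entry["src"] = socket.inet_ntop(socket.AF_INET, pkt[12:16])
        entry["dst"] = socket.inet_ntop(socket.AF_INET, pkt[16:20])
        l4 = pkt[(pkt[0] & 0x0F) * 4:]
        if proto in (6, 17) and len(l4) >= 4:   # TCP/UDP: ports lead the header
            entry["sport"], entry["dport"] = struct.unpack_from("!HH", l4)
    return entry


def blocked_summary(data):
    """Count drops per (rulenr, ifname, dir, src, dst, dport).  rulenr is the @N
    index printed by `pfctl -vvs rules`, i.e. the way back to the line in pf.conf."""
    counts = {}
    for e in parse_pflog_pcap(data):
        if e["action"] == "block":
            key = (e["rulenr"], e["ifname"], e["dir"], e["src"], e["dst"], e["dport"])
            counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample capture: two drops of one untrusted client on ssh, one pass.
def ipv4_tcp_syn(src, dst, sport, dport):       # bare IPv4+TCP SYN, checksums left zero
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 2, 65535, 0, 0)

def pflog_record(action, ifname, rulenr, direction, payload, af=AF_INET):
    hdr = PFLOGHDR.pack(PFLOG_HDRLEN, af, action, 0, ifname.encode(), b"",
                        rulenr, 0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, direction)
    return hdr + payload

def pcap_file(records):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)
    for i, rec in enumerate(records):
        out += struct.pack("<IIII", 1481288263 + i, 0, len(rec), len(rec)) + rec
    return out

SAMPLE_PCAP = pcap_file([
    pflog_record(1, "em0", 5, 1, ipv4_tcp_syn("203.0.113.7", "192.0.2.10", 51515, 22)),
    pflog_record(0, "em0", 12, 1, ipv4_tcp_syn("192.0.2.25", "192.0.2.10", 40000, 22)),
    pflog_record(1, "em0", 5, 1, ipv4_tcp_syn("203.0.113.7", "192.0.2.10", 51516, 22)),
])

if __name__ == "__main__":
    for key, n in sorted(blocked_summary(SAMPLE_PCAP).items()):
        print("rule @%d on %s %s %s -> %s port %s: %d dropped" % (key + (n,)))
```

The rule number each record carries is the @N index that `pfctl -vvs rules` prints, so a logged drop can be traced straight back to the line in pf.conf that caused it (only rules with the `log` keyword produce records, which is why the trick is to add `log` to every block rule while debugging). A drop whose reason is "match" hit the rule directly; the other reasons (state-mismatch, short, normalize, ...) are packets pf rejected for its own reasons and are worth separating out when the rule set itself looks right.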