Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 15 Jan 2008 10:15:14 -0800
From:      David Benfell <benfell@parts-unknown.org>
To:        freebsd-questions@freebsd.org
Subject:   trouble with authpf
Message-ID:  <20080115181514.GA2952@parts-unknown.org>

next in thread | raw e-mail | index | archive | help

--rS8CxjVDS/+yyDmU
Content-Type: multipart/mixed; boundary="1yeeQ81UyVL57Vl7"
Content-Disposition: inline


--1yeeQ81UyVL57Vl7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hello all,

I had authpf working successfully with a much simpler pf setup.  But
with a hardware failure, I had to collapse the services I run onto a
single system.  And I haven't successfully gotten authpf running on
this.

Attached is my pf.conf in all its ugliness.  I don't really know what
I'm doing there and this has undoubtedly accumulated some cruft over
the several years I've been using it (originally on OpenBSD before it
was really working on FreeBSD).

authpf itself seems to think it is working.  When I ssh into that
account, it prints the message of the day and the message I expect
about how I'm authenticated from some IP address.  And it sits there
waiting for me to decide I'm going elsewhere -- all entirely what
I've come to expect.

What I haven't come to expect is that the access I'm attempting is
being blocked.  And I'm certain the problem is with my pf setup since
a tcpdump of pflog shows the packets being blocked.

So I haven't got this right.

Any help would be much appreciated.

--=20
David Benfell, LCP
benfell@parts-unknown.org
---
Resume available at http://www.parts-unknown.org/
NOTE: I sign all messages with GnuPG (0DD1D1E3).

--1yeeQ81UyVL57Vl7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="pf.conf"
Content-Transfer-Encoding: quoted-printable

#	$OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last m=
atch.

# Macros: define common values, so they can be referenced and changed easil=
y.
#ext_if=3D"ext0"	# replace with actual external interface name i.e., dc0
ext_if=3D"sf0"
#int_if=3D"int0"	# replace with actual internal interface name i.e., dc1
int_if=3D"sf1"
voip_cfg_if=3D"vr0"
pub_if=3D"sf3"
local_if=3D"lo0"
#lupin_if=3D"sf1"
#internal_net=3D"10.1.1.1/8"
internal_net=3D"192.168.18.1/24"
external_addr=3D"66.93.170.242"
internal_addr=3D"192.168.18.1"
routable_subnet=3D"66.93.170.241/28"
voip_cfg=3D"192.168.102.1"
voip_local=3D"192.168.102.2"
mta_ad =3D "192.168.19.242"
mta_pt =3D "25"
dhcp_net=3D"192.168.20.0/24"
#lupin_net=3D"192.168.100.0/24"
public_admin_net=3D"192.168.17.0/24"
starshine=3D"216.240.40.160/27"
#allowed_nets=3D"{ $starshine, $internal_net }"
trusted_external=3D"{ 12.22.55.0/24 64.0.0.0/4 134.154.0.0/16 216.240.40.16=
1/27 70.7.71.0/24 }"
#                   Doubletree    Local      CSU Hayward    starshine.org	S=
print
earth_ext=3D"66.93.170.243"
earth_int=3D"192.168.18.43"
dnscache=3D"192.168.19.4"
kindling_ext=3D"66.93.170.244"
kindling_int=3D"192.168.19.244"
home_ext=3D"66.93.170.245"
home_int=3D"192.168.18.44"
raven_ext=3D"66.93.170.246"
raven_int=3D"192.168.18.45"
lair_ext=3D"66.93.170.247"
lair_int=3D"192.168.18.46"
thunder_ext=3D"66.93.170.248"
thunder_int=3D"192.168.18.47"
voip_ext=3D"66.93.170.254"
#lupin_ext=3D"66.93.170.254"
non_routable=3D"{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16=
 }"
macintoshes=3D"{ $lair_ext, $lair_int, $thunder_ext, $thunder_int }"
linux_pcs=3D"{ $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_in=
t, $raven_ext, $raven_int }"
auth_local=3D"{ $lair_ext, $lair_int, $thunder_ext, $thunder_int \
	$earth_ext, $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int,=
 $raven_ext, $raven_int }"
#lupin_router=3D"192.168.100.1"
#lupin_net=3D"192.168.100.0/24"
tcp_udp=3D"proto { tcp, udp }"
in_out=3D"{ in, out }"

# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
table <authpf_users> persist
table <spamd-white> persist
table <ssh-block> persist { 201.6.117.62, 125.88.102.22, 200.225.217.114, 6=
7.64.167.243, 212.203.9.64, 202.111.157.144, 217.64.100.162, 217.64.100.162=
, 217.64.100.162 }

# Options: tune the behavior of pf, default values are given.
#set timeout { interval 30, frag 10 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
set block-policy drop
#set block-policy return
#set require-order yes

# Normalization: reassemble fragments and resolve or reduce traffic ambigui=
ties.
#scrub in from any to any
scrub in all

# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#altq on $ext_if bandwidth 1.5Mb cbq queue { dflt, tor }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing  bandwidth 15%
#queue dflt bandwidth 85% cbq(default) priority 3
#queue tor bandwidth 15% priority 1

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net =
will
# get translated as coming from the address of $ext_if, a state is created =
for
# such packets, and incoming packets will be redirected to the internal add=
ress.

no rdr inet proto tcp from <spamd-white> to any port smtp
no rdr inet proto tcp from $starshine to any port smtp
rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd

rdr on $ext_if proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 80=
25

# block SMTP from Hotmail and other spammer networks
# hotmail.com
rdr on $ext_if proto tcp from 65.54/16 to any port smtp -> 127.0.0.1 port 8=
025
rdr on $ext_if proto tcp from 64.4/16 to any port smtp -> 127.0.0.1 port 80=
25
# prod-infinitum.com.mx
rdr on $ext_if proto tcp from 201.153.0.0/16 to any port smtp -> 127.0.0.1 =
port 8025
# voyager.net
rdr on $ext_if proto tcp from 216.93.66.0/24 to any port smtp -> 127.0.0.1 =
port 8025
rdr on $ext_if proto tcp from 71.6.163.0/24 to any port smtp -> 127.0.0.1 p=
ort 8025
rdr on $ext_if proto tcp from 74.8.221.0/24 to any port smtp -> 127.0.0.1 p=
ort 8025
rdr on $ext_if proto tcp from 172.16.0.0/8 to any port smtp -> 127.0.0.1 po=
rt 8025
rdr on $ext_if proto tcp from 195.238.2.0/24 to any port smtp -> 127.0.0.1 =
port 8025
#rdr on $ext_if proto tcp from any to any port smtp -> $mta_ad port $mta_pt

# FTP
#rdr on { $int_if,$pub_if } proto tcp from any to any port ftp -> 127.0.0.1

#binat-anchor "authpf/*"
binat-anchor "authpf/*"
#nat on $ext_if from $internal_net to any -> ($ext_if)
#binat on $ext_if from $home_int to any -> $home_ext
#binat on $ext_if from $raven_int to any -> $raven_ext
#binat on $ext_if from $lair_int to any -> $lair_ext
#binat on $ext_if from $thunder_int to any -> $thunder_ext
#binat on $ext_if from $lupin_router to any -> 66.93.170.253
nat-anchor "authpf/*"
nat on $ext_if from $internal_net to any -> $external_addr
nat on $ext_if from $dhcp_net to any -> $external_addr
nat on $voip_cfg_if from $internal_net to any -> 192.168.102.2
#nat on $ext_if from $lupin_net to any -> $lupin_ext

# rdr: packets coming in on $ext_if with destination $external_addr:1234 wi=
ll
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1=
=2E1 port 5678

# rdr NTP for the GPS time source to the internal network.  Hopefully, this=
 way,
# the time source will answer.

# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021

# spamd-setup puts addresses to be redirected into table <spamd>.
table <spamd> persist
no rdr on { lo0, lo1 } from any to any
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025

# redirect connections from spammers to spamd, all legitimate
# connections will not be redirected
#rdr on $ext_if inet proto tcp \
#from <spamd> to ($ext_if) port 25 -> 127.0.0.1 port 8025
rdr-anchor "authpf/*"


# block IPv6
block in	log quick	inet6 all

antispoof	log quick	for { $ext_if, $pub_if }
pass  in	log quick	on lo0 from any to any

# enable authpf rules
anchor "authpf/*"

# pass redirected connections to spamd listening on the local
# loop interface (lo0)
pass in log quick on lo0 inet proto tcp \
=66rom <spamd> to 127.0.0.1 port 8025

#allow SMTP, DNS, ICMP, HTTP
#pass in log quick on $int_if inet proto tcp from any to any port { smtp, d=
omain } flags S/SA synproxy state
#pass in log quick on $int_if inet proto tcp from any to any port { smtp, d=
omain } keep state
pass in log quick inet proto tcp from any to any port { smtp, domain, http =
} keep state
pass in log quick inet proto udp from any to any port domain
pass log quick proto icmp all

#block the outside world unless...
block in log on { $ext_if, $pub_if } all

#allow access to the outside world unless...
pass out log on { $ext_if, $pub_if } all

# protect VOIP configuration
#pass out log quick on $voip_cfg_if proto tcp from $internal_net to any fla=
gs S/SA synproxy state
pass out log quick on $voip_cfg_if proto tcp from $internal_net to any keep=
 state

#allow ssh, printing from trusted networks
#pass log quick on $ext_if proto tcp from $trusted_external to any port ssh=
 flags S/SA synproxy state
#pass log quick on $ext_if proto tcp from $trusted_external to any port ssh=
 keep state
block log quick on $ext_if proto tcp from <ssh-block> to any port ssh
pass log quick on { $int_if, $pub_if } proto tcp from any to any port { ssh=
, 515, 631 } keep state
#pass in log quick on $ext_if proto tcp from $trusted_external to 192.168.1=
8.20 port { 515, 631 } flags S/SA synproxy state
pass in log quick on $ext_if proto tcp from $trusted_external to 192.168.18=
=2E20 port { 515, 631 } keep state

#allow ssh from anywhere (trust sshguard to keep out the riff-raff)
pass log quick on $ext_if proto tcp from any to any port ssh keep state
#allow NFS within site
#sunrpc		111/tcp	   rpcbind	#SUN Remote Procedure Call
#sunrpc		111/udp	   rpcbind	#SUN Remote Procedure Call
#nfsd-status	1110/tcp   #Cluster status info
#nfsd-keepalive	1110/udp   #Client status info
#nfsd		2049/tcp   nfs		# NFS server daemon
#nfsd		2049/udp   nfs		# NFS server daemon
block log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port =
{ rpcbind, nfsd-status, nfsd-keepalive, nfsd }
pass log quick inet $tcp_udp from any to any port { rpcbind, nfsd-status, n=
fsd-keepalive, nfsd } keep state

#block ports used by W32.Blaster.Worm, per Speakeasy alert 12 Aug 2003
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt 134 >< 140
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt 445
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt 593
#block ports recommended by CERT
block in log quick on { $ext_if, $pub_if } inet proto udp from any to any p=
ort 69
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any p=
ort 87
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt 111
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any p=
ort 511 >< 516
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any p=
ort 540
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt 2000
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt 2049
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt 5999 >< 6064
#block ports recommended by Felix von Leitner
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt 5000
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt 1025

#LDAP stuff
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt ldap
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po=
rt ldaps
#pass in log quick on $int_if inet $tcp_udp from any to any port ldap
#pass in log quick on $int_if inet $tcp_udp from any to any port ldaps

#allow non-privileged ports anywhere
#pass log quick $tcp_udp from any to any port>1023 flags S/SA synproxy state
pass log quick $tcp_udp from any to any port>1023 keep state

#allow Tor services to router
#pass  in $tcp_udp from any to { $external_addr, $internal_addr } port { 90=
01, 9030 } flags S/SA synproxy state
pass  in $tcp_udp from any to { $external_addr, $internal_addr } port { 900=
1, 9030 } keep state

#allow FTP to ftp-proxy
#pass in on $ext_if inet proto tcp from port ftp-data to 127.0.0.1 user pro=
xy flags S/SA synproxy state
#pass in on $ext_if inet proto tcp from port ftp-data to 127.0.0.1 user pro=
xy keep state

#allow internal access to and from DMZ

#allow Internet access here
pass in log quick on { $int_if, $pub_if } $tcp_udp from { $internal_net, $d=
hcp_net } to any keep state

# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep stat=
e queue dflt

# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers=
 queue dflt
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing =
queue dflt

--1yeeQ81UyVL57Vl7--

--rS8CxjVDS/+yyDmU
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHjPgyUd+dMw3R0eMRAiHBAJ9+zWqaziNEDCurwafiUmuelAyzugCffbka
p1SUO+W1MhW1kMOvw62ObOg=
=oKg/
-----END PGP SIGNATURE-----

--rS8CxjVDS/+yyDmU--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080115181514.GA2952>