Date: Tue, 15 Jan 2008 10:15:14 -0800 From: David Benfell <benfell@parts-unknown.org> To: freebsd-questions@freebsd.org Subject: trouble with authpf Message-ID: <20080115181514.GA2952@parts-unknown.org>
next in thread | raw e-mail | index | archive | help
--rS8CxjVDS/+yyDmU Content-Type: multipart/mixed; boundary="1yeeQ81UyVL57Vl7" Content-Disposition: inline --1yeeQ81UyVL57Vl7 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello all, I had authpf working successfully with a much simpler pf setup. But with a hardware failure, I had to collapse the services I run onto a single system. And I haven't successfully gotten authpf running on this. Attached is my pf.conf in all its ugliness. I don't really know what I'm doing there and this has undoubtedly accumulated some cruft over the several years I've been using it (originally on OpenBSD before it was really working on FreeBSD). authpf itself seems to think it is working. When I ssh into that account, it prints the message of the day and the message I expect about how I'm authenticated from some IP address. And it sits there waiting for me to decide I'm going elsewhere -- all entirely what I've come to expect. What I haven't come to expect is that the access I'm attempting is being blocked. And I'm certain the problem is with my pf setup since a tcpdump of pflog shows the packets being blocked. So I haven't got this right. Any help would be much appreciated. --=20 David Benfell, LCP benfell@parts-unknown.org --- Resume available at http://www.parts-unknown.org/ NOTE: I sign all messages with GnuPG (0DD1D1E3). --1yeeQ81UyVL57Vl7 Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="pf.conf" Content-Transfer-Encoding: quoted-printable # $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $ # # See pf.conf(5) and /usr/share/pf for syntax and examples. # Required order: options, normalization, queueing, translation, filtering. # Macros and tables may be defined and used anywhere. # Note that translation rules are first match while filter rules are last m= atch. # Macros: define common values, so they can be referenced and changed easil= y. #ext_if=3D"ext0" # replace with actual external interface name i.e., dc0 ext_if=3D"sf0" #int_if=3D"int0" # replace with actual internal interface name i.e., dc1 int_if=3D"sf1" voip_cfg_if=3D"vr0" pub_if=3D"sf3" local_if=3D"lo0" #lupin_if=3D"sf1" #internal_net=3D"10.1.1.1/8" internal_net=3D"192.168.18.1/24" external_addr=3D"66.93.170.242" internal_addr=3D"192.168.18.1" routable_subnet=3D"66.93.170.241/28" voip_cfg=3D"192.168.102.1" voip_local=3D"192.168.102.2" mta_ad =3D "192.168.19.242" mta_pt =3D "25" dhcp_net=3D"192.168.20.0/24" #lupin_net=3D"192.168.100.0/24" public_admin_net=3D"192.168.17.0/24" starshine=3D"216.240.40.160/27" #allowed_nets=3D"{ $starshine, $internal_net }" trusted_external=3D"{ 12.22.55.0/24 64.0.0.0/4 134.154.0.0/16 216.240.40.16= 1/27 70.7.71.0/24 }" # Doubletree Local CSU Hayward starshine.org S= print earth_ext=3D"66.93.170.243" earth_int=3D"192.168.18.43" dnscache=3D"192.168.19.4" kindling_ext=3D"66.93.170.244" kindling_int=3D"192.168.19.244" home_ext=3D"66.93.170.245" home_int=3D"192.168.18.44" raven_ext=3D"66.93.170.246" raven_int=3D"192.168.18.45" lair_ext=3D"66.93.170.247" lair_int=3D"192.168.18.46" thunder_ext=3D"66.93.170.248" thunder_int=3D"192.168.18.47" voip_ext=3D"66.93.170.254" #lupin_ext=3D"66.93.170.254" non_routable=3D"{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16= }" macintoshes=3D"{ $lair_ext, $lair_int, $thunder_ext, $thunder_int }" linux_pcs=3D"{ $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_in= t, $raven_ext, $raven_int }" auth_local=3D"{ $lair_ext, $lair_int, $thunder_ext, $thunder_int \ $earth_ext, $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int,= $raven_ext, $raven_int }" #lupin_router=3D"192.168.100.1" #lupin_net=3D"192.168.100.0/24" tcp_udp=3D"proto { tcp, udp }" in_out=3D"{ in, out }" # Tables: similar to macros, but more flexible for many addresses. #table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 } table <authpf_users> persist table <spamd-white> persist table <ssh-block> persist { 201.6.117.62, 125.88.102.22, 200.225.217.114, 6= 7.64.167.243, 212.203.9.64, 202.111.157.144, 217.64.100.162, 217.64.100.162= , 217.64.100.162 } # Options: tune the behavior of pf, default values are given. #set timeout { interval 30, frag 10 } #set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } #set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 } #set timeout { udp.first 60, udp.single 30, udp.multiple 60 } #set timeout { icmp.first 20, icmp.error 10 } #set timeout { other.first 60, other.single 30, other.multiple 60 } #set limit { states 10000, frags 5000 } #set loginterface none #set optimization normal set block-policy drop #set block-policy return #set require-order yes # Normalization: reassemble fragments and resolve or reduce traffic ambigui= ties. #scrub in from any to any scrub in all # Queueing: rule-based bandwidth control. #altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing } #altq on $ext_if bandwidth 1.5Mb cbq queue { dflt, tor } #queue dflt bandwidth 5% cbq(default) #queue developers bandwidth 80% #queue marketing bandwidth 15% #queue dflt bandwidth 85% cbq(default) priority 3 #queue tor bandwidth 15% priority 1 # Translation: specify how addresses are to be mapped or redirected. # nat: packets going out through $ext_if with source address $internal_net = will # get translated as coming from the address of $ext_if, a state is created = for # such packets, and incoming packets will be redirected to the internal add= ress. no rdr inet proto tcp from <spamd-white> to any port smtp no rdr inet proto tcp from $starshine to any port smtp rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd rdr on $ext_if proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 80= 25 # block SMTP from Hotmail and other spammer networks # hotmail.com rdr on $ext_if proto tcp from 65.54/16 to any port smtp -> 127.0.0.1 port 8= 025 rdr on $ext_if proto tcp from 64.4/16 to any port smtp -> 127.0.0.1 port 80= 25 # prod-infinitum.com.mx rdr on $ext_if proto tcp from 201.153.0.0/16 to any port smtp -> 127.0.0.1 = port 8025 # voyager.net rdr on $ext_if proto tcp from 216.93.66.0/24 to any port smtp -> 127.0.0.1 = port 8025 rdr on $ext_if proto tcp from 71.6.163.0/24 to any port smtp -> 127.0.0.1 p= ort 8025 rdr on $ext_if proto tcp from 74.8.221.0/24 to any port smtp -> 127.0.0.1 p= ort 8025 rdr on $ext_if proto tcp from 172.16.0.0/8 to any port smtp -> 127.0.0.1 po= rt 8025 rdr on $ext_if proto tcp from 195.238.2.0/24 to any port smtp -> 127.0.0.1 = port 8025 #rdr on $ext_if proto tcp from any to any port smtp -> $mta_ad port $mta_pt # FTP #rdr on { $int_if,$pub_if } proto tcp from any to any port ftp -> 127.0.0.1 #binat-anchor "authpf/*" binat-anchor "authpf/*" #nat on $ext_if from $internal_net to any -> ($ext_if) #binat on $ext_if from $home_int to any -> $home_ext #binat on $ext_if from $raven_int to any -> $raven_ext #binat on $ext_if from $lair_int to any -> $lair_ext #binat on $ext_if from $thunder_int to any -> $thunder_ext #binat on $ext_if from $lupin_router to any -> 66.93.170.253 nat-anchor "authpf/*" nat on $ext_if from $internal_net to any -> $external_addr nat on $ext_if from $dhcp_net to any -> $external_addr nat on $voip_cfg_if from $internal_net to any -> 192.168.102.2 #nat on $ext_if from $lupin_net to any -> $lupin_ext # rdr: packets coming in on $ext_if with destination $external_addr:1234 wi= ll # be redirected to 10.1.1.1:5678. A state is created for such packets, and # outgoing packets will be translated as coming from the external address. #rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1= =2E1 port 5678 # rdr NTP for the GPS time source to the internal network. Hopefully, this= way, # the time source will answer. # rdr outgoing FTP requests to the ftp-proxy #rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021 # spamd-setup puts addresses to be redirected into table <spamd>. table <spamd> persist no rdr on { lo0, lo1 } from any to any rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025 # redirect connections from spammers to spamd, all legitimate # connections will not be redirected #rdr on $ext_if inet proto tcp \ #from <spamd> to ($ext_if) port 25 -> 127.0.0.1 port 8025 rdr-anchor "authpf/*" # block IPv6 block in log quick inet6 all antispoof log quick for { $ext_if, $pub_if } pass in log quick on lo0 from any to any # enable authpf rules anchor "authpf/*" # pass redirected connections to spamd listening on the local # loop interface (lo0) pass in log quick on lo0 inet proto tcp \ =66rom <spamd> to 127.0.0.1 port 8025 #allow SMTP, DNS, ICMP, HTTP #pass in log quick on $int_if inet proto tcp from any to any port { smtp, d= omain } flags S/SA synproxy state #pass in log quick on $int_if inet proto tcp from any to any port { smtp, d= omain } keep state pass in log quick inet proto tcp from any to any port { smtp, domain, http = } keep state pass in log quick inet proto udp from any to any port domain pass log quick proto icmp all #block the outside world unless... block in log on { $ext_if, $pub_if } all #allow access to the outside world unless... pass out log on { $ext_if, $pub_if } all # protect VOIP configuration #pass out log quick on $voip_cfg_if proto tcp from $internal_net to any fla= gs S/SA synproxy state pass out log quick on $voip_cfg_if proto tcp from $internal_net to any keep= state #allow ssh, printing from trusted networks #pass log quick on $ext_if proto tcp from $trusted_external to any port ssh= flags S/SA synproxy state #pass log quick on $ext_if proto tcp from $trusted_external to any port ssh= keep state block log quick on $ext_if proto tcp from <ssh-block> to any port ssh pass log quick on { $int_if, $pub_if } proto tcp from any to any port { ssh= , 515, 631 } keep state #pass in log quick on $ext_if proto tcp from $trusted_external to 192.168.1= 8.20 port { 515, 631 } flags S/SA synproxy state pass in log quick on $ext_if proto tcp from $trusted_external to 192.168.18= =2E20 port { 515, 631 } keep state #allow ssh from anywhere (trust sshguard to keep out the riff-raff) pass log quick on $ext_if proto tcp from any to any port ssh keep state #allow NFS within site #sunrpc 111/tcp rpcbind #SUN Remote Procedure Call #sunrpc 111/udp rpcbind #SUN Remote Procedure Call #nfsd-status 1110/tcp #Cluster status info #nfsd-keepalive 1110/udp #Client status info #nfsd 2049/tcp nfs # NFS server daemon #nfsd 2049/udp nfs # NFS server daemon block log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port = { rpcbind, nfsd-status, nfsd-keepalive, nfsd } pass log quick inet $tcp_udp from any to any port { rpcbind, nfsd-status, n= fsd-keepalive, nfsd } keep state #block ports used by W32.Blaster.Worm, per Speakeasy alert 12 Aug 2003 block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt 134 >< 140 block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt 445 block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt 593 #block ports recommended by CERT block in log quick on { $ext_if, $pub_if } inet proto udp from any to any p= ort 69 block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any p= ort 87 block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt 111 block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any p= ort 511 >< 516 block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any p= ort 540 block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt 2000 block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt 2049 block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt 5999 >< 6064 #block ports recommended by Felix von Leitner block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt 5000 block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt 1025 #LDAP stuff block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt ldap block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any po= rt ldaps #pass in log quick on $int_if inet $tcp_udp from any to any port ldap #pass in log quick on $int_if inet $tcp_udp from any to any port ldaps #allow non-privileged ports anywhere #pass log quick $tcp_udp from any to any port>1023 flags S/SA synproxy state pass log quick $tcp_udp from any to any port>1023 keep state #allow Tor services to router #pass in $tcp_udp from any to { $external_addr, $internal_addr } port { 90= 01, 9030 } flags S/SA synproxy state pass in $tcp_udp from any to { $external_addr, $internal_addr } port { 900= 1, 9030 } keep state #allow FTP to ftp-proxy #pass in on $ext_if inet proto tcp from port ftp-data to 127.0.0.1 user pro= xy flags S/SA synproxy state #pass in on $ext_if inet proto tcp from port ftp-data to 127.0.0.1 user pro= xy keep state #allow internal access to and from DMZ #allow Internet access here pass in log quick on { $int_if, $pub_if } $tcp_udp from { $internal_net, $d= hcp_net } to any keep state # pass incoming ports for ftp-proxy #pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep stat= e queue dflt # assign packets to a queue. #pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers= queue dflt #pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing = queue dflt --1yeeQ81UyVL57Vl7-- --rS8CxjVDS/+yyDmU Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) iD8DBQFHjPgyUd+dMw3R0eMRAiHBAJ9+zWqaziNEDCurwafiUmuelAyzugCffbka p1SUO+W1MhW1kMOvw62ObOg= =oKg/ -----END PGP SIGNATURE----- --rS8CxjVDS/+yyDmU--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20080115181514.GA2952>