From: David Mehler
Date: Tue, 18 Apr 2017 14:26:52 -0400
Subject: freebsd 10.3, pf, and openvpn
To: freebsd-questions

Hello,

I'm running FreeBSD 10.3 with jails and now an openvpn using pf as the firewall. I'm having an issue connecting to openvpn from off site, and I have determined it's a firewall issue: when pf is disabled the connection works. I'm wondering if anyone can spot the error? My interfaces and networks are as follows: vtnet0, the external interface; lo1, the jails (10.0.0.0/8); and tun0, the openvpn interface for routed vpn traffic (10.8.0.0/8). Here's my config:

#
# Required order: macros, options, normalization, queueing,
# translation, filtering.
# Note: translation rules are first match while filter rules are last match.

# Macros
ext_if="vtnet0"
int_if = "lo1"
vpn_if = "tun0"
jailnet = "10.0.0.0/8"
vpnnet="10.8.0.0/8"
icmp_types="{echoreq, unreach}"
#IPV6 ICMP types:
# packet too big and echo request type ping
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
#synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
tcpstate ="flags S/SA modulate state"
udpstate ="keep state"
voipports = "{5060, 5061, 10000:10500}"
# allowed traffic
tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, 500, 50, 51}"
# Name and IP of jails
webmail="10.0.0.15"
# Name and IP of jailed ssh servers
jssh1="10.0.0.15"
jssh2="10.0.0.16"
jssh3="10.0.0.17"
jssh4="10.0.0.18"
# The Asterisk Server
asterisk="10.0.0.17"
# The vpn server
vpn="10.8.0.1"

# Options
# block-policy can be either drop or return
set block-policy drop
set optimization conservative
#set skip on tun0

# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if) static-port
nat on $ext_if from $vpnnet to any -> ($ext_if)

# Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
# External redirect
rdr on $ext_if inet proto tcp from any to any port 2220 -> $jssh1 port 2220
# reflect for internal hosts
rdr on $int_if inet proto tcp from any to any port 2220 -> $jssh1 port 2220
# External redirect
rdr on $ext_if inet proto tcp from any to any port 2221 -> $jssh2 port 2221
# reflect for internal hosts
rdr on $int_if inet proto tcp from any to any port 2221 -> $jssh2 port 2221
# External redirect
rdr on $ext_if inet proto tcp from any to any port 2222 -> $jssh3 port 2222
# reflect for internal hosts
rdr on $int_if inet proto tcp from any to any port 2222 -> $jssh3 port 2222
# External redirect
rdr on $ext_if inet proto tcp from any to any port 2223 -> $jssh4 port 2223
# reflect for internal hosts
rdr on $int_if inet proto tcp from any to any port 2223 -> $jssh4 port 2223

# Redirect traffic to the vpn server
# External redirect
rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
# reflect for internal hosts
rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194

# Redirect traffic to the asterisk server
# SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
rdr on $ext_if inet proto udp from any to any port 5060 -> $asterisk port 5060
rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
rdr on $ext_if inet proto tcp from any to any port 5061 -> $asterisk port 5061
# RTSP ports 10000 to 10500
rdr on $ext_if inet proto udp from any to any port 10000:10500 -> $asterisk port 10000:10500

# Tables
# (the <table> names were stripped by the list archive; they are assumed here
# from the comments on the block rules that use them)
table <bruteforce> persist file "/etc/pf/bruteforce"
table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
table <fail2ban> persist file "/etc/pf/fail2ban"
table <martians> persist file "/etc/pf/martians"
# The ZeuS blocklist of c&c servers
table <ZeuS> persist file "/etc/pf/ZeuS"
# The malwaredomain ip block list
table <malwaredomain> persist file "/etc/pf/malwaredomain"
# Table of selected country IP addresses
table <blocked_countries> persist file "/etc/pf/blocked_countries"
# Table of apache mod_evasive blocks
table <evasive> persist file "/etc/pf/evasive"

antispoof for $ext_if
antispoof for $int_if

# Start by blocking by default
block all
# Block anything in the blocked_countries table first
block in quick from <blocked_countries>
# Block nmap scans
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
# Explicitly block unroutable addresses
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>
# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>
# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>
# Explicitly block anything in the droplasso table
block in quick from <droplasso>
# Explicitly block anything in the ZeuS table
block in quick from <ZeuS>
# Explicitly block anything in the malwaredomain table
block in quick from <malwaredomain>
# Block anything in the evasive table
block in quick from <evasive>

# pass everything on the loopback interface
pass quick on lo0 all
# allow ping and host unreach
pass inet proto icmp icmp-type $icmp_types keep state
# Traceroute
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass inet proto udp to port 33433:33626

# For IPv4
# Pass out only the desired ports from host and jails
pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate

# Allow ssh connections in from the internet
pass in inet proto tcp from any to $ext_if port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Pass in ssh traffic to the jails
# pass rules for nat redirect
pass in inet proto tcp from any to $jssh1 port 2220 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass inet proto tcp from any to $jssh1 port 2220 flags S/SA keep state
pass in inet proto tcp from any to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass inet proto tcp from any to $jssh2 port 2221 flags S/SA keep state
pass in inet proto tcp from any to $jssh3 port 2222 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass inet proto tcp from any to $jssh3 port 2222 flags S/SA keep state
pass in inet proto tcp from any to $jssh4 port 2223 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass inet proto tcp from any to $jssh4 port 2223 flags S/SA keep state

# Pass traffic to the vpn
pass in inet proto udp from any to $vpn port 1194 $udpstate
pass in inet proto tcp from any to $vpn port 1194 $udpstate
pass inet proto udp from any to $vpn port 1194 $udpstate
pass inet proto tcp from any to $vpn port 1194 $udpstate
pass quick on tun0 all keep state

# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# pass traffic from the asterisk server
pass inet proto {udp, tcp} from any to $asterisk port $voipports keep state

I've tried enabling the set skip on tun0, no good; changing my nat vpnnet line to vpn_if, no good; and commenting out the pass rules and doing rdr pass on the 1194 rdr lines. None of these have worked. Any help appreciated.

Thanks.
Dave.
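A static check that is worth running before chasing a ruleset like the one above through pfctl: pf resolves address macros literally, and two macros written with different prefixes can still denote the same block. In the posted macros, "10.8.0.0/8" canonicalises to 10.0.0.0/8, so $jailnet and $vpnnet cover the same range, and the VPN address 10.8.0.1 is matched by every nat, rdr and pass rule written for $jailnet as well as those written for $vpnnet (including the static-port NAT rule). The script below is an added example, not code from the post or from pf; it is a hypothetical helper that parses the macro lines of a pf.conf, reports network macros that overlap, host macros that fall inside more than one network macro, and <table> names that are referenced but never defined. The sample ruleset embedded in it is constructed from a subset of the rules in the post.

```python
"""Static checks over a pf.conf text: overlapping address macros, host
macros that fall inside more than one network macro, and <table> names
that are referenced but never defined.  Hypothetical helper (not part of
pf(4) or the original post); the pf.conf sample below is constructed from
the macros, NAT and table rules in the post."""
import ipaddress
import re

MACRO_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*$')
TABLE_DEF_RE = re.compile(r'^\s*table\s+<([^>\s]+)>')
TABLE_REF_RE = re.compile(r'<([^>\s]+)>')

# Constructed sample input: a subset of the posted ruleset.
SAMPLE_PF_CONF = """\
ext_if="vtnet0"
jailnet = "10.0.0.0/8"
vpnnet="10.8.0.0/8"
vpn="10.8.0.1"
table <bruteforce> persist file "/etc/pf/bruteforce"
nat on $ext_if from $jailnet to any -> ($ext_if) static-port
nat on $ext_if from $vpnnet to any -> ($ext_if)
block in quick from <blocked_countries>
pass in inet proto tcp from any to $ext_if port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
"""


def strip_comment(line):
    """Drop a trailing '# ...' comment (pf.conf does not quote '#')."""
    return line.split("#", 1)[0].rstrip()


def parse_macros(text):
    """name -> raw string value for every  name="value"  macro line."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(strip_comment(line))
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def cidr_macros(macros):
    """Macros whose value is a CIDR block, as ip_network objects.
    strict=False canonicalises host bits, so "10.8.0.0/8" becomes 10.0.0.0/8,
    which is exactly how pf will match it."""
    nets = {}
    for name, value in macros.items():
        if "/" in value:
            try:
                nets[name] = ipaddress.ip_network(value, strict=False)
            except ValueError:
                pass  # port ranges such as "10000:10500" also contain no '/'
    return nets


def host_macros(macros):
    """Macros whose value is a single IP address."""
    hosts = {}
    for name, value in macros.items():
        if "/" not in value:
            try:
                hosts[name] = ipaddress.ip_address(value)
            except ValueError:
                pass  # interface names such as "vtnet0", port lists, etc.
    return hosts


def overlapping_networks(nets):
    """Sorted pairs of network macros whose address ranges overlap."""
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].version == nets[b].version and nets[a].overlaps(nets[b])]


def host_membership(nets, hosts):
    """host macro -> network macros containing it; a host inside two
    networks is matched by every nat/rdr/pass/block rule written for either."""
    return {h: sorted(n for n, net in nets.items() if addr in net)
            for h, addr in hosts.items()}


def undefined_tables(text):
    """<table> names used in rules without a matching 'table <name>' line."""
    defined, referenced = set(), set()
    for line in text.splitlines():
        code = strip_comment(line)
        d = TABLE_DEF_RE.match(code)
        if d:
            defined.add(d.group(1))
        referenced.update(TABLE_REF_RE.findall(code))
    return sorted(referenced - defined)


def lint(text):
    """All findings for a pf.conf text, as human-readable strings."""
    macros = parse_macros(text)
    nets = cidr_macros(macros)
    findings = []
    for a, b in overlapping_networks(nets):
        findings.append(f"${a} ({nets[a]}) and ${b} ({nets[b]}) overlap")
    for host, members in host_membership(nets, host_macros(macros)).items():
        if len(members) > 1:
            findings.append(f"${host} is inside " + " and ".join("$" + m for m in members))
    for name in undefined_tables(text):
        findings.append(f"<{name}> is referenced but never defined")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PF_CONF):
        print(finding)
```

On the sample this reports that $jailnet and $vpnnet overlap, that $vpn sits inside both, and that <blocked_countries> is used without a table definition (the sample deliberately omits it). To run it against a real file, replace SAMPLE_PF_CONF with the file's contents; it complements, rather than replaces, a syntax check with `pfctl -nf /etc/pf.conf`, which parses the file without loading it.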