Date: Tue, 21 Mar 2017 08:52:42 -0400
From: David Mehler <dave.mehler@gmail.com>
To: freebsd-pf <freebsd-pf@freebsd.org>
Subject: FreeBSD 10.3, pf, and rtp, definite firewall issue
Message-ID: <CAPORhP5XQGnh%2BDJ2uOSLYPuK1CbzgViUzXKwMBV=4e%2BSXi2Eeg@mail.gmail.com>
Hello,

I've included my firewall rules below. Can someone take a look at them and give me an assessment? They are working for the most part except with Asterisk in a jail and RTP. I've got a single server, a VPS, and one public IP. On the server (FreeBSD 10.3, trying to decide whether to go to 11, opinions?), it has two jails running services, one of which is Asterisk. I get to the point where I can connect a softphone app, Zoiper; it works, but I hear no audio from the Asterisk. I finally got the debugging going and determined that Asterisk is working fine. So what I did was take the line in the attached ruleset "block all" and changed it to "pass all" and removed all other rules. That worked, telling me I've got a firewall issue. I've been working on that for the last day and getting nowhere; RTP is definitely not working in my configuration, kind of like FTP, thank god I don't have to do that. Anyway I was wondering if you could take a look? The pf.conf1 file is the modified file that does work, while the pf.conf file is my ruleset that I'd like to use.

Thanks.
Dave.

non-working pf.conf:

#
# ################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
#
# 12/27/15: added in ipv6 firewall rules

################ Macros ###################################

### Interfaces ###
ext_if="vtnet0"
int_if = "lo1"
jailnet = $int_if:network

icmp_types="{echoreq, unreach}"
# packet too big, echo request (ping6)
icmp6_types="{ 2, 128 }"
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"

synstate ="flags S/SA synproxy state"
tcpstate ="flags S/SA modulate state"
udpstate ="keep state"

# Name and IP of jails
webmail="10.0.0.15"
webmail2="10.0.0.16"

# Name and IP of jailed ssh server
jssh1="10.0.0.15"
jssh2="10.0.0.16"
jssh3="10.0.0.17"

# The Asterisk Server
asterisk="10.0.0.17"
voipports = "{ 5060, 5061, 10000:20000 }"

# allowed traffic
tcp_services="{7, bootpc, bootps, ftp-data, ftp, ssh, smtp, domain, http, imap, https, imaps, 2703, 587, 43}"
tcp6_services="{ssh, smtp, domain, http, imap, https, imaps, 43}"
udp_services="{bootpc, bootps, domain, ntp, 3690, 6277, 24441}"
udp6_services="{domain, ntp, 546}"

# Options
# block-policy can be either drop or return
set block-policy return
set skip on lo0
set skip on lo1
#scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440

# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
#scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

# NAT
#nat on $ext_if inet from $jailnet to any -> ($ext_if)
nat on $ext_if from $jailnet to any -> ($ext_if) static-port

# Nat internal hosts
#nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
#nat on $int_if from lo1:network to any -> ($int_if)

# Redirect any packets requesting ports 2220, 2221, or 2222 to jailed ssh server
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2220 -> $jssh1 port 2220
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2221 -> $jssh2 port 2221
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2222 -> $jssh3 port 2222

# Redirect traffic to the asterisk server
# SIP on UDP port 5060, 5061 for secure signaling.
# Used for signals such as "hang up"
rdr pass on $ext_if inet proto udp from any to $ext_if port 5060 -> $asterisk port 5060
rdr pass on $ext_if inet proto udp from any to $ext_if port 5061 -> $asterisk port 5061
# RTSP ports 10000 to 20000
rdr pass on $ext_if inet proto udp from any to $ext_if port 10000:20000 -> $asterisk port 10000:20000
# IAX2- the IAX protocol
# UDP 4569
#rdr pass on $ext_if inet proto udp from any to $ext_if port 4569 -> $asterisk port 4569
# IAX - old IAX protocol
# port UDP 5036
#rdr pass on $ext_if inet proto udp from any to $ext_if port 5036 -> $asterisk port 5036

# Tables
#table <badips> persist file "/etc/pf/badips"
table <bruteforce> persist file "/etc/pf/bruteforce"
table <droplasso> persist file "/etc/pf.drop.lasso.conf"
table <fail2ban> persist file "/etc/pf/fail2ban"

# Pass anything on the lo* interfaces
#antispoof quick for lo0 inet
pass quick on lo0 all
#pass quick on lo1 all

# Block by default
block all

# Try to block nmap scans
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# Explicitly block unroutable addresses
#antispoof quick for ($ext_if)
#block in quick on $ext_if from <badips> to any
#block out quick on $ext_if from any to <badips>

# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>
# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>
# Explicitly block anything in the droplasso table
block in quick from <droplasso>

# Pass out only the desired ports from host and jails
pass quick proto tcp from {self} to port $tcp_services keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto tcp from $jailnet to port $tcp_services keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto {tcp, udp} from {self} to port $udp_services keep state
pass quick proto {tcp, udp} from $jailnet to port $udp_services keep state

# allow ping and host unreach
pass inet proto icmp icmp-type $icmp_types keep state

# Traceroute
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass inet proto udp to port 33433:33626

# For IPv4
# tag packets in on $int_if and pass them out on $ext_if
#pass in quick on $int_if from any to any tag INTNET
#pass in on $ext_if proto tcp from any to $webmail port http flags S/SA synproxy state

# allow https traffic out from the jails
pass out proto tcp from $jailnet port https to any keep state

# Allow ssh connections in from the internet
pass in inet proto tcp from any to $ext_if port ssh keep state
# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 keep state
# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 keep state
# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 keep state
# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 keep state
# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 keep state

# Pass out port 80 to the jailed web servers
pass out inet proto tcp from $int_if to $webmail port 80 keep state
pass out inet proto tcp from $int_if to $webmail2 port 80 keep state

# pass traffic from the asterisk server
pass quick inet proto udp from $asterisk to any port $voipports keep state

# IPv6
# allowing in ping
pass quick on $ext_if inet6 proto ipv6-icmp icmp6-type $icmp6_types keep state
pass quick on $ext_if inet6 proto ipv6-icmp from any to { ($ext_if ), ff02::/16 } icmp6-type $icmp6_types_ext_if keep state

# Allow outgoing services
pass out on $ext_if inet6 proto tcp to any port $tcp_services
pass out on $ext_if inet6 proto udp to any port $udp_services

# Trace route out
pass out on $ext_if inet6 proto udp from any to any port 33433 >< 33626 keep state

# allow incoming traffic
#pass in on $ext_if inet6 proto tcp from any to $http_servers6 port http keep state
#pass in on $ext_if inet6 proto tcp from any to $mail_servers6 port $mail_ports keep state
#pass in quick on $ext_comcast_if inet6 proto tcp from any to any port
#$tcp46_services flags S/SA keep state
#pass in quick on $ext_comcast_if inet6 proto tcp from any to
#( $ext_comcast_if ) port $tcp46_services_ext_if flags S/SA
#keep state
#pass in quick on $ext_comcast_if inet6 proto udp from any to
#( $ext_comcast_if ) port $udp6_services_ext_if keep state
#pass quick on $jailnet all keep state

working but totally open pf.conf1:

ext_if="vtnet0"
int_if = "lo1"
jailnet = $int_if:network
asterisk="10.0.0.17"
set block-policy return
set skip on lo0
nat on $ext_if inet from $jailnet to any -> ($ext_if)
rdr pass on $ext_if inet proto udp from any to $ext_if port 5060 -> $asterisk port 5060
rdr pass on $ext_if inet proto udp from any to $ext_if port 5061 -> $asterisk port 5061
rdr pass on $ext_if inet proto udp from any to $ext_if port 10000:20000 -> $asterisk port 10000:20000
pass all
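Added example for this thread (not code from the original post or from the poster's ruleset): a small triage helper that summarises pflog drops touching the RTP range from the voipports macro, so the direction in which RTP packets are being dropped on vtnet0 shows up per flow rather than as a silent "no audio". It assumes the "block all" rule has been changed to "block log all" so that drops reach pflog0; the sample tcpdump lines, addresses and rule numbers are constructed.

```sh
#!/bin/sh
# Added example for this thread, not the poster's ruleset. Summarises pf drops
# that touch the RTP range from the poster's voipports macro (10000:20000).
# Assumes "block all" has been changed to "block log all" so that dropped
# packets are written to pflog0, and that the input is the output of:
#   tcpdump -n -e -ttt -i pflog0 udp
RTP_LO=10000
RTP_HI=20000

# Read pflog lines on stdin; print "dir iface src dst rule N" for each blocked
# UDP packet whose source or destination port is inside the RTP range.
blocked_rtp() {
    awk -v lo="$RTP_LO" -v hi="$RTP_HI" '
        # field layout: 1=time 2="rule" 3=N/0(match): 4=block 5=in|out 6="on"
        #               7=iface: 8=src 9=">" 10=dst: 11=UDP, ...
        /\(match\): block/ && $11 == "UDP," {
            rule = $3; sub(/\/.*/, "", rule)
            iface = $7; sub(/:$/, "", iface)
            src = $8
            dst = $10; sub(/:$/, "", dst)
            sp = src; sub(/.*\./, "", sp)
            dp = dst; sub(/.*\./, "", dp)
            if ((sp + 0 >= lo && sp + 0 <= hi) || (dp + 0 >= lo && dp + 0 <= hi))
                print $5, iface, src, dst, "rule", rule
        }'
}

# Collapse repeated drops into one line per flow with a packet count, so a
# steady one-way stream of dropped RTP (the "no audio" symptom) stands out.
rtp_drop_summary() {
    blocked_rtp | sort | uniq -c | sed 's/^ *//'
}

# Constructed sample: 203.0.113.10 stands in for the VPS address and
# 198.51.100.7 for the softphone; rule numbers are placeholders.
SAMPLE_PFLOG='00:00:00.000000 rule 7/0(match): pass in on vtnet0: 198.51.100.7.5060 > 203.0.113.10.5060: UDP, length 812
00:00:00.004210 rule 9/0(match): block out on vtnet0: 203.0.113.10.14022 > 198.51.100.7.8000: UDP, length 172
00:00:00.020011 rule 9/0(match): block out on vtnet0: 203.0.113.10.14022 > 198.51.100.7.8000: UDP, length 172
00:00:00.000500 rule 9/0(match): block in on vtnet0: 198.51.100.7.43210 > 203.0.113.10.53: UDP, length 60'

printf '%s\n' "$SAMPLE_PFLOG" | rtp_drop_summary
```

On the live box the same functions read from tcpdump directly, e.g. tcpdump -n -e -ttt -i pflog0 udp | blocked_rtp, while a call is placed.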