From: David Mehler
Date: Tue, 21 Mar 2017 08:52:42 -0400
Subject: FreeBSD 10.3, pf, and rtp, definite firewall issue
To: freebsd-pf

Hello,

I've included my firewall rules below. Can someone take a look at them and give me an assessment? They are working for the most part, except with Asterisk in a jail and RTP. I've got a single server, a VPS, and one public IP. On the server (FreeBSD 10.3; trying to decide whether to go to 11, opinions?) it has two jails running services, one of which is Asterisk. I get to the point where I can connect a softphone app, Zoiper; it works, but I hear no audio from the Asterisk. I finally got the debugging going and determined that Asterisk is working fine. So what I did was take the "block all" line in the attached ruleset, change it to "pass all", and remove all other rules. That worked, telling me I've got a firewall issue. I've been working on that for the last day and getting nowhere; RTP is definitely not working in my configuration, kind of like FTP, thank god I don't have to do that. Anyway, I was wondering if you could take a look? The pf.conf1 file is the modified file that does work, while the pf.conf file is my ruleset that I'd like to use.

Thanks.
Dave.
non-working pf.conf:

#
# ################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
# 12/27/15: added in ipv6 firewall rules

################ Macros ###################################

### Interfaces ###
ext_if="vtnet0"
int_if = "lo1"
jailnet = $int_if:network
icmp_types="{echoreq, unreach}"
icmp6_types="{ 2, 128 }" # packet too big, echo request (ping6)
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"
synstate ="flags S/SA synproxy state"
tcpstate ="flags S/SA modulate state"
udpstate ="keep state"

# Name and IP of jails
webmail="10.0.0.15"
webmail2="10.0.0.16"
# Name and IP of jailed ssh server
jssh1="10.0.0.15"
jssh2="10.0.0.16"
jssh3="10.0.0.17"
# The Asterisk Server
asterisk="10.0.0.17"
voipports = "{ 5060, 5061, 10000:20000 }"

# allowed traffic
tcp_services="{7, bootpc, bootps, ftp-data, ftp, ssh, smtp, domain, http, imap, https, imaps, 2703, 587, 43}"
tcp6_services="{ssh, smtp, domain, http, imap, https, imaps, 43}"
udp_services="{bootpc, bootps, domain, ntp, 3690, 6277, 24441}"
udp6_services="{domain, ntp, 546}"

# Options
# block-policy can be either drop or return
set block-policy return
set skip on lo0
set skip on lo1
#scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440

# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
#scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

# NAT
#nat on $ext_if inet from $jailnet to any -> ($ext_if)
nat on $ext_if from $jailnet to any -> ($ext_if) static-port
# Nat internal hosts
#nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
#nat on $int_if from lo1:network to any -> ($int_if)

# Redirect any packets requesting ports 2220, 2221, or 2222 to jailed ssh server
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2220 -> $jssh1 port 2220
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2221 -> $jssh2 port 2221
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2222 -> $jssh3 port 2222

# Redirect traffic to the asterisk server
# SIP on UDP port 5060, 5061 for secure signaling.
# Used for signals such as "hang up"
rdr pass on $ext_if inet proto udp from any to $ext_if port 5060 -> $asterisk port 5060
rdr pass on $ext_if inet proto udp from any to $ext_if port 5061 -> $asterisk port 5061
# RTP ports 10000 to 20000
rdr pass on $ext_if inet proto udp from any to $ext_if port 10000:20000 -> $asterisk port 10000:20000
# IAX2 - the IAX protocol
# UDP 4569
#rdr pass on $ext_if inet proto udp from any to $ext_if port 4569 -> $asterisk port 4569
# IAX - old IAX protocol
# port UDP 5036
#rdr pass on $ext_if inet proto udp from any to $ext_if port 5036 -> $asterisk port 5036

# Tables
# NOTE: the angle-bracketed table names did not survive the list archive;
# the names used below are taken from the comments on the block rules.
#table <badips> persist file "/etc/pf/badips"
table <bruteforce> persist file "/etc/pf/bruteforce"
table <droplasso> persist file "/etc/pf.drop.lasso.conf"
table <fail2ban> persist file "/etc/pf/fail2ban"

# Pass anything on the lo* interfaces
#antispoof quick for lo0 inet
pass quick on lo0 all
#pass quick on lo1 all

# Block by default
block all

# Try to block nmap scans
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# Explicitly block unroutable addresses
#antispoof quick for ($ext_if)
#block in quick on $ext_if from to any
#block out quick on $ext_if from any to

# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>
# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>
# Explicitly block anything in the droplasso table
block in quick from <droplasso>

# Pass out only the desired ports from host and jails
pass quick proto tcp from {self} to port $tcp_services keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto tcp from $jailnet to port $tcp_services keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto {tcp, udp} from {self} to port $udp_services keep state
pass quick proto {tcp, udp} from $jailnet to port $udp_services keep state

# allow ping and host unreach
pass inet proto icmp icmp-type $icmp_types keep state

# Traceroute
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass inet proto udp to port 33433:33626

# For IPv4
# tag packets in on $int_if and pass them out on $ext_if
#pass in quick on $int_if from any to any tag INTNET
#pass in on $ext_if proto tcp from any to $webmail port http flags S/SA synproxy state

# allow https traffic out from the jails
pass out proto tcp from $jailnet port https to any keep state

# Allow ssh connections in from the internet
pass in inet proto tcp from any to $ext_if port ssh keep state
# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 keep state
# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 keep state
# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 keep state
# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 keep state
# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 keep state

# Pass out port 80 to the jailed web servers
pass out inet proto tcp from $int_if to $webmail port 80 keep state
pass out inet proto tcp from $int_if to $webmail2 port 80 keep state

# pass traffic from the asterisk server
pass quick inet proto udp from $asterisk to any port $voipports keep state

# IPv6
# allowing in ping
pass quick on $ext_if inet6 proto ipv6-icmp icmp6-type $icmp6_types keep state
pass quick on $ext_if inet6 proto ipv6-icmp from any to { ($ext_if), ff02::/16 } icmp6-type $icmp6_types_ext_if keep state

# Allow outgoing services
pass out on $ext_if inet6 proto tcp to any port $tcp_services
pass out on $ext_if inet6 proto udp to any port $udp_services

# Trace route out
pass out on $ext_if inet6 proto udp from any to any port 33433 >< 33626 keep state

# allow incoming traffic
#pass in on $ext_if inet6 proto tcp from any to $http_servers6 port http keep state
#pass in on $ext_if inet6 proto tcp from any to $mail_servers6 port $mail_ports keep state
#pass in quick on $ext_comcast_if inet6 proto tcp from any to any port
#$tcp46_services flags S/SA keep state
#pass in quick on $ext_comcast_if inet6 proto tcp from any to
#( $ext_comcast_if ) port $tcp46_services_ext_if flags S/SA
#keep state
#pass in quick on $ext_comcast_if inet6 proto udp from any to
#( $ext_comcast_if ) port $udp6_services_ext_if keep state
#pass quick on $jailnet all keep state

working but totally open pf.conf1:

ext_if="vtnet0"
int_if = "lo1"
jailnet = $int_if:network
asterisk="10.0.0.17"
set block-policy return
set skip on lo0
nat on $ext_if inet from $jailnet to any -> ($ext_if)
rdr pass on $ext_if inet proto udp from any to $ext_if port 5060 -> $asterisk port 5060
rdr pass on $ext_if inet proto udp from any to $ext_if port 5061 -> $asterisk port 5061
rdr pass on $ext_if inet proto udp from any to $ext_if port 10000:20000 -> $asterisk port 10000:20000
pass all
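The following is an added example from the editor, not the poster's ruleset or anything from the thread's replies. It isolates the VoIP-relevant part of the non-working pf.conf and rewrites the one rule that cannot do its job. The reasoning rests on a documented pf property: translation (nat/rdr) is evaluated before filtering, so a filter rule on vtnet0 sees the already-translated packet. Inbound SIP and RTP are let in by the "rdr pass" rules themselves and never reach the filter, which is why registration and the phone-to-Asterisk direction work. Asterisk's own outbound UDP, however, leaves vtnet0 with the public address as its source, so "pass quick inet proto udp from $asterisk ..." never matches there and the packet falls through to "block all". The rewritten rule keys on the post-NAT source address and on the source port, which "static-port" preserves, so only Asterisk's SIP and RTP sockets are allowed out without caring which port the remote phone uses. The macro names sipports and rtpports, and the assumption that Asterisk's rtp.conf uses 10000-20000, are the editor's.

```pf
# Added example: VoIP fragment of the poster's ruleset with the outbound rule
# corrected.  Interface, jail and address macros are the poster's; the
# sipports/rtpports macros and the final two rules are the editor's assumption.
ext_if="vtnet0"
int_if="lo1"
jailnet=$int_if:network
asterisk="10.0.0.17"
sipports="{ 5060, 5061 }"
rtpports="10000:20000"     # assumed to match rtpstart/rtpend in Asterisk's rtp.conf

set block-policy return
set skip on lo0
set skip on lo1            # jail traffic is therefore filtered only on $ext_if

# static-port keeps the jail's source port through NAT, so Asterisk's RTP
# leaves vtnet0 from the same 10000-20000 range it bound locally.
nat on $ext_if inet from $jailnet to any -> ($ext_if) static-port

# "rdr pass" passes the redirected inbound packet in the translation step;
# it never reaches the filter rules below, so inbound SIP/RTP already worked.
rdr pass on $ext_if inet proto udp from any to ($ext_if) port 5060 -> $asterisk port 5060
rdr pass on $ext_if inet proto udp from any to ($ext_if) port 5061 -> $asterisk port 5061
rdr pass on $ext_if inet proto udp from any to ($ext_if) port 10000:20000 -> $asterisk port 10000:20000

block all

# Outbound: by the time the packet is filtered on vtnet0 its source is the
# public address, not 10.0.0.17, so "from $asterisk" can never match here.
# Match the post-NAT source and the preserved source port instead; the state
# entry then admits the remote phone's replies for that flow.
pass out quick on $ext_if inet proto udp from ($ext_if) port $sipports to any keep state
pass out quick on $ext_if inet proto udp from ($ext_if) port $rtpports to any keep state
```

Check the syntax with pfctl -nf before loading, then place a test call and confirm with pfctl -ss that a UDP state appears on vtnet0 whose source port lies in 10000:20000; if no such state exists while the call is up, the outbound rule is still not being reached. Keeping the rule narrow to Asterisk's own source ports is what lets the "pass all" debugging ruleset (pf.conf1) be retired rather than left in place.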