Date: Wed, 23 Jul 2008 21:28:05 +0300 From: "Ivan Petrushev" <ivanatora@gmail.com> To: freebsd-pf@freebsd.org Subject: Why this rule doesn't score a match? Message-ID: <d39744a20807231128j6641996i95ee8fec03053b6e@mail.gmail.com> In-Reply-To: <d39744a20807231127u11df822rc2022a70b1a1af3e@mail.gmail.com> References: <d39744a20807231025w42fc4a99ha1e99be5fd5c76b0@mail.gmail.com> <48876DAD.9080100@optiksecurite.com> <d39744a20807231127u11df822rc2022a70b1a1af3e@mail.gmail.com>
Hmmm, yes I'm on FreeBSD 7.
I tried these pass rules before - nothing gets logged.

I thought traffic is going both TO these ports and FROM these ports.
Let's take for example a simple HTTP connection. The browser communicates
to the remote server through remote port 80 and says 'GET /index.html',
then closes the connection. The HTTP server on the remote side opens a
connection to the local machine (on some of our local port range)... but
what is the port number on his side? I think that it is again 80.

About pass in/pass out - I think that the in/out keyword can be dropped?
PF can do without that, right?

These are my current filter rules, still nothing gets logged:
##############################
pass log on $if proto tcp from any port $tcp_services
pass log on $if proto udp from any port $udp_services
pass log on $if proto tcp from any to $ext_ip port $tcp_services
pass log on $if proto udp from any to $ext_ip port $udp_services
#############################

Regards,
Ivan.

On Wed, Jul 23, 2008 at 8:43 PM, FreeBSD <freebsd@optiksecurite.com> wrote:
> Ivan Petrushev wrote:
>>
>> Hello,
>> I'm trying a very simple 'block all, allow a few' firewall, but
>> something doesn't seem right.
>> As far as I remember 'the right matched rule' is taken and executed -
>> this doesn't seem to be working here.
>> Here is my firewall:
>> #####################
>> #macros
>> if = "re0"
>> ext_ip = "10.10.10.21"
>> tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
>> udp_services = "{domain, 5190, 5222, ftp}"
>>
>> #filter
>> block in log on $if
>> pass on $if proto tcp from any port $tcp_services
>> pass on $if proto udp from any port $udp_services
>> ####################
>> The point here is that if a packet for some of the listed services is
>> matching against the rules, it will match the block rule, but after
>> that will match some of the last two and get passed. Instead it gets
>> blocked and I see it in the log:
>> tcpdump -n -i pflog0
>> 19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111: tcp 24
>> [bad hdr length 0 - too short, < 20]
>> (there are many of these, including on the other ports)
>>
>> Now, there is something different. I tried removing the block rule,
>> and added logging for the 'pass' rules. In that case a packet
>> traveling down the rules should match only on the 'pass' rules and get
>> logged.
>> ####################
>> #filter
>> #block in log on $if
>> pass log on $if proto tcp from any port $tcp_services
>> pass log on $if proto udp from any port $udp_services
>> ####################
>>
>> Well, it doesn't get logged. The only thing I see in the log is:
>> 20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]
>> And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or
>> 80...
>>
>> What could be wrong here - it is a fairly simple ruleset?
>>
>
> You should try "pass in on $if proto tcp from any to $ext_ip port
> $tcp_services flags S/SA keep state" and "pass in on $if proto udp from any
> to $ext_ip port $udp_services keep state"
>
> Your rule expects the traffic to come FROM $tcp_services but it is going TO
> those ports.
>
> You can omit the "flags S/SA keep state" and the "keep state" if you're
> using FreeBSD 7, it is added automatically.
>
> I would also suggest you use "block all log" instead of "block in log"
> and specify rules for your outgoing traffic too.
>
> Good luck
>
> Martin
>
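As an added example that is not part of the thread (it is neither Ivan's nor Martin's ruleset): a pf.conf fragment built from Ivan's macros along the lines Martin suggests, with the original rule kept in a comment for contrast and a note on which packets each rule actually matches. It assumes FreeBSD 7's pf, where, as Martin says, a pass rule for TCP gets "flags S/SA keep state" by default. That default also means a rule written "from any port 80" can only match a bare SYN whose source port is 80; the SYN-ACK and data a web server sends back never match it, while UDP replies from port 53 carry no flags and do, which would explain why only DNS showed up in the pflog0 output above.

```pf
# Added example, not the ruleset from the thread. Uses Ivan's macros.
if = "re0"
ext_ip = "10.10.10.21"
tcp_services = "{ http, https, ssh, domain, 5190, 5222, ftp, 1025 }"
udp_services = "{ domain, 5190, 5222, ftp }"

# Original rule from the thread, shown for contrast only:
#   pass on $if proto tcp from any port $tcp_services
# "from any port X" matches packets whose SOURCE port is X, i.e. packets a
# remote service sends back to us (and, with the implicit flags S/SA, only
# their SYN). It never matches a client connecting TO port X on this host,
# whose source port is an ephemeral one and whose destination port is X.

# Default deny in both directions; log drops so they show up on pflog0.
block log all

# Inbound connections to services this host offers: the DESTINATION port
# is the service port. The state created here also passes our replies out.
pass in log on $if proto tcp from any to $ext_ip port $tcp_services flags S/SA keep state
pass in log on $if proto udp from any to $ext_ip port $udp_services keep state

# Outbound connections from this host (browser to remote port 80, ICQ to
# 5190, ...): again the DESTINATION port is the service port. The reply
# traffic (remote port 80 -> our ephemeral port) is matched by the state
# entry, not by any rule, so it never needs a "from any port 80" rule.
pass out log on $if proto tcp from $ext_ip to any port $tcp_services flags S/SA keep state
pass out log on $if proto udp from $ext_ip to any port $udp_services keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and then watch `tcpdump -n -e -ttt -i pflog0` (the `-e` flag prints which rule number and action logged each packet) alongside `pfctl -s state` to confirm that the outbound HTTP SYN creates a state entry and that the replies from port 80 are passed by that entry rather than by a rule.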