From: "Ivan Petrushev" <ivanatora@gmail.com>
To: freebsd-pf@freebsd.org
Date: Wed, 23 Jul 2008 21:28:05 +0300
Subject: Why this rule doesn't score a match?
References: <48876DAD.9080100@optiksecurite.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hmmm, yes, I'm on FreeBSD 7.
I tried these pass rules before - nothing gets logged.
I thought traffic is going both TO these ports and FROM these ports.
Let's take for example a simple HTTP connection. The browser
communicates with the remote server through remote port 80 and says
'GET /index.html', then closes the connection. The HTTP server on the
remote side opens a connection to the local machine (on some of our
local port range)... but what is the port number on his side? I think
that it is again 80.

About pass in/pass out - I think that the in/out keyword can be dropped?
PF can do without that, right?

These are my current filter rules, still nothing gets logged:
##############################
pass log on $if proto tcp from any port $tcp_services
pass log on $if proto udp from any port $udp_services
pass log on $if proto tcp from any to $ext_ip port $tcp_services
pass log on $if proto udp from any to $ext_ip port $udp_services
#############################

Regards,
Ivan.

On Wed, Jul 23, 2008 at 8:43 PM, FreeBSD wrote:
> Ivan Petrushev wrote:
>>
>> Hello,
>> I'm trying a very simple 'block all, allow a few' firewall, but
>> something doesn't seem right.
>> As far as I remember 'the right matched rule' is taken and executed -
>> this doesn't seem to be working here.
>> Here is my firewall:
>> #####################
>> #macros
>> if = "re0"
>> ext_ip = "10.10.10.21"
>> tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
>> udp_services = "{domain, 5190, 5222, ftp}"
>>
>> #filter
>> block in log on $if
>> pass on $if proto tcp from any port $tcp_services
>> pass on $if proto udp from any port $udp_services
>> ####################
>> The point here is that if a packet for some of the listed services is
>> matched against the rules, it will match the block rule, but after
>> that it will match one of the last two and get passed. Instead it gets
>> blocked and I see it in the log:
>> tcpdump -n -i pflog0
>> 19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111: tcp 24
>> [bad hdr length 0 - too short, < 20]
>> (there are many of these, including on the other ports)
>>
>> Now, there is something different. I tried removing the block rule,
>> and added logging for the 'pass' rules. In that case a packet
>> traveling down the rules should match only the 'pass' rules and get
>> logged.
>> ####################
>> #filter
>> #block in log on $if
>> pass log on $if proto tcp from any port $tcp_services
>> pass log on $if proto udp from any port $udp_services
>> ####################
>>
>> Well, it doesn't get logged. The only thing I see in the log is:
>> 20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]
>> And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or
>> 80...
>>
>> What could be wrong here - it is a fairly simple ruleset?
>>
>
> You should try "pass in on $if proto tcp from any to $ext_ip port
> $tcp_services flags S/SA keep state" and "pass in on $if proto udp from any
> to $ext_ip port $udp_services keep state"
>
> Your rule expects the traffic to come FROM $tcp_services but it is going TO
> those ports.
>
> You can omit the "flags S/SA keep state" and the "keep state" if you're
> using FreeBSD 7, it is added automatically.
>
> I would also suggest you use "block all log" instead of "block in log"
> and specify rules for your outgoing traffic too.
>
> Good luck
>
> Martin
>
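As an added example, not taken from Ivan's or Martin's messages, here is a complete ruleset written along the lines Martin suggests, reusing the macros from the quoted pf.conf. It assumes the FreeBSD 7 behaviour Martin mentions (pass rules keep state by default, so no explicit "keep state"), and the outbound rule is my assumption of what "rules for your outgoing traffic" would look like. The security-relevant difference is the direction of the port match: "to $ext_ip port $tcp_services" matches the destination port, i.e. connections arriving at services this host actually offers, whereas the original "from any port $tcp_services" matches on the source port, a value chosen by the remote sender and not under the firewall's control. Replies to stateful passes are matched by the state entry rather than by any rule, so no rule keyed on the remote side's port is needed for them. Note that pf's grammar puts "log" before "all", so Martin's "block all log" is written "block log all".

```pf
# Added example ruleset; assumes the macros from the original message and
# FreeBSD 7 pf, where "pass" rules keep state by default.
if = "re0"
ext_ip = "10.10.10.21"
tcp_services = "{ http, https, ssh, domain, 5190, 5222, ftp, 1025 }"
udp_services = "{ domain, 5190, 5222, ftp }"

# Default deny in both directions; every packet no later rule passes
# shows up on pflog0 with this rule's number.
block log all

# Inbound: match on the DESTINATION port, i.e. new connections arriving
# at services on this host. The state created here also lets the replies
# leave, so no "pass out ... from port $tcp_services" rule is needed.
pass in log on $if proto tcp from any to $ext_ip port $tcp_services
pass in log on $if proto udp from any to $ext_ip port $udp_services

# Outbound: connections this host initiates (browser to remote port 80,
# DNS to 10.10.10.1, the ICQ session to 64.12.161.185 port 5190, ...).
# The reply segments coming back from port 5190 are matched by this
# rule's state, not by a rule keyed on their source port.
pass out log on $if proto { tcp udp } from $ext_ip to any
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without installing it; `pfctl -f /etc/pf.conf` then loads it. To see which rule logged a given packet, run `tcpdump -n -e -ttt -i pflog0`: with `-e` tcpdump prints the pflog header, including the rule number and the block/pass action, which answers the "does it score a match" question directly rather than by inference from which packets appear.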