Date: Tue, 18 Apr 2017 16:20:58 -0400
From: David Mehler <dave.mehler@gmail.com>
To: Ultima <ultima1252@gmail.com>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Subject: Re: freebsd 10.3, pf, and openvpn
Message-ID: <CAPORhP4_n-Gkzf-WgeEZHqzbPXnMgW3jKxe=stX2zcRHq7bN+w@mail.gmail.com>
In-Reply-To: <CANJ8om6Aab3tnf+VNo1N8owU462XoawbGghJxwA6aH3p9_bLpg@mail.gmail.com>
References: <CAPORhP5eEoUC46taW9WKzBoxSEerDp-t0XrH=MPNYE8FNtLXyg@mail.gmail.com>
 <CANJ8om6Aab3tnf+VNo1N8owU462XoawbGghJxwA6aH3p9_bLpg@mail.gmail.com>
Hello Ultima,

Thank you for your reply. Thanks for the information, I'm liking the new way
the rules are looking. Unfortunately, still no go on the vpn. Everything else
is working, just not the vpn.

Thanks.
Dave.

PS, here are my rules as they stand now.

pf.conf:

#
# Required order: macros, options, normalization, queueing,
# translation, filtering.
# Note: translation rules are first match while filter rules are last match.

# Macros
ext_if="vtnet0"
int_if = "lo1"
vpn_if = "tun0"
jailnet = "10.0.0.0/8"
vpnnet="10.8.0.0/8"
icmp_types="{echoreq, unreach}"

#IPV6 ICMP types:
# packet too big and echo request type ping
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"

#synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
tcpstate ="flags S/SA modulate state"
udpstate ="keep state"
voipports = "{5060, 5061, 10000:10500}"

# allowed traffic
tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, 4500, 500, 50, 51}"

# Name and IP of jails
webmail="10.0.0.15"
# Name and IP of jailed ssh servers
jssh1="10.0.0.15"
jssh2="10.0.0.16"
jssh3="10.0.0.17"
jssh4="10.0.0.18"
# The Asterisk Server
asterisk="10.0.0.17"
# The vpn server
vpn="10.8.0.1"

# Options
# block-policy can be either drop or return
set block-policy drop
set optimization conservative
set skip on tun0

# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if) static-port
nat on $ext_if from $vpnnet to any -> ($ext_if) static-port

# Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
# External redirect
rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
# reflect for internal hosts
rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
# External redirect
rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
# reflect for internal hosts
rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
# External redirect
rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
# reflect for internal hosts
rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
# External redirect
rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
# reflect for internal hosts
rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223

# Redirect traffic to the vpn server
# External redirect
rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port 1194
#rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn port 1194
# reflect for internal hosts
rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
#rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn port 1194

# Redirect traffic to the asterisk server
# SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> $asterisk port 5060
#rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port 5061
# RTP media ports 10000 to 10500
rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk port 10000:10500

# Tables
table <bruteforce> persist file "/etc/pf/bruteforce"
table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
table <fail2ban> persist file "/etc/pf/fail2ban"
table <martians> persist file "/etc/pf/martians"
# The ZeuS blocklist of c&c servers
table <ZeuS> persist file "/etc/pf/ZeuS"
# The malwaredomain ip block list
table <malwaredomain> persist file "/etc/pf/malwaredomain"
# Table of selected country IP addresses
table <blocked_countries> persist file "/etc/pf/blocked_countries"
# Table of apache mod_evasive blocks
table <evasive> persist file "/etc/pf/evasive"
# for the spamd greylist/blacklist service
# (not related to spamassassin's spamd daemon)
#table <spamd> persist
#table <spamd-white> persist

antispoof for $ext_if
antispoof for $int_if

# Start by blocking by default
block all
# Block anything in the blocked_countries table first
block in quick from <blocked_countries>
# Block nmap scans
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
# Explicitly block unroutable addresses
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>
# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>
# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>
# Explicitly block anything in the droplasso table
block in quick from <droplasso>
# Explicitly block anything in the ZeuS table
block in quick from <ZeuS>
# Explicitly block anything in the malwaredomain table
block in quick from <malwaredomain>
# Block anything in the evasive table
block in quick from <evasive>

# pass everything on the loopback interface
pass quick on lo0 all
# allow ping and host unreach
pass inet proto icmp icmp-type $icmp_types keep state
# Traceroute
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass inet proto udp to port 33433:33626

# For IPv4
# Pass out only the desired ports from host and jails
pass inet proto tcp from { self, $jailnet } to any port $tcp_services $tcpstate
pass inet proto udp from { self, $jailnet } to port $udp_services $udpstate

# Allow ssh connections in from the internet
pass in inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Pass in ssh traffic to the jails
# pass rules for nat redirect
pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state

# Pass traffic to the vpn
pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
#pass in inet proto tcp from any to $vpn port 1194 $udpstate
pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
#pass inet proto tcp from any to $vpn port 1194 $udpstate

# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# pass traffic from the asterisk server
pass inet proto { tcp, udp } to $asterisk port $voipports keep state

On 4/18/17, Ultima <ultima1252@gmail.com> wrote:
> I didn't have time to read and look through this entire post, but I think I
> know the issue you're running into and this suggestion should push you in
> the right direction.
>
> This rule, for example,
>
> rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
> rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
> # reflect for internal hosts
> rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
> rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>
> This is probably not giving you the results you desire. Basically, because
> no from or to ip is specified, ALL, and I quite literally mean ALL, packets
> using port 1194 are being sent to $vpn port 1194. Usually you want to make
> it something like,
>
> rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
> rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194
>
> Now the traffic will be passed only when the packet is going to the host,
> not all traffic on a specific port. Another thing you may want to do is
> combine many of these rules you have.
>
> rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
>
> Also note the above: because we are specifying any for from, we can remove
> the from clause entirely and make it shorter.
>
> Hope this helps
>
> Ultima
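The two things the reply above asks for, a destination host on every rdr rule (so that only packets addressed to the firewall are redirected, not every packet transiting it with that port) and one `proto { tcp, udp }` rule instead of a tcp/udp pair, can be checked mechanically before a config is loaded. The script below is an added example, not code from either poster or from pf; it understands only the plain `name="value"` macros and the rdr syntax used in this thread, and the sample config embedded in it is constructed from the rules quoted in the reply.

```python
"""Audit pf.conf 'rdr' rules for over-broad destinations and mergeable
tcp/udp pairs. Added example; handles only the macro and rdr syntax used
in the thread (no tables, anchors or nested lists)."""
import re

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_macros(conf):
    """Collect name="value" macro definitions as pf.conf writes them."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros):
    """Substitute $name references, longest names first so $vpn never clobbers $vpnnet."""
    for name in sorted(macros, key=len, reverse=True):
        line = line.replace('$' + name, macros[name])
    return line


def tokenize(line):
    """Split a rule into tokens, keeping a '{ a, b }' list as one token '{a,b}'."""
    line = re.sub(r'\{([^}]*)\}',
                  lambda m: '{' + ','.join(p.strip() for p in m.group(1).split(',')) + '}',
                  line)
    return line.split()


def parse_rdr(line, macros):
    """Extract interface, proto, from/to (with ports) and target from one rdr rule."""
    toks = tokenize(expand(line, macros))
    rule = {'on': None, 'proto': None, 'from': 'any', 'from_port': None,
            'to': None, 'to_port': None, 'target': None, 'target_port': None}
    i = 1  # toks[0] is 'rdr'
    while i < len(toks):
        t = toks[i]
        if t in ('on', 'proto'):
            rule[t] = toks[i + 1]
            i += 2
        elif t in ('from', 'to', '->'):
            key = 'target' if t == '->' else t
            rule[key] = toks[i + 1]
            i += 2
            if i < len(toks) and toks[i] == 'port':   # optional port after the address
                rule[key + '_port'] = toks[i + 1]
                i += 2
        else:
            i += 1  # inet/inet6 and other keywords this check does not need


    return rule


def rdr_rules(conf):
    """All rdr rules in the config, each tagged with its 1-based line number."""
    macros = parse_macros(conf)
    rules = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if line.startswith('rdr'):
            rule = parse_rdr(line, macros)
            rule['line'] = lineno
            rules.append(rule)
    return rules


def find_broad_rdr(conf):
    """Line numbers of rdr rules with 'to any' or no 'to' at all: they catch
    every packet crossing the interface with that port, whatever its destination."""
    return [r['line'] for r in rdr_rules(conf) if r['to'] in (None, 'any')]


def find_mergeable_rdr(conf):
    """Groups of rdr rules identical except for proto, with the merged proto clause."""
    groups = {}
    for r in rdr_rules(conf):
        key = (r['on'], r['from'], r['from_port'], r['to'], r['to_port'],
               r['target'], r['target_port'])
        groups.setdefault(key, []).append(r)
    merged = []
    for rules in groups.values():
        protos = sorted({r['proto'] for r in rules if r['proto']})
        if len(rules) > 1 and len(protos) > 1:
            merged.append((tuple(r['line'] for r in rules),
                           'proto { ' + ', '.join(protos) + ' }'))
    return merged


# Constructed sample: the rules quoted in the reply, then the tightened form.
SAMPLE_CONF = """\
ext_if="vtnet0"
int_if = "lo1"
vpn="10.8.0.1"
# as posted: no destination host, so every packet with dst port 1194 is redirected
rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
# tightened: only traffic addressed to the firewall, one rule for both protocols
rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
"""

if __name__ == '__main__':
    for lineno in find_broad_rdr(SAMPLE_CONF):
        print('line %d: rdr matches any destination address' % lineno)
    for lines, clause in find_mergeable_rdr(SAMPLE_CONF):
        print('lines %s: could be one rule with %s' % (lines, clause))
```

Run it against the sample and it reports lines 5 and 6 as over-broad and as a pair that could become one `proto { tcp, udp }` rule, while the tightened rule on line 8 passes. After editing the real file, `pfctl -nf /etc/pf.conf` parses it without loading, and `pfctl -s nat` shows the translation rules actually in the kernel, which is the quickest way to confirm a redirect is matching the host address rather than `any`.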
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAPORhP4_n-Gkzf-WgeEZHqzbPXnMgW3jKxe=stX2zcRHq7bN%2Bw>