From: FreeBSD
To: Ivan Petrushev
Cc: freebsd-pf@freebsd.org
Date: Wed, 23 Jul 2008 13:43:09 -0400
Subject: Re: Why this rule doesn't score a match?
Message-id: <48876DAD.9080100@optiksecurite.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Ivan Petrushev wrote:
> Hello,
> I'm trying a very simple 'block all, allow a few' firewall, but
> something doesn't seem right.
> As far as I remember 'the right matched rule' is taken and executed -
> this doesn't seem to be working here.
> Here is my firewall:
> #####################
> #macros
> if = "re0"
> ext_ip = "10.10.10.21"
> tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
> udp_services = "{domain, 5190, 5222, ftp}"
>
> #filter
> block in log on $if
> pass on $if proto tcp from any port $tcp_services
> pass on $if proto udp from any port $udp_services
> ####################
> The point here is that if a packet for one of the listed services is
> matched against the rules, it will match the block rule, but after
> that it will match one of the last two and get passed. Instead it gets
> blocked and I see it in the log:
> tcpdump -n -i pflog0
> 19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111: tcp 24
> [bad hdr length 0 - too short, < 20]
> (there are many of these, including on the other ports)
>
> Now, there is something different. I tried removing the block rule
> and added logging for the 'pass' rules. In that case a packet
> traveling down the rules should match only on the 'pass' rules and get
> logged.
> ####################
> #filter
> #block in log on $if
> pass log on $if proto tcp from any port $tcp_services
> pass log on $if proto udp from any port $udp_services
> ####################
>
> Well, it doesn't get logged. The only thing I see in the log is:
> 20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]
> And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or 80...
>
> What could be wrong here? It is a fairly simple ruleset.
>

You should try "pass in on $if proto tcp from any to $ext_ip port $tcp_services flags S/SA keep state" and "pass in on $if proto udp from any to $ext_ip port $udp_services keep state".

Your rule expects the traffic to come FROM $tcp_services, but it is going TO those ports.

You can omit the "flags S/SA keep state" and the "keep state" if you're using FreeBSD 7; it is added automatically.
I would also suggest you use "block all log" instead of "block in log" and specify rules for your outgoing traffic too.

Good luck

Martin
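As an added illustration (not part of Martin's reply or of pf itself), the following Python toy models pf's "last matching rule wins" evaluation and runs the posted ruleset and the suggested one over two constructed packets, showing which rule decides in each case. The SERVICES subset, the 203.0.113.5 client address and the ephemeral port numbers are assumptions made for the example; the model has no state table, so replies are judged by rules alone.

```python
from collections import namedtuple

# Subset of /etc/services, which pf uses to resolve service names to ports (assumed).
SERVICES = {"http": 80, "https": 443, "ssh": 22, "domain": 53, "ftp": 21}

def ports(spec):
    """Expand a pf-style list like '{http, 5190}' into a set of port numbers."""
    names = spec.strip("{}").replace(",", " ").split()
    return {SERVICES[n] if n in SERVICES else int(n) for n in names}

# A packet as pf sees it on the interface: direction is "in" or "out".
Packet = namedtuple("Packet", "direction proto src sport dst dport")

def rule(action, direction=None, proto=None, dst=None, sport=None, dport=None):
    """Build a rule; None means 'not constrained', sets are pf port lists."""
    def matches(p):
        return ((direction in (None, p.direction))
                and (proto in (None, p.proto))
                and (dst in (None, p.dst))                 # 'to $ext_ip'
                and (sport is None or p.sport in sport)    # 'from any port {...}'
                and (dport is None or p.dport in dport))   # 'to ... port {...}'
    return action, matches

def evaluate(rules, pkt):
    """pf without 'quick': the last matching rule decides; no match means pass."""
    decision = "pass"
    for action, matches in rules:
        if matches(pkt):
            decision = action
    return decision

EXT_IP = "10.10.10.21"
TCP = ports("{http, https, ssh, domain, 5190, 5222, ftp, 1025}")
UDP = ports("{domain, 5190, 5222, ftp}")

# Ruleset as posted: the pass rules key on the packet's *source* port.
ORIGINAL = [rule("block", direction="in"),
            rule("pass", proto="tcp", sport=TCP),
            rule("pass", proto="udp", sport=UDP)]
# Ruleset as suggested in the reply: inbound traffic *to* the service ports
# (real pf would also pass replies via the state the outgoing packet created).
CORRECTED = [rule("block", direction="in"),
             rule("pass", direction="in", proto="tcp", dst=EXT_IP, dport=TCP),
             rule("pass", direction="in", proto="udp", dst=EXT_IP, dport=UDP)]

# Constructed: a remote client opening a connection to the local web server.
INBOUND_HTTP = Packet("in", "tcp", "203.0.113.5", 51234, EXT_IP, 80)
# The DNS reply from the thread's pflog output: 10.10.10.1.53 > 10.10.10.21.60918
DNS_REPLY = Packet("in", "udp", "10.10.10.1", 53, EXT_IP, 60918)
```

evaluate(ORIGINAL, INBOUND_HTTP) returns "block" because the connection attempt carries an ephemeral source port, while evaluate(CORRECTED, INBOUND_HTTP) returns "pass"; the DNS reply, whose source port is 53, is the only kind of packet the posted "from any port" rules match, which fits what the second test logged.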