From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 06:26:35 2007
Return-Path: <llevier@argosnet.com>
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8FE5C16A41F for <freebsd-pf@freebsd.org>; Thu, 5 Jul 2007 06:26:35 +0000 (UTC) (envelope-from llevier@argosnet.com)
Received: from mx.levier.org (ns.argosnet.com [213.251.139.26]) by mx1.freebsd.org (Postfix) with ESMTP id 4284F13C468 for <freebsd-pf@freebsd.org>; Thu, 5 Jul 2007 06:26:35 +0000 (UTC) (envelope-from llevier@argosnet.com)
Received: from localhost (ns [213.251.139.26]) by mx.levier.org (Postfix) with ESMTP id 27B02267E81 for <freebsd-pf@freebsd.org>; Thu, 5 Jul 2007 08:26:35 +0200 (CEST)
X-Virus-Scanned: amavisd-new at argosnet.com
Received: from mx.levier.org ([213.251.139.26]) by localhost (ns.levier.org [213.251.139.26]) (amavisd-new, port 10024) with ESMTP id MNGRWX8CISQa for <freebsd-pf@freebsd.org>; Thu, 5 Jul 2007 08:25:47 +0200 (CEST)
Received: from Osgiliath.argosnet.com (tirion.argosnet.com [82.224.1.141]) by mx.levier.org (Postfix) with ESMTP id BF688267E13 for <freebsd-pf@freebsd.org>; Thu, 5 Jul 2007 08:25:46 +0200 (CEST)
X-Mailer: QUALCOMM Windows Eudora Version 7.1.0.9
Date: Thu, 05 Jul 2007 08:25:42 +0200
To: freebsd-pf@freebsd.org
From: Laurent LEVIER <llevier@argosnet.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id: <20070705062546.BF688267E13@mx.levier.org>
Subject: Issue with PF on FreeBSD 6.2.5?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Thu, 05 Jul 2007 06:26:35 -0000

Hi All,

I am currently setting up a ChilliSpot server using the conup/condown command. Since the LAN will also be publicly available, I am using Chilli as UAM.
These con* scripts are launched with additional arguments (IP address, device) when a user is authenticated on the HotSpot. This way, I can update firewall rules dynamically to allow the authenticated user to pass... or to no longer pass when the session is over.

Apparently, the best way to solve this with pf is to use tables, since an anchor permits adding a rule, but not deleting the added rule (at least I did not find how to). But it seems it does not fully work for me.

If you read my pf.conf file at the end of this email, you will see I created a table "public_granted" that is associated with 2 rules:
1) a rdr to redirect to Squid transparently (the rule is before the one redirecting transparently to the Chilli authentication server)
2) a pass in quick rule to allow the new user to pass through.

The problem I have is:
- When the public_granted table is updated with a new IP address, pf lets the user pass through.
- But when I delete this IP from the table, pf keeps allowing the user to pass through.

I appreciate all advice to help me solve this weird situation.

Thanks in advance

My pf.conf:

### Options
# pf configuration
set block-policy return
set state-policy if-bound
# localhost
set skip on lo0

### Declarations
# Interface declaration
if_ext="nve0"    # Internet Interface
if_int="bge0"    # Public access Interface
if_wifi="tun0"   # WiFi Hotspot Interface
# Subnets declaration
net_public="192.168.254.0/24"
net_wifi_admin="192.168.253.252/30"
# IP declaration
ip_ext_me="192.168.0.100"
ip_wifi_me="192.168.254.1"
ip_wifi_admin_me="192.168.253.253"
ip_hotspot="192.168.253.254"

### Tables!
# Entries are added and removed at run time by conup/condown (pfctl -t public_granted -T add|delete)
table <public_granted> persist

### Redirections
# Squid redirection for authenticated users on Public
rdr on $if_int proto tcp from <public_granted> to 0.0.0.0/0 port 80 -> localhost port 8080
rdr on $if_wifi proto tcp from <public_granted> to 0.0.0.0/0 port 80 -> localhost port 8080
# Authentication portal for Public
rdr on $if_int proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990
rdr on $if_wifi proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990

### NAT
# Public to me on Internet side
nat on $if_ext from $net_public to any -> $ip_ext_me

### Filtering
# Hotspot is a typical network client
pass out quick from any to any keep state
# Who can admin me?
pass in log quick on $if_ext proto tcp from any to $ip_ext_me port = 22
## Logs from Public access side
# Syslog from access point sent to me
pass in log quick on $if_int proto udp from $ip_hotspot to $ip_wifi_admin_me port = 514
# DHCP
pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 67
pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 68
# DNS for Public
pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 53
pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 53
# DNS for WiFi
pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 53
pass in log quick on $if_wifi proto udp from $net_public to $ip_wifi_me port = 53
# Authentication portal for Public
pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 3990
pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 443
# Authentication portal for WiFi
pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 3990
pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 443
# Ping is granted to authenticated users (public_granted table)
pass in log quick on $if_wifi proto icmp from <public_granted> to $ip_wifi_me keep state
# Closing rule for Public & WiFi
block in log quick from any to $ip_wifi_me
block in log quick from any to $ip_wifi_admin_me
## HotSpot LAN configuration
# Table public_granted: contains granted users on Radius
pass in log quick on $if_int from <public_granted> to any keep state
pass in log quick on $if_wifi from <public_granted> to any keep state
# Finally block & log everything
block in log from any to any

Laurent LEVIER
Systems & Networks Senior Security Expert, CISSP CISM
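The point a practitioner wants checked in the setup above is that a pf table entry only matters while a rule is being evaluated: the moment a packet is matched by "pass in ... from <public_granted> ... keep state", a state entry is created, and every later packet of that session is matched against the state table before the rule set is consulted. Deleting the address from the table therefore stops new connections but leaves the already established ones alive until their states expire, which is exactly the symptom described. The usual fix is to kill the client's states at the same time as its table entry, with pfctl -k. The script below is an added example, not part of the original message and not ChilliSpot's own conup/condown code; it assumes the table name public_granted from the pf.conf above, pfctl at /sbin/pfctl (overridable through PFCTL), and an invented argument convention "up|down ADDRESS", since the real conup/condown environment and arguments are not shown on this page.

```shell
#!/bin/sh
# Added example: revoke/grant a hotspot client in the pf table public_granted
# and, on revocation, kill the client's existing states so the session really ends.
# Assumptions (not from the original mail): PFCTL path, TABLE name, argument
# convention "up|down ADDRESS". Adapt to what ChilliSpot actually passes in.

PFCTL=${PFCTL:-/sbin/pfctl}
TABLE=${TABLE:-public_granted}

# validate_ipv4 ADDRESS -> 0 for a dotted quad with four octets in 0..255, else 1.
# The argument ends up on a pfctl command line, so reject anything that is not
# digits and dots before touching it.
validate_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    while [ -n "$addr" ]; do
        octet=${addr%%.*}
        [ "$octet" -le 255 ] || return 1
        n=$((n + 1))
        case $addr in
            *.*) addr=${addr#*.} ;;
            *)   addr= ;;
        esac
    done
    [ "$n" -eq 4 ]
}

# grant_client ADDRESS: conup side, add the authenticated client to the table.
grant_client() {
    validate_ipv4 "$1" || { echo "grant_client: bad address '$1'" >&2; return 2; }
    "$PFCTL" -q -t "$TABLE" -T add "$1"
}

# revoke_client ADDRESS: condown side. Removing the table entry only affects
# rule evaluation for new packets; states created by "keep state" survive it,
# so kill them in both directions as well.
revoke_client() {
    validate_ipv4 "$1" || { echo "revoke_client: bad address '$1'" >&2; return 2; }
    "$PFCTL" -q -t "$TABLE" -T delete "$1"
    "$PFCTL" -q -k "$1"                 # states originating from the client
    "$PFCTL" -q -k 0.0.0.0/0 -k "$1"    # states from anywhere to the client (rdr/NAT leftovers)
}

# Command-line dispatch; with no arguments the file only defines the functions.
case ${1:-} in
    up)   grant_client "$2" ;;
    down) revoke_client "$2" ;;
    '')   ;;
    *)    echo "usage: $0 up|down ADDRESS" >&2; exit 64 ;;
esac
```

Both pfctl -k forms are documented pfctl usage: a single -k host kills states whose source is that host, and -k 0.0.0.0/0 -k host kills states from any source to that host. With "set state-policy if-bound" as in the pf.conf above, the states are per interface, but -k matches on addresses and kills them regardless of interface.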