Date:      Wed, 19 Apr 2017 20:27:26 -0400
From:      Ultima <ultima1252@gmail.com>
To:        David Mehler <dave.mehler@gmail.com>
Cc:        FreeBSD Mailing List <freebsd-questions@freebsd.org>, freebsd-pf@freebsd.org
Subject:   Re: freebsd 10.3, pf, and openvpn
Message-ID:  <CANJ8om7MxW_x%2BKi8SKha0XB5eHRUpSJS6FiQXCGx0Z9boeh8zw@mail.gmail.com>
In-Reply-To: <CANJ8om4H5PgPF8L72NQCNGf_OBAKt--rgm65A9D7iJF3Wrx-Eg@mail.gmail.com>
References:  <CAPORhP5eEoUC46taW9WKzBoxSEerDp-t0XrH=MPNYE8FNtLXyg@mail.gmail.com> <CANJ8om6Aab3tnf%2BVNo1N8owU462XoawbGghJxwA6aH3p9_bLpg@mail.gmail.com> <CAPORhP4_n-Gkzf-WgeEZHqzbPXnMgW3jKxe=stX2zcRHq7bN%2Bw@mail.gmail.com> <CANJ8om6FX9QvdP5vxMLdRU6P8ML-dY_yw%2BqB3u3BfYJLrGfGrg@mail.gmail.com> <CAPORhP5UEyW9Cz21PN5Bnt_7V-yBNHCJkpPad6PstDS-5DLwGQ@mail.gmail.com> <CANJ8om4H5PgPF8L72NQCNGf_OBAKt--rgm65A9D7iJF3Wrx-Eg@mail.gmail.com>

I forgot to mention, make sure the ext_gateway variable is changed to the
correct gateway.

On Wed, Apr 19, 2017 at 8:24 PM, Ultima <ultima1252@gmail.com> wrote:

> I keep looking at the rules and finally decided to rewrite some of them.
> This may not fix the issue you are having with openvpn tho. The issue with
> that is most likely the passing out rules. This rule is kinda written weird
> and I suggest just removing it and passing everything out and verifying if
> that is the cause. The problem is many connections that the host will open
> are opened at the high end ports, I believe it was around 40000:65535. I
> could be wrong tho and hope someone corrects my errors if so.
>
> > # Pass out only the desired ports from host and jails
> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
> > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>
> If you're still having issues with openvpn, with this ruleset, then first, try
> changing the block all rule to block on ext_if. This will determine if a
> pass rule internally is the cause.
>
> > block all
> block on $ext_if all
>
> Going to CC freebsd-pf@freebsd.org. I hope this helps.
>
> Ultima
>
>
> #
> # Required order: macros, options, normalization, queueing,
> # translation, filtering.
> # Note: translation rules are first match while filter rules are last match.
>
> # Macros
> ext_if="vtnet0"
> ext_gateway="10.0.0.1"
> int_if = "lo1"
> vpn_if = "tun0"
> jailnet = "10.0.0.0/8"
> vpnnet="10.8.0.0/8"
> icmp_types="{echoreq, unreach}"
> #IPV6 ICMP types:
> # packet too big and echo request type ping
> # Neighbor Discovery Protocol (NDP) (types 133-137):
> #   Router Solicitation (RS), Router Advertisement (RA)
> #   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
> #   Route Redirection
> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
> tcpstate="flags S/SA modulate state"
> udpstate="keep state"
>
> # allowed traffic
> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, 500, 50, 51}"
>
> # Name and IP of jails
> webmail="10.0.0.15"
> # Name and IP of jailed ssh servers
> jssh1="10.0.0.15"
> jssh2="10.0.0.16"
> jssh3="10.0.0.17"
> jssh4="10.0.0.18"
> jssh1_tcp="2220"
> jssh2_tcp="2221"
> jssh3_tcp="2222"
> jssh4_tcp="2223"
> # The Asterisk Server
> asterisk="10.0.0.17"
> asterisk_tcp="5060:5061"
> asterisk_udp="5060, 10000:10500"
> # The vpn server
> vpn="10.8.0.1"
>
> # Options
> # block-policy can be either drop or return
> set block-policy drop
> set optimization conservative
> set skip on lo0
>
> # Normalization
> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
> # firewall. Set random-id to help same.
> # Set mss to ATM network frame size for easy splitting upstream.
> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>
> # NAT
> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
> nat on $ext_if from $vpnnet to any -> ($ext_if)
>
> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
> # External redirect & reflect for internal hosts
> # Note, the -> $ip port $port is only required for port triggering.
> # All four redirects share one tag: a pf "tagged" clause accepts a single tag,
> # so the pass rules below match on "jssh" rather than on a list of tags.
> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh1_tcp } tag jssh -> $jssh1
> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh2_tcp } tag jssh -> $jssh2
> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh3_tcp } tag jssh -> $jssh3
> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh4_tcp } tag jssh -> $jssh4
>
> # Redirect traffic to the vpn server
> # External redirect
> rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn
>
> # Redirect traffic to the asterisk server
> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
> # RTSP ports 10000 to 10500
> rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag asterisk_udp -> $asterisk
> rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag asterisk_tcp -> $asterisk
>
> # Tables
> table <bruteforce> persist file "/etc/pf/bruteforce"
> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
> table <fail2ban> persist file "/etc/pf/fail2ban"
> table <martians> persist file "/etc/pf/martians"
> # The ZeuS blocklist of c&c servers
> table <ZeuS> persist file "/etc/pf/ZeuS"
> # The malwaredomain ip block list
> table <malwaredomain> persist file "/etc/pf/malwaredomain"
> # Table of selected country IP addresses
> table <blocked_countries> persist file "/etc/pf/blocked_countries"
> # Table of apache mod_evasive blocks
> table <evasive> persist file "/etc/pf/evasive"
>
> antispoof for { $ext_if, $int_if }
>
> # Start by blocking by default
> block all
>
> # Block anything in the blocked_countries table first
> block in quick from <blocked_countries>
>
> # Block nmap scans
> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>
> # Explicitly block unroutable addresses
> block drop in quick on $ext_if from <martians> to any
> block drop out quick on $ext_if from any to <martians>
>
> # Explicitly block anything in the bruteforce table
> block in quick from <bruteforce>
>
> # Explicitly block anything in the fail2ban table
> block in quick from <fail2ban>
>
> # Explicitly block anything in the droplasso table
> block in quick from <droplasso>
>
> # Explicitly block anything in the ZeuS table
> block in quick from <ZeuS>
>
> # Explicitly block anything in the malwaredomain table
> block in quick from <malwaredomain>
>
> # Block anything in the evasive table
> block in quick from <evasive>
>
> # allow ping and host unreach
> pass inet proto icmp icmp-type $icmp_types keep state
>
> # Traceroute
> # allow out the default range for traceroute(8):
> # "base+nhops*nqueries-1" (33434+64*3-1)
> pass inet proto udp to port 33433:33626 # For IPv4
>
> # Pass out only the desired ports from host and jails
> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>
> # Allow ssh connections in from the internet
> pass in inet proto tcp from any to ($ext_if) port ssh \
>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> # Pass in ssh traffic to the jails
> # pass rules for nat redirect
> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh \
>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> pass in on $int_if inet proto tcp tagged jssh flags S/SA keep state
>
> # Pass traffic to the vpn
> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } tagged vpn $udpstate
> pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
> pass out on tun0 keep state
> #pass quick on tun0 all keep state
>
> # Pass in smtp, http, https, submission, imaps traffic from the internet
> pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \
>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>
> # pass traffic from the asterisk server
> pass inet proto tcp tagged asterisk_tcp keep state
> pass inet proto udp tagged asterisk_udp keep state
>
> On Wed, Apr 19, 2017 at 11:06 AM, David Mehler <dave.mehler@gmail.com>
> wrote:
>
>> Hi,
>>
>> Thanks. Still no go on the vpn. In answer to your questions:
>>
>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>> > $tcp_services $tcpstate
>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port
>> > $udp_services $udpstate
>>
>> I've got only a selected list of ports that I want in or out,
>> everything else should be blocked.
>>
>> I tried commenting out the pass quick on tun0 all and replaced it with
>> set skip on tun0, no joy.
>>
>> I took out the second nat line on the vpnnet; as of now I'm wanting to
>> keep the jailnet and the vpnnet ranges the same, though if this issue
>> doesn't soon resolve I might change that idea.
>>
>> > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>> > (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>
>> What I wanted to achieve with this was nat reflection, external
>> connections to these hosts worked fine on the desired ports, but on
>> the host itself if I tried to do an ssh to one of my jails port 2220
>> it failed; these rules corrected that.
>>
>> Right now I'll settle for working.
>>
>> Thanks.
>> Dave.
>>
>> On 4/19/17, Ultima <ultima1252@gmail.com> wrote:
>> > After a full look, I suspect this being a problem entry.
>> >
>> >> # Pass out only the desired ports from host and jails
>> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>> >> $tcp_services $tcpstate
>> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port
>> >> $udp_services $udpstate
>> >
>> > Try commenting them and adding pass out all or pass inet proto { tcp, udp }
>> > any and see if that works.
>> >
>> >
>> >> pass quick on tun0 all keep state
>> > This is another problem area, but probably not the cause. The quick is
>> > probably not handled as you are expecting. Pf reads the filtering rules in
>> > priority from bottom to top, bottom being highest priority to top being
>> > lowest priority. When quick is added, this is more or less reversed for the
>> > rule and because it's near the bottom it has a lower priority. In general
>> > the "quick" directive can make pf very confusing and a ruleset harder to
>> > read so other than the top blocking entries with quick, I suggest never
>> > using it, or use it for all filters and make it simple the opposite way.
>> >
>> >
>> >> jailnet = "10.0.0.0/8"
>> >> vpnnet="10.8.0.0/8"
>> > One thing I noticed is that the subnet chosen is an /8 subnet. Because of
>> > this, the entire 10.* address space applies to jailnet making all jailnet +
>> > vpnnet entries redundant. This also allows all addresses to communicate, at
>> > least if pf isn't filtering them. Usually segmenting the subnet is desired
>> > to limit communication between them.
>> >
>> >> pass quick on lo0 all
>> > Why not just skip on lo0?
>> >
>> >
>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
>> >> global)
>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>> > Why do these nearly duplicate rules exist?
>> >
>> >
>> > Optimizing pf is fun, but one thing that is important to remember is the
>> > more rules added, the more cycles used per packet. This is typically not
>> > noticed on small deployments but it can become a huge issue if grown.
>> >
>> > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler <dave.mehler@gmail.com>
>> > wrote:
>> >
>> >> Hello Ultima,
>> >>
>> >> Thank you for your reply. Thanks for the information, I'm liking the
>> >> new way the rules are looking. Unfortunately, still no go on the vpn.
>> >> Everything else is working, just not the vpn.
>> >>
>> >> Thanks.
>> >> Dave.
>> >> PS, here's my rules as they stand now.
>> >>
>> >> pf.conf:
>> >> #
>> >> # Required order: macros, options, normalization, queueing,
>> >> # translation, filtering.
>> >> # Note: translation rules are first match while filter rules are last match.
>> >>
>> >> # Macros
>> >> ext_if="vtnet0"
>> >> int_if = "lo1"
>> >> vpn_if = "tun0"
>> >> jailnet = "10.0.0.0/8"
>> >> vpnnet="10.8.0.0/8"
>> >> icmp_types="{echoreq, unreach}"
>> >> #IPV6 ICMP types:
>> >> # packet too big and echo request type ping
>> >> # Neighbor Discovery Protocol (NDP) (types 133-137):
>> >> #   Router Solicitation (RS), Router Advertisement (RA)
>> >> #   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>> >> #   Route Redirection
>> >> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>> >> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
>> >> tcpstate ="flags S/SA modulate state"
>> >> udpstate ="keep state"
>> >> voipports = "{5060, 5061, 10000:10500}"
>> >>
>> >> # allowed traffic
>> >> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>> >> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, 4500, 500, 50, 51}"
>> >>
>> >> # Name and IP of jails
>> >> webmail="10.0.0.15"
>> >> # Name and IP of jailed ssh servers
>> >> jssh1="10.0.0.15"
>> >> jssh2="10.0.0.16"
>> >> jssh3="10.0.0.17"
>> >> jssh4="10.0.0.18"
>> >> # The Asterisk Server
>> >> asterisk="10.0.0.17"
>> >> # The vpn server
>> >> vpn="10.8.0.1"
>> >>
>> >> # Options
>> >> # block-policy can be either drop or return
>> >> set block-policy drop
>> >> set optimization conservative
>> >> set skip on tun0
>> >>
>> >> # Normalization
>> >> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>> >> # firewall. Set random-id to help same.
>> >> # Set mss to ATM network frame size for easy splitting upstream.
>> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>> >>
>> >> # NAT
>> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
>> >>
>> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
>> >> # External redirect
>> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
>> >> # reflect for internal hosts
>> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
>> >>
>> >> # External redirect
>> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
>> >> # reflect for internal hosts
>> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
>> >>
>> >> # External redirect
>> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
>> >> # reflect for internal hosts
>> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
>> >>
>> >> # External redirect
>> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
>> >> # reflect for internal hosts
>> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223
>> >>
>> >> # Redirect traffic to the vpn server
>> >> # External redirect
>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port 1194
>> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn port 1194
>> >> # reflect for internal hosts
>> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
>> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn port 1194
>> >>
>> >> # Redirect traffic to the asterisk server
>> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> $asterisk port 5060
>> >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
>> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port 5061
>> >> # RTSP ports 10000 to 10500
>> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk port 10000:10500
>> >>
>> >> # Tables
>> >> table <bruteforce> persist file "/etc/pf/bruteforce"
>> >> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
>> >> table <fail2ban> persist file "/etc/pf/fail2ban"
>> >> table <martians> persist file "/etc/pf/martians"
>> >> # The ZeuS blocklist of c&c servers
>> >> table <ZeuS> persist file "/etc/pf/ZeuS"
>> >> # The malwaredomain ip block list
>> >> table <malwaredomain> persist file "/etc/pf/malwaredomain"
>> >> # Table of selected country IP addresses
>> >> table <blocked_countries> persist file "/etc/pf/blocked_countries"
>> >> # Table of apache mod_evasive blocks
>> >> table <evasive> persist file "/etc/pf/evasive"
>> >>
>> >> # for the spamd greylist/blacklist service
>> >> # (not related to spamassassin's spamd daemon)
>> >> #table <spamd> persist
>> >> #table <spamd-white> persist
>> >>
>> >> antispoof for $ext_if
>> >> antispoof for $int_if
>> >>
>> >> # Start by blocking by default
>> >> block all
>> >>
>> >> # Block anything in the blocked_countries table first
>> >> block in quick from <blocked_countries>
>> >>
>> >> # Block nmap scans
>> >> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>> >>
>> >> # Explicitly block unroutable addresses
>> >> block drop in quick on $ext_if from <martians> to any
>> >> block drop out quick on $ext_if from any to <martians>
>> >>
>> >> # Explicitly block anything in the bruteforce table
>> >> block in quick from <bruteforce>
>> >>
>> >> # Explicitly block anything in the fail2ban table
>> >> block in quick from <fail2ban>
>> >>
>> >> # Explicitly block anything in the droplasso table
>> >> block in quick from <droplasso>
>> >>
>> >> # Explicitly block anything in the ZeuS table
>> >> block in quick from <ZeuS>
>> >>
>> >> # Explicitly block anything in the malwaredomain table
>> >> block in quick from <malwaredomain>
>> >>
>> >> # Block anything in the evasive table
>> >> block in quick from <evasive>
>> >>
>> >> # pass everything on the loopback interface
>> >> pass quick on lo0 all
>> >>
>> >> # allow ping and host unreach
>> >> pass inet proto icmp icmp-type $icmp_types keep state
>> >>
>> >> # Traceroute
>> >> # allow out the default range for traceroute(8):
>> >> # "base+nhops*nqueries-1" (33434+64*3-1)
>> >> pass inet proto udp to port 33433:33626 # For IPv4
>> >>
>> >> # Pass out only the desired ports from host and jails
>> >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services $tcpstate
>> >> pass inet proto udp from { self, $jailnet } to port $udp_services $udpstate
>> >>
>> >> # Allow ssh connections in from the internet
>> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state \
>> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> >> # Pass in ssh traffic to the jails
>> >> # pass rules for nat redirect
>> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state \
>> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
>> >>
>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state \
>> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>> >>
>> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state \
>> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
>> >>
>> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state \
>> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
>> >>
>> >> # Pass traffic to the vpn
>> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
>> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
>> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
>> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate
>> >>
>> >> # Pass in http traffic from the internet
>> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state \
>> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> >>
>> >> # Pass in https traffic from the internet
>> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state \
>> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> >>
>> >> # Pass in smtp traffic from the internet
>> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state \
>> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> >>
>> >> # Pass in submission traffic from the internet
>> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state \
>> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> >>
>> >> # Pass in imaps traffic from the internet
>> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state \
>> >>     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> >>
>> >> # pass traffic from the asterisk server
>> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state
>> >>
>> >>
>> >> On 4/18/17, Ultima <ultima1252@gmail.com> wrote:
>> >> > I didn't have time to read and look through this entire post, but I
>> >> > think I know the issue you're running into and this suggestion should
>> >> > push you in the right direction.
>> >> >
>> >> > this rule for example,
>> >> >
>> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
>> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>> >> > # reflect for internal hosts
>> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
>> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>> >> >
>> >> > This is probably not giving you the results you desire. Basically,
>> >> > because no from or to ip is specified, ALL (and I quite literally mean
>> >> > ALL) packets using port 1194 are being sent to $vpn port 1194. Usually
>> >> > you want to make it something like,
>> >> >
>> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
>> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194
>> >> >
>> >> > Now the traffic will be passed only when the packet is going to the
>> >> > host, not all traffic on a specific port. Another thing you may want to
>> >> > do is combine many of these rules you have.
>> >> >
>> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
>> >> >
>> >> > Also note the above, because we are specifying any for from, we can
>> >> > remove the from rule entirely and make it shorter.
>> >> >
>> >> > Hope this helps
>> >> >
>> >> > Ultima
>> >> >
>> >>
>> >
>>
>
>
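As an added illustration (not code from the thread), here is a small Python model of the two pf behaviours discussed above: the last matching filter rule wins unless a matching rule is `quick`, and a `/8` mask on `vpnnet` collapses onto `jailnet`. The ruleset is a simplified stand-in for the thread's pf.conf and the `<blocked_countries>` entry is a constructed sample.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    direction: Optional[str] = None          # "in", "out" or None for both
    iface: Optional[str] = None              # interface name, None = any
    proto: Optional[str] = None              # "tcp", "udp", None = any
    src: Optional[str] = None                # source CIDR, None = any
    dport: Optional[Tuple[int, int]] = None  # inclusive port range, None = any
    quick: bool = False
    label: str = ""


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dport: int


def normalised(cidr: str) -> str:
    """How pf (and ipaddress) read a mask: host bits are dropped, so the
    thread's vpnnet 10.8.0.0/8 is the same network as jailnet 10.0.0.0/8."""
    return str(ip_network(cidr, strict=False))


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if rule.dport and not (rule.dport[0] <= pkt.dport <= rule.dport[1]):
        return False
    return True


def evaluate(rules, pkt: Packet) -> Optional[Rule]:
    """pf filter semantics: walk top to bottom, remember the LAST match,
    but a matching 'quick' rule ends evaluation immediately."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner


# Simplified stand-ins for the thread's rules, in the same order.
JAILNET = "10.0.0.0/8"
BLOCKED_COUNTRIES = "203.0.113.0/24"  # constructed sample for <blocked_countries>
RULESET = [
    Rule("block", label="block all"),
    Rule("block", "in", src=BLOCKED_COUNTRIES, quick=True, label="block in quick from <blocked_countries>"),
    Rule("pass", proto="tcp", src=JAILNET, dport=(22, 22), label="pass tcp from jailnet to port ssh"),
    Rule("pass", "in", iface="vtnet0", proto="tcp", dport=(22, 22), label="pass in on vtnet0 tcp to port ssh"),
    Rule("pass", iface="tun0", quick=True, label="pass quick on tun0 all"),
]


def decide(pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule pf would apply to pkt."""
    rule = evaluate(RULESET, pkt)
    return (rule.action, rule.label) if rule else ("block", "no match")
```

A 10.8.x.x source is passed by the `jailnet` rule, and a `pass quick on tun0` placed last never rescues traffic on `vtnet0`, which is the point made in the thread about `quick` near the bottom of a ruleset.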


