From owner-freebsd-questions@freebsd.org Thu Apr 20 00:27:28 2017 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 13602D4565F; Thu, 20 Apr 2017 00:27:28 +0000 (UTC) (envelope-from ultima1252@gmail.com) Received: from mail-yb0-x233.google.com (mail-yb0-x233.google.com [IPv6:2607:f8b0:4002:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id BE83C112F; Thu, 20 Apr 2017 00:27:27 +0000 (UTC) (envelope-from ultima1252@gmail.com) Received: by mail-yb0-x233.google.com with SMTP id s22so18892559ybe.3; Wed, 19 Apr 2017 17:27:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=a2yneehXTS1OGSPPIx9E7jcz8o46BkOg98AakciHcvc=; b=gKdjvS941qoRDAWBYtwBN8/HvQREcG+xTCiHFNBtirzxx0dlEOJNqZ8DKfqjIDlTmQ MrHb/bI+3HIjE88FL8dBMUAnpc0lFr291vPZFg+AJb0GBU7C0R2Tk4wcUoP2ctR5sHJ0 156tsnJ2nwvtAr4BvHKHivkYCj2cEpkrcQbXmUpfqSILXoxH96bHX9gPoOjnvJi4yHAS 4Yeevr23+aIIBkWs/cZqDrw+KejUnWgkYNBtGEwR9KlsPjgBp5+x0FQVVNJ8F+Vq1kLf qKeXZOCqMk8hQk2h4bMkWpE68LnTLPENWu5hMilmXUZgqhQ4uIQN3SSUlcgH923aCQao Q8VA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=a2yneehXTS1OGSPPIx9E7jcz8o46BkOg98AakciHcvc=; b=kRVq07iIkYVRrtWcp4yRZZzbEYlh8u5/yJ8NvOgy97TL5Gmy34CcInZ5vHfZ3xQVN2 iFNkdcPGf3Hsd8SAzMF2PfunRwo1nlz9VEdFb0bkYHXIV3sjqQ86qMoa+8Jc0JIeTo0T nuyus7h5/1gM+9YRZDfBtxHI2/3Tw84+hxlLUSOlgGHbrLmOwE6M/ktSpvlIa7pjnWDt QVYztgAJa1o1KiPr7Ote9VT8o8d3pwzHw2Ahsr/g21oSLq117zw1Pzpmb4GbWYPpPq+U fB4lC8NOjsIGl6yKz7P9EiKlu9EBx9YBRmu1siYz2jOZQ1qG2D1tJhSYQRU4xvtAS+zS 8YKQ== X-Gm-Message-State: AN3rC/7rM4iam3J8XvqzoTkihMzli3+7YOuEGvc4pQYOB3I0qcb4ArMG NmlsZ6CntZtdhf2YsVhTxnXmTfSfCXJm X-Received: by 10.37.173.29 with SMTP id y29mr4514394ybi.52.1492648046805; Wed, 19 Apr 2017 17:27:26 -0700 (PDT) MIME-Version: 1.0 Received: by 10.129.72.144 with HTTP; Wed, 19 Apr 2017 17:27:26 -0700 (PDT) In-Reply-To: References: From: Ultima Date: Wed, 19 Apr 2017 20:27:26 -0400 Message-ID: Subject: Re: freebsd 10.3, pf, and openvpn To: David Mehler Cc: FreeBSD Mailing List , freebsd-pf@freebsd.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Apr 2017 00:27:28 -0000 I forgot to mention, make sure the ext_gateway variable changed to the correct gateway. On Wed, Apr 19, 2017 at 8:24 PM, Ultima wrote: > I keep looking at the rules and finally decided to rewrite some of them. > This may not fix the issue you are having with openvpn tho. The issue wit= h > that is most likely the passing out rules. This rule is kinda written wie= rd > and I suggest just removing it and passing everything out and verifying i= f > that is the cause. The problem is many connections that the host will ope= n > is opened at the high end ports, I believe it was around 40000:65535. I > could be wrong tho and hope someone corrects my errors if so. > > > # Pass out only the desired ports from host and jails > > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port > $tcp_services $tcpstate > > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_service= s > $udpstate > > If ur still having issues with openvpn, with this ruleset, then first, tr= y > changing the block all rule to block on ext_if. This will determine if a > pass rule internally is the cause. > > > block all > block on $ext_if all > > Going to CC freebsd-pf@freebsd.org I hope this helps > > Ultima > > > # > # Required order: macros, options, normalization, queueing, > # translation, filtering. > # Note: translation rules are first match while filter rules are last > match. > > # Macros > ext_if=3D"vtnet0" > ext_gateway=3D"10.0.0.1" > int_if =3D "lo1" > vpn_if =3D "tun0" > jailnet =3D "10.0.0.0/8" > vpnnet=3D"10.8.0.0/8" > icmp_types=3D"{echoreq, unreach}" > #IPV6 ICMP types: > # packet to big and echo request type ping > # Neighbor Discovery Protocol (NDP) (types 133-137): > # Router Solicitation (RS), Router Advertisement (RA) > # Neighbor Solicitation (NS), Neighbor Advertisement (NA) > # Route Redirection > icmp6_types=3D"{ 2, 128, 133, 134, 135, 136, 137 }" > #synstate=3D"flags S/SA synproxy state (max-src-conn 15, max-src-conn-rat= e > 5/3, overload flush global)" > tcpstate=3D"flags S/SA modulate state" > udpstate=3D"keep state" > > # allowed traffic > tcp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, > http, imap, https, submission, imaps, 2703}" > udp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, > http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, > 500, 50, 51}" > > # Name and IP of jails > webmail=3D"10.0.0.15" > # Name and IP of jailed ssh servers > jssh1=3D"10.0.0.15" > jssh2=3D"10.0.0.16" > jssh3=3D"10.0.0.17" > jssh4=3D"10.0.0.18" > jssh1_tcp=3D"2220" > jssh2_tcp=3D"2221" > jssh3_tcp=3D"2222" > jssh4_tcp=3D"2223" > # The Asterisk Server > asterisk=3D"10.0.0.17" > asterisk_tcp=3D"5060:5061" > asterisk_udp=3D"5060, 10000:10500" > # The vpn server > vpn=3D"10.8.0.1" > > # Options > # block-policy can be either drop or return > set block-policy drop > set optimization conservative > set skip on lo0 > > # Normalization > # normalize all incoming traffic. Set ttl 254: limits mapping of hosts > behind > # firewall. Set random-id to help same. > # Set mss to ATM network frame size for easy splitting upstream. > scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp > fragment reassemble > > # NAT > nat on $ext_if from $jailnet to any -> ($ext_if) static-port > nat on $ext_if from $vpnnet to any -> ($ext_if) > > # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to > jailed ssh servers > # External redirect & reflect for internal hosts > # Note, the -> $ip port $port is only required for port triggering. > rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } > port { $jssh1_tcp } tag jssh1 -> $jssh1 > rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } > port { $jssh2_tcp } tag jssh2 -> $jssh2 > rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } > port { $jssh3_tcp } tag jssh3 -> $jssh3 > rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } > port { $jssh4_tcp } tag jssh4 -> $jssh4 > > # Redirect traffic to the vpn server > # External redirect > rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), > ($int_if) } port 1194 tag vpn -> $vpn > > # Redirect traffic to the asterisk server > # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling. > # RTSP ports 10000 to 10500 > rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag > asterisk_udp -> $asterisk > rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag > asterisk_tcp -> $asterisk > > # Tables > table persist file "/etc/pf/bruteforce" > table persist file "/etc/pf/pf.drop.lasso.conf" > table persist file "/etc/pf/fail2ban" > table persist file "/etc/pf/martians" > # The ZeuS blocklist of c&c servers > table persist file "/etc/pf/ZeuS" > # The malwaredomain ip block list > table persist file "/etc/pf/malwaredomain" > # Table of selected country IP addresses > table persist file "/etc/pf/blocked_countries" > # Table of apache mod_evasive blocks > table persist file "/etc/pf/evasive" > > antispoof for { $ext_if, $int_if } > > # Start by blocking by default > block all > > # Block anything in the blocked_countries table first > block in quick from > > # Block nmap scans > block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP > > # Explicitly block unroutable addresses > block drop in quick on $ext_if from to any > block drop out quick on $ext_if from any to > > # Explicitly block anything in the bruteforce table > block in quick from > > # Explicitly block anything in the fail2ban table > block in quick from > > # Explicitly block anything in the droplasso table > block in quick from > > # Explicitly block anything in the ZeuS table > block in quick from > > # Explicitly block anything in the malwaredomain table > block in quick from > > # Block anything in the evasive table > block in quick from > > # allow ping and host unreach > pass inet proto icmp icmp-type $icmp_types keep state > > # Traceroute > # allow out the default range for traceroute(8): > # =E2=80=9Dbase+nhops*nqueries-1=E2=80=9D (33434+64*3-1) > pass inet proto udp to port 33433:33626 # For IPv4 > > # Pass out only the desired ports from host and jails > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port > $tcp_services $tcpstate > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services > $udpstate > > # Allow ssh connections in from the internet > pass in inet proto tcp from any to ($ext_if) port ssh \ > flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload > flush global) > # Pass in ssh traffic to the jails > # pass rules for nat redirect > pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged > jssh1 jssh2 jssh3 jssh4 \ > flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload > flush global) > pass in on $int_if inet proto tcp tagged jssh1 jssh2 jssh3 jssh4 flags > S/SA keep state > > # Pass traffic to the vpn > pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } > tagged vpn $udpstate > pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate > pass out on tun0 keep state > #pass quick on tun0 all keep state > > # Pass in smtp, http, https, submission, imaps traffic from the internet > pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \ > flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload > flush global) > > # pass traffic from the asterisk server > pass inet proto tcp tagged asterisk_tcp keep state > pass inet proto udp tagged asterisk_udp keep state > > On Wed, Apr 19, 2017 at 11:06 AM, David Mehler > wrote: > >> Hi, >> >> Thanks. Still no go on the vpn.In answer to your questions: >> >> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port >> >> > $tcp_services $tcpstate >> >> > pass inet proto udp from {self, $jailnet, $vpnnet} to port >> >> > $udp_services $udpstate >> >> >> >> >> I've got only a selected list of ports that I want in or out, >> everything else should be blocked. >> >> I tried commenting out the pass quick on tun0 all and replaced it with >> set skip on tun0 no joy. >> >> I took out the second nat line on the vpnnet as of now I'm wanting to >> keep the jailnet and the vpnnet ranges the same, though if this issue >> doesn't soon resolve I might change that idea. >> >> >> > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> >> >> global) >> >> > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state >> >> >> What I wanted to achieve with this was nat reflection, external >> connections to these hosts worked fine on the desired ports, but on >> the host itself if I tried to do an ssh to one of my jails port 2220 >> it failed, these rules corrected that. >> >> Right now I'll settle for working. >> >> Thanks. >> Dave. >> >> On 4/19/17, Ultima wrote: >> > After a full look, I suspect this being a problem entry. >> > >> >> # Pass out only the desired ports from host and jails >> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port >> >> $tcp_services $tcpstate >> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port >> >> $udp_services $udpstate >> > >> > Try commenting them and adding pass out all or pass inet proto { tcp, >> udp } >> > any and see if that works. >> > >> > >> >> pass quick on tun0 all keep state >> > This is another problem area, but probably not the cause. The quick is >> > probably not handled as you are expecting. Pf reads the filtering rule= s >> in >> > priority from bottom to top bottom being highest priority to top being >> > lowest priority. When quick is added, this is more or less reversed fo= r >> the >> > rule and because its near the bottom it has a lower priority. In gener= al >> > the "quick" directive can make pf very confusing and a ruleset harder = to >> > read so other than the top blocking entires with quick, I suggest neve= r >> > using it, or use it for all filters and make it simple the opposite wa= y. >> > >> > >> >> jailnet =3D "10.0.0.0/8" >> >> vpnnet=3D"10.8.0.0/8" >> > One thing I noticed is that the subnet chosen is an /8 subnet. Because >> of >> > this, the entire 10.* address space applies to jailnet making all >> jailnet + >> > vpnnet entries redundant. This also allows all addresses to >> communicate, at >> > least if pf isn't filtering them. Usually segmenting the subnet is >> desired >> > to limit communication between them. >> > >> >> pass quick on lo0 all >> > Why not just skip on lo0? >> > >> > >> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state >> > (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> > global) >> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state >> > Why does this nearly duplicate rules exist? >> > >> > >> > Optimizing pf is fun, but one thing that is important to remember is t= he >> > more rules added, the more cycles used per packet. This is typically n= ot >> > noticed on a small deployments but it can become huge issue if grown. >> > >> > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler >> > wrote: >> > >> >> Hello Ultima, >> >> >> >> Thank you for your reply. Thanks for the information, I'm liking the >> >> new way the rules are looking. Unfortunately, still no go on the vpn. >> >> Everything else is working, just not the vpn. >> >> >> >> Thanks. >> >> Dave. >> >> PS, here's my rules as they stand now. >> >> >> >> pf.conf: >> >> # >> >> # Required order: macros, options, normalization, queueing, >> >> # translation, filtering. >> >> # Note: translation rules are first match while filter rules are last >> >> match. >> >> >> >> # Macros >> >> ext_if=3D"vtnet0" >> >> int_if =3D "lo1" >> >> vpn_if =3D "tun0" >> >> jailnet =3D "10.0.0.0/8" >> >> vpnnet=3D"10.8.0.0/8" >> >> icmp_types=3D"{echoreq, unreach}" >> >> #IPV6 ICMP types: >> >> # packet to big and echo request type ping >> >> # Neighbor Discovery Protocol (NDP) (types 133-137): >> >> # Router Solicitation (RS), Router Advertisement (RA) >> >> # Neighbor Solicitation (NS), Neighbor Advertisement (NA) >> >> # Route Redirection >> >> icmp6_types=3D"{ 2, 128, 133, 134, 135, 136, 137 }" >> >> #synstate=3D"flags S/SA synproxy state (max-src-conn 15, >> >> max-src-conn-rate 5/3, overload flush global)" >> >> tcpstate =3D"flags S/SA modulate state" >> >> udpstate =3D"keep state" >> >> voipports =3D "{5060, 5061, 10000:10500}" >> >> >> >> # allowed traffic >> >> tcp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, >> >> bootpc, http, imap, https, submission, imaps, 2703}" >> >> udp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, >> >> bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, >> >> 4500, 500, 50, 51}" >> >> >> >> # Name and IP of jails >> >> webmail=3D"10.0.0.15" >> >> # Name and IP of jailed ssh servers >> >> jssh1=3D"10.0.0.15" >> >> jssh2=3D"10.0.0.16" >> >> jssh3=3D"10.0.0.17" >> >> jssh4=3D"10.0.0.18" >> >> # The Asterisk Server >> >> asterisk=3D"10.0.0.17" >> >> # The vpn server >> >> vpn=3D"10.8.0.1" >> >> >> >> # Options >> >> # block-policy can be either drop or return >> >> set block-policy drop >> >> set optimization conservative >> >> set skip on tun0 >> >> >> >> # Normalization >> >> # normalize all incoming traffic. Set ttl 254: limits mapping of host= s >> >> behind >> >> # firewall. Set random-id to help same. >> >> # Set mss to ATM network frame size for easy splitting upstream. >> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tc= p >> >> fragment reassemble >> >> >> >> # NAT >> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port >> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port >> >> >> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to >> >> jailed ssh servers >> >> # External redirect >> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 222= 0 >> >> # reflect for internal hosts >> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 222= 0 >> >> >> >> # External redirect >> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 222= 1 >> >> # reflect for internal hosts >> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 222= 1 >> >> >> >> # External redirect >> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 222= 2 >> >> # reflect for internal hosts >> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 222= 2 >> >> >> >> # External redirect >> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 222= 3 >> >> # reflect for internal hosts >> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 222= 3 >> >> >> >> # Redirect traffic to the vpn server >> >> # External redirect >> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn >> port >> >> 1194 >> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn >> port >> >> 1194 >> >> # reflect for internal hosts >> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn >> port >> >> 1194 >> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn >> port >> >> 1194 >> >> >> >> # Redirect traffic to the asterisk server >> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling. >> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> >> >> $asterisk port 5060 >> >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk >> >> port >> >> 5060 >> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port >> 5061 >> >> # RTSP ports 10000 to 10500 >> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asteris= k >> >> port 10000:10500 >> >> >> >> # Tables >> >> table persist file "/etc/pf/bruteforce" >> >> table persist file "/etc/pf/pf.drop.lasso.conf" >> >> table persist file "/etc/pf/fail2ban" >> >> table persist file "/etc/pf/martians" >> >> # The ZeuS blocklist of c&c servers >> >> table persist file "/etc/pf/ZeuS" >> >> # The malwaredomain ip block list >> >> table persist file "/etc/pf/malwaredomain" >> >> # Table of selected country IP addresses >> >> table persist file "/etc/pf/blocked_countries" >> >> # Table of apache mod_evasive blocks >> >> table persist file "/etc/pf/evasive" >> >> >> >> # for the spamd greylist/blacklist service >> >> # (not related to spamassassin's spamd daemon) >> >> #table persist >> >> #table persist >> >> >> >> antispoof for $ext_if >> >> antispoof for $int_if >> >> >> >> # Start by blocking by default >> >> block all >> >> >> >> # Block anything in the blocked_countries table first >> >> block in quick from >> >> >> >> # Block nmap scans >> >> block in quick on $ext_if inet proto tcp from any to any flags FUP/FU= P >> >> >> >> # Explicitly block unroutable addresses >> >> block drop in quick on $ext_if from to any >> >> block drop out quick on $ext_if from any to >> >> >> >> # Explicitly block anything in the bruteforce table >> >> block in quick from >> >> >> >> # Explicitly block anything in the fail2ban table >> >> block in quick from >> >> >> >> # Explicitly block anything in the droplasso table >> >> block in quick from >> >> >> >> # Explicitly block anything in the ZeuS table >> >> block in quick from >> >> >> >> # Explicitly block anything in the malwaredomain table >> >> block in quick from >> >> >> >> # Block anything in the evasive table >> >> block in quick from >> >> >> >> # pass everything on the loopback interface >> >> pass quick on lo0 all >> >> >> >> # allow ping and host unreach >> >> pass inet proto icmp icmp-type $icmp_types keep state >> >> >> >> # Traceroute >> >> # allow out the default range for traceroute(8): >> >> # =E2=80=9Dbase+nhops*nqueries-1=E2=80=9D (33434+64*3-1) >> >> pass inet proto udp to port 33433:33626 # For IPv4 >> >> >> >> # Pass out only the desired ports from host and jails >> >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services >> >> $tcpstate >> >> pass inet proto udp from { self, $jailnet } to port $udp_services >> >> $udpstate >> >> >> >> # Allow ssh connections in from the internet >> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state >> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> global) >> >> # Pass in ssh traffic to the jails >> >> # pass rules for nat redirect >> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state >> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> global) >> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state >> >> >> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state >> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> global) >> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state >> >> >> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state >> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> global) >> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state >> >> >> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state >> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> global) >> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state >> >> >> >> # Pass traffic to the vpn >> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate >> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate >> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate >> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate >> >> >> >> # Pass in http traffic from the internet >> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state >> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> global) >> >> >> >> # Pass in https traffic from the internet >> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state >> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> global) >> >> >> >> # Pass in smtp traffic from the internet >> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state >> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> global) >> >> >> >> # Pass in submission traffic from the internet >> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state >> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> global) >> >> >> >> # Pass in imaps traffic from the internet >> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state >> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush >> >> global) >> >> >> >> # pass traffic from the asterisk server >> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state >> >> >> >> >> >> On 4/18/17, Ultima wrote: >> >> > I didn't have time to read and look through this entire post, but I >> >> think I >> >> > know the issue you're running into and this suggestion should push >> you >> >> > in >> >> > the right direction. >> >> > >> >> > this rule for example, >> >> > >> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn por= t >> >> > 1194 >> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn por= t >> >> > 1194 >> >> > # reflect for internal hosts >> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn por= t >> >> > 1194 >> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn por= t >> >> > 1194 >> >> > >> >> > This is probably not giving you the results you desire. Basically >> >> > because >> >> > no from or to ip is specified ALL and I quite literally mean ALL >> >> > packets >> >> > using port 1194 are being sent to $vpn port 1194. Usually you want = to >> >> make >> >> > it something like, >> >> > >> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn >> >> > port >> >> > 1194 >> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn >> >> > port >> >> > 1194 >> >> > >> >> > Now the traffic will be passed only when the packet is going to the >> >> > host, >> >> > not all traffic on a specific port. Another thing you may want to d= o >> is >> >> > combined many of these rules you have. >> >> > >> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn >> >> > port >> >> > 1194 >> >> > >> >> > Also note the above, because we are specifying any for from, we can >> >> remove >> >> > the form rule entirely and make it shorter. >> >> > >> >> > Hope this helps >> >> > >> >> > Ultima >> >> > >> >> >> > >> > >