Date:      Wed, 23 Jul 2008 15:04:06 -0400
From:      Jon Radel <jon@radel.com>
To:        Ivan Petrushev <ivanatora@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Why this rule doesn't score a match?
Message-ID:  <488780A6.4010807@radel.com>
In-Reply-To: <d39744a20807231128j6641996i95ee8fec03053b6e@mail.gmail.com>
References:  <d39744a20807231025w42fc4a99ha1e99be5fd5c76b0@mail.gmail.com>	<48876DAD.9080100@optiksecurite.com>	<d39744a20807231127u11df822rc2022a70b1a1af3e@mail.gmail.com> <d39744a20807231128j6641996i95ee8fec03053b6e@mail.gmail.com>


Ivan Petrushev wrote:
> Hmmm, yes I'm on FreeBSD 7
> I tried these pass rules before - nothing gets logged.
> I thought traffic is going both TO these ports and FROM these ports.
> Let's take for example a simple HTTP connection. The browser
> communicates to the remote server through remote port 80 and says 'GET
> /index.html', then closes the connection. The HTTP server on the
> remote side opens a connection to the local machine (on some of our
> local port range)... but what is the port number on his side? I think
> that it is again 80.
> About pass in/pass out - I think that in/out keyword can be dropped?
> PF can do without that, right?
> 
> These are my current filter rules, still nothing gets logged:
> ##############################
> pass log on $if proto tcp from any port $tcp_services
> pass log on $if proto udp from any port $udp_services
> pass log on $if proto tcp from any to $ext_ip port $tcp_services
> pass log on $if proto udp from any to $ext_ip port $udp_services
> #############################

HTTP doesn't work like that.  The client opens a connection from an 
arbitrary port (generally high and pseudo-random) to port 80 (or 8080, 
or whatever the published port the server listens on is).  The server 
does NOT open a connection to you.

Your initial packet to the web server

from YOU port NNNN
to SERVER port 80

never gets through your rule set so there's never a response from the 
server to get logged.

You'd do much better, if this is a workstation on which you run a 
web browser and other clients, rather than a router/firewall, to do 
something like:

pass out on $if proto tcp to any port $tcp_services flags S/SA keep state

This allows the initial packet from your machine out and uses the PF 
state mechanism (which you really, really, really should be using for 
reasons of efficiency and security) to allow all further packets for 
that TCP connection both in and out on that interface.

Unless you're offering services on this computer to which you want other 
machines to establish connections, you're much better off having no, or 
minimal, "pass in" rules.  That way people can't send you random, 
possibly nasty, packets which you accept simply because they used a 
source port of 80.

--Jon Radel
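As an added illustration (not part of the thread and not Jon Radel's or Ivan Petrushev's own configuration), the following is a complete workstation pf.conf in the FreeBSD 7 syntax used above, putting the stateful "pass out" approach next to a comment explaining why the original stateless source-port rules never match. The interface name `em0` and the port lists are assumptions.

```pf
# Added example (not from the thread): stateful pf.conf for a workstation that
# only runs client software. Interface name and port lists are assumptions.
ext_if = "em0"                     # assumed interface name
tcp_services = "{ 22, 80, 443 }"   # assumed destination ports for SSH/HTTP/HTTPS
udp_services = "{ 53, 123 }"       # assumed destination ports for DNS/NTP

# Do not filter loopback traffic.
set skip on lo0

# Default deny in both directions, logged, so anything that fails to match a
# pass rule shows up on pflog0 instead of disappearing silently.
block log all

# Why rules such as "pass log on $if proto tcp from any port $tcp_services"
# never log anything: they match on the *source* port, but the client's first
# packet goes from a high local port to server port 80. That SYN matches no
# pass rule, is dropped by the default block, and no reply ever arrives.
# No stateless rule of that kind appears here.

# Outbound TCP: only the initial SYN (flags S/SA) matches, and "keep state"
# creates a state entry; every later packet of that connection, in both
# directions, is passed by the state table rather than by a rule.
pass out log on $ext_if proto tcp to any port $tcp_services flags S/SA keep state

# Outbound UDP has no handshake, so the state entry is keyed on the
# address/port pairs and the server's reply is matched against it.
pass out log on $ext_if proto udp to any port $udp_services keep state

# Outbound ping; echo replies return through the state entry.
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# Deliberately no "pass in" rules: nothing reaches this host unless it belongs
# to a state created by outbound traffic, so a packet is not accepted merely
# because its source port happens to be 80.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; logged packets (including the default-block drops) can then be watched with `tcpdump -n -e -ttt -i pflog0`, and the state entries created by the outbound rules with `pfctl -ss`.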

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?488780A6.4010807>