From owner-freebsd-questions@freebsd.org Thu Apr 20 02:01:26 2017
From: David Mehler
Date: Wed, 19 Apr 2017 22:01:22 -0400
Subject: Re: freebsd 10.3, pf, and openvpn
To: Ultima
Cc: FreeBSD Mailing List, freebsd-pf@freebsd.org

Hello,

I commented out the rules indicated and still nothing.

Thanks.
Dave.

On 4/19/17, Ultima wrote:
> I forgot to mention, make sure the ext_gateway variable changed to the
> correct gateway.
>
> On Wed, Apr 19, 2017 at 8:24 PM, Ultima wrote:
>
>> I keep looking at the rules and finally decided to rewrite some of them.
>> This may not fix the issue you are having with openvpn tho. The issue
>> with that is most likely the passing out rules. This rule is kinda written
>> weird and I suggest just removing it and passing everything out and verifying
>> if that is the cause. The problem is many connections that the host will
>> open is opened at the high end ports, I believe it was around 40000:65535. I
>> could be wrong tho and hope someone corrects my errors if so.
>>
>> > # Pass out only the desired ports from host and jails
>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>
>> If ur still having issues with openvpn, with this ruleset, then first,
>> try changing the block all rule to block on ext_if. This will determine if a
>> pass rule internally is the cause.
>>
>> > block all
>> block on $ext_if all
>>
>> Going to CC freebsd-pf@freebsd.org I hope this helps
>>
>> Ultima
>>
>>
>> #
>> # Required order: macros, options, normalization, queueing,
>> # translation, filtering.
>> # Note: translation rules are first match while filter rules are last match.
>>
>> # Macros
>> ext_if="vtnet0"
>> ext_gateway="10.0.0.1"
>> int_if = "lo1"
>> vpn_if = "tun0"
>> jailnet = "10.0.0.0/8"
>> vpnnet="10.8.0.0/8"
>> icmp_types="{echoreq, unreach}"
>> #IPV6 ICMP types:
>> # packet too big and echo request type ping
>> # Neighbor Discovery Protocol (NDP) (types 133-137):
>> # Router Solicitation (RS), Router Advertisement (RA)
>> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>> # Route Redirection
>> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)"
>> tcpstate="flags S/SA modulate state"
>> udpstate="keep state"
>>
>> # allowed traffic
>> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, 500, 50, 51}"
>>
>> # Name and IP of jails
>> webmail="10.0.0.15"
>> # Name and IP of jailed ssh servers
>> jssh1="10.0.0.15"
>> jssh2="10.0.0.16"
>> jssh3="10.0.0.17"
>> jssh4="10.0.0.18"
>> jssh1_tcp="2220"
>> jssh2_tcp="2221"
>> jssh3_tcp="2222"
>> jssh4_tcp="2223"
>> # The Asterisk Server
>> asterisk="10.0.0.17"
>> asterisk_tcp="5060:5061"
>> asterisk_udp="5060, 10000:10500"
>> # The vpn server
>> vpn="10.8.0.1"
>>
>> # Options
>> # block-policy can be either drop or return
>> set block-policy drop
>> set optimization conservative
>> set skip on lo0
>>
>> # Normalization
>> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>> # firewall. Set random-id to help same.
>> # Set mss to ATM network frame size for easy splitting upstream.
>> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>>
>> # NAT
>> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>> nat on $ext_if from $vpnnet to any -> ($ext_if)
>>
>> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
>> # External redirect & reflect for internal hosts
>> # Note, the -> $ip port $port is only required for port triggering.
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh1_tcp } tag jssh1 -> $jssh1
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh2_tcp } tag jssh2 -> $jssh2
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh3_tcp } tag jssh3 -> $jssh3
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh4_tcp } tag jssh4 -> $jssh4
>>
>> # Redirect traffic to the vpn server
>> # External redirect
>> rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn
>>
>> # Redirect traffic to the asterisk server
>> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>> # RTSP ports 10000 to 10500
>> rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag asterisk_udp -> $asterisk
>> rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag asterisk_tcp -> $asterisk
>>
>> # Tables
>> table persist file "/etc/pf/bruteforce"
>> table persist file "/etc/pf/pf.drop.lasso.conf"
>> table persist file "/etc/pf/fail2ban"
>> table persist file "/etc/pf/martians"
>> # The ZeuS blocklist of c&c servers
>> table persist file "/etc/pf/ZeuS"
>> # The malwaredomain ip block list
>> table persist file "/etc/pf/malwaredomain"
>> # Table of selected country IP addresses
>> table persist file "/etc/pf/blocked_countries"
>> # Table of apache mod_evasive blocks
>> table persist file "/etc/pf/evasive"
>>
>> antispoof for { $ext_if, $int_if }
>>
>> # Start by blocking by default
>> block all
>>
>> # Block anything in the blocked_countries table first
>> block in quick from
>>
>> # Block nmap scans
>> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>>
>> # Explicitly block unroutable addresses
>> block drop in quick on $ext_if from to any
>> block drop out quick on $ext_if from any to
>>
>> # Explicitly block anything in the bruteforce table
>> block in quick from
>>
>> # Explicitly block anything in the fail2ban table
>> block in quick from
>>
>> # Explicitly block anything in the droplasso table
>> block in quick from
>>
>> # Explicitly block anything in the ZeuS table
>> block in quick from
>>
>> # Explicitly block anything in the malwaredomain table
>> block in quick from
>>
>> # Block anything in the evasive table
>> block in quick from
>>
>> # allow ping and host unreach
>> pass inet proto icmp icmp-type $icmp_types keep state
>>
>> # Traceroute
>> # allow out the default range for traceroute(8):
>> # ”base+nhops*nqueries-1” (33434+64*3-1)
>> pass inet proto udp to port 33433:33626 # For IPv4
>>
>> # Pass out only the desired ports from host and jails
>> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>
>> # Allow ssh connections in from the internet
>> pass in inet proto tcp from any to ($ext_if) port ssh \
>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> # Pass in ssh traffic to the jails
>> # pass rules for nat redirect
>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh1 jssh2 jssh3 jssh4 \
>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>> pass in on $int_if inet proto tcp tagged jssh1 jssh2 jssh3 jssh4 flags S/SA keep state
>>
>> # Pass traffic to the vpn
>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } tagged vpn $udpstate
>> pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
>> pass out on tun0 keep state
>> #pass quick on tun0 all keep state
>>
>> # Pass in smtp, http, https, submission, imaps traffic from the internet
>> pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \
>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>
>> # pass traffic from the asterisk server
>> pass inet proto tcp tagged asterisk_tcp keep state
>> pass inet proto udp tagged asterisk_udp keep state
>>
>> On Wed, Apr 19, 2017 at 11:06 AM, David Mehler wrote:
>>
>>> Hi,
>>>
>>> Thanks. Still no go on the vpn. In answer to your questions:
>>>
>>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>>> > $tcp_services $tcpstate
>>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port
>>> > $udp_services $udpstate
>>>
>>> I've got only a selected list of ports that I want in or out,
>>> everything else should be blocked.
>>>
>>> I tried commenting out the pass quick on tun0 all and replaced it with
>>> set skip on tun0 no joy.
>>>
>>> I took out the second nat line on the vpnnet as of now I'm wanting to
>>> keep the jailnet and the vpnnet ranges the same, though if this issue
>>> doesn't soon resolve I might change that idea.
>>>
>>> > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>> > (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>
>>> What I wanted to achieve with this was nat reflection, external
>>> connections to these hosts worked fine on the desired ports, but on
>>> the host itself if I tried to do an ssh to one of my jails port 2220
>>> it failed, these rules corrected that.
>>>
>>> Right now I'll settle for working.
>>>
>>> Thanks.
>>> Dave.
>>>
>>> On 4/19/17, Ultima wrote:
>>> > After a full look, I suspect this being a problem entry.
>>> >
>>> >> # Pass out only the desired ports from host and jails
>>> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>>> >> $tcp_services $tcpstate
>>> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port
>>> >> $udp_services $udpstate
>>> >
>>> > Try commenting them and adding pass out all or pass inet proto { tcp, udp }
>>> > any and see if that works.
>>> >
>>> >> pass quick on tun0 all keep state
>>> > This is another problem area, but probably not the cause. The quick is
>>> > probably not handled as you are expecting. Pf reads the filtering rules in
>>> > priority from bottom to top, bottom being highest priority to top being
>>> > lowest priority. When quick is added, this is more or less reversed for the
>>> > rule and because it's near the bottom it has a lower priority. In general
>>> > the "quick" directive can make pf very confusing and a ruleset harder to
>>> > read so other than the top blocking entries with quick, I suggest never
>>> > using it, or use it for all filters and make it simple the opposite way.
>>> >
>>> >> jailnet = "10.0.0.0/8"
>>> >> vpnnet="10.8.0.0/8"
>>> > One thing I noticed is that the subnet chosen is an /8 subnet. Because of
>>> > this, the entire 10.* address space applies to jailnet making all jailnet +
>>> > vpnnet entries redundant. This also allows all addresses to communicate, at
>>> > least if pf isn't filtering them. Usually segmenting the subnet is desired
>>> > to limit communication between them.
>>> >
>>> >> pass quick on lo0 all
>>> > Why not just skip on lo0?
>>> >
>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>> > Why do these nearly duplicate rules exist?
>>> >
>>> > Optimizing pf is fun, but one thing that is important to remember is the
>>> > more rules added, the more cycles used per packet. This is typically not
>>> > noticed on small deployments but it can become a huge issue if grown.
>>> >
>>> > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler wrote:
>>> >
>>> >> Hello Ultima,
>>> >>
>>> >> Thank you for your reply. Thanks for the information, I'm liking the
>>> >> new way the rules are looking. Unfortunately, still no go on the vpn.
>>> >> Everything else is working, just not the vpn.
>>> >>
>>> >> Thanks.
>>> >> Dave.
>>> >> PS, here's my rules as they stand now.
>>> >>
>>> >> pf.conf:
>>> >> #
>>> >> # Required order: macros, options, normalization, queueing,
>>> >> # translation, filtering.
>>> >> # Note: translation rules are first match while filter rules are last match.
>>> >>
>>> >> # Macros
>>> >> ext_if="vtnet0"
>>> >> int_if = "lo1"
>>> >> vpn_if = "tun0"
>>> >> jailnet = "10.0.0.0/8"
>>> >> vpnnet="10.8.0.0/8"
>>> >> icmp_types="{echoreq, unreach}"
>>> >> #IPV6 ICMP types:
>>> >> # packet too big and echo request type ping
>>> >> # Neighbor Discovery Protocol (NDP) (types 133-137):
>>> >> # Router Solicitation (RS), Router Advertisement (RA)
>>> >> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>>> >> # Route Redirection
>>> >> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>>> >> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)"
>>> >> tcpstate ="flags S/SA modulate state"
>>> >> udpstate ="keep state"
>>> >> voipports = "{5060, 5061, 10000:10500}"
>>> >>
>>> >> # allowed traffic
>>> >> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>>> >> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, 4500, 500, 50, 51}"
>>> >>
>>> >> # Name and IP of jails
>>> >> webmail="10.0.0.15"
>>> >> # Name and IP of jailed ssh servers
>>> >> jssh1="10.0.0.15"
>>> >> jssh2="10.0.0.16"
>>> >> jssh3="10.0.0.17"
>>> >> jssh4="10.0.0.18"
>>> >> # The Asterisk Server
>>> >> asterisk="10.0.0.17"
>>> >> # The vpn server
>>> >> vpn="10.8.0.1"
>>> >>
>>> >> # Options
>>> >> # block-policy can be either drop or return
>>> >> set block-policy drop
>>> >> set optimization conservative
>>> >> set skip on tun0
>>> >>
>>> >> # Normalization
>>> >> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>>> >> # firewall. Set random-id to help same.
>>> >> # Set mss to ATM network frame size for easy splitting upstream.
>>> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>>> >>
>>> >> # NAT
>>> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>>> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
>>> >>
>>> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
>>> >> # External redirect
>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
>>> >> # reflect for internal hosts
>>> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
>>> >>
>>> >> # External redirect
>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
>>> >> # reflect for internal hosts
>>> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
>>> >>
>>> >> # External redirect
>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
>>> >> # reflect for internal hosts
>>> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
>>> >>
>>> >> # External redirect
>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
>>> >> # reflect for internal hosts
>>> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223
>>> >>
>>> >> # Redirect traffic to the vpn server
>>> >> # External redirect
>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port 1194
>>> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn port 1194
>>> >> # reflect for internal hosts
>>> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
>>> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn port 1194
>>> >>
>>> >> # Redirect traffic to the asterisk server
>>> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> $asterisk port 5060
>>> >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
>>> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port 5061
>>> >> # RTSP ports 10000 to 10500
>>> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk port 10000:10500
>>> >>
>>> >> # Tables
>>> >> table persist file "/etc/pf/bruteforce"
>>> >> table persist file "/etc/pf/pf.drop.lasso.conf"
>>> >> table persist file "/etc/pf/fail2ban"
>>> >> table persist file "/etc/pf/martians"
>>> >> # The ZeuS blocklist of c&c servers
>>> >> table persist file "/etc/pf/ZeuS"
>>> >> # The malwaredomain ip block list
>>> >> table persist file "/etc/pf/malwaredomain"
>>> >> # Table of selected country IP addresses
>>> >> table persist file "/etc/pf/blocked_countries"
>>> >> # Table of apache mod_evasive blocks
>>> >> table persist file "/etc/pf/evasive"
>>> >>
>>> >> # for the spamd greylist/blacklist service
>>> >> # (not related to spamassassin's spamd daemon)
>>> >> #table persist
>>> >> #table persist
>>> >>
>>> >> antispoof for $ext_if
>>> >> antispoof for $int_if
>>> >>
>>> >> # Start by blocking by default
>>> >> block all
>>> >>
>>> >> # Block anything in the blocked_countries table first
>>> >> block in quick from
>>> >>
>>> >> # Block nmap scans
>>> >> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>>> >>
>>> >> # Explicitly block unroutable addresses
>>> >> block drop in quick on $ext_if from to any
>>> >> block drop out quick on $ext_if from any to
>>> >>
>>> >> # Explicitly block anything in the bruteforce table
>>> >> block in quick from
>>> >>
>>> >> # Explicitly block anything in the fail2ban table
>>> >> block in quick from
>>> >>
>>> >> # Explicitly block anything in the droplasso table
>>> >> block in quick from
>>> >>
>>> >> # Explicitly block anything in the ZeuS table
>>> >> block in quick from
>>> >>
>>> >> # Explicitly block anything in the malwaredomain table
>>> >> block in quick from
>>> >>
>>> >> # Block anything in the evasive table
>>> >> block in quick from
>>> >>
>>> >> # pass everything on the loopback interface
>>> >> pass quick on lo0 all
>>> >>
>>> >> # allow ping and host unreach
>>> >> pass inet proto icmp icmp-type $icmp_types keep state
>>> >>
>>> >> # Traceroute
>>> >> # allow out the default range for traceroute(8):
>>> >> # ”base+nhops*nqueries-1” (33434+64*3-1)
>>> >> pass inet proto udp to port 33433:33626 # For IPv4
>>> >>
>>> >> # Pass out only the desired ports from host and jails
>>> >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services $tcpstate
>>> >> pass inet proto udp from { self, $jailnet } to port $udp_services $udpstate
>>> >>
>>> >> # Allow ssh connections in from the internet
>>> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >> # Pass in ssh traffic to the jails
>>> >> # pass rules for nat redirect
>>> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
>>> >>
>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>> >>
>>> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
>>> >>
>>> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
>>> >>
>>> >> # Pass traffic to the vpn
>>> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
>>> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
>>> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
>>> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate
>>> >>
>>> >> # Pass in http traffic from the internet
>>> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >>
>>> >> # Pass in https traffic from the internet
>>> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >>
>>> >> # Pass in smtp traffic from the internet
>>> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >>
>>> >> # Pass in submission traffic from the internet
>>> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >>
>>> >> # Pass in imaps traffic from the internet
>>> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)
>>> >>
>>> >> # pass traffic from the asterisk server
>>> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state
>>> >>
>>> >>
>>> >> On 4/18/17, Ultima wrote:
>>> >> > I didn't have time to read and look through this entire post, but I
>>> >> > think I know the issue you're running into and this suggestion should push
>>> >> > you in the right direction.
>>> >> >
>>> >> > this rule for example,
>>> >> >
>>> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
>>> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>>> >> > # reflect for internal hosts
>>> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
>>> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>>> >> >
>>> >> > This is probably not giving you the results you desire. Basically because
>>> >> > no from or to ip is specified ALL and I quite literally mean ALL packets
>>> >> > using port 1194 are being sent to $vpn port 1194. Usually you want to make
>>> >> > it something like,
>>> >> >
>>> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
>>> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194
>>> >> >
>>> >> > Now the traffic will be passed only when the packet is going to the host,
>>> >> > not all traffic on a specific port. Another thing you may want to do is
>>> >> > combine many of these rules you have.
>>> >> >
>>> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
>>> >> >
>>> >> > Also note the above, because we are specifying any for from, we can
>>> >> > remove the from rule entirely and make it shorter.
>>> >> >
>>> >> > Hope this helps
>>> >> >
>>> >> > Ultima
>>> >> >
>>> >>
>>> >
>>
>
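Added here as an illustration, not code from the thread: a small Python model of the two pf evaluation behaviours the replies above lean on, that translation (rdr) rules are first-match while filter rules are last-match unless a matching rule says quick. It shows why an rdr with "to any port 1194" catches a packet that is not addressed to the host at all, and why the table blocks need quick to survive a later pass rule. The interface names, addresses, the bruteforce table entry and the packets are constructed; the model ignores state, direction and routing.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str          # interface pf evaluates the packet on
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "rdr", "pass" or "block"
    iface: str = "any"
    proto: str = "any"
    src: str = "any"              # address, "any", or a table name
    dst: str = "any"
    dport: Optional[int] = None
    quick: bool = False
    target: Optional[str] = None  # where an rdr rule sends the packet

    def matches(self, p: Packet, tables: dict) -> bool:
        def addr_ok(want: str, have: str) -> bool:
            # "any", an exact address, or membership in a named table
            return want == "any" or want == have or have in tables.get(want, set())
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and addr_ok(self.src, p.src)
                and addr_ok(self.dst, p.dst)
                and self.dport in (None, p.dport))


def rdr_target(rules, p: Packet, tables=None) -> Optional[str]:
    """Translation rules are first-match: the first matching rdr decides."""
    tables = tables or {}
    for r in rules:
        if r.action == "rdr" and r.matches(p, tables):
            return r.target
    return None


def filter_verdict(rules, p: Packet, tables=None) -> str:
    """Filter rules are last-match; a matching 'quick' rule ends evaluation."""
    tables = tables or {}
    verdict = "pass"              # pf's implicit default when nothing matches
    for r in rules:
        if r.action in ("pass", "block") and r.matches(p, tables):
            verdict = r.action
            if r.quick:
                break
    return verdict


# Constructed values standing in for the thread's macros.
EXT_IF, INT_IF, VPN = "vtnet0", "lo1", "10.8.0.1"
EXT_IP, INT_IP = "198.51.100.10", "10.0.0.1"

# 'rdr on $int_if ... from any to any port 1194' versus '... to $int_ip port 1194'
LOOSE_RDR = [Rule("rdr", iface=INT_IF, proto="udp", dport=1194, target=VPN)]
TIGHT_RDR = [Rule("rdr", iface=INT_IF, proto="udp", dst=INT_IP, dport=1194, target=VPN)]
jail_to_outside = Packet(INT_IF, "udp", "10.0.0.16", "203.0.113.5", 1194)  # not for this host
client_to_host = Packet(INT_IF, "udp", "10.0.0.16", INT_IP, 1194)

# 'block in quick from <bruteforce>' with and without quick, then a pass for ssh
TABLES = {"bruteforce": {"192.0.2.7"}}
SSH_PASS = Rule("pass", iface=EXT_IF, proto="tcp", dst=EXT_IP, dport=22)
WITH_QUICK = [Rule("block"), Rule("block", iface=EXT_IF, src="bruteforce", quick=True), SSH_PASS]
WITHOUT_QUICK = [Rule("block"), Rule("block", iface=EXT_IF, src="bruteforce"), SSH_PASS]
listed_host_ssh = Packet(EXT_IF, "tcp", "192.0.2.7", EXT_IP, 22)

if __name__ == "__main__":
    print(rdr_target(LOOSE_RDR, jail_to_outside))                  # 10.8.0.1: hijacked
    print(rdr_target(TIGHT_RDR, jail_to_outside))                  # None: left alone
    print(filter_verdict(WITH_QUICK, listed_host_ssh, TABLES))     # block
    print(filter_verdict(WITHOUT_QUICK, listed_host_ssh, TABLES))  # pass: later rule wins
```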