Date: Thu, 14 Feb 2013 18:06:22 +0000 From: Lisa Muir <34.24.34@gmail.com> To: freebsd-pf@freebsd.org Subject: Releasing all outgoing ports for a particular IP. Message-ID: <CACX=3hOwVgoZLu79JQ5LcBKNhkgaXOck3Dts9QG5k4wvMpG6zA@mail.gmail.com>
Hi Guys, Hope you might be able to help me with a query. Am a little past the newbie stage with pf, and moderately comfortable with it, but by no means a guru yet, finding my way. Have one firewall which has a public interface with multiple IPs and 5 private lans with the usual private lan space IPs. The machine has been running fine for a year and a bit, and I have various port forwarding things going, internal redirection for dmz hosts being accessed from the lan, port forwarding for public ip aliases on the external interface. Two things have left me with questions, one is about UDP port forwarding which I got working but am not 100% happy with, and I'll come back to that in another thread, and today's one which is releasing all tcp ports for a particular IP which is in the "DMZ" vlan. In this case, the vlans are implemented at the switches, and a separate interface on the pf firewall links into each vlan, no kernel based vlan in operation. As a rule, we restrict outgoing ports, we only allow out what we know about and approve, but we're putting a CCTV transmitter into the DMZ which requires access to every tcp port for outgoing.
Here is a cut down version of my pf.conf with the relevant data, starting with the definitions for interfaces, the host in question that I am testing with, and the ports:

#####################
# Definitions
#
# interfaces
# Vlan1 is the switch management vlan
vlan1_if = "em1"
# Vlan2 is the business vlan
vlan2_if = "em2"
# Vlan3 is the topsec secretary vlan
vlan3_if = "em3"
# Vlan4 is the "dmz"
vlan4_if = "em4"
# Vlan5 is the domestic house vlan
vlan5_if = "em5"
# Wlan is the wireless lan in the building
wlan_if = "msk0"
# The em0 vlan is a direct cat-5 cable link to wireless broadband kit for public internet
ext_if = "em0"
# The em0_alias0 is a virtual interface for additional public ip
stc_dvr_ext_if = "173.47.184.4"
tunnel_if = "gif0"
vpn_if = "tun0"
# Host that we are testing our rules with
emailserver = "10.168.3.99"
# Ports that we want to open for this host, all tcp going out
all_ports = "{ 1:65535 }"

The lans 1, 2, 3 and wireless are restricted to only trafficking on ports such as 80, 443, 25, 587, 143 etc. But I want my email server to go out on any port, so the following lines were added, which work:

pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports
pass out on $ext_if proto tcp from $ext_if to any port $all_ports

The first line of that is suitably restrictive, it only allows that one single host in the DMZ to traffic out on all tcp ports. It's the next pass rule that bothers me. Because all lans nat through to the ext_if, this next line effectively opens up all ports to get out into the wild if any of them are accidentally opened to get into the gateway. I'd like to be able to restrict that particular pass rule to a single host. Is that possible? Or do I just have to live with the fact that I have it restricted at the pass in stage?
When I get more info, I may be able to restrict the outgoing destination to a list of IPs rather than passing out to any, which will help tighten the rule up, but it seems a little unrestricted for my liking as is. Lisa.
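As an added example (not from the post above), here is how the same two rules can be tied to the one DMZ host with pf's tag/tagged mechanism, which survives the NAT rewrite that makes a plain "from $emailserver" on $ext_if unusable; the macros are the post's, the tag name DMZ_ALLPORTS and the shape of the nat rule are assumptions.

```pf
# Added example, not the original poster's ruleset.
# Macros taken from the post:
ext_if      = "em0"
vlan4_if    = "em4"
emailserver = "10.168.3.99"

# Assumed shape of the existing nat rule (the post does not show it). By the
# time an outbound packet is filtered on $ext_if its source is already
# ($ext_if), so a pass out rule cannot match on $emailserver directly.
nat on $ext_if from $vlan4_if:network to any -> ($ext_if)

# Inbound from the DMZ: only this one host, any tcp destination port. The tag
# is attached to the packet inside pf and is still present after translation.
# No "port" clause is needed: without one the rule already covers 1:65535.
pass in on $vlan4_if proto tcp from $emailserver to any tag DMZ_ALLPORTS

# Outbound on the public interface: the "any port" pass now applies only to
# packets carrying the tag, i.e. only to traffic the rule above admitted.
# Every other host that nats through $ext_if still has to match its own,
# narrower pass out rules (80, 443, 25, 587, 143 etc.).
pass out on $ext_if proto tcp tagged DMZ_ALLPORTS
```

pfctl -nf /etc/pf.conf checks the syntax without loading it, and pfctl -vsr afterwards shows the two rules with their tag and per-rule match counters, so you can confirm that only the DMZ host's traffic is hitting the tagged pass out rule.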