From: Lisa Muir <34.24.34@gmail.com>
To: freebsd-pf@freebsd.org
Date: Thu, 14 Feb 2013 18:06:22 +0000
Subject: Releasing all outgoing ports for a particular IP.
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi Guys,

Hope you might be able to help me with a query.
I am a little past the newbie stage with pf, and moderately comfortable with it, but by no means a guru yet; still finding my way. I have one firewall which has a public interface with multiple IPs and 5 private LANs with the usual private LAN-space IPs. The machine has been running fine for a year and a bit, and I have various port forwarding things going: internal redirection for DMZ hosts being accessed from the LAN, and port forwarding for public IP aliases on the external interface.

Two things have left me with questions. One is about UDP port forwarding, which I got working but am not 100% happy with; I'll come back to that in another thread. Today's one is releasing all TCP ports for a particular IP which is in the "DMZ" VLAN. In this case, the VLANs are implemented at the switches, and a separate interface on the pf firewall links into each VLAN; no kernel-based VLAN is in operation. As a rule, we restrict outgoing ports; we only allow out what we know about and approve, but we're putting a CCTV transmitter into the DMZ which requires outgoing access to every TCP port.
Here is a cut-down version of my pf.conf with the relevant data, starting with the definitions for interfaces, the host in question that I am testing with, and the ports:

#####################
# Definitions
#

# interfaces
# Vlan1 is the switch management vlan
vlan1_if = "em1"
# Vlan2 is the business vlan
vlan2_if = "em2"
# Vlan3 is the topsec secretary vlan
vlan3_if = "em3"
# Vlan4 is the "dmz"
vlan4_if = "em4"
# Vlan5 is the domestic house vlan
vlan5_if = "em5"
# Wlan is the wireless lan in the building
wlan_if = "msk0"
# The em0 vlan is a direct cat-5 cable link to wireless broadband kit for public internet
ext_if = "em0"
# The em0_alias0 is a virtual interface for additional public ip
stc_dvr_ext_if = "173.47.184.4"
tunnel_if = "gif0"
vpn_if = "tun0"

# Host that we are testing our rules with
emailserver = "10.168.3.99"

# Ports that we want to open for this host, all tcp going out
all_ports = "{ 1:65535 }"

LANs 1, 2, 3 and the wireless LAN are restricted to only trafficking on ports such as 80, 443, 25, 587, 143 etc. But I want my email server to go out on any port, so the following lines were added, which work:

pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports
pass out on $ext_if proto tcp from $ext_if to any port $all_ports

The first line of that is suitably restrictive: it only allows that one single host in the DMZ to traffic out on all TCP ports. It's the next pass rule that bothers me. Because all LANs NAT through to the ext_if, this next line effectively opens up all ports to get out into the wild if any of them are accidentally opened to get into the gateway. I'd like to be able to restrict that particular pass rule to a single host. Is that possible? Or do I just have to live with the fact that I have it restricted at the pass-in stage?
When I get more info, I may be able to restrict the outgoing destination to a list of IPs rather than passing out to any, which will help tighten the rule up, but it seems a little unrestricted for my liking as is.

Lisa.
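As an added example (not from the original post or from the FreeBSD project), the pair of rules above rewritten with pf's `tag` / `tagged` keywords, which is the usual way to tie an outbound rule on the NAT interface back to the specific inbound rule that admitted the flow. The definitions are copied from the post; the tag name `DMZ_ALLPORTS` is my own choice:

```pf
# Added example, not Lisa's configuration. Same macros as in the post.
ext_if      = "em0"
vlan4_if    = "em4"
emailserver = "10.168.3.99"

# The pair from the post. After NAT every LAN's traffic leaves em0 with
# em0's address as source, so the second rule cannot tell the email
# server's flows apart from anyone else's:
#
#   pass in  on $vlan4_if proto tcp from $emailserver to any port 1:65535
#   pass out on $ext_if   proto tcp from $ext_if      to any port 1:65535

# Tagged version. The tag is attached to packets matched by the inbound DMZ
# rule; the outbound rule matches only packets carrying that tag, so the
# other LANs get nothing from it even if a hole is opened into the gateway.
pass in  on $vlan4_if proto tcp from $emailserver to any tag DMZ_ALLPORTS
pass out on $ext_if   proto tcp tagged DMZ_ALLPORTS

# Once the CCTV vendor supplies a destination list, the inbound rule is
# where to narrow "to any" down to a table or address list.
```

Syntax-check the result before loading it with `pfctl -nf /etc/pf.conf` (`-n` parses without loading). Note that the tag is set by the inbound rule, so restricting destinations later belongs on that rule; the `tagged` pass-out rule can stay as it is.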