From owner-freebsd-pf@FreeBSD.ORG Thu Jul 5 13:12:03 2007
From: "Gilberto Villani Brito"
To: "FreeBSD (PF)"
Date: Thu, 5 Jul 2007 10:11:58 -0300
Subject: Re: Issue with PF on FreeBSD 6.2.5?
Message-ID: <6e6841490707050611l66b7b705h2889dcaf8a2fc784@mail.gmail.com>
In-Reply-To: <20070705062546.BF688267E13@mx.levier.org>

On 05/07/07, Laurent LEVIER wrote:
> Hi All,
>
> I am currently setting up a ChilliSpot server using the conup/condown command.
> Since the LAN will also be publicly available, I am using Chilli as UAM.
>
> These con* scripts are launched with additional arguments (IP
> address, device) when a user is authenticated on the HotSpot.
> This way, I can update firewall rules dynamically to allow the
> authenticated user to pass... or to no longer pass when the session is over.
>
> Apparently, the best way to solve this with pf is to use tables, since an
> anchor permits adding a rule, but not deleting the added rule (at
> least I did not find how to).
>
> But it seems it does not fully work for me.
> If you look at my pf.conf file at the end of this email, you will see
> I created a table "public_granted" that is associated with 2 rules:
> 1) a rdr to redirect to Squid transparently (the rule is before the one
> redirecting transparently to the Chilli authentication server)
> 2) a pass in quick rule to allow the new user to pass through.
>
> The problem I have is:
> - When the public_granted table is updated with a new IP address, pf
> lets the user pass through.
> - But when I delete this IP from the table, pf keeps allowing the
> user to pass through.
>
> I appreciate any advice to help me solve this weird situation.
>
> Thanks in advance
>
> My pf.conf:
> ### Options
> # pf configuration
> set block-policy return
> set state-policy if-bound
>
> # localhost
> set skip on lo0
>
> ### Declarations
> # Interface declaration
> if_ext="nve0"   # Internet Interface
> if_int="bge0"   # Public access Interface
> if_wifi="tun0"  # WiFi Hotspot Interface
>
> # Subnets declaration
> net_public="192.168.254.0/24"
> net_wifi_admin="192.168.253.252/30"
>
> # IP declaration
> ip_ext_me="192.168.0.100"
> ip_wifi_me="192.168.254.1"
> ip_wifi_admin_me="192.168.253.253"
> ip_hotspot="192.168.253.254"
>
> ### Tables!
> table <public_granted>
>
> ### Redirections
> # Squid redirection for authenticated users on Public
> rdr on $if_int proto tcp from <public_granted> to 0.0.0.0/0 port 80 -> localhost port 8080
> rdr on $if_wifi proto tcp from <public_granted> to 0.0.0.0/0 port 80 -> localhost port 8080
> # Authentication portal for Public
> rdr on $if_int proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990
> rdr on $if_wifi proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990
>
> ### NAT
> # Public to me on Internet side
> nat on $if_ext from $net_public to any -> $ip_ext_me
>
> ### Filtering
> # Hotspot is a typical network client
> pass out quick from any to any keep state
>
> # Who can admin me?
> pass in log quick on $if_ext proto tcp from any to $ip_ext_me port = 22
>
> ## Logs from Public access side
> # Syslog from access point sent to me
> pass in log quick on $if_int proto udp from $ip_hotspot to $ip_wifi_admin_me port = 514
>
> # DHCP
> pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 67
> pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 68
>
> # DNS for Public
> pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 53
> pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 53
> # DNS for WiFi
> pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 53
> pass in log quick on $if_wifi proto udp from $net_public to $ip_wifi_me port = 53
>
> # Authentication portal for Public
> pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 3990
> pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 443
> # Authentication portal for Wifi
> pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 3990
> pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 443
>
> # Ping is granted to authenticated users (public_granted table)
> pass in log quick on $if_wifi proto icmp from <public_granted> to $ip_wifi_me keep state
>
> # Closing rule for Public & WiFi
> block in log quick from any to $ip_wifi_me
> block in log quick from any to $ip_wifi_admin_me
>
> ## HotSpot LAN configuration
> # Table public_granted: contains granted users on Radius
> pass in log quick on $if_int from <public_granted> to any keep state
> pass in log quick on $if_wifi from <public_granted> to any keep state
>
> # Finally block & log everything
> block in log from any to any
>
> Laurent LEVIER
> Systems & Networks Senior Security Expert, CISSP CISM

Hi Laurent,
I have the same problem, but this is because PF works with sessions; at the end of a session it will block the next session.

-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
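The session behaviour Gilberto points at is the key: the `keep state` rules create state entries when a connection starts, and those entries keep matching after the address leaves the table, because table lookups only happen when a rule is evaluated for a new connection. As an added example that is not from either poster, here is a condown-style helper that deletes the address from `public_granted` and then kills that host's states with `pfctl -k`, so the next packet is evaluated against the rules again. It assumes the address arrives as the script's first argument and that `pfctl` is in PATH (`PFCTL` overrides the binary, e.g. for a dry run).

```shell
#!/bin/sh
# Added example (not from the thread): conup/condown helper for the
# public_granted table. Deleting an address from the table only changes
# rule evaluation for NEW connections; states already created by the
# "keep state" rules still match, so the revoked user keeps passing.
# The fix is to delete the table entry AND kill that host's states.
# Assumptions: the IP address is the first argument and pfctl is in
# PATH; the PFCTL variable can point at another command instead.
PFCTL="${PFCTL:-pfctl}"
TABLE="public_granted"

# Accept only a plain dotted-quad IPv4 address before handing it to pfctl.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# conup: put the authenticated address into the table.
grant_user() {
    valid_ipv4 "$1" || return 2
    $PFCTL -t "$TABLE" -T add "$1"
}

# condown: drop the address, then kill states in both directions so the
# pass/rdr rules (and the table) are consulted again on the next packet.
revoke_user() {
    valid_ipv4 "$1" || return 2
    $PFCTL -t "$TABLE" -T delete "$1" || return 1
    $PFCTL -k "$1" || return 1                # states whose source is $1
    $PFCTL -k 0.0.0.0/0 -k "$1" || return 1   # states whose destination is $1
}

# Usage: condown.sh <ip>  (call grant_user instead from conup).
# With no argument the script only defines the functions.
case "${1:-}" in
    "") ;;
    *)  revoke_user "$1" ;;
esac
```

Running `pfctl -s state | grep <ip>` after the script is a quick way to confirm that no state for the revoked address survives.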