Date: Thu, 18 Jul 2024 19:07:35 +0300 From: Odhiambo Washington <odhiambo@gmail.com> To: FreeBSD virtualization <freebsd-virtualization@freebsd.org> Subject: Re: Suddenly unable to access VMs Message-ID: <CAAdA2WNszrUJfYbpT8_37iCC2yz2w-bLhstC-Romhhh2uyV=mg@mail.gmail.com> In-Reply-To: <CAAdA2WPp=nnRwMrsnyBPeBHmKqxERK_GzGDGAYjsbgPEJ1YNMw@mail.gmail.com> References: <CAAdA2WMaO8PPnFErZa0gcN-VPD6My4RtJB3u27BYi=8CWMZK=A@mail.gmail.com> <202407111449.46BEnLoP051380@gndrsh.dnsmgr.net> <CAAdA2WPp=nnRwMrsnyBPeBHmKqxERK_GzGDGAYjsbgPEJ1YNMw@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--00000000000011efcf061d87c97a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
On Thu, Jul 11, 2024 at 6:23=E2=80=AFPM Odhiambo Washington <odhiambo@gmail=
.com>
wrote:
>
>
> On Thu, Jul 11, 2024 at 5:49=E2=80=AFPM Rodney W. Grimes <
> freebsd-rwg@gndrsh.dnsmgr.net> wrote:
>
>> > My bhyve VMs have been all fine until now.
>> > I can't ping them and can't SSH into them. However, I can connect to
>> them
>> > with VNCViewer from a remote host (my PC from my house) :-(
>> >
>> > I haven't done any changes on the host at all.
>> > dnsmasq is running, but seems like the VMs aren't getting the IPs for
>> some
>> > reason.
>> >
>> > ```
>> > cloned_interfaces=3D"bridge0 tap0 tap1 tap2 tap3 tap4 tap5"
>> > ifconfig_bridge0_name=3D"vmbridge"
>> > ifconfig_vmbridge=3D"addm em1 addm tap0 addm tap1 addm tap2 addm tap3 =
addm
>> > tap4 addm tap5 up"
>> > ifconfig_vmbridge_alias0=3D"inet 172.16.0.1 netmask 255.255.255.0"
>> > ```
>> > What might have happened?
>> >
>> >
>> > root@gw:/home/wash # ifconfig vmbridge
>> > vmbridge: flags=3D1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER=
_UP>
>> > metric 0 mtu 1500
>> > options=3D0
>> > ether 58:9c:fc:10:df:1d
>> > inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
>> > id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
>> > maxage 20 holdcnt 6 proto rstp maxaddr 2000 timeout 1200
>> > root id 00:00:00:00:00:00 priority 32768 ifcost 0 port 0
>> > member: tap5 flags=3D143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>> > ifmaxaddr 0 port 10 priority 128 path cost 2000000
>> > member: tap4 flags=3D143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>> > ifmaxaddr 0 port 9 priority 128 path cost 2000000
>> > member: tap3 flags=3D143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>> > ifmaxaddr 0 port 8 priority 128 path cost 2000000
>> > member: tap2 flags=3D143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>> > ifmaxaddr 0 port 7 priority 128 path cost 2000000
>> > member: tap1 flags=3D143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>> > ifmaxaddr 0 port 6 priority 128 path cost 2000000
>> > member: tap0 flags=3D143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>> > ifmaxaddr 0 port 5 priority 128 path cost 2000000
>> > member: em1 flags=3D143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
>> > ifmaxaddr 0 port 2 priority 128 path cost 55
>> > groups: bridge
>> > nd6 options=3D9<PERFORMNUD,IFDISABLED>
>> > root@gw:/home/wash # ssh 172.16.0.99
>> > ssh: connect to host 172.16.0.99 port 22: Permission denied
>> > root@gw:/home/wash # ssh 172.16.0.100
>> > ssh: connect to host 172.16.0.100 port 22: Permission denied
>> > root@gw:/home/wash # ping 172.16.0.100
>> > PING 172.16.0.100 (172.16.0.100): 56 data bytes
>> > ping: sendto: Permission denied
>> > ping: sendto: Permission denied
>> > ping: sendto: Permission denied
>> > ping: sendto: Permission denied
>> > ^C
>> > --- 172.16.0.100 ping statistics ---
>> > 4 packets transmitted, 0 packets received, 100.0% packet loss
>> > root@gw:/home/wash # ping 172.16.0.99
>> > PING 172.16.0.99 (172.16.0.99): 56 data bytes
>> > ping: sendto: Permission denied
>> > ping: sendto: Permission denied
>> > ping: sendto: Permission denied
>> > ^C
>> > --- 172.16.0.99 ping statistics ---
>> > 3 packets transmitted, 0 packets received, 100.0% packet loss
>> > root@gw:/home/wash # service dnsmasq status
>> > dnsmasq is running as pid 4190.
>> > root@gw:/home/wash #
>>
>> Permission denied is almost certainly coming from firewall,
>> either ipfw or pf.
>>
>
> I haven't changed anything in my pf.conf either.
> What also baffles me is that the VMs are not obtaining IP addresses from
> dnsmasq.
>
Is anyone able to spot something obvious from the following pf.conf that
could be causing the problem I am having?
Thanking you in advance.
```
#--------------------------------------------------------------------------=
-----
# PF: List and Macros
#--------------------------------------------------------------------------=
-----
# Interfaces
ext_if =3D "em0" # macro for external interface - use tun0 for PPPoE
int_if =3D "em1" # macro for internal interface
jail_if =3D "lo1" # the interface we chose for communication between jails
#
# bhyve
bhyve_net=3D"172.16.0.0/24"
int_addr =3D "192.168.55.254" # Internal IPv4 address (i.e.,
gateway for private network)
int_network =3D "192.168.54.0/23" # Internal IPv4 network
# External services - port 25214 is used instead of 514 for syslog
ext_tcp_services =3D "{ 21 22 25 26 53 80 110 123 143 443 465 587 2222 2525
2587 25214 993 995 3000 5000><5100 6276 6277 8000 8069 8080 8081 8082 8083
8999 10000 5900><6000 30000><50000 1024><6277 8765 }"
ext_udp_services =3D "{ ntp, 1194 }"
# Internal services
int_tcp_services =3D "{ domain, bootps, dhcpv6-server, ntp, http, https,
http-alt, \
smtp, smtps, pop3, pop3s, imap, imaps, ftp-data, ftp, ssh, svn,
2222, 2232, 4444, \
3128, 3129, 13128, 13129, 23129, 9050, 8123, 8056, 2199, 8191, 82,
2087, 8333, 1157, \
2083, 8030, 10443, 3389, 8080, 8081, 9091, 81, 8086, 8000, 8001,
8002, 8005, 8006, 8090, 8100, 8800, 443, 465, 587, 8444, 8443, 9443, \
18082, 18087, 18092, 18093, 9447, 7005, 115, 8030, 18090, 18083,
18084, 15001, 15002, 15003, 2082 }"
int_udp_services =3D "{ domain, bootps, dhcpv6-server, ntp, 1194, svn, sip,
8056, 500, 1000, 10000 }"
# The martians table denotes the RFC 1918 addresses and a few other ranges
which
# are mandated by various RFCs not to be in circulation on the open
Internet.
martians =3D "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
#--------------------------------------------------------------------------=
-----
# PF: Tables
#--------------------------------------------------------------------------=
-----
table <whatsapp-cidr> persist file "/etc/firewall/whatsapp-cidr.txt"
table <bruteforce> file "/etc/firewall/bruteforce_attackers" persist
table <f2b> persist file "/etc/firewall/f2b"
table <fail2ban> persist
table <sshguard> persist
#--------------------------------------------------------------------------=
-----
# PF: Options
#--------------------------------------------------------------------------=
-----
# No restrictions on jail network
set skip on $jail_if
set skip on lo
#--------------------------------------------------------------------------=
-----
# PF: Scrub (Packet Normalization)
#--------------------------------------------------------------------------=
-----
set limit { states 40000, frags 20000, src-nodes 20000 }
set timeout { adaptive.start 18000, adaptive.end 39000 }
#--------------------------------------------------------------------------=
-----
# PF: Packet Queueing and Priorization
#--------------------------------------------------------------------------=
-----
#--------------------------------------------------------------------------=
-----
# PF: Netkwork Address Translation (NAT) and Packet Redirection
#--------------------------------------------------------------------------=
-----
# Network address translation
# Internet
nat on $ext_if inet from any to any -> $ext_if
# Bhyve
nat on $ext_if from $bhyve_net to any -> ($ext_if)
# Traccar
rdr pass on $ext_if inet proto { tcp, udp } from any to port 5055 ->
127.0.0.1 port 5055
# Nominatim Test
rdr pass on $ext_if inet proto { tcp, udp } from any to port 8089 ->
127.0.0.1 port 8089
#--------------------------------------------------------------------------=
-----
# PF: Packet Filtering
#--------------------------------------------------------------------------=
-----
# Restrictive default rules
block all
# Block packets and reply with a TCP RST or ICMP Unreachable response
block return
# FTP-Proxy
# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
# Anchor for fail2ban
anchor "f2b/*"
# Anchor for blacklistd
# This makes sure that the rules within blacklistd are only used for
incoming data on ext_if
anchor "blacklistd/*" in on $ext_if
# Blocking Spoofed Packets
#--------------------------------------------------------------------------=
-----
# Filter rules for $ext_if inbound
# Temporarily let go everything, do not leave active!
#pass in on $ext_if inet
#pass in on $ext_if inet6
# Allow ping
pass in on $ext_if inet proto icmp all
pass in on $ext_if inet6 proto icmp6 all
# External services
pass in on $ext_if inet proto tcp to port $ext_tcp_services
pass in on $ext_if inet proto udp to port $ext_udp_services
block drop in quick on $ext_if inet from <bruteforce> to any
block drop in quick on $ext_if inet from <f2b> to any
block in quick from <fail2ban>
# Custom blocks
block drop in quick on $ext_if inet from 31.130.184.0/24 to any
block in proto tcp from <sshguard> to any
# Now block the ssh bruteforce
block drop in quick on $ext_if inet from <ssh-bruteforce>
block drop in quick on $ext_if inet6 from <ssh-bruteforce>
# PF "Self-Protecting" an FTP Server (passive)
pass in on $ext_if inet proto tcp from any to any port { ftp, > 49151 }
pass in on $ext_if inet6 proto tcp from any to any port { ftp, > 49151 }
# Traccar
pass in on $ext_if inet proto tcp from any to any port { 5000><5100 }
pass in on $ext_if inet6 proto tcp from any to any port { 5000><5100 }
# Nominatim Test
pass in on $ext_if inet proto tcp from any to any port 8089
#--------------------------------------------------------------------------=
-----
# Filter rules for $ext_if outbound
pass out on $ext_if inet
pass out on $ext_if inet6
#--------------------------------------------------------------------------=
-----
# Filter rules for $int_if inbound
# block drop in quick on $int_if inet from 192.168.55.x to any port { 443
993 }
#block drop in quick on $int_if from 192.168.54.190 to any
#block drop in quick on $int_if from any to 13.107.4.50
# Temporarily let go everything, do not leave active!
#pass in on $int_if inet
#pass in on $int_if inet6
# Internal services
pass in on $int_if inet proto tcp to port $int_tcp_services
pass in on $int_if inet proto udp to port $int_udp_services
# Filter rules for $int_if outbound
pass out on $int_if inet
pass out on $int_if inet6
#--------------------------------------------------------------------------=
-----
# DEBUG: RULES FOR VMM
pass in quick on bridge0 all keep state
pass in quick on tap0 all keep state
pass in quick on tap1 all keep state
pass in quick on tap2 all keep state
pass in quick on tap3 all keep state
pass out quick on bridge0 all keep state
pass out quick on tap0 all keep state
pass out quick on tap1 all keep state
pass out quick on tap2 all keep state
pass out quick on tap3 all keep state
# Bhyve hosts
pass in on tap0
pass in on tap1
pass in on tap2
pass in on tap3
```
--=20
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254 7 3200 0004/+254 7 2274 3223
In an Internet failure case, the #1 suspect is a constant: DNS.
"Oh, the cruft.", egrep -v '^$|^.*#' =C2=AF\_(=E3=83=84)_/=C2=AF :-)
[How to ask smart questions:
http://www.catb.org/~esr/faqs/smart-questions.html]
--00000000000011efcf061d87c97a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail_quote">=
<div dir=3D"ltr" class=3D"gmail_attr">On Thu, Jul 11, 2024 at 6:23=E2=80=AF=
PM Odhiambo Washington <<a href=3D"mailto:odhiambo@gmail.com">odhiambo@g=
mail.com</a>> wrote:<br></div><blockquote class=3D"gmail_quote" style=3D=
"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-le=
ft:1ex"><div dir=3D"ltr"><div dir=3D"ltr"><br></div><br><div class=3D"gmail=
_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Jul 11, 2024 at 5:49=
=E2=80=AFPM Rodney W. Grimes <<a href=3D"mailto:freebsd-rwg@gndrsh.dnsmg=
r.net" target=3D"_blank">freebsd-rwg@gndrsh.dnsmgr.net</a>> wrote:<br></=
div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;bor=
der-left:1px solid rgb(204,204,204);padding-left:1ex">> My bhyve VMs hav=
e been all fine until now.<br>
> I can't ping them and can't SSH into them. However, I can conn=
ect to them<br>
> with VNCViewer from a remote host (my PC from my house) :-(<br>
> <br>
> I haven't done any changes on the host at all.<br>
> dnsmasq is running, but seems like the VMs aren't getting the IPs =
for some<br>
> reason.<br>
> <br>
> ```<br>
> cloned_interfaces=3D"bridge0 tap0 tap1 tap2 tap3 tap4 tap5"<=
br>
> ifconfig_bridge0_name=3D"vmbridge"<br>
> ifconfig_vmbridge=3D"addm em1 addm tap0 addm tap1 addm tap2 addm =
tap3 addm<br>
> tap4 addm tap5 up"<br>
> ifconfig_vmbridge_alias0=3D"inet 172.16.0.1 netmask 255.255.255.0=
"<br>
> ```<br>
> What might have happened?<br>
> <br>
> <br>
> root@gw:/home/wash # ifconfig vmbridge<br>
> vmbridge: flags=3D1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LO=
WER_UP><br>
> metric 0 mtu 1500<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0options=3D0<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ether 58:9c:fc:10:df:1d<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0inet 172.16.0.1 netmask 0xffffff00 br=
oadcast 172.16.0.255<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0id 00:00:00:00:00:00 priority 32768 h=
ellotime 2 fwddelay 15<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0maxage 20 holdcnt 6 proto rstp maxadd=
r 2000 timeout 1200<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0root id 00:00:00:00:00:00 priority 32=
768 ifcost 0 port 0<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0member: tap5 flags=3D143<LEARNING,=
DISCOVER,AUTOEDGE,AUTOPTP><br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ifmaxaddr=
0 port 10 priority 128 path cost 2000000<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0member: tap4 flags=3D143<LEARNING,=
DISCOVER,AUTOEDGE,AUTOPTP><br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ifmaxaddr=
0 port 9 priority 128 path cost 2000000<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0member: tap3 flags=3D143<LEARNING,=
DISCOVER,AUTOEDGE,AUTOPTP><br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ifmaxaddr=
0 port 8 priority 128 path cost 2000000<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0member: tap2 flags=3D143<LEARNING,=
DISCOVER,AUTOEDGE,AUTOPTP><br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ifmaxaddr=
0 port 7 priority 128 path cost 2000000<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0member: tap1 flags=3D143<LEARNING,=
DISCOVER,AUTOEDGE,AUTOPTP><br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ifmaxaddr=
0 port 6 priority 128 path cost 2000000<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0member: tap0 flags=3D143<LEARNING,=
DISCOVER,AUTOEDGE,AUTOPTP><br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ifmaxaddr=
0 port 5 priority 128 path cost 2000000<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0member: em1 flags=3D143<LEARNING,D=
ISCOVER,AUTOEDGE,AUTOPTP><br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0ifmaxaddr=
0 port 2 priority 128 path cost 55<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0groups: bridge<br>
>=C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0nd6 options=3D9<PERFORMNUD,IFDISAB=
LED><br>
> root@gw:/home/wash # ssh 172.16.0.99<br>
> ssh: connect to host 172.16.0.99 port 22: Permission denied<br>
> root@gw:/home/wash # ssh 172.16.0.100<br>
> ssh: connect to host 172.16.0.100 port 22: Permission denied<br>
> root@gw:/home/wash # ping 172.16.0.100<br>
> PING 172.16.0.100 (172.16.0.100): 56 data bytes<br>
> ping: sendto: Permission denied<br>
> ping: sendto: Permission denied<br>
> ping: sendto: Permission denied<br>
> ping: sendto: Permission denied<br>
> ^C<br>
> --- 172.16.0.100 ping statistics ---<br>
> 4 packets transmitted, 0 packets received, 100.0% packet loss<br>
> root@gw:/home/wash # ping 172.16.0.99<br>
> PING 172.16.0.99 (172.16.0.99): 56 data bytes<br>
> ping: sendto: Permission denied<br>
> ping: sendto: Permission denied<br>
> ping: sendto: Permission denied<br>
> ^C<br>
> --- 172.16.0.99 ping statistics ---<br>
> 3 packets transmitted, 0 packets received, 100.0% packet loss<br>
> root@gw:/home/wash # service dnsmasq status<br>
> dnsmasq is running as pid 4190.<br>
> root@gw:/home/wash #<br>
<br>
Permission denied is almost certainly coming from firewall,<br>
either ipfw or pf.<br></blockquote><div><br></div><div>I haven't change=
d anything in my pf.conf either.</div><div>What also baffles me is that the=
VMs are not obtaining IP addresses from dnsmasq.=C2=A0</div></div></div></=
blockquote><div><br></div><div>Is anyone able to spot something obvious fro=
m the following pf.conf that could be causing the problem I am having?</div=
><div>Thanking you in advance.</div><div><br></div><div>```</div><div><br>#=
---------------------------------------------------------------------------=
----<br># PF: List and Macros<br>#-----------------------------------------=
--------------------------------------<br><br># Interfaces<br>ext_if =3D &q=
uot;em0" # macro for external interface - use tun0 for PPPoE<br>int=
_if =3D "em1" # macro for internal interface<br><br>jail_if =
=3D "lo1" # the interface we chose for communication between j=
ails<br>#<br># bhyve<br>bhyve_net=3D"<a href=3D"http://172.16.0.0/24">=
172.16.0.0/24</a>"<br><br>int_addr =3D "192.168.55.254" =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 # Internal IPv4 address (i.e., gatew=
ay for private network)<br>int_network =3D "<a href=3D"http://192.168.=
54.0/23">192.168.54.0/23</a>" =C2=A0 =C2=A0 =C2=A0 =C2=A0 # Internal I=
Pv4 network<br><br># External services - port 25214 is used instead of 514 =
for syslog<br>ext_tcp_services =3D "{ 21 22 25 26 53 80 110 123 143 44=
3 465 587 2222 2525 2587 25214 993 995 3000 5000><5100 6276 6277 8000=
8069 8080 8081 8082 8083 8999 10000 5900><6000 30000><50000 10=
24><6277 8765 }"<br>ext_udp_services =3D "{ ntp, 1194 }&quo=
t;<br><br># Internal services<br>int_tcp_services =3D "{ domain, bootp=
s, dhcpv6-server, ntp, http, https, http-alt, \<br>=C2=A0 =C2=A0 =C2=A0 =C2=
=A0 smtp, smtps, pop3, pop3s, imap, imaps, ftp-data, ftp, ssh, svn, 2222, 2=
232, 4444, \<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 3128, 3129, 13128, 13129, 23129=
, 9050, 8123, 8056, 2199, 8191, 82, 2087, 8333, 1157, \<br>=C2=A0 =C2=A0 =
=C2=A0 =C2=A0 2083, 8030, 10443, 3389, 8080, 8081, 9091, 81, 8086, 8000, 80=
01, 8002, 8005, 8006, 8090, 8100, 8800, 443, 465, 587, 8444, 8443, 9443, \<=
br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 18082, 18087, 18092, 18093, 9447, 7005, 115,=
8030, 18090, 18083, 18084, 15001, 15002, 15003, 2082 }"<br>int_udp_se=
rvices =3D "{ domain, bootps, dhcpv6-server, ntp, 1194, svn, sip, 8056=
, 500, 1000, 10000 }"<br><br># The martians table denotes the RFC 1918=
addresses and a few other ranges which<br># are mandated by various RFCs n=
ot to be in circulation on the open Internet.<br>martians =3D "{ <a hr=
ef=3D"http://127.0.0.0/8">127.0.0.0/8</a>, <a href=3D"http://192.168.0.0/16=
">192.168.0.0/16</a>, <a href=3D"http://172.16.0.0/12">172.16.0.0/12</a>, \=
<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D"http://10.0.0.0/8">10.0.0.0/8</a=
>, <a href=3D"http://169.254.0.0/16">169.254.0.0/16</a>, <a href=3D"http://=
192.0.2.0/24">192.0.2.0/24</a>, \<br>=C2=A0 =C2=A0 =C2=A0 =C2=A0 <a href=3D=
"http://0.0.0.0/8">0.0.0.0/8</a>, <a href=3D"http://240.0.0.0/4">240.0.0.0/=
4</a> }"<br><br>#-----------------------------------------------------=
--------------------------<br># PF: Tables<br>#----------------------------=
---------------------------------------------------<br><br>table <whatsa=
pp-cidr> persist file "/etc/firewall/whatsapp-cidr.txt"<br>tab=
le <bruteforce> file "/etc/firewall/bruteforce_attackers" p=
ersist<br>table <f2b> persist file "/etc/firewall/f2b"<br>t=
able <fail2ban> persist<br>table <sshguard> persist<br><br>#---=
---------------------------------------------------------------------------=
-<br># PF: Options<br>#----------------------------------------------------=
---------------------------<br><br># No restrictions on jail network<br>set=
skip on $jail_if<br>set skip on lo<br><br>#-------------------------------=
------------------------------------------------<br># PF: Scrub (Packet Nor=
malization)<br>#-----------------------------------------------------------=
--------------------<br><br>set limit { states 40000, frags 20000, src-node=
s 20000 }<br>set timeout { adaptive.start 18000, adaptive.end 39000 }<br><b=
r>#------------------------------------------------------------------------=
-------<br># PF: Packet Queueing and Priorization<br>#---------------------=
----------------------------------------------------------<br><br>#--------=
-----------------------------------------------------------------------<br>=
# PF: Netkwork Address Translation (NAT) and Packet Redirection<br>#-------=
------------------------------------------------------------------------<br=
><br># Network address translation<br># Internet<br>nat on $ext_if inet fro=
m any to any -> $ext_if<br><br># Bhyve<br>nat on $ext_if from $bhyve_net=
to any -> ($ext_if)<br><br># Traccar<br>rdr pass on $ext_if inet proto =
{ tcp, udp } from any to port 5055 -> 127.0.0.1 port 5055<br># Nominatim=
Test<br>rdr pass on $ext_if inet proto { tcp, udp } from any to port 8089 =
-> 127.0.0.1 port 8089<br><br><br>#-------------------------------------=
------------------------------------------<br># PF: Packet Filtering<br>#--=
---------------------------------------------------------------------------=
--<br><br># Restrictive default rules<br>block all<br><br># Block packets a=
nd reply with a TCP RST or ICMP Unreachable response<br>block return<br><br=
># FTP-Proxy<br># We need to have an anchor for ftp-proxy<br>anchor "f=
tp-proxy/*"<br><br># Anchor for fail2ban<br>anchor "f2b/*"<b=
r><br># Anchor for blacklistd<br># This makes sure that the rules within bl=
acklistd are only used for incoming data on ext_if<br>anchor "blacklis=
td/*" in on $ext_if<br><br># Blocking Spoofed Packets<br><br>#--------=
-----------------------------------------------------------------------<br>=
# Filter rules for $ext_if inbound<br><br># Temporarily let go everything, =
do not leave active!<br>#pass in on $ext_if inet<br>#pass in on $ext_if ine=
t6<br><br># Allow ping<br>pass in on $ext_if inet =C2=A0proto icmp =C2=A0al=
l<br>pass in on $ext_if inet6 proto icmp6 all<br><br># External services<br=
>pass in on $ext_if inet =C2=A0proto tcp to port $ext_tcp_services<br>pass =
in on $ext_if inet =C2=A0proto udp to port $ext_udp_services<br><br>block d=
rop in quick on $ext_if inet from <bruteforce> to any<br>block drop i=
n quick on $ext_if inet from <f2b> to any<br>block in quick from <=
fail2ban><br><br># Custom blocks<br>block drop in quick on $ext_if inet =
from <a href=3D"http://31.130.184.0/24">31.130.184.0/24</a>; to any<br><br><=
br>block in proto tcp from <sshguard> to any<br><br># Now block the s=
sh bruteforce=C2=A0<br>block drop in quick on $ext_if inet =C2=A0from <s=
sh-bruteforce><br>block drop in quick on $ext_if inet6 from <ssh-brut=
eforce><br><br># PF "Self-Protecting" an FTP Server (passive)<=
br>pass in on $ext_if inet =C2=A0proto tcp from any to any port { ftp, >=
49151 }<br>pass in on $ext_if inet6 proto tcp from any to any port { ftp, =
> 49151 }<br><br># Traccar<br>pass in on $ext_if inet proto tcp from any=
to any port { 5000><5100 }<br>pass in on $ext_if inet6 proto tcp fro=
m any to any port { 5000><5100 }<br># Nominatim Test<br>pass in on $e=
xt_if inet proto tcp from any to any port 8089<br><br>#--------------------=
-----------------------------------------------------------<br># Filter rul=
es for $ext_if outbound<br><br>pass out on $ext_if inet<br>pass out on $ext=
_if inet6<br><br>#---------------------------------------------------------=
----------------------<br># Filter rules for $int_if inbound<br><br># block=
drop in quick on $int_if inet from 192.168.55.x to any port { 443 993 }<br=
>#block drop in quick on $int_if from 192.168.54.190 to any<br>#block drop =
in quick on $int_if from any to 13.107.4.50<br><br><br># Temporarily let go=
everything, do not leave active!<br>#pass in on $int_if inet<br>#pass in o=
n $int_if inet6<br><br><br># Internal services<br>pass in on $int_if inet =
=C2=A0proto tcp to port $int_tcp_services<br>pass in on $int_if inet =C2=A0=
proto udp to port $int_udp_services<br><br><br># Filter rules for $int_if o=
utbound<br><br>pass out on $int_if inet<br>pass out on $int_if inet6<br><br=
>#-------------------------------------------------------------------------=
------<br><br># DEBUG: RULES FOR VMM<br><br>pass in quick on bridge0 all ke=
ep state<br>pass in quick on tap0 all keep state<br>pass in quick on tap1 a=
ll keep state<br>pass in quick on tap2 all keep state<br>pass in quick on t=
ap3 all keep state<br>pass out quick on bridge0 all keep state<br>pass out =
quick on tap0 all keep state<br>pass out quick on tap1 all keep state<br>pa=
ss out quick on tap2 all keep state<br>pass out quick on tap3 all keep stat=
e<br><br># Bhyve hosts<br>pass in on tap0<br>pass in on tap1<br>pass in on =
tap2<br>pass in on tap3<br></div><div>```</div></div><div><br></div><span c=
lass=3D"gmail_signature_prefix">-- </span><br><div dir=3D"ltr" class=3D"gma=
il_signature"><div dir=3D"ltr"><div dir=3D"ltr"><div>Best regards,<br>Odhia=
mbo WASHINGTON,<br>Nairobi,KE<br>+254 7 3200 0004/+254 7 2274 3223</div><di=
v><span style=3D"color:rgb(34,34,34)">=C2=A0In=C2=A0</span><span style=3D"c=
olor:rgb(34,34,34)">an Internet failure case, the #1 suspect is a constant:=
DNS.</span><br>"<span style=3D"font-size:12.8px">Oh, the cruft.</span=
><span style=3D"font-size:12.8px">",=C2=A0</span><span style=3D"font-s=
ize:12.8px">egrep -v '^$|^.*#'=C2=A0</span><span style=3D"backgroun=
d-color:rgb(34,34,34);color:rgb(238,238,238);font-family:"Lucida Conso=
le",Consolas,"Courier New",monospace;font-size:13.6px">=C2=
=AF\_(=E3=83=84)_/=C2=AF</span><span style=3D"font-size:12.8px">=C2=A0:-)</=
span></div><div><span style=3D"font-size:12.8px">[How to ask smart question=
s:=C2=A0</span><span style=3D"font-size:12.8px"><a href=3D"http://www.catb.=
org/~esr/faqs/smart-questions.html" target=3D"_blank">http://www.catb.org/~=
esr/faqs/smart-questions.html</a>]</span></div></div></div></div></div>
--00000000000011efcf061d87c97a--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAAdA2WNszrUJfYbpT8_37iCC2yz2w-bLhstC-Romhhh2uyV=mg>