Date: Sat, 23 Jan 2010 13:08:21 -0800
From: Doug Hardie <bc979@lafn.org>
To: Erik Norgaard <norgaard@locolomo.org>
Cc: freebsd-questions - <freebsd-questions@freebsd.org>
Subject: Re: pf rules
Message-ID: <9E94EB55-A094-4E65-9820-C74EAF44E3EA@lafn.org>
In-Reply-To: <4B5AE8FB.1030901@locolomo.org>
References: <4B594FC0.3010200@el.net> <4B5973AD.8070603@locolomo.org> <772FAD6A-C534-4217-9AA7-274561879E86@lafn.org> <4B59887E.30301@locolomo.org> <4D14E7C8-DFFD-4580-8CD0-99BB3C4EB051@lafn.org> <4B5AE8FB.1030901@locolomo.org>
On 23 January 2010, at 04:18, Erik Norgaard wrote:

> Doug Hardie wrote:
>
>> This is quite interesting.  I can't figure out the rules on my system.
>
> Maybe try to simplify, clean up and structure your rules :)
>
>> Here is the pf.conf file with all comments removed:
>> table <blackhole> persist file "/etc/blackhole"
>> table <spamd> persist
>> table <spamd-white> persist
>> table <spamd-white-local> persist file "/etc/mail/whitelist"
>> MAILHOSTS = "{zool.lafn.org}"
>> no rdr on { lo0, lo1 } from any to any
>> no rdr inet proto tcp from <spamd-white-local> to any port smtp
>> no rdr inet proto tcp from <spamd-white> to any port smtp
>> rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
>> pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
>> block in quick log on $ext_if from <blackhole> to any
>
> 1. pf allows short cuts, but these also make it more difficult to debug. I'd separate NAT from filtering,

Ok.  I guess you want some white space between them?  Here it is with the white space and comments:

ext_if="dc0"

table <blackhole> persist file "/etc/blackhole"
table <spamd> persist
table <spamd-white> persist
table <spamd-white-local> persist file "/etc/mail/whitelist"
MAILHOSTS = "{zool.lafn.org}"

# NAT/RDR Rules
no rdr on { lo0, lo1 } from any to any
no rdr inet proto tcp from <spamd-white-local> to any port smtp
no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd

# Filter Rules
pass in log inet proto tcp to $MAILHOSTS port smtp keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
block in quick log on $ext_if from <blackhole> to any

Other than the comments I don't see the difference.

> that is never use "rdr pass" even though pf allows it. You also need to understand when rdr takes place to write your filtering rules.

That would be really helpful if that information were available somewhere it could be found.  I have not been able to find that anywhere.

>
> 2. you can deploy one of two policies: Default block with a whitelist or default pass with a black list. Mixing these is a bad idea.
>
> 3. $ext_if = dc0?

I added that back in above.  Somehow it got deleted with the comments.

> 4. rdr needs an interface, I'm surprised that pf will parse the above, and have no idea what it does with it. pfctl -sn should show you the nat rules.

zool# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025

It seems to understand it just fine and it works properly.  See man spamd:

     The following pf.conf(5) example is suggested:

           table <spamd-white> persist
           rdr pass inet proto tcp from !<spamd-white> to any \
                   port smtp -> 127.0.0.1 port spamd

> 5. Organize your rules as sketched in last mail, grouping rules for each interface, it really helps locating where things go wrong.

Other than the whitespace and comments they are.

>
> I have log statements and catch all rules to ensure that if these are triggered there is something in my ruleset I haven't taken into account. I avoid using "any" except in default rules.
>
>> Note: the blackhole file is empty as is the whitelist file.  There is an entry for 216.54.240.150 in spamd database.  This is a test system.
>> Here is the output of tcpdump where I have only taken one entry for each rule.  I have listed the rule number at the front of each line:
>> Rule 0: 14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S 2501333595:2501333595(0) win 65535 <mss 1460,nop,nop,sackOK>
>> Rule 1: 02:26:44.755650 rule 1/0(match): pass in on sis0: 71.109.144.133.40864 > 192.168.25.7.75: S 3941268770:3941268770(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp[|tcp]>
>> Rule 2: 10:44:45.037918 rule 2/0(match): block in on dc0: 71.109.162.173.39529 > 206.117.18.7.75: . ack 145 win 65535 <nop,nop,timestamp 705571170 1951648775>
>> Rule 4: 13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S 2371633783:2371633783(0) win 65535 <mss 1460,nop,nop,sackOK>
>>
>> I found no entries for rule 3.  There is virtually no traffic on this system other than from me.
>> As I look at pf.conf and tie the rules to the entries I get (rule number at beginning of line):
>> no rdr on { lo0, lo1 } from any to any
>> no rdr inet proto tcp from <spamd-white-local> to any port smtp
>> 0 - no rdr inet proto tcp from <spamd-white> to any port smtp
>> 4 - rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
>> 1 - pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
>> block in quick log on $ext_if from <blackhole> to any
>> I have no clue which one is rule 2.  The only block is the last entry but that should never be used because the blackhole file is empty.  pfctl shows the table is empty also.
>> The ordering seems to make no sense either.  I also note that the man page for pf.conf indicates in the BNF grammar for pf.conf that log is a valid entry for no rdr.  However, that always generates a syntax error.  Apparently there is no way to log the use of no rdr rules.
>
> see, things seem to have been swapped around somehow, that rule 4 rdr is really rule 0 again only now matches for the rdr action, in rule 0 it matches pass action. or so it appears.
>
> anyway, to interpret the output of pflog, you need the output from pfctl -sr and pfctl -sn rather than your config file.

zool# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
pass in log inet proto tcp from any to 206.117.18.7 port = smtp flags S/SA keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) inet proto tcp from any to any port = 75 flags S/SA keep state
block drop in log quick on dc0 from <blackhole> to any
zool# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025

>
> So, to solve your problem, separate first NAT and filtering. Things become so much more clear.
>
> Regards, Erik
>
> --
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157            http://www.locolomo.org
>
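Erik's closing advice, that pflog rule numbers have to be read against `pfctl -sr` and `pfctl -sn` rather than against pf.conf, can be turned into a small check. The script below is an added example written for this archive page, not code from either participant; it assumes (and labels) the usual pflog convention that the number in `rule N/M(match)` is the 0-based position of the rule in the ruleset that the logged action belongs to, so `pass`/`block` index the `pfctl -sr` listing and `rdr` (likewise `nat`/`binat`) index the `pfctl -sn` listing. The two listings are copied from the `pfctl` output Doug posted, with the ALTQ notices dropped, and the four sample log lines are his, trimmed after the addresses; the function names are the example's own.

```shell
#!/bin/sh
# Resolve "rule N/M(match)" in a tcpdump-on-pflog line to the rule text as pfctl
# prints it.  Assumption: N counts, from 0, down the ruleset of the logged action
# (pass/block -> `pfctl -sr`, rdr/nat/binat -> `pfctl -sn`).  The listings below
# are the thread's own pfctl output; on a live box replace them with
#   FILTER_RULES=$(pfctl -sr 2>/dev/null)   NAT_RULES=$(pfctl -sn 2>/dev/null)

FILTER_RULES='pass in log inet proto tcp from any to 206.117.18.7 port = smtp flags S/SA keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) inet proto tcp from any to any port = 75 flags S/SA keep state
block drop in log quick on dc0 from <blackhole> to any'

NAT_RULES='no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025'

# Print the listing that a given pflog action was matched against.
ruleset_for_action() {
    case "$1" in
        pass|block)    printf '%s\n' "$FILTER_RULES" ;;
        rdr|nat|binat) printf '%s\n' "$NAT_RULES" ;;
        *)             return 1 ;;
    esac
}

# Usage: resolve_pflog_rule '<one "tcpdump -n -e -i pflog0" line>'
# Prints the rule the line refers to; fails if the line has no rule number,
# an unknown action, or a number past the end of that ruleset.
resolve_pflog_rule() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/.*rule \([0-9][0-9]*\)\/[0-9][0-9]*(match): \([a-z]*\) .*/\1 \2/p')
    [ -n "$parsed" ] || return 1
    num=${parsed%% *}
    action=${parsed#* }
    rule=$(ruleset_for_action "$action" | sed -n "$((num + 1))p")
    [ -n "$rule" ] || return 1
    printf '%s\n' "$rule"
}

# Constructed sample: the four lines from the thread, shortened after the addresses.
SAMPLE_LOG='14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S
02:26:44.755650 rule 1/0(match): pass in on sis0: 71.109.144.133.40864 > 192.168.25.7.75: S
10:44:45.037918 rule 2/0(match): block in on dc0: 71.109.162.173.39529 > 206.117.18.7.75: . ack 145
13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S'

printf '%s\n' "$SAMPLE_LOG" | while IFS= read -r line; do
    printf '%s\n   -> %s\n' "${line#* }" "$(resolve_pflog_rule "$line")"
done
```

Run against Doug's listings this maps `rule 0` and `rule 1` (pass) to the two `pass in log` filter rules, `rule 2` (block) to the `<blackhole>` block rule, and `rule 4` (rdr) to the `rdr pass ... port 8025` entry, i.e. the fifth line of `pfctl -sn`, which is why the rdr number is larger than anything in the filter listing. The same split is the reason for Erik's "never use rdr pass" advice: with a plain `rdr` and an explicit filter rule (`pass in on $ext_if inet proto tcp from any to 127.0.0.1 port spamd`, since translation runs before filtering and filter rules see the translated destination) every accepted connection shows up in `pfctl -sr` with a number you can look up, and the rule that let a packet through is never an implicit one hidden in the translation ruleset.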