hi all...

doing testing with pf...

how is it possible that if i have these rules below in pf.conf if i do:
telnet that.host.org 25

i get:
Trying xx.xx.xx.xx...
Connected to that.host.org.
Escape character is '^]'.
........... etc .......

pf.conf contents:

tcp_in = "{ www, https }"
ftp_in = "{ ftp }"
udp = "{ domain, ntp }"
ping = "echoreq"

set skip on lo
scrub in

antispoof for eth0 inet

block in all
pass out all keep state
pass proto udp to any port $udp
pass inet proto icmp all icmp-type $ping keep state
pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
pass proto tcp to any port ssh

thanks....
If I guess your idea right, you should specify direction like this:

pass in proto udp to any port $udp

"pass proto udp to any port $udp" passes traffic in any direction (incoming and outgoing).

2010/1/22 kalin m <kalin@el.net>:
> hi all...
>
> doing testing with pf...
>
> how is it possible that if i have these rules below in pf.conf if i do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
>
> pf.conf contents:
>
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
>
> antispoof for eth0 inet
>
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh
>
> thanks....
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
On 22 Jan 10, at 08:50, kalin m wrote:
> how is it possible that if i have these rules below in pf.conf if i do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......

quite strange. What does `pfctl -s all` return?

patpro
On Fri, Jan 22, 2010 at 02:50:58AM -0500, kalin m wrote:
> doing testing with pf...
>
> how is it possible that if i have these rules below in pf.conf if i do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
>
> pf.conf contents:
...
> set skip on lo
....

You are in a jail and/or that.host.org is a local ip routed via lo0 ?

-- 
Laurent Frigault | <url:http://www.agneau.org/>
kalin m wrote:
> hi all...
>
> doing testing with pf...
>
> how is it possible that if i have these rules below in pf.conf if i do:
> telnet that.host.org 25
>
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
>
> pf.conf contents:
>
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
>
> set skip on lo
> scrub in
>
> antispoof for eth0 inet
>
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh

Did your ruleset actually load into pf? If you run:

# pfctl -nf pf.conf

then any output indicates a problem with your pf.conf. Also, you can examine the loaded rule set by:

# pfctl -sr

This is generated from the pf.conf, but with all the list structures expanded into separate rules.

You say:

"antispoof for eth0 inet"

-- this looks a bit dodgy to me: 'eth0' is a linuxism. There's no such network interface driver under FreeBSD, and you should probably replace that with the actual name of the interface out of the list returned by 'ifconfig -l'. You don't really need the 'inet' bit either -- that will be added automatically, as well as matching 'inet6' rules if your system is IPv6 capable. Also, your antispoof rules should come /after/ your generic 'block all' rule.

Handy hint: it's good practice when writing pf.conf to define a macro with the interface name:

ext_if = "em0"

and then use that macro liberally in your rules (as $ext_if).

Hmmm... I suppose pf is actually enabled on your system? You'd need to put:

pf_enable="YES"
pflog_enable="YES"

into /etc/rc.conf to have it start automatically, or if you want to start things manually, do:

# kldload pf
# pfctl -e

(but be careful with that if you aren't logged into the console, as you can lock yourself out)

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
Others have already given some good feedback (and asked some good questions), but:

> pass out all keep state

You're allowing out the initial TCP SYN, and creating a state entry for the connection here. You should be able to make outgoing connections anywhere with this rule. Once a state entry gets created, the state table will match on the traffic for the session, and the rules list won't have to be evaluated.

J.

-- 
Jason V. Miller
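Putting the replies above together (explicit "pass in" so a rule does not silently allow the host to originate connections, antispoof placed after the generic block, an interface macro instead of the Linux-style eth0, and the observation that "pass out all keep state" lets the host open any outbound port, which is exactly why the telnet to port 25 succeeded), here is an added example ruleset. It is not from the original thread. The interface name em0, the decision to default-deny outbound traffic as well, and the specific outbound port list are assumptions for illustration; adjust them to the host's actual interface and needs.

```pf
# Added example ruleset, not from the thread. em0 is an assumed interface name.
ext_if  = "em0"

tcp_in  = "{ www, https, ssh }"
udp     = "{ domain, ntp }"
# Outbound TCP this host is allowed to initiate (assumed list for illustration).
tcp_out = "{ domain, www, https, ssh, smtp }"
ping    = "echoreq"

set skip on lo
scrub in on $ext_if all

# Default deny in BOTH directions. With only "block in all" plus
# "pass out all keep state", every outbound port (including 25) is open.
block in all
block out all

# antispoof after the generic block: pf uses last-matching-rule semantics
# unless a rule carries "quick", so a block placed before "block all"
# would be overridden by the later, more general rules.
antispoof quick for $ext_if

# Inbound services: "pass in" only. A bare "pass proto tcp ... port ssh"
# also allows this host to initiate ssh to any host, in both directions.
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_in flags S/SA synproxy state
pass in on $ext_if inet proto udp to ($ext_if) port $udp keep state
pass in on $ext_if inet proto icmp icmp-type $ping keep state

# Outbound: an explicit list replaces "pass out all keep state".
# Replies to these connections are matched by the state table, not the rules.
pass out on $ext_if inet proto tcp to any port $tcp_out flags S/SA keep state
pass out on $ext_if inet proto udp to any port $udp keep state
pass out on $ext_if inet proto icmp icmp-type $ping keep state
```

Check it the way Matthew suggests before loading it: `pfctl -nf pf.conf` parses without loading and should print nothing, and after `pfctl -f pf.conf` the expanded rules from `pfctl -sr` show each list element as its own rule with an explicit "in" or "out". With `block out all` in place, a `telnet that.host.org 25` from this host is now dropped unless smtp is in $tcp_out, which makes the difference from the thread's ruleset directly observable. Load a ruleset that blocks outbound traffic from the console, since a mistake in the outbound list can cut off your own ssh session.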
# pfctl -s rules
scrub in all fragment reassemble
block drop in on ! bge0 inet from xxx.xxx.xxx.xxx/28 to any
block drop in inet from xxx.xxx.xxx.xxx to any
block drop in all
pass out all flags S/SA keep state
pass out inet proto udp from any to any port 33433 >< 33626 keep state
pass proto udp from any to any port = domain keep state
pass proto udp from any to any port = ntp keep state
pass inet proto icmp all icmp-type echoreq keep state
pass in inet proto tcp from any to any port = http flags S/FSA synproxy state
pass in inet proto tcp from any to any port = https flags S/FSA synproxy state
pass proto tcp from any to any port = ssh flags S/SA keep state

Rémi LAURENT wrote:
> Hi,
>
> Maybe you can give us the result of a pfctl -s rules because i don't see
> how you can have this connection.
>
>> hi all...
>>
>> doing testing with pf...
>>
>> how is it possible that if i have these rules below in pf.conf if i do:
>> telnet that.host.org 25
>>
>> i get:
>> Trying xx.xx.xx.xx...
>> Connected to that.host.org.
>> Escape character is '^]'.
>> ........... etc .......
>>
>> pf.conf contents:
>>
>> tcp_in = "{ www, https }"
>> ftp_in = "{ ftp }"
>> udp = "{ domain, ntp }"
>> ping = "echoreq"
>>
>> set skip on lo
>> scrub in
>>
>> antispoof for eth0 inet
>>
>> block in all
>> pass out all keep state
>> pass proto udp to any port $udp
>> pass inet proto icmp all icmp-type $ping keep state
>> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
>> pass proto tcp to any port ssh
>>
>> thanks....