Date: Fri, 22 Jan 2010 10:18:03 +0000
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: kalin m <kalin@el.net>
Cc: freebsd-security@freebsd.org
Subject: Re: pf rules
Message-ID: <4B597B5B.6030802@infracaninophile.co.uk>
In-Reply-To: <4B5958E2.9010509@el.net>
References: <4B5958E2.9010509@el.net>
kalin m wrote:
> 
> 
> hi all...
> 
> doing testing with pf...
> 
> how is it possible that if i have these rules below in pf.conf if i do:
> telnet that.host.org 25
> 
> i get:
> Trying xx.xx.xx.xx...
> Connected to that.host.org.
> Escape character is '^]'.
> ........... etc .......
> 
> 
> pf.conf contents:
> 
> tcp_in = "{ www, https }"
> ftp_in = "{ ftp }"
> udp = "{ domain, ntp }"
> ping = "echoreq"
> 
> set skip on lo
> scrub in
> 
> antispoof for eth0 inet
> 
> block in all
> pass out all keep state
> pass proto udp to any port $udp
> pass inet proto icmp all icmp-type $ping keep state
> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state
> pass proto tcp to any port ssh

Did your ruleset actually load into pf?  If you run:

   # pfctl -nf pf.conf

then any output indicates a problem with your pf.conf.  Also, you can
examine the loaded rule set by:

   # pfctl -sr

This is generated from the pf.conf, but with all the list structures
expanded into separate rules.

You say: "antispoof for eth0 inet" -- this looks a bit dodgy to me:
'eth0' is a linuxism.  There's no such network interface driver under
FreeBSD, and you should probably replace that with the actual name of
the interface out of the list returned by 'ifconfig -l'.  You don't really
need the 'inet' bit either -- that will be added automatically, as well as
matching 'inet6' rules if your system is IPv6 capable.  Also, your
antispoof rules should come /after/ your generic 'block all' rule.

Handy hint: it's good practice when writing pf.conf to define a macro
with the interface name:

   ext_if = "em0"

and then use that macro liberally in your rules.

Hmmm... I suppose pf is actually enabled on your system?
You'd need to put:

   pf_enable="YES"
   pflog_enable="YES"

into /etc/rc.conf to have it start automatically, or if you want to start
things manually, do:

   # kldload pf
   # pfctl -e

(but be careful with that if you aren't logged into the console, as you
can lock yourself out)

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
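As an added example, not part of the original thread or the poster's file, the ruleset above rewritten to follow the reply's advice: an interface macro instead of the Linux name 'eth0', antispoof placed after the generic block rule and without the 'inet' keyword, and the unused ftp_in macro dropped. The interface name em0 is an assumption taken from the reply's hint; substitute the name 'ifconfig -l' reports. It goes one step beyond the reply by adding 'quick' to antispoof: pf applies the last matching rule, so without 'quick' a later 'pass in' rule could override the block rules antispoof expands to.

```pf
# Corrected pf.conf (added example, not the poster's file).
# ext_if is an assumed interface name; use the one from 'ifconfig -l'.
ext_if = "em0"

tcp_in = "{ www, https }"
udp    = "{ domain, ntp }"
ping   = "echoreq"

set skip on lo
scrub in all

# Default deny comes first; everything below is an explicit exception.
block in all
pass out all keep state

# antispoof goes after the generic block rule. No 'inet' needed: pf adds
# inet (and inet6 where available) rules itself. 'quick' makes the
# expanded block rules final, so later pass rules cannot override them.
antispoof quick for $ext_if

# Inbound services, each tied to the external interface via the macro.
pass in on $ext_if proto udp to any port $udp
pass in on $ext_if inet proto icmp all icmp-type $ping keep state
pass in on $ext_if proto tcp to any port $tcp_in flags S/SAF synproxy state
pass in on $ext_if proto tcp to any port ssh
```

Before loading it, run 'pfctl -nf pf.conf' as the reply suggests; silence means it parsed. After loading, 'pfctl -sr' shows the antispoof line expanded into the concrete block rules pf derived from the interface's addresses, which is the easiest way to confirm the macro resolved to the interface you intended.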
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4B597B5B.6030802>