Date: Sat, 22 Apr 2017 18:32:45 -0400 From: Ultima <ultima1252@gmail.com> To: David Mehler <dave.mehler@gmail.com> Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org>, freebsd-pf@freebsd.org Subject: Re: freebsd 10.3, pf, and openvpn Message-ID: <CANJ8om5PZXk0NEiU%2BdDEDyrk%2BBgAVcT2_9q0LkvZvg3z54y9tw@mail.gmail.com> In-Reply-To: <CAPORhP6QcWp1CrxqNic30f%2Bi1MuvevhAkMB0i46ePfD6uHDDBQ@mail.gmail.com> References: <CAPORhP5eEoUC46taW9WKzBoxSEerDp-t0XrH=MPNYE8FNtLXyg@mail.gmail.com> <CANJ8om6Aab3tnf%2BVNo1N8owU462XoawbGghJxwA6aH3p9_bLpg@mail.gmail.com> <CAPORhP4_n-Gkzf-WgeEZHqzbPXnMgW3jKxe=stX2zcRHq7bN%2Bw@mail.gmail.com> <CANJ8om6FX9QvdP5vxMLdRU6P8ML-dY_yw%2BqB3u3BfYJLrGfGrg@mail.gmail.com> <CAPORhP5UEyW9Cz21PN5Bnt_7V-yBNHCJkpPad6PstDS-5DLwGQ@mail.gmail.com> <CANJ8om4H5PgPF8L72NQCNGf_OBAKt--rgm65A9D7iJF3Wrx-Eg@mail.gmail.com> <CANJ8om7MxW_x%2BKi8SKha0XB5eHRUpSJS6FiQXCGx0Z9boeh8zw@mail.gmail.com> <CAPORhP7v8%2Ba%2BzdiLAeohe364QT0MMmvBmj6Ux7qPLechQD2cig@mail.gmail.com> <CAPORhP6QcWp1CrxqNic30f%2Bi1MuvevhAkMB0i46ePfD6uHDDBQ@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Bravo, I am glad you are still working on this and starting simple.
> The bad news is I have it by accident, I'm not sure how or why it is
> working. I don't think it should be. Below I've placed the relevant
> portions of my before (non-working) and after (working) pf
> configuration files In the working configuration there's no rdr lines,
> shouldn't there be?
rdr rule is only necessary when a packet should be routed to a different
destination. In this case, openvpn looks to be listening on ext_if, because
of this no rdr rule required. One thing you must ask yourself on the
Non-working pf configuration is, because there are no block rules, how is
it not working?
> Non-working pf configuration:
> ext_if=3D"vtnet0"
> vpn_if =3D "tun0"
> vpnnet=3D"192.168.0.0/24"
> udp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc,
http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441}" # This
line is required for dns, removing the 1194 from this line did not effect
the outcome
> vpn=3D"192.168.0.1"
> set skip on tun0
> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp
fragment reassemble # Are these values correct?
If by correct, you are asking will it work, It should yes. I wouldn't worry
so much about optimizing the scrub values unless you are running into a
specific issue. If you're really interested find "scrub" in this section to
read more about it.
https://www.freebsd.org/cgi/man.cgi?query=3Dpf.conf&sektion=3D5
> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
> rdr on $ext_if inet proto udp to $ext_if port 1194 -> $vpn port 1194
All traffic on port 1194 is being redirected to the vpn ip. It is highly
unlikely openvpn is listening on that port to initiate a connection. That
address pool is created for the outgoing traffic of a connected vpn client.
> pass inet proto tcp from { self, $jailnet, $vpnnet } to any port
$tcp_services $tcpstate
> pass inet proto udp from { self, $jailnet, $vpnnet } to port
$udp_services $udpstate
> # Pass traffic to the vpn
> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
> Working pf configuration:
> ext_if=3D"vtnet0"
> vpn_if =3D "tun0"
> vpnnet=3D"192.168.0.0/24"
> vpn=3D"192.168.0.1"
> set skip on tun0
> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp
fragment reassemble
> nat on $ext_if inet from $vpnnet to any -> $ext_if
> # Pass traffic to the vpn
> pass in quick on $ext_if proto udp from any to $ext_if port 1194 keep
state
This is beautifully simple and precisely what is needed if any block rules
were in place. If you plan to not jail openvpn, this is an ideal starting
place. From here I would remove the skip on tun0 and apply some rules to
your internal vpn connections.
Also, don't forget by default pf blocks nothing, so without a block rule
nothing will be dropped.
> I'm also curious as to whether my tls configuration is correct, using
> the most secure ciphers and protocols and pfs for both the control and
> data channels? Do I also need to uncomment the lz4 lines? Here's the
> relevant portions of my client and server configs:
I would suggest using compression for the performance boost. lz4 is fast,
but always consider that its another layer, and that could possibly be
compromised like other compression related performance boosting attacks.
I'm no expert on this however just note it _may_ or _maynot_ be another
vector in the future, and hopefully not present. Check out BEAST, BREACH,
and CRIME vulns which are other compression based attacks.
> tls-auth ta.key 1
Starting with Openvpn 2.4.0, tls-crypt was added and includes
authentication. It is an improved version of tls-auth and replaces it. I
think tls-auth is still present for compatibility purposes for older
clients.
This is a basic config for my desktop, very simple.
This is my desktop config:
set block-policy drop
set skip on lo
scrub all no-df max-mss 1440 random-id reassemble tcp
block all
pass in inet proto icmp all icmp-type echoreq
pass in inet6 proto ipv6-icmp all icmp6-type { 128, 129, 133, 134, 135,
136, 137 }
pass in inet proto tcp to any port { 22 }
pass out all keep state
This is a host with some jails, the jails are all using the same interface,
with alias ip's. This is on a lan network.
host=3D"192.168.1.8"
host_tcp=3D"22, 53, 5902"
host_udp=3D"53, 69"
j1_jail=3D"192.168.1.9"
j1_tcp=3D"80, 443, 42837"
j1_udp=3D"42837"
j2_jail=3D"192.168.1.10"
j2_tcp=3D"2400"
test_jail=3D"192.168.1.33"
test_tcp=3D"80, 443, 12001"
test_udp=3D""
set block-policy drop
# Bridge1 and tap1 added for bhyve, pf + bhyve do not mix well.
set skip on { lo, bridge1, tap1 }
scrub all no-df max-mss 1440 random-id reassemble tcp
block all
pass in inet proto icmp all icmp-type echoreq
pass in inet6 proto ipv6-icmp all icmp6-type { 1, 2, 3, 4, 128, 129, 133,
134, 135, 136, 137 }
pass in proto tcp to $host port { $host_tcp } keep state
pass in proto udp to $host port { $host_udp } keep state
pass in proto tcp to $j1_jail port { $j1_tcp } keep state
pass in proto udp to $j1_jail port { $j1_udp } keep state
pass in proto tcp to $j2_jail port { $j2_tcp } keep state
pass in proto tcp to $test_jail port { $test_tcp } keep state
pass in proto udp to $test_jail port { $test_udp } keep state
pass out all keep state
This is not what I suggest unless you aren't worried too much about
segregation, and most def not suggested if its attached to WAN like in your
case. Having loopback for jails like you had before is better. Enabling
icmp6-type 1 2 3 4 are not super important, more for errors. If you want
more information on them check out this page:
https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol_version_6
but the important ones to enable are 128, 129, 133, 134, 135, 136, 137.
The important thing I want to suggest is to make a variable or table for
everything that way if/when the config gets complicated it is much easier
to read. I can also post a config of a decommissioned router but I would
need time to get it, if you're interested.
I hope this helps,
Ultima
On Sat, Apr 22, 2017 at 2:35 PM, David Mehler <dave.mehler@gmail.com> wrote=
:
> Hello,
>
> First of all my thanks to everyone who has been helping me with my
> FreeBSD, pf, and Openvpn issue over the past few days. It is much
> appreciated.
>
> The good news is I have it, FreeBSD, pf, and Openvpn with the external
> Windows client now working, that is I can connect. I can ping the
> 192.168.0.1 vpn server address, as well as from server to client I
> haven't done much else but it is working.
>
> The bad news is I have it by accident, I'm not sure how or why it is
> working. I don't think it should be. Below I've placed the relevant
> portions of my before (non-working) and after (working) pf
> configuration files In the working configuration there's no rdr lines,
> shouldn't there be?
>
> Non-working pf configuration:
> ext_if=3D"vtnet0"
> vpn_if =3D "tun0"
> vpnnet=3D"192.168.0.0/24"
> udp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps,
> bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277,
> 24441}" # This line is required for dns, removing the 1194 from this
> line did not effect the outcome
> vpn=3D"192.168.0.1"
> set skip on tun0
> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp
> fragment reassemble # Are these values correct?
> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
> rdr on $ext_if inet proto udp to $ext_if port 1194 -> $vpn port 1194
> pass inet proto tcp from { self, $jailnet, $vpnnet } to any port
> $tcp_services $tcpstate
> pass inet proto udp from { self, $jailnet, $vpnnet } to port
> $udp_services $udpstate
> # Pass traffic to the vpn
> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
>
> Working pf configuration:
> ext_if=3D"vtnet0"
> vpn_if =3D "tun0"
> vpnnet=3D"192.168.0.0/24"
> vpn=3D"192.168.0.1"
> set skip on tun0
> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp
> fragment reassemble
> nat on $ext_if inet from $vpnnet to any -> $ext_if
> # Pass traffic to the vpn
> pass in quick on $ext_if proto udp from any to $ext_if port 1194 keep sta=
te
>
> I'm wondering why my second config works? Are my scrub values right.
> Here's my server's network device configurations:
>
> vtnet0: flags=3D8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu
> 1500
> options=3D6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_
> MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_
> IPV6,TXCSUM_IPV6>
> ether EthernetAddress
> inet6 fe80::f03c:91ff:fedf:6fc%vtnet0 prefixlen 64 scopeid 0x1
> inet6 inet6Address autoconf
> inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast xxx.xxx.xxx.255
> nd6 options=3D23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
> media: Ethernet 10Gbase-T <full-duplex>
> status: active
> tun0: flags=3D8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
> options=3D80000<LINKSTATE>
> inet6 fe80::6424:fcc1:8d67:8fc6%tun0 prefixlen 64 scopeid 0x4
> inet 192.168.0.1 --> 192.168.0.2 netmask 0xffffff00
> nd6 options=3D21<PERFORMNUD,AUTO_LINKLOCAL>
> Opened by PID 81855
> pflog0: flags=3D141<UP,RUNNING,PROMISC> metric 0 mtu 33160
>
> I'm also curious as to whether my tls configuration is correct, using
> the most secure ciphers and protocols and pfs for both the control and
> data channels? Do I also need to uncomment the lz4 lines? Here's the
> relevant portions of my client and server configs:
>
> server configuration:
> local xxx.xxx.xxx.xxxport 1194
> proto udp4
> dev tun0
> ca /usr/local/etc/openvpn/keys/ca.crt
> cert /usr/local/etc/openvpn/keys/openvpn-server.crt
> key /usr/local/etc/openvpn/keys/openvpn-server.key # This file should
> be kept secret
> dh /usr/local/etc/openvpn/keys/dh.pem
> topology subnet
> server 192.168.0.0 255.255.255.0
> ifconfig-pool-persist ipp.txt
> ;client-config-dir ccd
> ;route 10.9.0.0 255.255.255.252
> # Then add this line to ccd/Thelonious:
> # ifconfig-push 10.9.0.1 10.9.0.2
> ;push "redirect-gateway def1 bypass-dhcp"
> push "dhcp-option DNS 208.67.222.222"
> push "dhcp-option DNS 208.67.220.220"
> ;client-to-client
> keepalive 10 120
> tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
> cipher AES-256-GCM
> ;compress lz4-v2
> ;push "compress lz4-v2"
> max-clients 16
> user nobody
> group nobody
> persist-key
> persist-tun
> status /var/log/openvpn/openvpn-status.log
> log /var/log/openvpn/openvpn.log
> verb 4
> mute 20
> mute-replay-warnings
> remote-cert-tls client
> tls-version-min 1.2
> auth SHA512
> tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-
> WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-
> SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
> explicit-exit-notify 1
>
> client configuration:
> client
>
> dev tun
>
> proto udp4
>
> tun-mtu 1500
>
> remote xxx.xxx.xxx.xxx 1194
>
> resolv-retry infinite
>
> nobind
>
> persist-key
>
> persist-tun
>
> mute-replay-warnings
>
> ca ca.crt
>
> cert client1.crt
>
> key client1.key
>
> tls-auth ta.key 1
>
> remote-cert-tls server
>
> cipher AES-256-GCM
>
> verb 4
>
> tls-version-min 1.2
>
> tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-
> WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-
> SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
>
> auth SHA512
>
> route-method exe
>
> route-delay 5
>
> route-metric 550
>
> Thanks again.
> Dave.
>
> PS, Ultima can I get a look at your pf configuration?
>
> On 4/19/17, David Mehler <dave.mehler@gmail.com> wrote:
> > Hello,
> >
> > I commented out the rules indicated and still nothing.
> >
> > Thanks.
> > DAve.
> >
> > On 4/19/17, Ultima <ultima1252@gmail.com> wrote:
> >> I forgot to mention, make sure the ext_gateway variable changed to the
> >> correct gateway.
> >>
> >> On Wed, Apr 19, 2017 at 8:24 PM, Ultima <ultima1252@gmail.com> wrote:
> >>
> >>> I keep looking at the rules and finally decided to rewrite some of
> them.
> >>> This may not fix the issue you are having with openvpn tho. The issue
> >>> with
> >>> that is most likely the passing out rules. This rule is kinda written
> >>> wierd
> >>> and I suggest just removing it and passing everything out and verifyi=
ng
> >>> if
> >>> that is the cause. The problem is many connections that the host will
> >>> open
> >>> is opened at the high end ports, I believe it was around 40000:65535.=
I
> >>> could be wrong tho and hope someone corrects my errors if so.
> >>>
> >>> > # Pass out only the desired ports from host and jails
> >>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
> >>> $tcp_services $tcpstate
> >>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port
> >>> > $udp_services
> >>> $udpstate
> >>>
> >>> If ur still having issues with openvpn, with this ruleset, then first=
,
> >>> try
> >>> changing the block all rule to block on ext_if. This will determine i=
f
> a
> >>> pass rule internally is the cause.
> >>>
> >>> > block all
> >>> block on $ext_if all
> >>>
> >>> Going to CC freebsd-pf@freebsd.org I hope this helps
> >>>
> >>> Ultima
> >>>
> >>>
> >>> #
> >>> # Required order: macros, options, normalization, queueing,
> >>> # translation, filtering.
> >>> # Note: translation rules are first match while filter rules are last
> >>> match.
> >>>
> >>> # Macros
> >>> ext_if=3D"vtnet0"
> >>> ext_gateway=3D"10.0.0.1"
> >>> int_if =3D "lo1"
> >>> vpn_if =3D "tun0"
> >>> jailnet =3D "10.0.0.0/8"
> >>> vpnnet=3D"10.8.0.0/8"
> >>> icmp_types=3D"{echoreq, unreach}"
> >>> #IPV6 ICMP types:
> >>> # packet to big and echo request type ping
> >>> # Neighbor Discovery Protocol (NDP) (types 133-137):
> >>> # Router Solicitation (RS), Router Advertisement (RA)
> >>> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
> >>> # Route Redirection
> >>> icmp6_types=3D"{ 2, 128, 133, 134, 135, 136, 137 }"
> >>> #synstate=3D"flags S/SA synproxy state (max-src-conn 15,
> max-src-conn-rate
> >>> 5/3, overload <bruteforce> flush global)"
> >>> tcpstate=3D"flags S/SA modulate state"
> >>> udpstate=3D"keep state"
> >>>
> >>> # allowed traffic
> >>> tcp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, boo=
tpc,
> >>> http, imap, https, submission, imaps, 2703}"
> >>> udp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, boo=
tpc,
> >>> http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441,
> >>> 4500,
> >>> 500, 50, 51}"
> >>>
> >>> # Name and IP of jails
> >>> webmail=3D"10.0.0.15"
> >>> # Name and IP of jailed ssh servers
> >>> jssh1=3D"10.0.0.15"
> >>> jssh2=3D"10.0.0.16"
> >>> jssh3=3D"10.0.0.17"
> >>> jssh4=3D"10.0.0.18"
> >>> jssh1_tcp=3D"2220"
> >>> jssh2_tcp=3D"2221"
> >>> jssh3_tcp=3D"2222"
> >>> jssh4_tcp=3D"2223"
> >>> # The Asterisk Server
> >>> asterisk=3D"10.0.0.17"
> >>> asterisk_tcp=3D"5060:5061"
> >>> asterisk_udp=3D"5060, 10000:10500"
> >>> # The vpn server
> >>> vpn=3D"10.8.0.1"
> >>>
> >>> # Options
> >>> # block-policy can be either drop or return
> >>> set block-policy drop
> >>> set optimization conservative
> >>> set skip on lo0
> >>>
> >>> # Normalization
> >>> # normalize all incoming traffic. Set ttl 254: limits mapping of host=
s
> >>> behind
> >>> # firewall. Set random-id to help same.
> >>> # Set mss to ATM network frame size for easy splitting upstream.
> >>> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tc=
p
> >>> fragment reassemble
> >>>
> >>> # NAT
> >>> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
> >>> nat on $ext_if from $vpnnet to any -> ($ext_if)
> >>>
> >>> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to
> >>> jailed ssh servers
> >>> # External redirect & reflect for internal hosts
> >>> # Note, the -> $ip port $port is only required for port triggering.
> >>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) =
}
> >>> port { $jssh1_tcp } tag jssh1 -> $jssh1
> >>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) =
}
> >>> port { $jssh2_tcp } tag jssh2 -> $jssh2
> >>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) =
}
> >>> port { $jssh3_tcp } tag jssh3 -> $jssh3
> >>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) =
}
> >>> port { $jssh4_tcp } tag jssh4 -> $jssh4
> >>>
> >>> # Redirect traffic to the vpn server
> >>> # External redirect
> >>> rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if),
> >>> ($int_if) } port 1194 tag vpn -> $vpn
> >>>
> >>> # Redirect traffic to the asterisk server
> >>> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
> >>> # RTSP ports 10000 to 10500
> >>> rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag
> >>> asterisk_udp -> $asterisk
> >>> rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag
> >>> asterisk_tcp -> $asterisk
> >>>
> >>> # Tables
> >>> table <bruteforce> persist file "/etc/pf/bruteforce"
> >>> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
> >>> table <fail2ban> persist file "/etc/pf/fail2ban"
> >>> table <martians> persist file "/etc/pf/martians"
> >>> # The ZeuS blocklist of c&c servers
> >>> table <ZeuS> persist file "/etc/pf/ZeuS"
> >>> # The malwaredomain ip block list
> >>> table <malwaredomain> persist file "/etc/pf/malwaredomain"
> >>> # Table of selected country IP addresses
> >>> table <blocked_countries> persist file "/etc/pf/blocked_countries"
> >>> # Table of apache mod_evasive blocks
> >>> table <evasive> persist file "/etc/pf/evasive"
> >>>
> >>> antispoof for { $ext_if, $int_if }
> >>>
> >>> # Start by blocking by default
> >>> block all
> >>>
> >>> # Block anything in the blocked_countries table first
> >>> block in quick from <blocked_countries>
> >>>
> >>> # Block nmap scans
> >>> block in quick on $ext_if inet proto tcp from any to any flags FUP/FU=
P
> >>>
> >>> # Explicitly block unroutable addresses
> >>> block drop in quick on $ext_if from <martians> to any
> >>> block drop out quick on $ext_if from any to <martians>
> >>>
> >>> # Explicitly block anything in the bruteforce table
> >>> block in quick from <bruteforce>
> >>>
> >>> # Explicitly block anything in the fail2ban table
> >>> block in quick from <fail2ban>
> >>>
> >>> # Explicitly block anything in the droplasso table
> >>> block in quick from <droplasso>
> >>>
> >>> # Explicitly block anything in the ZeuS table
> >>> block in quick from <ZeuS>
> >>>
> >>> # Explicitly block anything in the malwaredomain table
> >>> block in quick from <malwaredomain>
> >>>
> >>> # Block anything in the evasive table
> >>> block in quick from <evasive>
> >>>
> >>> # allow ping and host unreach
> >>> pass inet proto icmp icmp-type $icmp_types keep state
> >>>
> >>> # Traceroute
> >>> # allow out the default range for traceroute(8):
> >>> # =E2=80=9Dbase+nhops*nqueries-1=E2=80=9D (33434+64*3-1)
> >>> pass inet proto udp to port 33433:33626 # For IPv4
> >>>
> >>> # Pass out only the desired ports from host and jails
> >>> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
> >>> $tcp_services $tcpstate
> >>> pass inet proto udp from {self, $jailnet, $vpnnet} to port
> $udp_services
> >>> $udpstate
> >>>
> >>> # Allow ssh connections in from the internet
> >>> pass in inet proto tcp from any to ($ext_if) port ssh \
> >>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overlo=
ad
> >>> <bruteforce> flush global)
> >>> # Pass in ssh traffic to the jails
> >>> # pass rules for nat redirect
> >>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged
> >>> jssh1 jssh2 jssh3 jssh4 \
> >>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overlo=
ad
> >>> <bruteforce> flush global)
> >>> pass in on $int_if inet proto tcp tagged jssh1 jssh2 jssh3 jssh4 flag=
s
> >>> S/SA keep state
> >>>
> >>> # Pass traffic to the vpn
> >>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp=
}
> >>> tagged vpn $udpstate
> >>> pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
> >>> pass out on tun0 keep state
> >>> #pass quick on tun0 all keep state
> >>>
> >>> # Pass in smtp, http, https, submission, imaps traffic from the
> internet
> >>> pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \
> >>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overlo=
ad
> >>> <bruteforce> flush global)
> >>>
> >>> # pass traffic from the asterisk server
> >>> pass inet proto tcp tagged asterisk_tcp keep state
> >>> pass inet proto udp tagged asterisk_udp keep state
> >>>
> >>> On Wed, Apr 19, 2017 at 11:06 AM, David Mehler <dave.mehler@gmail.com=
>
> >>> wrote:
> >>>
> >>>> Hi,
> >>>>
> >>>> Thanks. Still no go on the vpn.In answer to your questions:
> >>>>
> >>>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
> >>>>
> >>>> > $tcp_services $tcpstate
> >>>>
> >>>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port
> >>>>
> >>>> > $udp_services $udpstate
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> I've got only a selected list of ports that I want in or out,
> >>>> everything else should be blocked.
> >>>>
> >>>> I tried commenting out the pass quick on tun0 all and replaced it wi=
th
> >>>> set skip on tun0 no joy.
> >>>>
> >>>> I took out the second nat line on the vpnnet as of now I'm wanting t=
o
> >>>> keep the jailnet and the vpnnet ranges the same, though if this issu=
e
> >>>> doesn't soon resolve I might change that idea.
> >>>>
> >>>>
> >>>> > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >>>> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush
> >>>>
> >>>>
> >>>>
> >>>> global)
> >>>>
> >>>> > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >>>>
> >>>>
> >>>> What I wanted to achieve with this was nat reflection, external
> >>>> connections to these hosts worked fine on the desired ports, but on
> >>>> the host itself if I tried to do an ssh to one of my jails port 2220
> >>>> it failed, these rules corrected that.
> >>>>
> >>>> Right now I'll settle for working.
> >>>>
> >>>> Thanks.
> >>>> Dave.
> >>>>
> >>>> On 4/19/17, Ultima <ultima1252@gmail.com> wrote:
> >>>> > After a full look, I suspect this being a problem entry.
> >>>> >
> >>>> >> # Pass out only the desired ports from host and jails
> >>>> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
> >>>> >> $tcp_services $tcpstate
> >>>> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port
> >>>> >> $udp_services $udpstate
> >>>> >
> >>>> > Try commenting them and adding pass out all or pass inet proto {
> tcp,
> >>>> udp }
> >>>> > any and see if that works.
> >>>> >
> >>>> >
> >>>> >> pass quick on tun0 all keep state
> >>>> > This is another problem area, but probably not the cause. The quic=
k
> >>>> > is
> >>>> > probably not handled as you are expecting. Pf reads the filtering
> >>>> > rules
> >>>> in
> >>>> > priority from bottom to top bottom being highest priority to top
> >>>> > being
> >>>> > lowest priority. When quick is added, this is more or less reverse=
d
> >>>> > for
> >>>> the
> >>>> > rule and because its near the bottom it has a lower priority. In
> >>>> > general
> >>>> > the "quick" directive can make pf very confusing and a ruleset
> harder
> >>>> > to
> >>>> > read so other than the top blocking entires with quick, I suggest
> >>>> > never
> >>>> > using it, or use it for all filters and make it simple the opposit=
e
> >>>> > way.
> >>>> >
> >>>> >
> >>>> >> jailnet =3D "10.0.0.0/8"
> >>>> >> vpnnet=3D"10.8.0.0/8"
> >>>> > One thing I noticed is that the subnet chosen is an /8 subnet.
> >>>> > Because
> >>>> of
> >>>> > this, the entire 10.* address space applies to jailnet making all
> >>>> jailnet +
> >>>> > vpnnet entries redundant. This also allows all addresses to
> >>>> communicate, at
> >>>> > least if pf isn't filtering them. Usually segmenting the subnet is
> >>>> desired
> >>>> > to limit communication between them.
> >>>> >
> >>>> >> pass quick on lo0 all
> >>>> > Why not just skip on lo0?
> >>>> >
> >>>> >
> >>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >>>> > (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flu=
sh
> >>>> > global)
> >>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >>>> > Why does this nearly duplicate rules exist?
> >>>> >
> >>>> >
> >>>> > Optimizing pf is fun, but one thing that is important to remember =
is
> >>>> > the
> >>>> > more rules added, the more cycles used per packet. This is typical=
ly
> >>>> > not
> >>>> > noticed on a small deployments but it can become huge issue if
> grown.
> >>>> >
> >>>> > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler <
> dave.mehler@gmail.com>
> >>>> > wrote:
> >>>> >
> >>>> >> Hello Ultima,
> >>>> >>
> >>>> >> Thank you for your reply. Thanks for the information, I'm liking
> the
> >>>> >> new way the rules are looking. Unfortunately, still no go on the
> >>>> >> vpn.
> >>>> >> Everything else is working, just not the vpn.
> >>>> >>
> >>>> >> Thanks.
> >>>> >> Dave.
> >>>> >> PS, here's my rules as they stand now.
> >>>> >>
> >>>> >> pf.conf:
> >>>> >> #
> >>>> >> # Required order: macros, options, normalization, queueing,
> >>>> >> # translation, filtering.
> >>>> >> # Note: translation rules are first match while filter rules are
> >>>> >> last
> >>>> >> match.
> >>>> >>
> >>>> >> # Macros
> >>>> >> ext_if=3D"vtnet0"
> >>>> >> int_if =3D "lo1"
> >>>> >> vpn_if =3D "tun0"
> >>>> >> jailnet =3D "10.0.0.0/8"
> >>>> >> vpnnet=3D"10.8.0.0/8"
> >>>> >> icmp_types=3D"{echoreq, unreach}"
> >>>> >> #IPV6 ICMP types:
> >>>> >> # packet to big and echo request type ping
> >>>> >> # Neighbor Discovery Protocol (NDP) (types 133-137):
> >>>> >> # Router Solicitation (RS), Router Advertisement (RA)
> >>>> >> # Neighbor Solicitation (NS), Neighbor Advertisement (NA)
> >>>> >> # Route Redirection
> >>>> >> icmp6_types=3D"{ 2, 128, 133, 134, 135, 136, 137 }"
> >>>> >> #synstate=3D"flags S/SA synproxy state (max-src-conn 15,
> >>>> >> max-src-conn-rate 5/3, overload <bruteforce> flush global)"
> >>>> >> tcpstate =3D"flags S/SA modulate state"
> >>>> >> udpstate =3D"keep state"
> >>>> >> voipports =3D "{5060, 5061, 10000:10500}"
> >>>> >>
> >>>> >> # allowed traffic
> >>>> >> tcp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps,
> >>>> >> bootpc, http, imap, https, submission, imaps, 2703}"
> >>>> >> udp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps,
> >>>> >> bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277,
> >>>> >> 24441,
> >>>> >> 4500, 500, 50, 51}"
> >>>> >>
> >>>> >> # Name and IP of jails
> >>>> >> webmail=3D"10.0.0.15"
> >>>> >> # Name and IP of jailed ssh servers
> >>>> >> jssh1=3D"10.0.0.15"
> >>>> >> jssh2=3D"10.0.0.16"
> >>>> >> jssh3=3D"10.0.0.17"
> >>>> >> jssh4=3D"10.0.0.18"
> >>>> >> # The Asterisk Server
> >>>> >> asterisk=3D"10.0.0.17"
> >>>> >> # The vpn server
> >>>> >> vpn=3D"10.8.0.1"
> >>>> >>
> >>>> >> # Options
> >>>> >> # block-policy can be either drop or return
> >>>> >> set block-policy drop
> >>>> >> set optimization conservative
> >>>> >> set skip on tun0
> >>>> >>
> >>>> >> # Normalization
> >>>> >> # normalize all incoming traffic. Set ttl 254: limits mapping of
> >>>> >> hosts
> >>>> >> behind
> >>>> >> # firewall. Set random-id to help same.
> >>>> >> # Set mss to ATM network frame size for easy splitting upstream.
> >>>> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassembl=
e
> >>>> >> tcp
> >>>> >> fragment reassemble
> >>>> >>
> >>>> >> # NAT
> >>>> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
> >>>> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
> >>>> >>
> >>>> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223
> to
> >>>> >> jailed ssh servers
> >>>> >> # External redirect
> >>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port
> >>>> >> 2220
> >>>> >> # reflect for internal hosts
> >>>> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port
> >>>> >> 2220
> >>>> >>
> >>>> >> # External redirect
> >>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port
> >>>> >> 2221
> >>>> >> # reflect for internal hosts
> >>>> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port
> >>>> >> 2221
> >>>> >>
> >>>> >> # External redirect
> >>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port
> >>>> >> 2222
> >>>> >> # reflect for internal hosts
> >>>> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port
> >>>> >> 2222
> >>>> >>
> >>>> >> # External redirect
> >>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port
> >>>> >> 2223
> >>>> >> # reflect for internal hosts
> >>>> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port
> >>>> >> 2223
> >>>> >>
> >>>> >> # Redirect traffic to the vpn server
> >>>> >> # External redirect
> >>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $v=
pn
> >>>> port
> >>>> >> 1194
> >>>> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 ->
> $vpn
> >>>> port
> >>>> >> 1194
> >>>> >> # reflect for internal hosts
> >>>> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $v=
pn
> >>>> port
> >>>> >> 1194
> >>>> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 ->
> $vpn
> >>>> port
> >>>> >> 1194
> >>>> >>
> >>>> >> # Redirect traffic to the asterisk server
> >>>> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
> >>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 ->
> >>>> >> $asterisk port 5060
> >>>> >> #rdr on $ext_if inet proto tcp from any to any port 5060 ->
> >>>> >> $asterisk
> >>>> >> port
> >>>> >> 5060
> >>>> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk
> port
> >>>> 5061
> >>>> >> # RTSP ports 10000 to 10500
> >>>> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 ->
> >>>> >> $asterisk
> >>>> >> port 10000:10500
> >>>> >>
> >>>> >> # Tables
> >>>> >> table <bruteforce> persist file "/etc/pf/bruteforce"
> >>>> >> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
> >>>> >> table <fail2ban> persist file "/etc/pf/fail2ban"
> >>>> >> table <martians> persist file "/etc/pf/martians"
> >>>> >> # The ZeuS blocklist of c&c servers
> >>>> >> table <ZeuS> persist file "/etc/pf/ZeuS"
> >>>> >> # The malwaredomain ip block list
> >>>> >> table <malwaredomain> persist file "/etc/pf/malwaredomain"
> >>>> >> # Table of selected country IP addresses
> >>>> >> table <blocked_countries> persist file "/etc/pf/blocked_countries=
"
> >>>> >> # Table of apache mod_evasive blocks
> >>>> >> table <evasive> persist file "/etc/pf/evasive"
> >>>> >>
> >>>> >> # for the spamd greylist/blacklist service
> >>>> >> # (not related to spamassassin's spamd daemon)
> >>>> >> #table <spamd> persist
> >>>> >> #table <spamd-white> persist
> >>>> >>
> >>>> >> antispoof for $ext_if
> >>>> >> antispoof for $int_if
> >>>> >>
> >>>> >> # Start by blocking by default
> >>>> >> block all
> >>>> >>
> >>>> >> # Block anything in the blocked_countries table first
> >>>> >> block in quick from <blocked_countries>
> >>>> >>
> >>>> >> # Block nmap scans
> >>>> >> block in quick on $ext_if inet proto tcp from any to any flags
> >>>> >> FUP/FUP
> >>>> >>
> >>>> >> # Explicitly block unroutable addresses
> >>>> >> block drop in quick on $ext_if from <martians> to any
> >>>> >> block drop out quick on $ext_if from any to <martians>
> >>>> >>
> >>>> >> # Explicitly block anything in the bruteforce table
> >>>> >> block in quick from <bruteforce>
> >>>> >>
> >>>> >> # Explicitly block anything in the fail2ban table
> >>>> >> block in quick from <fail2ban>
> >>>> >>
> >>>> >> # Explicitly block anything in the droplasso table
> >>>> >> block in quick from <droplasso>
> >>>> >>
> >>>> >> # Explicitly block anything in the ZeuS table
> >>>> >> block in quick from <ZeuS>
> >>>> >>
> >>>> >> # Explicitly block anything in the malwaredomain table
> >>>> >> block in quick from <malwaredomain>
> >>>> >>
> >>>> >> # Block anything in the evasive table
> >>>> >> block in quick from <evasive>
> >>>> >>
> >>>> >> # pass everything on the loopback interface
> >>>> >> pass quick on lo0 all
> >>>> >>
> >>>> >> # allow ping and host unreach
> >>>> >> pass inet proto icmp icmp-type $icmp_types keep state
> >>>> >>
> >>>> >> # Traceroute
> >>>> >> # allow out the default range for traceroute(8):
> >>>> >> # =E2=80=9Dbase+nhops*nqueries-1=E2=80=9D (33434+64*3-1)
> >>>> >> pass inet proto udp to port 33433:33626 # For IPv4
> >>>> >>
> >>>> >> # Pass out only the desired ports from host and jails
> >>>> >> pass inet proto tcp from { self, $jailnet } to any port
> >>>> >> $tcp_services
> >>>> >> $tcpstate
> >>>> >> pass inet proto udp from { self, $jailnet } to port $udp_services
> >>>> >> $udpstate
> >>>> >>
> >>>> >> # Allow ssh connections in from the internet
> >>>> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state
> >>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
> flush
> >>>> >> global)
> >>>> >> # Pass in ssh traffic to the jails
> >>>> >> # pass rules for nat redirect
> >>>> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state
> >>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
> flush
> >>>> >> global)
> >>>> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
> >>>> >>
> >>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
> flush
> >>>> >> global)
> >>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
> >>>> >>
> >>>> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state
> >>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
> flush
> >>>> >> global)
> >>>> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
> >>>> >>
> >>>> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state
> >>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
> flush
> >>>> >> global)
> >>>> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
> >>>> >>
> >>>> >> # Pass traffic to the vpn
> >>>> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
> >>>> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
> >>>> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
> >>>> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate
> >>>> >>
> >>>> >> # Pass in http traffic from the internet
> >>>> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state
> >>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
> flush
> >>>> >> global)
> >>>> >>
> >>>> >> # Pass in https traffic from the internet
> >>>> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state
> >>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
> flush
> >>>> >> global)
> >>>> >>
> >>>> >> # Pass in smtp traffic from the internet
> >>>> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state
> >>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
> flush
> >>>> >> global)
> >>>> >>
> >>>> >> # Pass in submission traffic from the internet
> >>>> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state
> >>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
> flush
> >>>> >> global)
> >>>> >>
> >>>> >> # Pass in imaps traffic from the internet
> >>>> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state
> >>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce>
> flush
> >>>> >> global)
> >>>> >>
> >>>> >> # pass traffic from the asterisk server
> >>>> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep
> state
> >>>> >>
> >>>> >>
> >>>> >> On 4/18/17, Ultima <ultima1252@gmail.com> wrote:
> >>>> >> > I didn't have time to read and look through this entire post, b=
ut
> >>>> >> > I
> >>>> >> think I
> >>>> >> > know the issue you're running into and this suggestion should
> push
> >>>> you
> >>>> >> > in
> >>>> >> > the right direction.
> >>>> >> >
> >>>> >> > this rule for example,
> >>>> >> >
> >>>> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn
> >>>> >> > port
> >>>> >> > 1194
> >>>> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn
> >>>> >> > port
> >>>> >> > 1194
> >>>> >> > # reflect for internal hosts
> >>>> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn
> >>>> >> > port
> >>>> >> > 1194
> >>>> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn
> >>>> >> > port
> >>>> >> > 1194
> >>>> >> >
> >>>> >> > This is probably not giving you the results you desire. Basical=
ly
> >>>> >> > because
> >>>> >> > no from or to ip is specified ALL and I quite literally mean AL=
L
> >>>> >> > packets
> >>>> >> > using port 1194 are being sent to $vpn port 1194. Usually you
> want
> >>>> >> > to
> >>>> >> make
> >>>> >> > it something like,
> >>>> >> >
> >>>> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 ->
> >>>> >> > $vpn
> >>>> >> > port
> >>>> >> > 1194
> >>>> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 ->
> >>>> >> > $vpn
> >>>> >> > port
> >>>> >> > 1194
> >>>> >> >
> >>>> >> > Now the traffic will be passed only when the packet is going to
> >>>> >> > the
> >>>> >> > host,
> >>>> >> > not all traffic on a specific port. Another thing you may want =
to
> >>>> >> > do
> >>>> is
> >>>> >> > combined many of these rules you have.
> >>>> >> >
> >>>> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 ->
> >>>> >> > $vpn
> >>>> >> > port
> >>>> >> > 1194
> >>>> >> >
> >>>> >> > Also note the above, because we are specifying any for from, we
> >>>> >> > can
> >>>> >> remove
> >>>> >> > the form rule entirely and make it shorter.
> >>>> >> >
> >>>> >> > Hope this helps
> >>>> >> >
> >>>> >> > Ultima
> >>>> >> >
> >>>> >>
> >>>> >
> >>>>
> >>>
> >>>
> >>
> >
>
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANJ8om5PZXk0NEiU%2BdDEDyrk%2BBgAVcT2_9q0LkvZvg3z54y9tw>