Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 23 Jan 2010 13:18:03 +0100
From:      Erik Norgaard <norgaard@locolomo.org>
To:        Doug Hardie <bc979@lafn.org>
Cc:        freebsd-questions - <freebsd-questions@freebsd.org>
Subject:   Re: pf rules
Message-ID:  <4B5AE8FB.1030901@locolomo.org>
In-Reply-To: <4D14E7C8-DFFD-4580-8CD0-99BB3C4EB051@lafn.org>
References:  <4B594FC0.3010200@el.net> <4B5973AD.8070603@locolomo.org> <772FAD6A-C534-4217-9AA7-274561879E86@lafn.org> <4B59887E.30301@locolomo.org> <4D14E7C8-DFFD-4580-8CD0-99BB3C4EB051@lafn.org>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Doug Hardie wrote:

> This is quite interesting.  I can't figure out the rules on my system. 

Maybe try to simplify, clean up and structure your rules :)

> Here is the pf.conf file with all comments removed:
> 
> table <blackhole> persist file "/etc/blackhole"
> table <spamd> persist
> table <spamd-white> persist
> table <spamd-white-local> persist file "/etc/mail/whitelist"
> MAILHOSTS = "{zool.lafn.org}"
> 
> no rdr on { lo0, lo1 } from any to any
> no rdr inet proto tcp from <spamd-white-local> to any port smtp
> no rdr inet proto tcp from <spamd-white> to any port smtp
> rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
> pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
> block in quick log on $ext_if from <blackhole> to any

1. pf allows short cuts, but these also makes it more difficult to 
debug. I'd separate NAT from filtering, that is never use "rdr pass" 
even though pf allows it. You also need to understand when rdr takes 
place to write your filtering rules.

2. you can deploy one of two policies: Default block with a whitelist or 
default pass with a black list. Mixing these is a bad idea.

3. $ext_if = dc0?

4. rdr needs an interface, I'm surprised that pf will parse the above, 
and have no idea what it does with it. pfctl -sn should show you the nat 
rules.

5. Organize your rules as scetched in last mail, grouping rules for each 
interface, it really helps locating where things go wrong.

I have log statements and catch all rules to ensure that if these are 
triggered there is something in my ruleset I haven't taken into account. 
I avoid using "any" except in default rules.

> Note:  the blackhole file is empty as is the whitelist file.  There is an entry for 216.54.240.150 in spamd database.  This is a test system.
> 
> Here is the output of tcpdump where I have only taken one entry for each rule.  I have listed the rule number at the front of each line:
> 
> Rule 0:  14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S 2501333595:2501333595(0) win 65535 <mss 1460,nop,nop,sackOK>
> Rule 1:  02:26:44.755650 rule 1/0(match): pass in on sis0: 71.109.144.133.40864 > 192.168.25.7.75: S 3941268770:3941268770(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp[|tcp]>
> Rule 2:  10:44:45.037918 rule 2/0(match): block in on dc0: 71.109.162.173.39529 > 206.117.18.7.75: . ack 145 win 65535 <nop,nop,timestamp 705571170 1951648775>
> Rule 4:  13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S 2371633783:2371633783(0) win 65535 <mss 1460,nop,nop,sackOK>
>
> I found no entries for rule 3.  There is virtually no traffic on this system other than from me.
> 
> As I look at pf.conf and tie the rules to the entries I get (rule number at beginning of line):
> 
> no rdr on { lo0, lo1 } from any to any
> no rdr inet proto tcp from <spamd-white-local> to any port smtp
> 0 - no rdr inet proto tcp from <spamd-white> to any port smtp
> 4 - rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
> 1 - pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
> block in quick log on $ext_if from <blackhole> to any
> 
> I have no clue which one is rule 2.  The only block is the last entry but that should never be used because the blackhole file is empty.  pfctl shows the table is empty also.
> 
> The ordering seems to make no sense either.  I also note that the man page for pf.conf indicates in the BNF grammar for pf.conf that log is a valid entry for no rdr.  However, that always generates a syntax error.  Apparently there is no way to log the use of no rdr rules.

see, things seems to have been swapped around somehow, that rule 4 rdr 
is really rule 0 again only now matches for the rdr action, in rule 0 it 
matches pass action. or so it appears.

anyway, to interpret the output of pflog, you need the output from pfctl 
-sr and pfctl -sn rather than your config file.

So, to solve your problem, separate first NAT and filtering. Things 
becomes so much more clear.

Regards, Erik

-- 
Erik Nørgaard
Ph: +34.666334818/+34.915211157                  http://www.locolomo.org



Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?4B5AE8FB.1030901>