From: DAve
Date: Fri, 09 Apr 2010 12:46:26 -0400
To: freebsd-pf@freebsd.org
Subject: Issues with pf and snmp

Good afternoon.

I've been working to enable pf on all our servers in preparation for moving them outside the PIXs we currently use. The first server I tackled was our ftp server; it currently is only used to support VOIP phones via ftp, http, and tftp. I used ipfilter extensively but that was 10? years ago. Everything is working at this point except snmp.

Cacti connects to the server to query snmp and gets part of a result, then snmp stops and takes 80% of the CPU. Cacti is on the network. I am at a loss to understand what is wrong with my ruleset.

### Macros ###
# define common values, so they can be referenced and changed easily.
ext_if="dc0" # replace with actual external interface name i.e., dc0
int_if="dc1"
loop_if="lo0"

### Tables ###
table persist { 127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
table persist { 192.168.32.0/24, 10.0.241.0/24 }
table persist

### Normalization ###
# reassemble fragments and resolve or reduce traffic ambiguities.
scrub all random-id

### Default Filtering ###
block in log all
block out log all

# Lets make certain localhost and the private network is unrestricted
set skip on $loop_if
set skip on $int_if

# Now lets start hammering anything obvious
block drop in quick on $ext_if from to any
block drop out quick on $ext_if from any to
block in quick on $ext_if inet proto tcp from to any port 22 label "ssh bruteforce"
antispoof for $ext_if

# Lets pass ssh, time and dns, we always need those. Also connections from the office and monitoring
pass in quick on $ext_if inet proto tcp from any to $ext_if port 22 keep state
pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state
pass in quick on $ext_if inet proto { tcp, udp, icmp } from to $ext_if keep state

### Server Specific rules ###
# We gotta support those FTP users, that's why we are here and not a kiosk in a mall
pass in quick on $ext_if inet proto tcp from any to $ext_if port 21 keep state
pass in quick on $ext_if inet proto tcp from any to $ext_if port 65000:65500 keep state

# Yep, Cisco phones still using tftp, we do not understand what internet they use at Cisco.
pass in quick on $ext_if inet proto udp from any to $ext_if port 69

# We use www to serve config files as well
pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state

I would think the line allowing tcp, udp, icmp would allow snmp to work from the monitoring server, but snmp is certainly not behaving. Here is the relevant pflog entry.

480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > 10.0.241.41.161: C=SECRET GetNextRequest(21) .0.1[|snmp]

Thanks for any help.

DAve

--
"Posterity, you will know how much it cost the present generation to preserve your freedom. I hope you will make good use of it. If you do not, I shall repent in heaven that ever I took half the pains to preserve it." John Adams

http://appleseedinfo.org
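An added helper (example code written for this page, not part of the original message) for reading tcpdump-style pflog lines like the one quoted above against the post's own table contents: it extracts the rule number, action, interface and endpoints, reports which populated table holds the source and destination, and flags a rule-0 block, which in this ruleset is the default "block in log all" and therefore means no pass rule matched. The table names `bogons` and `trusted` are assumed, since the identifiers did not survive in the quoted pf.conf.

```python
import ipaddress
import re

# Assumed names for the two populated tables in the quoted pf.conf (their
# real identifiers were lost); the prefixes are the ones listed in the post.
TABLES = {
    "bogons": ["127.0.0.0/8", "172.16.0.0/12", "169.254.0.0/16",
               "192.0.2.0/24", "0.0.0.0/8", "240.0.0.0/4"],
    "trusted": ["192.168.32.0/24", "10.0.241.0/24"],
}

# Matches "rule N/M(reason): action dir on iface: src.sport > dst.dport:"
# as printed by tcpdump on the pflog interface for IPv4 traffic.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(line):
    """Return a dict of the pflog fields, or None if the line is not a pflog record."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def tables_containing(addr):
    """Names of the tables whose prefixes cover addr, sorted for stable output."""
    ip = ipaddress.ip_address(addr)
    return sorted(name for name, nets in TABLES.items()
                  if any(ip in ipaddress.ip_network(net) for net in nets))


def classify(line):
    """Parse one pflog line and annotate it with table membership and a default-block flag."""
    rec = parse_pflog(line)
    if rec is None:
        return None
    rec["src_tables"] = tables_containing(rec["src"])
    rec["dst_tables"] = tables_containing(rec["dst"])
    # In the quoted ruleset the first filter rule (@0) is "block in log all",
    # so a rule 0 block means the packet matched no pass rule at all, not
    # that one of the quick block rules fired.
    rec["default_block"] = rec["rule"] == 0 and rec["action"] == "block"
    return rec
```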