From owner-freebsd-pf@FreeBSD.ORG Mon Apr 19 01:28:02 2010
Sender: "J. Hellenthal"
Message-ID: <4BCBB19D.7090206@dataix.net>
Date: Sun, 18 Apr 2010 21:27:57 -0400
From: jhell
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.9.1.9) Gecko/20100331 Thunderbird/3.0.4
To: DAve
Cc: freebsd-pf@freebsd.org
References: <4BBF59E2.80303@pixelhammer.com>
In-Reply-To: <4BBF59E2.80303@pixelhammer.com>
Subject: Re: Issues with pf and snmp
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 04/09/2010 12:46, DAve wrote:
> Good afternoon.
>
> I've been working to enable pf on all our servers in preparation for
> moving them outside the PIXs we currently use. The first server I
> tackled was our ftp server; it currently is only used to support VOIP
> phones via ftp, http, and tftp. I used ipfilter extensively, but that was
> 10? years ago.
>
> Everything is working at this point except snmp. Cacti connects to the
> server to query snmp and gets part of a result, then snmp stops and
> takes 80% of the CPU. Cacti is on the network. I am at a
> loss to understand what is wrong with my ruleset.
>
> ### Macros ###
> # define common values, so they can be referenced and changed easily.
> ext_if="dc0" # replace with actual external interface name i.e., dc0
> int_if="dc1"
> loop_if="lo0"
>
> ### Tables ###
> table persist { 127.0.0.0/8, 172.16.0.0/12, 169.254.0.0/16,
> 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
> table persist { 192.168.32.0/24, 10.0.241.0/24 }
> table persist
>
> ### Normalization ###
> # reassemble fragments and resolve or reduce traffic ambiguities.
> scrub all random-id
>
> ### Default Filtering ###
> block in log all
> block out log all
>
> # Let's make certain localhost and the private network are unrestricted
> set skip on $loop_if
> set skip on $int_if
>
> # Now let's start hammering anything obvious
> block drop in quick on $ext_if from to any
> block drop out quick on $ext_if from any to
> block in quick on $ext_if inet proto tcp from to any port 22 label "ssh bruteforce"
> antispoof for $ext_if
>
> # Let's pass ssh, time and dns, we always need those. Also connections
> # from the office and monitoring
> pass in quick on $ext_if inet proto tcp from any to $ext_if port 22 keep state
> pass out quick on $ext_if inet proto udp from $ext_if to any port 53 keep state
> pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state
> pass in quick on $ext_if inet proto { tcp, udp, icmp } from to $ext_if keep state
>
> ### Server Specific rules ###
> # We gotta support those FTP users, that's why we are here and not a
> # kiosk in a mall
> pass in quick on $ext_if inet proto tcp from any to $ext_if port 21 keep state
> pass in quick on $ext_if inet proto tcp from any to $ext_if port 65000:65500 keep state
> # Yep, Cisco phones still using tftp, we do not understand what internet
> # they use at Cisco.
> pass in quick on $ext_if inet proto udp from any to $ext_if port 69
> # We use www to serve config files as well
> pass in quick on $ext_if inet proto tcp from any to $ext_if port 80 keep state
>
> I would think the line allowing tcp, udp, icmp would allow snmp to work
> from the monitoring server, but snmp is certainly not behaving. Here is
> the relevant pflog entry.
>
> 480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > 10.0.241.41.161: C=SECRET GetNextRequest(21) .0.1[|snmp]
>
> Thanks for any help.
>
> DAve
>

Hi DAve,

Could you try adding a rule specifically for SNMP traffic?
Ports 161, 162, 1993 (cisco-tcp)

Also, could you possibly try adding "no-df" to your "scrub all" rule with the random-id and report back if it helped?

Relevant man page section from pf.conf(5) on the "no-df" scrub option:
http://tinyurl.com/y242jpa

Regards,

--
jhell
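The pflog entry DAve quoted is the one hard piece of evidence in the thread, and note that tcpdump prints the SNMP community string (C=SECRET) in the clear in such entries. The script below is an added example, not something from the thread or from pf itself: it parses pflog text lines of that shape, redacts the community string, and lists inbound SNMP packets that pf blocked from sources inside the networks DAve's monitoring table is supposed to trust (192.168.32.0/24 and 10.0.241.0/24); all sample lines except DAve's own are constructed.

```python
import re
from ipaddress import ip_address, ip_network

# Text form of a pflog record as tcpdump prints it (the shape of the entry quoted
# in the thread); the leading timestamp column is kept verbatim.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>[^)]*)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
    r"(?P<payload>.*)$"
)
SNMP_PORTS = {161, 162}

def parse_pflog(line):
    """Parse one pflog text line into a dict; return None if it is not a pflog record."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("rule", "sub", "sport", "dport"):
        rec[k] = int(rec[k])
    # tcpdump decodes SNMPv1/v2c and prints the community string (C=...) in the clear,
    # as in the quoted entry; redact it before the record is stored or forwarded.
    rec["payload"] = re.sub(r"\bC=\S+", "C=<redacted>", rec["payload"]).strip()
    return rec

def blocked_snmp_from(lines, trusted_nets):
    """Return records for inbound SNMP that pf blocked even though the source lies in
    a network the ruleset meant to trust (here: the monitoring table's networks)."""
    nets = [ip_network(n) for n in trusted_nets]
    hits = []
    for line in lines:
        rec = parse_pflog(line)
        if rec is None or rec["action"] != "block" or rec["dir"] != "in":
            continue
        if rec["dport"] in SNMP_PORTS and any(ip_address(rec["src"]) in n for n in nets):
            hits.append(rec)
    return hits

# Constructed sample input: the first line is DAve's entry, the other two are made up.
SAMPLE = [
    "480683 rule 0/0(match): block in on dc0: 10.0.241.28.39107 > 10.0.241.41.161: C=SECRET GetNextRequest(21) .0.1[|snmp]",
    "000012 rule 9/0(match): pass in on dc0: 10.0.241.28.39107 > 10.0.241.41.161: C=SECRET GetRequest(25) .0.1[|snmp]",
    "000500 rule 0/0(match): block in on dc0: 198.51.100.7.5555 > 10.0.241.41.161: C=public GetRequest(25) .0.1[|snmp]",
]

if __name__ == "__main__":
    for rec in blocked_snmp_from(SAMPLE, ["192.168.32.0/24", "10.0.241.0/24"]):
        print("rule @%d blocked SNMP from trusted host %s -> %s:%d (%s)"
              % (rec["rule"], rec["src"], rec["dst"], rec["dport"], rec["payload"]))
```

The rule number in the output (@0 for DAve's line) is the index shown by `pfctl -vvsr`, so a hit on @0 points at the initial "block in log all" rather than at any later pass rule.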