Date:      Tue, 18 Apr 2017 14:26:52 -0400
From:      David Mehler <dave.mehler@gmail.com>
To:        freebsd-questions <freebsd-questions@freebsd.org>
Subject:   freebsd 10.3, pf, and openvpn
Message-ID:  <CAPORhP5eEoUC46taW9WKzBoxSEerDp-t0XrH=MPNYE8FNtLXyg@mail.gmail.com>

Hello,

I'm running FreeBSD 10.3 with jails and now OpenVPN, using pf as the
firewall. I'm having an issue connecting to OpenVPN from off site, and
I have determined it's a firewall issue: when pf is disabled the
connection works. I'm wondering if anyone can spot the error?

My interfaces and networks are as follows: vtnet0 is the external interface,
lo1 carries the jails (10.0.0.0/8), and tun0 is the OpenVPN interface for routed
VPN traffic (10.8.0.0/8). Here's my config:

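#
# Required order: macros, options, normalization, queueing,
# translation, filtering.
# Note: translation rules are first match while filter rules are last match.
#
# (Quoted-printable artifacts from the mail archive -- "=3D", soft line
# breaks -- have been decoded, and rules that the mailer wrapped have been
# rejoined; pf.conf only permits a line break inside { } lists or after "\".)

# Macros
ext_if="vtnet0"
int_if = "lo1"
vpn_if = "tun0"
jailnet = "10.0.0.0/8"
# NOTE(review): 10.8.0.0/8 is the same prefix as $jailnet (10.0.0.0/8), so
# no rule below can tell VPN clients from jails: the first nat rule
# (static-port) also catches $vpnnet and the second nat rule never matches,
# and "antispoof for $int_if" covers VPN client addresses too. If the
# OpenVPN "server" directive hands out a /24, this should be "10.8.0.0/24"
# -- confirm against the OpenVPN server config.
vpnnet="10.8.0.0/8"
icmp_types="{echoreq, unreach}"
#IPV6 ICMP types:
# packet to big and echo request type ping
# Neighbor Discovery Protocol (NDP) (types 133-137):
#   Router Solicitation (RS), Router Advertisement (RA)
#   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
#   Route Redirection
icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
# Unused alternative to $tcpstate. Kept on a single commented line: as
# pasted, its wrapped second half was an uncommented bare line and would
# have been rejected by pfctl.
#synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
tcpstate ="flags S/SA modulate state"
udpstate ="keep state"
voipports = "{5060, 5061, 10000:10500}"

# allowed traffic
tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps,
bootpc, http, imap, https, submission, imaps, 2703}"
udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps,
bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277,
24441, 4500, 500, 50, 51}"

# Name and IP of jails
webmail="10.0.0.15"
# Name and IP of jailed ssh servers
jssh1="10.0.0.15"
jssh2="10.0.0.16"
jssh3="10.0.0.17"
jssh4="10.0.0.18"
# The Asterisk Server
asterisk="10.0.0.17"
# The vpn server
# NOTE(review): this is the host's own tun0 address, not a separate machine;
# see the comment on the 1194 rdr rules below.
vpn="10.8.0.1"

# Options
# block-policy can be either drop or return
set block-policy drop
set optimization conservative
#set skip on tun0

# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if) static-port
nat on $ext_if from $vpnnet to any -> ($ext_if)

# Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to
# jailed ssh servers
# External redirect
rdr on $ext_if inet proto tcp from any to any port 2220 -> $jssh1 port 2220
# reflect for internal hosts
rdr on $int_if inet proto tcp from any to any port 2220 -> $jssh1 port 2220

# External redirect
rdr on $ext_if inet proto tcp from any to any port 2221 -> $jssh2 port 2221
# reflect for internal hosts
rdr on $int_if inet proto tcp from any to any port 2221 -> $jssh2 port 2221

# External redirect
rdr on $ext_if inet proto tcp from any to any port 2222 -> $jssh3 port 2222
# reflect for internal hosts
rdr on $int_if inet proto tcp from any to any port 2222 -> $jssh3 port 2222

# External redirect
rdr on $ext_if inet proto tcp from any to any port 2223 -> $jssh4 port 2223
# reflect for internal hosts
rdr on $int_if inet proto tcp from any to any port 2223 -> $jssh4 port 2223

# Redirect traffic to the vpn server
# NOTE(review): $vpn (10.8.0.1) is this host's tun0 address, so these rdr
# rules only rewrite the destination of a packet that is already addressed
# to this host. Presumably OpenVPN is bound to 0.0.0.0; if so its replies
# leave $ext_if with $ext_if's address as source, not $vpn, do not match
# the rdr state, and are then evaluated as a new outbound flow whose
# destination port is the client's ephemeral port -- which no pass rule
# below allows, so "block all" drops them. To confirm, temporarily change
# "block all" to "block log all" and watch "tcpdump -n -e -ttt -i pflog0"
# for outbound UDP 1194 replies while a client connects. If that is the
# case, remove these four rdr lines and the $vpn pass rules and use the
# plain form instead:
#   pass in on $ext_if inet proto udp from any to ($ext_if) port 1194 keep state
# External redirect
rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
# reflect for internal hosts
rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194

# Redirect traffic to the asterisk server
# SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
rdr on $ext_if inet proto udp from any to any port 5060 -> $asterisk port 5060
rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
rdr on $ext_if inet proto tcp from any to any port 5061 -> $asterisk port 5061
# RTSP ports 10000 to 10500
rdr on $ext_if inet proto udp from any to any port 10000:10500 -> $asterisk port 10000:10500

# Tables
table <bruteforce> persist file "/etc/pf/bruteforce"
table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
table <fail2ban> persist file "/etc/pf/fail2ban"
table <martians> persist file "/etc/pf/martians"
# The ZeuS blocklist of c&c servers
table <ZeuS> persist file "/etc/pf/ZeuS"
# The malwaredomain ip block list
table <malwaredomain> persist file "/etc/pf/malwaredomain"
# Table of selected country IP addresses
table <blocked_countries> persist file "/etc/pf/blocked_countries"
# Table of apache mod_evasive blocks
table <evasive> persist file "/etc/pf/evasive"

antispoof for $ext_if
antispoof for $int_if

# Start by blocking by default
block all

# Block anything in the blocked_countries table first
block in quick from <blocked_countries>

# Block nmap scans
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP

# Explicitly block unroutable addresses
block drop in quick on $ext_if from <martians> to any
block drop out quick on $ext_if from any to <martians>

# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>

# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>

# Explicitly block anything in the droplasso table
block in quick from <droplasso>

# Explicitly block anything in the ZeuS table
block in quick from <ZeuS>

# Explicitly block anything in the malwaredomain table
block in quick from <malwaredomain>

# Block anything in the evasive table
block in quick from <evasive>

# pass everything on the loopback interface
pass quick on lo0 all

# allow ping and host unreach
pass inet proto icmp icmp-type $icmp_types keep state

# Traceroute
# allow out the default range for traceroute(8):
#   ”base+nhops*nqueries-1” (33434+64*3-1)
pass inet proto udp to port 33433:33626 # For IPv4

# Pass out only the desired ports from host and jails
pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate

# Allow ssh connections in from the internet
pass in inet proto tcp from any to $ext_if port ssh flags S/SA keep state \
	(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Pass in ssh traffic to the jails
# pass rules for nat redirect
# Each pair is a rate-limited "pass in" plus a "pass out" for the reflected
# (lo1) leg. The second rule used to be direction-less: it then also matched
# inbound packets and, as the later of two non-quick matches, silently
# overrode the overload <bruteforce> limits of the rule above it.
pass in inet proto tcp from any to $jssh1 port 2220 flags S/SA keep state \
	(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass out inet proto tcp from any to $jssh1 port 2220 flags S/SA keep state

pass in inet proto tcp from any to $jssh2 port 2221 flags S/SA keep state \
	(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass out inet proto tcp from any to $jssh2 port 2221 flags S/SA keep state

pass in inet proto tcp from any to $jssh3 port 2222 flags S/SA keep state \
	(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass out inet proto tcp from any to $jssh3 port 2222 flags S/SA keep state

pass in inet proto tcp from any to $jssh4 port 2223 flags S/SA keep state \
	(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass out inet proto tcp from any to $jssh4 port 2223 flags S/SA keep state

# Pass traffic to the vpn
# Same in/out split as the jail ssh rules above; the outbound pair covers
# the reflected (lo1) leg only.
pass in inet proto udp from any to $vpn port 1194 $udpstate
pass in inet proto tcp from any to $vpn port 1194 $udpstate
pass out inet proto udp from any to $vpn port 1194 $udpstate
pass out inet proto tcp from any to $vpn port 1194 $udpstate
pass quick on tun0 all keep state

# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 flags S/SA keep state \
	(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 flags S/SA keep state \
	(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 flags S/SA keep state \
	(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 flags S/SA keep state \
	(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 flags S/SA keep state \
	(max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# pass traffic from the asterisk server
pass inet proto {udp, tcp} from any to $asterisk port $voipports keep state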

I've tried enabling the `set skip on tun0` line (no good), changing the
vpnnet nat rule to use vpn_if (no good), and commenting out the pass rules
and using `rdr pass` on the 1194 rdr lines; none of these has worked.

Any help appreciated.

Thanks.
Dave.


