Date:      Wed, 23 Jul 2008 13:43:09 -0400
From:      FreeBSD <freebsd@optiksecurite.com>
To:        Ivan Petrushev <ivanatora@gmail.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: Why this rule doesn't score a match?
Message-ID:  <48876DAD.9080100@optiksecurite.com>
In-Reply-To: <d39744a20807231025w42fc4a99ha1e99be5fd5c76b0@mail.gmail.com>
References:  <d39744a20807231025w42fc4a99ha1e99be5fd5c76b0@mail.gmail.com>

Ivan Petrushev wrote:
> Hello,
> I'm trying a very simple 'block all, allow a few' firewall, but
> something doesn't seem right.
> As far as I remember 'the right matched rule' is taken and executed -
> this doesn't seem to be working here.
> Here is my firewall:
> #####################
> #macros
> if = "re0"
> ext_ip = "10.10.10.21"
> tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
> udp_services = "{domain, 5190, 5222, ftp}"
>
> #filter
> block in log on $if
> pass on $if proto tcp from any port $tcp_services
> pass on $if proto udp from any port $udp_services
> ####################
> The point here is that if a packet for some of the listed services is
> matching against the rules, it will match the block rule, but after
> that will match some of the last two and get passed. Instead it gets
> blocked and I see it in the log:
> tcpdump -n -i pflog0
> 19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111:  tcp 24
> [bad hdr length 0 - too short, < 20]
> (there are many of these, including on the other ports)
>
> Now, there is something different. I tried removing the block rule,
> and added logging for the 'pass' rules. In that case a packet
> traveling down the rules should match only on the 'pass' rules and get
> logged.
> ####################
> #filter
> #block in log on $if
> pass log on $if proto tcp from any port $tcp_services
> pass log on $if proto udp from any port $udp_services
> ####################
>
> Well, it doesn't get logged. The only thing I see in the log is:
> 20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]
> And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or 80...
>
> What could be wrong here - it is a fairly simple ruleset?
>   
You should try "pass in on $if proto tcp from any to $ext_ip port 
$tcp_services flags S/SA keep state" and "pass in on $if proto udp from 
any to $ext_ip port $udp_services keep state"

Your rule expects the traffic to come FROM $tcp_services but it is going 
TO those ports.

You can omit the "flags S/SA keep state" and the "keep state" if you're 
using FreeBSD 7, it is added automatically.

I would also suggest you use "block all log" instead of "block in 
log" and specify rules for your outgoing traffic too.

Good luck

Martin
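The ruleset Martin describes, written out as an added example that is not part of the original thread: it reuses Ivan's macros, shows the original source-port rule next to the destination-port rule, and the `pass out` lines are an assumption about what "rules for your outgoing traffic" would look like.

```pf
# macros (as posted by Ivan)
if = "re0"
ext_ip = "10.10.10.21"
tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
udp_services = "{domain, 5190, 5222, ftp}"

# default deny in both directions, logged to pflog0
block log all

# original rule (does not match): "from any port" tests the SOURCE port,
# so a packet sent TO port 80 on this host never matches it
# pass on $if proto tcp from any port $tcp_services

# corrected: packets arriving on $if whose DESTINATION is $ext_ip on a
# service port; "flags S/SA keep state" is added automatically on FreeBSD 7
pass in on $if proto tcp from any to $ext_ip port $tcp_services flags S/SA keep state
pass in on $if proto udp from any to $ext_ip port $udp_services keep state

# outgoing traffic (assumption): stateful pass for connections this host
# opens itself; the state entry lets the replies back in through the block
pass out on $if proto tcp from $ext_ip to any flags S/SA keep state
pass out on $if proto udp from $ext_ip to any keep state
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it, so a typo does not leave the box with the old ruleset or no ruleset at all.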