On 2021/02/25 12:57, Steffen Fritz wrote:
> Sure.

Any difference if you change "modulate state" to "keep state"?

> BR,
> 
> Steffen
> 
> ##############################
> 
> set reassemble yes
> set block-policy return
> set loginterface egress
> set skip on lo
> 
> match in all scrub (no-df random-id max-mss 1440)
> 
> table <bruteforce> persist
> table <blacklist> persist
> table <spamd> persist
> table <spamd-white> persist
> table <company-white> persist file "/etc/mail/company_whitelist"
> 
> block in log
> block in quick from urpf-failed label uRPF
> block quick from <bruteforce>
> 
> pass out all modulate state
> 
> pass in quick inet proto icmp icmp-type { echoreq, unreach }
> pass in quick inet proto tcp from <company-white> to egress port smtp flags S/SA synproxy state rdr-to lo0
> 
> # ssh
> pass in quick proto tcp from any \
>      to (egress) port 2222 \
>      flags S/SA modulate state \
>      (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
> 
> 
> # imaps
> pass in quick proto tcp from any \
>      to (egress) port imaps \
>      flags S/SA modulate state \
>      (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush global)
> 
> 
> 
> pass in log on egress inet proto tcp from <spamd-white> to egress port smtp keep state rdr-to lo0
> pass in log on egress inet proto tcp from <spamd-white> to egress port 465 keep state rdr-to lo0
> pass in log on egress inet proto tcp from !<spamd-white> to egress port smtp keep state rdr-to lo0 port spamd
> pass in log on egress inet proto tcp from !<spamd-white> to egress port 465 keep state rdr-to lo0 port spamd
> 
> 
> pass in proto tcp from any \
>      to (egress) port { submission } \
>      flags S/SA modulate state \
>      (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)
> 
> 
> pass in quick proto tcp from any \
>      to (egress) port { http, https } \
>      flags S/SA modulate state \
>      (max-src-conn 50, max-src-conn-rate 25/5, overload <bruteforce> flush global)
> 
> 
> ################
> 
> 
> 
> Am Thu, Feb 25, 2021 at 11:40:26AM +0100 schrieb Landry Breuil:
> > On Thu, Feb 25, 2021 at 10:31:59AM +0000, Mikolaj Kucharski wrote:
> > > On Thu, Feb 25, 2021 at 10:07:32AM +0100, [email protected] wrote:
> > > > >Synopsis: After installing OpenBSD 6.8 errata 014 pf allows no connections and knows no tables
> > > > >Category: kernel
> > > > >Environment:
> > > >         System      : OpenBSD 6.8
> > > >         Details     : OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> > > >                          [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> > > > 
> > > >         Architecture: OpenBSD.amd64
> > > >         Machine     : amd64
> > > > >Description:
> > > >         After patching my system with syspatch to 6.8-014 no connections to the server were possible, no ssh, no smtp, https, imap. Disabling pf allowed connections.
> > > > 
> > > > 
> > > > >How-To-Repeat:
> > > > 
> > > >         Patch system using syspatch.
> > > > 
> > > > >Fix:
> > > >         I had to revert the most recently installed patch with syspatch -r.
> > > > 
> > > > 
> > > > dmesg:
> > > > OpenBSD 6.8 (GENERIC) #4: Mon Jan 11 10:34:36 MST 2021
> > > >     [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> > > 
> > > Can you show your pf.conf? I don't see that problem here.
> > > 
> > > # syspatch | wc -l
> > >        0
> > > 
> > > # sysctl -n kern.version
> > > OpenBSD 6.8 (GENERIC.MP) #5: Mon Feb 22 04:36:10 MST 2021
> > > [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
> > 
> > no problem either on a VM doing dns/dhcp, i can connect over ssh and it
> > correctly does dns/dhcp:
> > 
> > furka# pfctl -sr
> > block drop in all
> > pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type echorep
> > pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type echoreq
> > pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type timex
> > pass in on vio0 inet proto icmp from any to 172.20.97.3 icmp-type unreach
> > pass out all flags S/SA
> > pass in log on vio0 inet proto tcp from <__automatic_1e5c56b2_0> to 172.20.97.3 port = 22 flags S/SA
> > pass in log on vio0 inet proto tcp from 172.20.97.21 to 172.20.97.3 port = 2812 flags S/SA
> > pass in log on vio0 inet proto udp from <__automatic_1e5c56b2_1> to 172.20.97.3 port = 53
> > pass in log on vio0 inet proto udp from any to any port = 67
> > 
> > furka# sysctl kern.version
> > kern.version=OpenBSD 6.8 (GENERIC) #5: Mon Feb 22 04:04:49 MST 2021
> >     [email protected]:/usr/src/sys/arch/amd64/compile/GENERIC
> 
> -- 
> Steffen Fritz
> 
> T: +49 7141 505 36 12
> W: https://fritz.wtf
> 
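A small static check for a ruleset like the one quoted above, added here as an example and not part of the thread or of OpenBSD's own tooling: it joins backslash-continued lines the way pf.conf(5) describes, lists which tables are declared versus merely referenced in rules, and counts how many rules each state keyword appears in, so the "modulate state" to "keep state" experiment can be scoped before touching the firewall. The sample ruleset is a constructed, trimmed copy of the one posted in the thread.

```python
import re

# Constructed sample: trimmed from the ruleset quoted above, continuations kept on purpose.
SAMPLE_PF_CONF = """\
table <bruteforce> persist
table <blacklist> persist
table <spamd-white> persist
table <company-white> persist file "/etc/mail/company_whitelist"
block quick from <bruteforce>
pass out all modulate state
pass in quick inet proto tcp from <company-white> to egress port smtp flags \\
    S/SA synproxy state rdr-to lo0
pass in quick proto tcp from any to (egress) port 2222 flags S/SA modulate state \\
     (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
pass in log on egress inet proto tcp from !<spamd-white> to egress port smtp \\
    keep state rdr-to lo0 port spamd
pass in proto tcp from any to (egress) port submission flags S/SA modulate state
"""

def logical_lines(text):
    """Join backslash-continued lines and drop comments/blank lines, as pf.conf(5) defines them."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(" ".join(buf.split()))
        buf = ""
    return out

TABLE_DEF = re.compile(r"^table\s+<([^>]+)>")
TABLE_REF = re.compile(r"<([^>_][^>]*)>")  # ignore pfctl's <__automatic_...> names

def audit_tables(text):
    """Return (defined, referenced, undefined) table-name sets for the ruleset."""
    defined, referenced = set(), set()
    for line in logical_lines(text):
        m = TABLE_DEF.match(line)
        if m:
            defined.add(m.group(1))
        else:
            referenced.update(TABLE_REF.findall(line))
    return defined, referenced, referenced - defined

def state_options(text):
    """Count rules per state keyword: what swapping 'modulate state' for 'keep state' would touch."""
    lines = logical_lines(text)
    return {k: sum(k in l for l in lines) for k in ("modulate state", "synproxy state", "keep state")}
```

Run it against the real /etc/pf.conf before `pfctl -nf` to see declared-but-unused tables and rules referencing tables that were never declared.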
