After running a program that interfaces with the two redis instances, from
"luke" to "redis6379" and "redis6380", with the following pf.conf, "pfctl
-vvvs rules" shows that the pass rules I set up are not being used (I
suppose I could do inet6 too!):
pf.conf
#
# Rule 0
# anti spoofing rule
antispoof log quick for { lo0, vio0 } label "RULE 0 antispoof "
#
#
anchor "snort2pf"
#
#
# Rule 1a (lo0)
# Allow redis6379 loopback networking to receive on port 6379
pass in quick on lo0 inet proto tcp from any to self port 6379 \
user redis6379 label "Rule 1a"
#
# Rule 1b (lo0)
# Block user loopback networking to receive on port 6379
block in quick on lo0 inet proto { tcp, udp } from any to self port 6379 \
label "Rule 1b"
#
#
# Rule 1c (lo0)
# Allow luke loopback networking to send on port 6379
pass out quick on lo0 inet proto tcp from self port 6379 to any user luke \
label "Rule 1c"
#
# Rule 1d (lo0)
# Block user loopback networking to send on port 6379
block out quick on lo0 inet proto { tcp, udp } from self port 6379 to any \
label "Rule 1d"
#
#
# Rule 1e (lo0)
# Allow redis6380 loopback networking to receive on port 6380
pass in quick on lo0 inet proto tcp from any to self port 6380 user \
redis6380 label "Rule 1e"
#
# Rule 1f (lo0)
# Block loopback networking to receive on port 6380
block in quick on lo0 inet proto { tcp, udp } from any to self \
port 6380 label "Rule 1f"
#
#
# Rule 1g (lo0)
# Allow luke loopback networking to send on port 6380
pass out quick on lo0 inet proto tcp from self port 6380 to any \
user luke label "Rule 1g"
#
# Rule 1h (lo0)
# Block user loopback networking to send on port 6380
block out quick on lo0 inet proto { tcp, udp } from self port 6380 to any \
label "Rule 1h"
#
#
# Rule 1 (lo0)
# Allow all loopback networking
pass quick on lo0 inet from any to any label "RULE 1 -- ACCEPT "
...
@0 block drop in log quick on ! lo0 inet6 from ::1 to any label "RULE 0 antispoof "
[ Evaluations: 47 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@1 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any label "RULE 0 antispoof "
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@2 block drop in log quick on ! vio0 inet from 10.0.2.0/24 to any label "RULE 0 antispoof "
[ Evaluations: 34 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@3 block drop in log quick inet from 10.0.2.15 to any label "RULE 0 antispoof "
[ Evaluations: 17 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@4 anchor "snort2pf" all
[ Evaluations: 47 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@5 pass in quick on lo0 inet proto tcp from any to 127.0.0.1 port = 6379 user = 1001 flags S/SA label "Rule 1a"
[ Evaluations: 47 Packets: 28 Bytes: 1671 States: 8 ]
[ Inserted: uid 0 pid 89214 State Creations: 8 ]
@6 pass in quick on lo0 inet proto tcp from any to 10.0.2.15 port = 6379 user = 1001 flags S/SA label "Rule 1a"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@7 block drop in quick on lo0 inet proto tcp from any to 127.0.0.1 port = 6379 label "Rule 1b"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@8 block drop in quick on lo0 inet proto tcp from any to 10.0.2.15 port = 6379 label "Rule 1b"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@9 block drop in quick on lo0 inet proto udp from any to 127.0.0.1 port = 6379 label "Rule 1b"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@10 block drop in quick on lo0 inet proto udp from any to 10.0.2.15 port = 6379 label "Rule 1b"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@11 pass out quick on lo0 inet proto tcp from 127.0.0.1 port = 6379 to any user = 1000 flags S/SA label "Rule 1c"
[ Evaluations: 26 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@12 pass out quick on lo0 inet proto tcp from 10.0.2.15 port = 6379 to any user = 1000 flags S/SA label "Rule 1c"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@13 block drop out quick on lo0 inet proto tcp from 127.0.0.1 port = 6379 to any label "Rule 1d"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@14 block drop out quick on lo0 inet proto tcp from 10.0.2.15 port = 6379 to any label "Rule 1d"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@15 block drop out quick on lo0 inet proto udp from 127.0.0.1 port = 6379 to any label "Rule 1d"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@16 block drop out quick on lo0 inet proto udp from 10.0.2.15 port = 6379 to any label "Rule 1d"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@17 pass in quick on lo0 inet proto tcp from any to 127.0.0.1 port = 6380 user = 1002 flags S/SA label "Rule 1e"
[ Evaluations: 26 Packets: 519 Bytes: 31009 States: 9 ]
[ Inserted: uid 0 pid 89214 State Creations: 9 ]
@18 pass in quick on lo0 inet proto tcp from any to 10.0.2.15 port = 6380 user = 1002 flags S/SA label "Rule 1e"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@19 block drop in quick on lo0 inet proto tcp from any to 127.0.0.1 port = 6380 label "Rule 1f"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@20 block drop in quick on lo0 inet proto tcp from any to 10.0.2.15 port = 6380 label "Rule 1f"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@21 block drop in quick on lo0 inet proto udp from any to 127.0.0.1 port = 6380 label "Rule 1f"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@22 block drop in quick on lo0 inet proto udp from any to 10.0.2.15 port = 6380 label "Rule 1f"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@23 pass out quick on lo0 inet proto tcp from 127.0.0.1 port = 6380 to any user = 1000 flags S/SA label "Rule 1g"
[ Evaluations: 17 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@24 pass out quick on lo0 inet proto tcp from 10.0.2.15 port = 6380 to any user = 1000 flags S/SA label "Rule 1g"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@25 block drop out quick on lo0 inet proto tcp from 127.0.0.1 port = 6380 to any label "Rule 1h"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@26 block drop out quick on lo0 inet proto tcp from 10.0.2.15 port = 6380 to any label "Rule 1h"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@27 block drop out quick on lo0 inet proto udp from 127.0.0.1 port = 6380 to any label "Rule 1h"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@28 block drop out quick on lo0 inet proto udp from 10.0.2.15 port = 6380 to any label "Rule 1h"
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
[ Inserted: uid 0 pid 89214 State Creations: 0 ]
@29 pass quick on lo0 inet all flags S/SA label "RULE 1 -- ACCEPT "
[ Evaluations: 17 Packets: 547 Bytes: 32680 States: 17 ]
[ Inserted: uid 0 pid 89214 State Creations: 17 ]
...
On Tue, Jan 17, 2017 at 2:00 AM Luke Small <[email protected]> wrote:
> It doesn't. The "pass in quick on lo0 proto {tcp,udp} from any port 6379 to
> self port 6379 user luke" works.
>
> On Mon, Jan 16, 2017, 23:48 Sebastien Marie <[email protected]> wrote:
>
> On Mon, Jan 16, 2017 at 11:04:48PM +0000, Luke Small wrote:
> > I'm trying to have pf limit sending TCP packets over lo0 from a specific
> > user. I made some rules, but they seem to be ignored when I check on
> > pfctl -vvvs rules; it goes to the default lo0 pass rule: "pass out quick
> > on lo0 proto { tcp, udp } from self port 6379 to any port 6379 user luke"
> > and "block out quick on lo0 proto {tcp,udp} from self to any port 6379".
> > Obviously I'm using redis. Redis has authentication, but I think it'd be
> > cool to have that extra layer of protection.
> >
>
> check your /etc/pf.conf if it contains a line like:
>
> set skip on lo
>
> (it is in default pf.conf file), and remove it.
>
> pf(4) will not skip the lo group, so lo0 will be filtered.
> --
> Sebastien Marie
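Editor's note, added to the thread and not part of any of the messages above. Two things decide whether a "user" rule on lo0 can ever match. The first is the one Sebastien gives: with "set skip on lo" in /etc/pf.conf nothing on lo0 is evaluated at all. The second is visible in the counters once lo0 is filtered: the "in" rules to port 6379/6380 with "user redis6379"/"user redis6380" (@5, @17) do match and create states, while the "out" rules with "user luke" (@11, @23) are evaluated but show "Packets: 0", and every outbound state lands on the catch-all @29. The reason is in pf.conf(5): "user" is the owner of the local socket that sends (for "out") or receives (for "in") the packet. The client's SYN leaves lo0 with an ephemeral source port and destination port 6379, so a rule written "from self port 6379 to any" can only describe the server's replies, which belong to redis6379, never to luke, and the replies are carried by state anyway. The rules below are an added example written to the same intent as Rules 1a to 1d for one instance; the usernames and port are the ones from the thread, and "set skip on lo" is assumed to have been removed.

```pf
# Added example, not taken from the thread. Assumes users luke and
# redis6379 exist, redis listens on 127.0.0.1:6379 (and, as in the
# thread, "self" also expands to the vio0 address), and the default
# "set skip on lo" line has been removed from /etc/pf.conf. With that
# line present, none of these rules is ever evaluated.

# Do NOT have this line; it disables all filtering on the lo group.
# set skip on lo

antispoof log quick for { lo0, vio0 } label "antispoof"

# ---- server side: packets delivered to the socket listening on 6379 ----
# On an "in" rule, "user" is the owner of the receiving socket, so this
# matches the SYN handed to redis6379's listener and nothing else.
pass in quick on lo0 inet proto tcp from any to self port 6379 \
    user redis6379 label "6379 listener owned by redis6379"
# Anything else bound to 6379 on loopback (another user's process that
# grabbed the port) gets no traffic.
block in quick on lo0 inet proto { tcp, udp } from any to self port 6379 \
    label "6379 listener, other owner"

# ---- client side: packets leaving the socket that connects to 6379 ----
# On an "out" rule, "user" is the owner of the sending socket. The client
# SYN is "from self <ephemeral> to self port 6379", so the port goes on
# the destination. A rule written "from self port 6379" could only see
# the server's replies, whose socket belongs to redis6379, not luke, and
# those replies are matched by the state created here, not by a rule.
pass out quick on lo0 inet proto tcp from self to self port 6379 \
    user luke label "6379 client luke"
# Every other local user is refused a connection to the instance.
block out quick on lo0 inet proto { tcp, udp } from self to self port 6379 \
    label "6379 client, other user"

# Remaining loopback traffic. Keep this last: a rule above that is written
# for the wrong direction or port silently falls through to it, which is
# what "Packets: 0" on the rule and a growing count here tells you.
pass quick on lo0 inet label "lo0 default"
```

To check the result, reload with "pfctl -f /etc/pf.conf", make one connection as luke and one as any other user, and read "pfctl -vvsr": the "6379 client luke" rule should now show state creations, the "6379 client, other user" rule should count the refused connection, and the "lo0 default" rule should no longer absorb port 6379 traffic. Note that "user" is resolved only for TCP and UDP packets that have a local socket at one end; it cannot classify forwarded traffic.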