more oddness: I show that rule 24/0 pass in quick is reading first, then it is being blocked by rule 9/0, which is just a block with no quick on it:

Aug 27 11:49:53.562476 rule 24/0(match): pass in on rl1: 192.168.1.42.58341 > 192.168.1.182.22: S 2738012913:2738012913(0) win 32768 <mss 1460,nop,wscale 0,nop,nop,timestamp 34370 0> (DF)
Aug 27 11:49:53.563843 rule 9/0(match): block in on rl1: 192.168.1.42.58341 > 192.168.1.182.22: . ack 7430552 win 33304 <nop,nop,timestamp 34370 1154145286> (DF)

I am at a loss now.

On Tue, 27 Aug 2002, Jason Houx wrote:

> Hi list,
>
> I have an issue with an OpenBSD machine running 3.1 -stable. I have
> this unit running NAT for our help-desk center.
>
> ---------
> 2600 - pix -----> $if_ext | My Box | $if_int1 <----- help desk network
> ----------
>
> I have a machine that is inside the $if_int network that I want to have
> access to the openbsd box for testing when I am working on stuff inside
> their network. I want no other machine to have access to the obsd box
> from the tech network.
>
> I have this rule to allow the workstation [192.168.1.42]
> $ rl1 = if_int
>
> @24 pass in log quick on rl1 inet proto tcp from 192.168.1.42/32 to 192.168.1.182/32 port = ssh flags S/FSRA
>
> In order to stop the rest of the tech network from accessing 22 I have
>
> @9 block in log on rl1 inet proto tcp from 192.168.1.0/24 to 192.168.1.182/32 port = ssh
>
> ----------------------------------------------------------------------------
> *My understanding*
>
> For each packet processed by the packet filter, the filter rules are
> evaluated in sequential order, from first to last. Each rule either
> matches the packet or doesn't. The last matching rule decides what action
> is taken, unless a *quick* is used: if a packet matches a rule which
> has the `quick' option set, this rule is considered the last matching
> rule, and evaluation of subsequent rules is skipped.
>
> I have applied a *quick* statement to the rule to pass in session on
> protocol 22 to allow ssh from 192.168.1.42/32 and just a block with no
> quick on the other statement denying the 192.168.1.0/24 network. With
> this understanding all packets coming from 192.168.1.42/32 should be
> allowed to the int_if of 192.168.1.182 (obsd ip address on help-desk
> network) and block all other machines.
>
> It's not working like that and from the logs I don't know why. Looking at
> my logs I show that the rule without the quick is being read first and it
> is not reading the *quick* rule.
>
> Aug 27 10:22:51.793061 rule 9/0(match): block in on rl1: 192.168.1.42.58327 > 192.168.1.182.22: . ack 2336820352 win 33304 <nop,nop,timestamp 23931 1154134843> (DF)
> Aug 27 10:22:53.291169 rule 9/0(match): block in on rl1: 192.168.1.42.58327 > 192.168.1.182.22: . ack 1 win 33304 <nop,nop,timestamp 23934 1154134846> (DF)
> Aug 27 10:22:55.291100 rule 9/0(match): block in on rl1: 192.168.1.42.58327 > 192.168.1.182.22: . ack 1 win 33304 <nop,nop,timestamp 23938 1154134850> (DF)
> Aug 27 10:22:56.553263 rule 9/0(match): block in on rl1: 192.168.1.42.58327 > 192.168.1.182.22: F 0:0(0) ack 1 win 33304 <nop,nop,timestamp 23940 1154134850> (DF)
> Aug 27 10:22:57.683212 rule 9/0(match): block in on rl1: 192.168.1.42.58327 > 192.168.1.182.22: F 0:0(0) ack 1 win 33304 <nop,nop,timestamp 23942 1154134850> (DF)
>
> I have pasted my whole pf.conf below; any help with what I am missing
> would be appreciated.
>
> Thanks in advance!!
>
> tech# pfctl -s rules
> @0 scrub in on rl0 all
> @1 block out on rl0 all
> @2 block in on rl0 all
> @3 block return-rst out on rl0 proto tcp all
> @4 block return-rst in on rl0 proto tcp all
> @5 block return-icmp out on rl0 proto udp all
> @6 block return-icmp in on rl0 proto udp all
> @7 block in from no-route to any
> @8 block in log on rl1 inet proto tcp from 192.168.1.0/24 to 216.255.50.30/32 port = ssh
> @9 block in log on rl1 inet proto tcp from 192.168.1.0/24 to 192.168.1.182/32 port = ssh
> @10 block in quick on rl1 inet proto udp from 192.168.1.0/24 to 192.168.1.182/32 port = daytime
> @11 block in quick on rl1 inet proto tcp from 192.168.1.0/24 to 192.168.1.182/32 port = daytime
> @12 block in quick on rl1 inet proto udp from 192.168.1.0/24 to 192.168.1.182/32 port = time
> @13 block in quick on rl1 inet proto tcp from 192.168.1.0/24 to 192.168.1.182/32 port = time
> @14 block in quick on rl1 inet proto udp from 192.168.1.0/24 to 192.168.1.182/32 port = sunrpc
> @15 block in quick on rl1 inet proto tcp from 192.168.1.0/24 to 192.168.1.182/32 port = sunrpc
> @16 block in quick on rl1 inet proto udp from 192.168.1.0/24 to 192.168.1.182/32 port = 113
> @17 block in quick on rl1 inet proto tcp from 192.168.1.0/24 to 192.168.1.182/32 port = auth
> @18 block in log quick on rl1 inet proto udp from 192.168.1.0/24 to 209.143.0.24/32 port = 21
> @19 block in log quick on rl1 inet proto tcp from 192.168.1.0/24 to 209.143.0.24/32 port = ftp
> @20 block in log-all quick on rl1 inet proto udp from any to any port = kazza
> @21 block in log-all quick on rl1 inet proto tcp from any to any port = kazza
> @22 block in quick on rl1 inet proto udp from 192.168.1.41/32 to 10.0.1.1/32
> @23 block in quick on rl1 inet proto tcp from 192.168.1.41/32 to 10.0.1.1/32
> @24 pass in log quick on rl1 inet proto tcp from 192.168.1.42/32 to 192.168.1.182/32 port = ssh flags S/FSRA
> @25 pass in log quick on rl1 inet proto tcp from 192.168.1.42/32 to 216.255.50.30/32 port = ssh flags S/FSRA
> @26 pass in log quick on rl0 inet proto udp from any to any port = www flags S/SA
> @27 pass in log quick on rl0 inet proto tcp from any to any port = www flags S/SA
> @28 pass in log quick on rl0 inet proto udp from any to any port = 3306 flags S/SA
> @29 pass in log quick on rl0 inet proto tcp from any to any port = mysql flags S/SA
> @30 pass in log quick on rl0 inet proto udp from any to any port = 2022 flags S/SA
> @31 pass in log quick on rl0 inet proto tcp from any to any port = 2022 flags S/SA
> @32 pass in log quick on rl0 inet proto udp from any to any port = 21 flags S/SA
> @33 pass in log quick on rl0 inet proto tcp from any to any port = ftp flags S/SA
> @34 pass in log quick on rl0 inet proto udp from 216.255.50.16/32 to any port = www flags S/SA
> @35 pass in log quick on rl0 inet proto tcp from 216.255.50.16/32 to any port = www flags S/SA
> @36 pass in log quick on rl0 inet proto udp from 216.255.50.16/32 to any port = ssh flags S/SA
> @37 pass in log quick on rl0 inet proto tcp from 216.255.50.16/32 to any port = ssh flags S/SA
> @38 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 216.255.50.23/32 port = www
> @39 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 216.255.50.23/32 port = www
> @40 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 216.255.50.23/32 port = pop3
> @41 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 216.255.50.23/32 port = pop3
> @42 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 209.143.0.15/32 port = www
> @43 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 209.143.0.15/32 port = www
> @44 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 209.143.0.18/32 port = www
> @45 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 209.143.0.18/32 port = www
> @46 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 209.143.0.5/32 port = pop3
> @47 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 209.143.0.5/32 port = pop3
> @48 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 216.201.8.130/32 port = pop3
> @49 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 216.201.8.130/32 port = pop3
> @50 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 216.255.50.6/32 port = www
> @51 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 216.255.50.6/32 port = www
> @52 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 209.143.0.10/32 port = domain
> @53 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 209.143.0.10/32 port = domain
> @54 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 216.255.50.23/32 port = domain
> @55 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 216.255.50.23/32 port = domain
> @56 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 216.255.50.6/32 port = www
> @57 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 216.255.50.6/32 port = www
> @58 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 209.143.0.20/32 port = 443
> @59 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 209.143.0.20/32 port = https
> @60 pass in log on rl0 inet proto tcp from 216.255.50.23/32 to 216.255.50.30/32 port = ssh
> @61 pass in log on rl0 inet proto tcp from 216.255.50.20/32 to 216.255.50.30/32 port = ssh
> @62 pass in log on rl0 inet proto tcp from 216.255.50.35/32 to 216.255.50.30/32 port = ssh
> @63 pass in log on rl0 inet proto tcp from 24.210.153.224/32 to 216.255.50.30/32 port = ssh
> @64 block out quick on rl0 inet from ! 216.255.50.30/32 to any
> @65 block in quick on rl0 inet from any to 255.255.255.255/32
> @66 pass in log-all quick on rl1 inet proto udp from any port = bootpc to 255.255.255.255/32 port = bootps
> @67 pass in log-all quick on rl1 inet proto tcp from any port = bootpc to 255.255.255.255/32 port = bootps
> @68 block in quick on rl1 inet proto udp from any port 1 >< 66 to 255.255.255.255/32 port 1 >< 66
> @69 block in quick on rl1 inet proto tcp from any port 1 >< 66 to 255.255.255.255/32 port 1 >< 66
> @70 block in quick on rl1 inet proto udp from any port 69 >< 65000 to 255.255.255.255/32 port 69 >< 65000
> @71 block in quick on rl1 inet proto tcp from any port 69 >< 65000 to 255.255.255.255/32 port 69 >< 65000
> @72 block in quick on rl0 inet from 255.255.255.255/32 to any
> @73 block in quick on rl0 inet from 192.168.0.0/16 to any
> @74 block in quick on rl0 inet from 172.16.0.0/12 to any
> @75 block in quick on rl0 inet from 10.0.0.0/8 to any
> @76 pass out on rl0 inet proto icmp all icmp-type echoreq code 0 keep state
> @77 block in log on rl0 inet proto icmp all icmp-type echoreq code 0 keep state
> @78 pass out on rl0 proto udp all flags S/A keep state
> @79 pass out on rl0 proto tcp all modulate state
> @80 block in quick on rl1 inet proto udp from any port = netbios-dgm to any port = netbios-dgm
> @81 block in quick on rl1 inet proto tcp from any port = netbios-dgm to any port = netbios-dgm
> @82 block in quick on rl1 inet proto udp from any port = netbios-ns to any port = netbios-ns
> @83 block in quick on rl1 inet proto tcp from any port = netbios-ns to any port = netbios-ns
> @84 pass in log on rl1 inet proto tcp from 192.168.1.0/24 to any flags S/SA keep state
> @85 pass in log on rl1 inet proto udp from 192.168.1.0/24 to any
> tech#
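The behaviour in the two log lines of the reply, as an added example that is not code from the thread: a small Python model of pf's rule walk over rules @9 and @24 for the SYN and the following ACK of the same connection. It shows that `flags S/FSRA` matches only the initial SYN, so the ACK-only segment fails @24 and falls through to @9 as the last match, and what `keep state` on @24 would change (the flow is then matched from the state table before the ruleset is consulted). The model assumes inbound TCP on rl1 only and leaves out every other rule of the posted set.

```python
import ipaddress
from collections import namedtuple

# Added example (not code from the thread): a minimal model of pf's rule walk
# for rules @9 and @24. flags is pf "set/mask" syntax ("S/FSRA"), "" = any;
# tcpflags lists the flags set on a segment ("S", "A", "FA").
Rule = namedtuple("Rule", "num action src dst dport flags quick keep_state")
Packet = namedtuple("Packet", "src sport dst dport tcpflags")

def flags_match(spec, tcpflags):
    """pf 'flags set/mask': of the flags named in mask, exactly those in set are on."""
    want, mask = spec.split("/") if spec else ("", "")
    return all((f in tcpflags) == (f in want) for f in mask)

def rule_matches(r, p):
    return (ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst)
            and p.dport == r.dport and flags_match(r.flags, p.tcpflags))

def evaluate(rules, packets):
    """Per packet: (deciding rule number, action). Last match wins unless a
    matching rule is quick; a flow already in the state table is passed first."""
    states, out = set(), []
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport)
        if key in states:
            out.append(("state", "pass"))
            continue
        decided = None
        for r in rules:
            if rule_matches(r, p):
                decided = r
                if r.quick:
                    break
        if decided and decided.action == "pass" and decided.keep_state:
            states.add(key)
        out.append((decided.num, decided.action) if decided else (None, "pass"))
    return out

# Rules @9 and @24 as posted; packets are the SYN and the pure ACK from the reply's log.
R9 = Rule(9, "block", "192.168.1.0/24", "192.168.1.182/32", 22, "", False, False)
R24 = Rule(24, "pass", "192.168.1.42/32", "192.168.1.182/32", 22, "S/FSRA", True, False)
PKTS = [Packet("192.168.1.42", 58341, "192.168.1.182", 22, "S"),
        Packet("192.168.1.42", 58341, "192.168.1.182", 22, "A")]

def as_posted():                 # -> [(24, 'pass'), (9, 'block')], as in the log
    return evaluate([R9, R24], PKTS)

def with_keep_state():           # same @24 plus 'keep state': the ACK passes via state
    return evaluate([R9, R24._replace(keep_state=True)], PKTS)
```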
