Hello all,

Windows XP / Windows 2000 / OpenBSD systems behind an OpenBSD 3.2-stable firewall with PF.

During "heavy web surfing sessions", especially when loading a lot over a slower (90Kbps) link... I see my "block in" rule stopping a few packets from port 80 servers. A good example is a web page like this: http://forums.fark.com/cgi/fark/comments.pl?IDLink=363417 from a Windows XP SP1 client. On that particular page, each image is loaded from a different server, so you have a lot of connections going out from a single machine to multiple servers.

Outbound Surfing rules
===============================

The OpenBSD FAQ currently suggests:

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out log on $ExtIF all
pass out on $ExtIF inet proto tcp all flags S/SA keep state
pass out on $ExtIF inet proto udp all keep state
pass out on $ExtIF inet proto icmp all keep state

Is this still the "ideal" config for pf on OpenBSD 3.2? Isn't the "shorter form" now:

# and let out-going traffic out and maintain state on established connections
# pass out all protocols, including TCP, UDP and ICMP, and create state,
# so that external DNS servers can reply to our own DNS requests (UDP).
block out log on $ExtIF all
pass out on $ExtIF all keep state

Or am I giving something up?

FYI: In the same section, the openbsd.org FAQ still says to use "pfctl -R /etc/pf.conf" to update rules; the new 3.2 syntax is "pfctl -R -f /etc/pf.conf", correct? Can someone feed that to the appropriate person who maintains the FAQ.

My Rules
====================

ExtIF="tun0"                    # External Interface
ExtIFIP="(tun0)"                # External Interface IP Address
IntIF1="fxp0"                   # Internal Interface 1
IntIF2="wi0"                    # Internal Interface 2 wireless
IntNet1="192.168.148.0/24"      # Our internal network Ethernet
IntNet2="192.168.146.0/24"      # Our internal network Wireless
NoRouteIPs="{ 0.0.0/32, 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
Services="{ www, https }"

scrub in all

nat on $ExtIF from $IntNet1 to any -> $ExtIFIP
nat on $ExtIF from $IntNet2 to any -> $ExtIFIP

block in log quick on $ExtIF from $NoRouteIPs to any
block out log quick on $ExtIF from any to $NoRouteIPs

block in log on $ExtIF all

# only allow our inside interface to connect via ssh
pass in on $IntIF1 inet proto tcp from $IntNet1 to any port 22 \
    flags S/SA keep state
pass in on $IntIF2 inet proto tcp from $IntNet2 to any port 22 \
    flags S/SA keep state

# are we hosting any servers?
# allow others to use http and https
pass in on $ExtIF inet proto tcp from any to any port $Services \
    flags S/SA keep state

block out log on $ExtIF all
pass out on $ExtIF all keep state

As for the blocks when surfing web sites: they are always port 80 traffic going to my clients from servers they are surfing. I see hits on my rule #11 (block in log on $ExtIF all). Are these signs that my rule #17 (pass out on $ExtIF all keep state) is not always keeping state? Servers with problems?

Block examples from log:

Nov 26 07:02:37.572369 rule 11/0(match): block in on tun0: 216.77.188.41.80 > 166.154.128.190.55349: R 2093:2093(0) ack 1 win 0
Nov 26 07:03:08.300311 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:04:11.700187 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:05:16.044624 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:06:20.042119 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:07:23.641847 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:08:28.045226 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:09:32.072133 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:10:36.052234 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:11:40.082263 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:12:43.517003 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: R 4891:4891(0) ack 1 win 17520 (DF)

My web browser (Internet Explorer) on the Windows XP box is still requesting one of the graphics to load from the HTML on the http://forums.fark.com/cgi/fark/comments.pl?IDLink=363417 page.

Thank you.

Stephen Gutknecht
currently in Port Orchard, Washington USA
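A quick way to triage entries like the ones quoted in the post is to group the blocked packets per connection and check whether any of them is a SYN: if none is, the peer is not opening a connection but continuing one for which pf no longer holds a state entry (closed by the client or expired), and repeats of the same segment show the server's retransmission backoff. The script below is an added example, not code from the post or from the OpenBSD project; the sample lines are a subset of the log entries quoted above, in the format printed by tcpdump when reading /var/log/pflog.

```python
import re
from collections import defaultdict

# Sample pflog entries copied from the post above (remaining repeats of the
# 66.79.10.212 segment omitted to keep the sample short).
PFLOG = """\
Nov 26 07:02:37.572369 rule 11/0(match): block in on tun0: 216.77.188.41.80 > 166.154.128.190.55349: R 2093:2093(0) ack 1 win 0
Nov 26 07:03:08.300311 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:04:11.700187 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:05:16.044624 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: . 0:1460(1460) ack 1 win 17520 (DF)
Nov 26 07:12:43.517003 rule 11/0(match): block in on tun0: 66.79.10.212.80 > 166.154.128.190.56084: R 4891:4891(0) ack 1 win 17520 (DF)
"""

# "Mon DD HH:MM:SS.ffffff rule N/0(match): block in on IF: SRC.SPORT > DST.DPORT: FLAGS SEQ:SEQ(LEN) ..."
LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) "
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<seg>\d+:\d+\(\d+\))"
)


def parse_line(line):
    """Return the fields of one TCP pflog line, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    # seconds since midnight; enough to measure intervals within one day's log
    d["t"] = int(d.pop("h")) * 3600 + int(d.pop("m")) * 60 + float(d.pop("s"))
    return d


def summarize(text):
    """Group blocked packets per (src, sport, dst, dport) and characterise each flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        p = parse_line(line)
        if p:
            flows[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)
    out = {}
    for key, pkts in flows.items():
        segs = defaultdict(int)
        for p in pkts:
            segs[p["seg"]] += 1          # identical seq ranges = retransmissions
        has_syn = any("S" in p["flags"] for p in pkts)
        out[key] = {
            "packets": len(pkts),
            "rst": sum("R" in p["flags"] for p in pkts),
            "max_repeat": max(segs.values()),
            "span_s": round(pkts[-1]["t"] - pkts[0]["t"], 3),
            # Without a SYN nobody is opening a connection: these are late packets
            # for a connection pf has no state entry for any more.
            "verdict": "new connection attempt" if has_syn else "late packet, no pf state",
        }
    return out


if __name__ == "__main__":
    for key, info in summarize(PFLOG).items():
        print("%s:%s -> %s:%s" % key, info)
```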
