Hi all

I am trying to create a very restrictive ruleset for my firewall (OBSD 3.2)
in a NAT environment, what is confusing me is:

A packet matches this rule when I telnet from a client to a webserver's
port 80:

pass out log on rl0 inet proto tcp from any to any port = www modulate state

Note that all traffic is allowed on the internal and loopback interfaces,
and nat should be working just fine, I just did a copy/paste from my
standard ruleset.

The packet logs like this on pflog0:

Jun 29 08:19:54.483958 rule 39/0(match): pass out on rl0: 192.168.1.12.1330 > 213.228.128.63.80: S 2009984860:2009984860(0) win 64240 <mss 1460> (DF)

but no more, the connection just times out....

Can any of you point me to the correct rule to establish such a connection? I
think that once I get where I made the mistake I will be able to create the
remainder of the ruleset with no big problems....

Here is the draft of the pf.conf that is generating this. Most of it,
especially the part regarding the tcp flags, is copied from some tutorials I
found online, if there is any big mistake or some stupid rule, please do not
flame me, I am still in the process of learning tcp...

Thank you all

Tiago


# pf.conf for OpenBSD 3.2 running quimica-ua.dhs.org

# Outside ip address of nat firewall is dhcp
# Inside network is 192.168.1.0

#### Variables ####
ext_if="rl0"
int_if="rl1"
SpoofIP="10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1"
DOUBLECLICK="204.253.104.0/24, 205.138.3.0/24, 206.65.183.0/24, 208.184.29.0/24"
Services="www"
int_net="192.168.1.0/24"        # the whole internal network (the clients)
int_ip="192.168.1.1/32"         # the firewall's own internal address only
ext_ip="rl0/32"                 # this may need changing
Abusers="192.168.1.13"
open_ports_tcp="{ ftp, ssh, smtp, www, pop3, nntp, https }" # ,6346,6347,49151 >< 65535 }"
open_ports_udp="{ domain }"

#### Optimization ####
set optimization aggressive
set timeout tcp.established 3600
set timeout { tcp.opening 30, tcp.closing 120 }
set limit { states 10000, frags 1000 }


# statistics logging on external interface
set loginterface $ext_if

# Normalization
scrub in on $ext_if all fragment reassemble
scrub in on $int_if all fragment reassemble

#### Begin Nat Translation Rules ####

# Redirect for tircproxy in transparent mode!
# need to add a line for each port an irc server runs in
# The source must be the clients ($int_net): $int_ip is the firewall's own
# address and never arrives inbound on $int_if, so "from $int_ip" matched nothing.
rdr on $int_if proto tcp from $int_net to any port 6667 -> 127.0.0.1 port 7666
rdr on $int_if proto tcp from $int_net to any port 7000 -> 127.0.0.1 port 7666

# Redirect for ftp-proxy
# see below rules regarding data connections
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081

# Nat external interface to internal network
# This has to match the clients, i.e. $int_net. With "from $int_ip"
# (192.168.1.1/32) only the firewall's own packets were translated, which is
# why the logged SYN left rl0 with source 192.168.1.12: the webserver's reply
# is addressed to a private address and never comes back.
nat on $ext_if from $int_net to any -> ($ext_if)

#### BEGIN Filtering Rules ####

# Antispoof rules
block in log quick on $ext_if from { $SpoofIP } to any
block out log quick on $ext_if from any to { $SpoofIP }

# Let's stop those hax0rz (bogus TCP flag combinations)
block in log quick on $ext_if proto tcp from any to any flags FUP
block in log quick on $ext_if proto tcp from any to any flags SAFRPU
block in log quick on $ext_if proto tcp from any to any flags SAFRU/SAFRU
block in log quick on $ext_if proto tcp from any to any flags SF/SF
block in log quick on $ext_if proto tcp from any to any flags SR/SR
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP

# Block anything coming from a source we have no back route for
block in log quick from no-route to any

# We do not need ipv6, right?
block in log quick inet6 all
block out log quick inet6 all

# Pass everything on the loopback device,
# should be after the antispoof and antihack rules
pass in quick on lo0 all
pass out quick on lo0 all

# block and log everything by default
block out log-all on $ext_if all
block in  log-all on $ext_if all

# drop broadcasts (cable modem noise)
block in log on $ext_if from any to 255.255.255.255

# Deny doubleclick ads here...
#block out log on $ext_if from any to { $DOUBLECLICK }
#block in log on $ext_if from { $DOUBLECLICK } to any

# ICMP

# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass out log-all on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
#pass in  on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# From here we add services on a need to use basis.

pass out log on $ext_if inet proto udp from any to any port $open_ports_udp keep state
pass out log-all on $ext_if inet proto tcp from any to any port $open_ports_tcp flags S/SA modulate state
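The pflog line quoted in the post already contains the diagnosis: a packet passed *out* on the external interface still carries the private client address, so it was never translated. The following script, added here as an illustration and not part of Tiago's post, scans tcpdump-style pflog0 output for exactly that symptom and checks whether a given nat source spec would cover a client. It assumes the log format shown in the post with numeric ports (tcpdump -n); the first sample line is the one from the post, the other two are constructed (203.0.113.5 is a documentation address standing in for the DHCP-assigned rl0 address).

```python
"""Spot NAT misconfiguration in pflog output: outbound packets on the external
interface whose source address is still private."""
import ipaddress
import re

# Private ranges that should never leave the external interface untranslated
# (the same ranges as the SpoofIP macro, with loopback as a network).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches "Jun 29 08:19:54.483958 rule 39/0(match): pass out on rl0: A.B.C.D.port > E.F.G.H.port: ..."
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d(?:\.\d+)?) "
    r"rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_pflog_line(line):
    """Return the fields of one pflog line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sub", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def is_private(addr):
    """True if addr falls in one of PRIVATE_NETS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def find_untranslated(lines, ext_if):
    """Outbound packets on ext_if whose source is still a private address."""
    hits = []
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        if rec["dir"] == "out" and rec["ifname"] == ext_if and is_private(rec["src"]):
            hits.append(rec)
    return hits


def nat_source_covers(nat_from, client):
    """Would 'nat on $ext_if from <nat_from> ...' translate packets from client?"""
    return ipaddress.ip_address(client) in ipaddress.ip_network(nat_from, strict=False)


# Constructed sample input: line 1 is the line quoted in the post, lines 2 and 3
# are made up (a correctly translated SYN, and plain LAN traffic on rl1).
SAMPLE_LINES = [
    "Jun 29 08:19:54.483958 rule 39/0(match): pass out on rl0: 192.168.1.12.1330 > 213.228.128.63.80: S 2009984860:2009984860(0) win 64240 <mss 1460> (DF)",
    "Jun 29 08:20:11.000001 rule 39/0(match): pass out on rl0: 203.0.113.5.1331 > 213.228.128.63.80: S 1:1(0) win 64240 <mss 1460> (DF)",
    "Jun 29 08:20:12.000002 rule 3/0(match): pass in on rl1: 192.168.1.12.1332 > 192.168.1.1.22: S 2:2(0) win 64240 <mss 1460> (DF)",
]

if __name__ == "__main__":
    for rec in find_untranslated(SAMPLE_LINES, "rl0"):
        print(f"{rec['ts']}: {rec['src']} left {rec['ifname']} untranslated "
              f"(rule {rec['rule']}); the reply to {rec['src']} cannot route back")
    # The post's nat rule uses the firewall's own /32 as source; compare with the LAN.
    for spec in ("192.168.1.1/32", "192.168.1.0/24"):
        print(f"nat from {spec} covers 192.168.1.12: {nat_source_covers(spec, '192.168.1.12')}")
```

Run it against `tcpdump -n -e -ttt -i pflog0` output piped to a file: any hit from `find_untranslated` on the external interface means a nat rule's source spec does not include that client, which `nat_source_covers` confirms for the `/32` versus `/24` case.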

