I started rewriting my firewall rules and decided to throw in restrictions on
outbound connections based on user/group. I've come across something that
has me stumped, and I've not stumbled on the right choice of search terms to
find anyone with a similar problem to see where I may be going about it
wrong.
In short, my first, and so far unsuccessful, attempt has been to allow only
myself to traceroute out of the firewall itself. Because I hadn't been
restricting outbound connections before, rather than block outbound packets
I'm logging them, with more specific, expected traffic passed quickly below
that:
@28 pass out log on ne3 all keep state label "default-out"
  [ Evaluations: 95 Packets: 78 Bytes: 3744 States: 0 ]
@29 pass out quick on ne3 all keep state tagged LAN_IN
  [ Evaluations: 88 Packets: 156 Bytes: 13104 States: 0 ]
@36 pass out quick on ne3 inet proto udp from public_ip to any port 33434 >< 33485 user = 0 keep state label "trace-out"
  [ Evaluations: 39 Packets: 0 Bytes: 0 States: 0 ]
I restricted traceroute to root for now; since it's setuid, I wasn't sure which
way it would come through. Anyway, I still see the blocked packets in the
pflog, for example:
Feb 22 13:04:00.018288 rule 28/0(match): pass out on ne3: public_ip.39038 > 216.109.117.206.33437: udp 12 [ttl 1]
Feb 22 13:04:00.026913 rule 28/0(match): pass out on ne3: public_ip.39038 > 216.109.117.206.33438: udp 12
I'm not really sure what else to try; the pf.conf man page shows examples such
as what I was trying initially:
user { root, myself }
but I changed it to "user = root" since I saw that syntax elsewhere; at any
rate, the results are always the same =) This is the first time I came across
something in the man page that didn't work exactly as expected, so I joined
this list (I should see any replies).
Any pointers appreciated,
Christopher Kruslicky
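As an added debugging aid (not part of the original post), the script below parses the two pflog lines quoted above and checks each logged destination port against the "trace-out" rule's port spec using pf.conf(5) range semantics (":" includes both ends, "><" excludes them, "<>" is the except-range). This separates a port mismatch from a user mismatch when a packet lands on rule 28 instead of rule 36. The log lines are the post's own, re-joined onto single lines; the port bounds default to the rule's 33434 >< 33485.

```python
import re

# Constructed sample input: the two pflog lines from the post, re-joined onto one line each.
PFLOG_LINES = [
    "Feb 22 13:04:00.018288 rule 28/0(match): pass out on ne3: public_ip.39038 > "
    "216.109.117.206.33437: udp 12 [ttl 1]",
    "Feb 22 13:04:00.026913 rule 28/0(match): pass out on ne3: public_ip.39038 > "
    "216.109.117.206.33438: udp 12",
]

# tcpdump-on-pflog layout: "rule N/M(reason): ACTION DIR on IF: SRC.PORT > DST.PORT: PROTO ..."
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifname>\w+): (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+)"
)


def parse_pflog(line):
    """Return a dict of the matched fields (rule, action, dir, ifname, src, sport, dst, dport, proto), or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("rule", "sport", "dport"):
        d[key] = int(d[key])
    return d


def port_matches(op, lo, hi, port):
    """Evaluate one of pf's binary port operators exactly as pf.conf(5) defines them."""
    if op == ":":      # range including boundaries
        return lo <= port <= hi
    if op == "><":     # range excluding boundaries
        return lo < port < hi
    if op == "<>":     # except range
        return port < lo or port > hi
    raise ValueError("unknown pf port operator: %r" % op)


def check_trace_rule(lines, op="><", lo=33434, hi=33485):
    """For each logged UDP packet, report (matched rule, dst port, whether the port spec would match)."""
    results = []
    for line in lines:
        p = parse_pflog(line)
        if p is None or p["proto"] != "udp":
            continue
        results.append((p["rule"], p["dport"], port_matches(op, lo, hi, p["dport"])))
    return results
```

A port inside the spec that still logs under rule 28 means the port part of rule 36 is fine and the remaining difference is the user criterion; note that with "><" the first probe port 33434 itself is outside the range.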