Re: Tables and filter blocks not working as expected...

Thu, 01 Dec 2005 02:01:57 -0800 

Forrest Aldrich wrote:



Cédric Berger wrote:

Forrest Aldrich wrote:

I've a few geoip orientated tables for which I want to block certain 
traffic.



I'm able to match the addresses via pfctl, though the connections 
from these IP spaces are still getting through, and I'm puzzled.



I rdr inbound connections to an RFC addressed server.   All mail and 
web are working fine, but these tables are not blocking.  I confirm 
this by watching the logs for rejected messages (I augment the 
filter with an MTA access list).

[...]
tcp_services = "imap, imaps, smtp, smtps"
[...]
# REDIRECTION
rdr pass on $ext_if inet proto tcp from any to ($ext_if) \
    port { $tcp_services } -> $server

Here, in the "nat step", by using "rdr PASS ..." you tell PF that 
there is no
need to evaluate further the packet in the following "filter step". 
Packet

matching the rdr condition here will just PASS.

[...]
# HERE ARE THE TABLE/BLOCK RULES I MENTIONED

block in quick on $ext_if proto { tcp, udp } from { <geoip-apnic>, 
<geoip-lacnic>, <geoip-afrinic>, <geoip-ripe> } \

    to $ext_ad port 25

block in quick on $ext_if from <abuse>


block in quick on $ext_if proto { tcp, udp } from <spammers> to 
$ext_ad port 25


So these rules are never evaluated for packets matching the early RDR.

You should remove the "pass" on the RDR rule, this "pass" attribute is
very convenient for small rulesets or quick-n-dirty tests, but in more
complex rulesets like this one, they are usually not used.

Cedric


I combined the geoip list into one table, to make this easier.

I have the following in place:

rdr on $ext_if inet proto tcp from any to ($ext_if) \
   port { $tcp_services } -> $server

rdr pass on $ext_if inet proto tcp from any to ($ext_if) \
   port 80 -> $server

                rdr pass on $ext_if inet proto tcp from any to 
($ext_if) \

   port 443 -> $server

                         nat on $ext_if inet from ($int_if:network) to 
any -> ($ext_if) 
Note I removed "pass" from the first rdr and that appears to work.



However, if I remove "pass" from the http redirects, it does NOT work, 
and I'm stumped as to why.

Ok, now that you've removed the "pass", that mean that you need to
explicitely "pass" these packets on the filter step.

Something like:

  "pass on $ext_if inet proto tcp from any to $server port { 
$tcp_services }"


Is needed somewhere, maybe with a quick.
Cedric























					Reply via email to