The problem was partially the RDR rules. The syntax needed to be
changed, removing the "pass" directive.
What was happening is after that, http packets would be blocked. The
problem ended up being the BLOCK rules.
Where I had:
block in quick on $ext_if proto { tcp, udp } from <geoip> \
to $ext_ad port 25
and it should be:
block in quick on $ext_if proto { tcp, udp } from <geoip> \
to $server port 25
Because translation occurs BEFORE filtering here, the filter sees the
translated packet - so here, the packet would be changed to my internal
RFC address space.
I think it might be more efficient to block based on the /24 rather than
the /32, in case the internal address changes. (?)
Thanks.
Cédric Berger wrote:
Forrest Aldrich wrote:
Cédric Berger wrote:
Forrest Aldrich wrote:
I've a few geoip orientated tables for which I want to block
certain traffic.
I'm able to match the addresses via pfctl, though the connections
from these IP spaces are still getting through, and I'm puzzled.
I rdr inbound connections to an RFC addressed server. All mail
and web are working fine, but these tables are not blocking. I
confirm this by watching the logs for rejected messages (I augment
the filter with an MTA access list).
[...]
tcp_services = "imap, imaps, smtp, smtps"
[...]
# REDIRECTION
rdr pass on $ext_if inet proto tcp from any to ($ext_if) \
port { $tcp_services } -> $server
Here, in the "nat step", by using "rdr PASS ..." you tell PF that
there is no
need to evaluate further the packet in the following "filter step".
Packet
matching the rdr condition here will just PASS.
[...]
# HERE ARE THE TABLE/BLOCK RULES I MENTIONED
block in quick on $ext_if proto { tcp, udp } from { <geoip-apnic>,
<geoip-lacnic>, <geoip-afrinic>, <geoip-ripe> } \
to $ext_ad port 25
block in quick on $ext_if from <abuse>
block in quick on $ext_if proto { tcp, udp } from <spammers> to
$ext_ad port 25
So these rules are never evaluated for packets matching the early RDR.
You should remove the "pass" on the RDR rule, this "pass" attribute is
very convenient for small rulesets or quick-n-dirty tests, but in more
complex rulesets like this one, they are usually not used.
Cedric
I combined the geoip list into one table, to make this easier.
I have the following in place:
rdr on $ext_if inet proto tcp from any to ($ext_if) \
port { $tcp_services } -> $server
rdr pass on $ext_if inet proto tcp from any to ($ext_if) \
port 80 -> $server
rdr pass on $ext_if inet proto tcp from any to
($ext_if) \
port 443 -> $server
nat on $ext_if inet from ($int_if:network)
to any -> ($ext_if) Note I removed "pass" from the first rdr and that
appears to work.
However, if I remove "pass" from the http redirects, it does NOT
work, and I'm stumped as to why.
Ok, now that you've removed the "pass", that mean that you need to
explicitely "pass" these packets on the filter step.
Something like:
"pass on $ext_if inet proto tcp from any to $server port {
$tcp_services }"
Is needed somewhere, maybe with a quick.
Cedric
