Re: PF RULES! But mine doesn't ...
> It's a question of letting DNS traffic _in_ to your nameserver:
>
>     pass in on $ext_if inet proto { tcp, udp } \
>         from any to ($ext_if) port 53
>     ^^^ that lets the traffic in
>
>     pass out on $ext_if inet proto { tcp, udp } \
>         from ($ext_if) port 53 to any
>     ^^^ and that lets it back out.
>
> If you add the
>
>     query-source address * port 53;
>
> to your named.conf options section, that'll suffice; additionally,
> since your DNS query source port is then predictable, you can drop it
> from the DNS and NTP rule.

Hello again, Jan!

Well, I tried applying what you said now as well as last time you said it -- but the problem is still there. Unless I uncomment the default deny policy nothing seems to work. The problem must lie elsewhere in my ruleset:

    int_if=ep0
    ext_if=lnc0

    # *** Options
    #
    set block-policy drop

    # *** Scrub incoming packets
    #
    scrub in all

    # *** NAT
    #
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    rdr on $int_if proto tcp from any to any \
        port 21 -> 127.0.0.1 port 8021

    # *** Default deny policy
    #
    # block drop log all

    # *** Pass loopback traffic
    #
    pass quick on { lo0 $int_if }

    # *** Outgoing
    #
    pass out on $ext_if inet proto { tcp, udp, icmp } \
        from ($ext_if) to any keep state

    # *** DNS
    #
    pass in on $ext_if inet proto { tcp, udp } \
        from any to ($ext_if) port 53
    pass out on $ext_if inet proto { tcp, udp } \
        from ($ext_if) port 53 to any

    # *** NTP
    #
    pass out on $ext_if inet proto udp \
        from ($ext_if) to any port { 53, 123 } keep state

    # *** SSH, HTTP and Ident
    #
    pass in on $ext_if inet proto tcp \
        from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state

    # *** Active FTP
    #
    pass in on $ext_if inet proto tcp \
        from port 20 to ($ext_if) user proxy flags S/SA keep state

    # *** Private FTP
    #
    pass in on $ext_if proto tcp \
        from any to any port 31337 keep state
    pass in on $ext_if proto tcp \
        from any to any port 5:5

--
Fafa Hafiz Krantz
Research Designer @ http://www.home.no/barbershop
Enlightened @ http://www.home.no/barbershop/smart/sharon.pdf

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
Re: PF RULES! But mine doesn't ...
Correction: Unless I COMMENT the default deny policy nothing seems to work.

--
Fafa Hafiz Krantz
Re: PF RULES! But mine doesn't ...
> It's a question of letting DNS traffic _in_ to your nameserver:
>
>     pass in on $ext_if inet proto { tcp, udp } \
>         from any to ($ext_if) port 53
>     ^^^ that lets the traffic in
>
>     pass out on $ext_if inet proto { tcp, udp } \
>         from ($ext_if) port 53 to any
>     ^^^ and that lets it back out.

Ok, after having added that it seems that my DNS works. The same goes for my WWW and mail server. SSH servers are all OK to connect to.

I have to wait like 5 minutes after booting my computer before I can connect to those certain FTP sites. What's that all about?

> If you add the
>
>     query-source address * port 53;
>
> to your named.conf options section, that'll suffice; additionally,
> since your DNS query source port is then predictable, you can drop it
> from the DNS and NTP rule.

What do you mean by that?

Anyway, it's pretty close to perfection now :)

Jan, any idea how I can simplify my ruleset?

Also, I'm wondering if I can move the NAT part down below the Outgoing so I can combine it with the Active FTP ruleset so they don't have to be spread throughout the conf.

Thanks!

--
Fafa Hafiz Krantz
Re: PF RULES! But mine doesn't ...
On Tue, 10 May 2005, Fafa Hafiz Krantz wrote:

> Ok, after having added that it seems that my DNS works. The same goes
> for my WWW and mail server. SSH servers are all OK to connect to.
>
> I have to wait like 5 minutes after booting my computer before I can
> connect to those certain FTP sites. What's that all about?
>
> > If you add the
> >
> >     query-source address * port 53;
> >
> > to your named.conf options section, that'll suffice; additionally,
> > since your DNS query source port is then predictable, you can drop it
> > from the DNS and NTP rule.
>
> What do you mean by that?

The rules I suggested are so that external machines can talk to your DNS server (querying about the domain it is authoritative for), and so that responses can get back to those machines.

Your nameserver, however, may also be trying to get requests out. When it does this, by default, it will use a random source-port. By specifying

    options { query-source address * port 53; }

in your named.conf, your nameserver will _also_ use port 53 as the source port on any requests _that it originates_. (That's the distinction.) If you do this, then you won't need port 53 mentioned in your other keep state rule.

I suspect that this might actually be the cause of your transient FTP concern; you should try modifying your nameserver config before you go any further.

(This assumes that your resolv.conf is configured to use the local machine as a nameserver in the first instance. If that is not the case, then you will still need the port 53 clause in your DNS and NTP section, because other programs will use random ports in an attempt to get DNS queries out into the wild.)

> Anyway, it's pretty close to perfection now :)
>
> Jan, any idea how I can simplify my ruleset?
>
> Also, I'm wondering if I can move the NAT part down below the Outgoing
> so I can combine it with the Active FTP ruleset so they don't have to
> be spread throughout the conf.
>
> Thanks!

Your ruleset looks pretty simple, to be honest.

I'm afraid that where the specifics of PF are concerned, I know nothing: the advice I've given you is just generic firewall stuff :-/ It looks to me like your PF config is set up to use some kind of FTP proxy running on localhost:8021. On the other hand, I could be barking up the wrong tree completely; I've pretty much run out of useful things to say about this config.

Cheers,
jan

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44 (0)117 9287088 (with luck) http://ioctl.org/jan/
Prolog in JavaScript: http://ioctl.org/logic/prolog-latest
Re: PF RULES! But mine doesn't ...
On 2005-05-10 05:09, Fafa Hafiz Krantz [EMAIL PROTECTED] wrote:
> > It's a question of letting DNS traffic _in_ to your nameserver:
> >
> >     pass in on $ext_if inet proto { tcp, udp } \
> >         from any to ($ext_if) port 53
> >     ^^^ that lets the traffic in
> >
> >     pass out on $ext_if inet proto { tcp, udp } \
> >         from ($ext_if) port 53 to any
> >     ^^^ and that lets it back out.
> >
> > If you add the
> >
> >     query-source address * port 53;
> >
> > to your named.conf options section, that'll suffice; additionally,
> > since your DNS query source port is then predictable, you can drop it
> > from the DNS and NTP rule.
>
> Hello again, Jan!
>
> Well, I tried applying what you said now as well as last time you said
> it -- but the problem is still there. Unless I uncomment the default
> deny policy nothing seems to work. The problem must lie elsewhere in my
> ruleset:

Show us the output of:

    # pfctl -sr

[snip ruleset]
Re: PF RULES! But mine doesn't ...
- Original Message -
From: Giorgos Keramidas [EMAIL PROTECTED]
To: Fafa Hafiz Krantz [EMAIL PROTECTED], Jan Grant [EMAIL PROTECTED]
Subject: Re: PF RULES! But mine doesn't ...
Date: Tue, 10 May 2005 13:50:27 +0300

> On 2005-05-10 05:09, Fafa Hafiz Krantz [EMAIL PROTECTED] wrote:
> > > It's a question of letting DNS traffic _in_ to your nameserver:
> > >
> > >     pass in on $ext_if inet proto { tcp, udp } \
> > >         from any to ($ext_if) port 53
> > >     ^^^ that lets the traffic in
> > >
> > >     pass out on $ext_if inet proto { tcp, udp } \
> > >         from ($ext_if) port 53 to any
> > >     ^^^ and that lets it back out.
> > >
> > > If you add the
> > >
> > >     query-source address * port 53;
> > >
> > > to your named.conf options section, that'll suffice; additionally,
> > > since your DNS query source port is then predictable, you can drop
> > > it from the DNS and NTP rule.
> >
> > Hello again, Jan!
> >
> > Well, I tried applying what you said now as well as last time you
> > said it -- but the problem is still there. Unless I uncomment the
> > default deny policy nothing seems to work. The problem must lie
> > elsewhere in my ruleset:
>
> Show us the output of:
>
>     # pfctl -sr
>
> [snip ruleset]

Hello!

    # pfctl -sr
    No ALTQ support in kernel
    ALTQ related functions disabled
    scrub in all fragment reassemble
    block drop log all
    pass quick on lo0 all
    pass quick on ep0 all
    pass out on lnc0 inet proto tcp from (lnc0) to any keep state
    pass out on lnc0 inet proto udp from (lnc0) to any keep state
    pass out on lnc0 inet proto icmp from (lnc0) to any keep state
    pass in on lnc0 inet proto tcp from any to (lnc0) port = domain
    pass in on lnc0 inet proto udp from any to (lnc0) port = domain
    pass out on lnc0 inet proto tcp from (lnc0) port = domain to any
    pass out on lnc0 inet proto udp from (lnc0) port = domain to any
    pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state
    pass out on lnc0 inet proto udp from (lnc0) to any port = ntp keep state
    pass in on lnc0 inet proto tcp from any to (lnc0) port = ssh flags S/SA keep state
    pass in on lnc0 inet proto tcp from any to (lnc0) port = http flags S/SA keep state
    pass in on lnc0 inet proto tcp from any to (lnc0) port = auth flags S/SA keep state
    pass in on lnc0 inet proto tcp from any port = ftp-data to (lnc0) user = 62 flags S/SA keep state
    pass in on lnc0 proto tcp from any to any port = 31337 keep state
    pass in on lnc0 proto tcp from any to any port 5:5

About the ALTQ thing, it should be in the kernel. I just recompiled it with:

    # *** Internet family options
    #
    device pf        # OpenBSD PF firewall
    device pflog     # Logging support interface
    device altq      # Alternate queuing
    device gif       # IPv6 and IPv4 tunneling
    device faith     # IPv6-to-IPv4 translation
    device bpf       # Berkeley Packet Filter

Thanks!

--
Fafa Hafiz Krantz
Re: PF RULES! But mine doesn't ...
> The rules I suggested are so that external machines can talk to your
> DNS server (querying about the domain it is authoritative for), and so
> that responses can get back to those machines.
>
> Your nameserver, however, may also be trying to get requests out. When
> it does this, by default, it will use a random source-port. By
> specifying
>
>     options { query-source address * port 53; }
>
> in your named.conf, your nameserver will _also_ use port 53 as the
> source port on any requests _that it originates_. (That's the
> distinction.) If you do this, then you won't need port 53 mentioned in
> your other keep state rule.
>
> I suspect that this might actually be the cause of your transient FTP
> concern; you should try modifying your nameserver config before you go
> any further.

Great :) Thanks man, I'll try that. Isn't this something that ought to be in every named.conf? What ports does it go to by default?

> (This assumes that your resolv.conf is configured to use the local
> machine as a nameserver in the first instance. If that is not the case,
> then you will still need the port 53 clause in your DNS and NTP
> section, because other programs will use random ports in an attempt to
> get DNS queries out into the wild.)

No, my resolv.conf contains my ISP's nameservers.

> Your ruleset looks pretty simple, to be honest.

I've heard many experts say 'your ruleset looks like shit', maybe because they're jealous of my nice headers ;)

Ok, so now my named.conf's option looks like this:

    options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        query-source address * port 53;
    };

Should I specify where to log to? Because it doesn't log.

> I'm afraid that where the specifics of PF are concerned, I know
> nothing: the advice I've given you is just generic firewall stuff :-/
> It looks to me like your PF config is set up to use some kind of FTP
> proxy running on localhost:8021. On the other hand, I could be barking
> up the wrong tree completely; I've pretty much run out of useful things
> to say about this config.

Well you do seem to me like a jack of all trades. Have a wonderful day! :)

--
Fafa Hafiz Krantz
Re: PF RULES! But mine doesn't ...
On 2005-05-10 07:19, Fafa Hafiz Krantz [EMAIL PROTECTED] wrote:
> Giorgos Keramidas [EMAIL PROTECTED] wrote:
> > Show us the output of:
> >
> >     # pfctl -sr
> >
> > [snip ruleset]
>
> Hello!
>
>     # pfctl -sr
>     scrub in all fragment reassemble
>     block drop log all
>     pass quick on lo0 all
>     pass quick on ep0 all

Good so far.

>     pass out on lnc0 inet proto tcp from (lnc0) to any keep state
>     pass out on lnc0 inet proto udp from (lnc0) to any keep state
>     pass out on lnc0 inet proto icmp from (lnc0) to any keep state
>     pass in on lnc0 inet proto tcp from any to (lnc0) port = domain
>     pass in on lnc0 inet proto udp from any to (lnc0) port = domain
>     pass out on lnc0 inet proto tcp from (lnc0) port = domain to any
>     pass out on lnc0 inet proto udp from (lnc0) port = domain to any
>     pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state
>     pass out on lnc0 inet proto udp from (lnc0) to any port = ntp keep state
>     pass in on lnc0 inet proto tcp from any to (lnc0) port = ssh flags S/SA keep state
>     pass in on lnc0 inet proto tcp from any to (lnc0) port = http flags S/SA keep state
>     pass in on lnc0 inet proto tcp from any to (lnc0) port = auth flags S/SA keep state
>     pass in on lnc0 inet proto tcp from any port = ftp-data to (lnc0) user = 62 flags S/SA keep state
>     pass in on lnc0 proto tcp from any to any port = 31337 keep state
>     pass in on lnc0 proto tcp from any to any port 5:5

There are at least two problems with the above rules:

  1. You are using (lnc0) on all the rules below.
  2. There are no address mapping rules (nat or binat).

The reason why (1) may cause problems is that they assume that all packets that come *in* on the lnc0 interface have as their source or destination address one of the IP addresses of that interface. This may not be true if you have packet forwarding enabled. Especially when NAT is not enabled; which it is not, in your ruleset.

Even if NAT _is_ enabled, I think that packets that come in on ep0 will still have the same source address as they go in lnc0 and will only change their source address en route through lnc0, as the NAT rules are applied.

Pay very close attention to the following example from the pf.conf manpage itself. It may help a bit to explain what I said above:

    In the example below, the machine sits between a fake internal
    144.19.74.* network, and a routable external IP of 204.92.77.100.
    The "no nat" rule excludes protocol AH from being translated.

    # NO NAT
    no nat on $ext_if proto ah from 144.19.74.0/24 to any
    nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100

Both number (1) and (2) are not problems if you have public, routable IP addresses on all the hosts visible through the ep0 interface. The fact that you do have a problem suggests that the IP addresses of the ep0 interface (not visible above) are all parts of unroutable, private address blocks.

Another problem that is easily noticed is that you have lots of redundant rules that serve only as a waste of CPU cycles. For instance, these sets of rules will match a common set of IP packets. You may find it useful to note that the *first* rule of each group matches a superset of the packets that the rest match, so you can keep just the first rule of each group for exactly the same effect!

    pass out on lnc0 inet proto tcp from (lnc0) to any keep state
    pass out on lnc0 inet proto tcp from (lnc0) port = domain to any

    pass out on lnc0 inet proto udp from (lnc0) to any keep state
    pass out on lnc0 inet proto udp from (lnc0) port = domain to any
    pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state

- Giorgos
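The superset observation in Giorgos's reply can be checked mechanically. The script below is an added example for this thread, not a pf or pfctl tool and not code from anyone in the thread: it parses the one-line rule form that `pfctl -sr` prints (only the keywords that occur in the listing quoted above; anything else raises) and reports every rule whose matching packets are all matched by an earlier rule of the same action. It tests match-set inclusion only. `quick` and `keep state` are rule options rather than match criteria, and in pf the last matching rule wins unless `quick` is set, so whether a covered rule can be deleted without changing behaviour still has to be judged from the pair the script prints (a later stateless rule, for instance, decides the fate of the packets it matches). The rule list is a constructed sample taken from the listing above. Note also that `pfctl -sr` shows filter rules only; translation rules (nat, rdr, binat) are listed by `pfctl -sn`.

```python
"""Flag pf rules whose match set is contained in an earlier rule's match set.

Hypothetical helper written for this thread, not a pf or pfctl tool. It
understands only the keywords that occur in the pfctl -sr listing quoted
above and raises on anything else instead of guessing.
"""

# Fields that decide whether a packet matches. "quick" and "keep state" are
# rule options rather than match criteria, so they are deliberately left out.
MATCH_FIELDS = ("direction", "iface", "af", "proto",
                "src", "sport", "dst", "dport", "user", "flags")

# Constructed sample: a subset of the pass rules as pfctl -sr printed them.
SAMPLE_RULES = """\
pass quick on lo0 all
pass out on lnc0 inet proto tcp from (lnc0) to any keep state
pass out on lnc0 inet proto udp from (lnc0) to any keep state
pass out on lnc0 inet proto icmp from (lnc0) to any keep state
pass in on lnc0 inet proto tcp from any to (lnc0) port = domain
pass in on lnc0 inet proto udp from any to (lnc0) port = domain
pass out on lnc0 inet proto tcp from (lnc0) port = domain to any
pass out on lnc0 inet proto udp from (lnc0) port = domain to any
pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state
pass out on lnc0 inet proto udp from (lnc0) to any port = ntp keep state
pass in on lnc0 inet proto tcp from any to (lnc0) port = ssh flags S/SA keep state
pass in on lnc0 inet proto tcp from any port = ftp-data to (lnc0) user = 62 flags S/SA keep state
pass in on lnc0 proto tcp from any to any port 5:5
"""


def _value(toks, i):
    """Consume 'port = X', 'port X' or 'user = X' at toks[i]; return (X, next i)."""
    if toks[i + 1] == "=":
        return toks[i + 2], i + 3
    return toks[i + 1], i + 2


def parse_rule(line):
    """Parse one pfctl -sr line into a dict; unrestricted fields are 'any'."""
    toks = line.split()
    r = {f: "any" for f in MATCH_FIELDS}
    r.update(text=line, action=toks[0], quick=False, keep_state=False)
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            r["direction"] = tok
            i += 1
        elif tok == "quick":
            r["quick"] = True
            i += 1
        elif tok in ("drop", "return", "log", "all"):
            i += 1                      # no effect on the match set
        elif tok in ("inet", "inet6"):
            r["af"] = tok
            i += 1
        elif tok in ("on", "proto", "flags"):
            r[{"on": "iface", "proto": "proto", "flags": "flags"}[tok]] = toks[i + 1]
            i += 2
        elif tok in ("from", "to"):
            host, i = toks[i + 1], i + 2
            port = "any"
            if i < len(toks) and toks[i] == "port":
                port, i = _value(toks, i)
            r["src" if tok == "from" else "dst"] = host
            r["sport" if tok == "from" else "dport"] = port
        elif tok == "user":
            r["user"], i = _value(toks, i)
        elif tok == "keep" and toks[i + 1] == "state":
            r["keep_state"] = True
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r} in: {line}")
    return r


def covers(earlier, later):
    """True when every packet matched by `later` is also matched by `earlier`."""
    if earlier["action"] != later["action"]:
        return False
    return all(earlier[f] in ("any", later[f]) for f in MATCH_FIELDS)


def find_covered(lines):
    """Return (covered_index, covering_index) pairs over the non-blank lines."""
    rules = [parse_rule(l) for l in lines if l.strip()]
    found = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if covers(earlier, later):
                found.append((j, i))
                break
    return found


if __name__ == "__main__":
    lines = [l for l in SAMPLE_RULES.splitlines() if l.strip()]
    for j, i in find_covered(lines):
        print(f"rule {j} is covered by rule {i}:\n    {lines[j]}\n    {lines[i]}")
```

Run against the sample it reports exactly the two groups Giorgos singled out: the stateless tcp port-53 out rule is covered by the tcp `keep state` rule, and the three narrower udp out rules are covered by the udp `keep state` rule. The `pass in` rules are not flagged, because the earlier inbound rules all restrict the destination port.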
Re: PF RULES! But mine doesn't ...
On Sun, 8 May 2005, Fafa Hafiz Krantz wrote:

> Hello.
>
> My ruleset is all twisted. Unless I disable the default deny policy,
> this is what happens:
>
> * My nameserver setup goes dysfunctional.
> * My web, mail and fileserver go dysfunctional.
> * I cannot SSH and FTP into certain servers.
> * I cannot ping my IP from the outside.
>
> Can anyone tell what's wrong? And maybe also how I can simplify my
> ruleset?

It's a question of letting DNS traffic _in_ to your nameserver:

>     int_if=ep0
>     ext_if=lnc0
>
>     # *** Options
>     #
>     set block-policy drop
>
>     # *** Scrub incoming packets
>     #
>     scrub in all
>
>     # *** NAT
>     #
>     nat on $ext_if from $int_if:network to any -> ($ext_if)
>     rdr on $int_if proto tcp from any to any \
>         port 21 -> 127.0.0.1 port 8021
>
>     # *** Default deny policy
>     #
>     # block drop log all
>
>     # *** Pass loopback traffic
>     #
>     pass quick on { lo0 $int_if }
>
>     # *** Outgoing
>     #
>     pass out on $ext_if inet proto { tcp, udp, icmp } \
>         from ($ext_if) to any keep state
>
>     # *** Bootstrap
>     #
>     pass out on $ext_if inet proto udp \
>         from any port 68 to any port 67 keep state
>
>     # *** DNS and NTP
>     #
>     pass out on $ext_if inet proto udp \
>         from ($ext_if) to any port { 53, 123 } keep state
>
>     # *** SSH, HTTP and Ident
>     #
>     pass in on $ext_if inet proto tcp \
>         from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state

    pass in on $ext_if inet proto { tcp, udp } \
        from any to ($ext_if) port 53
    ^^^ that lets the traffic in

    pass out on $ext_if inet proto { tcp, udp } \
        from ($ext_if) port 53 to any
    ^^^ and that lets it back out.

If you add the

    query-source address * port 53;

to your named.conf options section, that'll suffice; additionally, since your DNS query source port is then predictable, you can drop it from the DNS and NTP rule.

>     # *** Active FTP
>     #
>     pass in on $ext_if inet proto tcp \
>         from port 20 to ($ext_if) user proxy flags S/SA keep state

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44 (0)117 9287088 (with luck) http://ioctl.org/jan/
Usenet: The separation of content AND presentation - simultaneously.
Re: PF RULES! But mine doesn't ...
Fafa Hafiz Krantz wrote:
> Hello.
>
> My ruleset is all twisted. Unless I disable the default deny policy,
> this is what happens:
>
> * My nameserver setup goes dysfunctional.
> * My web, mail and fileserver go dysfunctional.
> * I cannot SSH and FTP into certain servers.
> * I cannot ping my IP from the outside.
>
> Can anyone tell what's wrong? And maybe also how I can simplify my
> ruleset?
>
>     int_if=ep0
>     ext_if=lnc0
>
>     # *** Options
>     #
>     set block-policy drop
>
>     # *** Scrub incoming packets
>     #
>     scrub in all
>
>     # *** NAT
>     #
>     nat on $ext_if from $int_if:network to any -> ($ext_if)
>     rdr on $int_if proto tcp from any to any \
>         port 21 -> 127.0.0.1 port 8021
>
>     # *** Default deny policy
>     #
>     # block drop log all
>
>     # *** Pass loopback traffic
>     #
>     pass quick on { lo0 $int_if }
>
>     # *** Outgoing
>     #
>     pass out on $ext_if inet proto { tcp, udp, icmp } \
>         from ($ext_if) to any keep state
>
>     # *** Bootstrap
>     #
>     pass out on $ext_if inet proto udp \
>         from any port 68 to any port 67 keep state
>
>     # *** DNS and NTP
>     #
>     pass out on $ext_if inet proto udp \
>         from ($ext_if) to any port { 53, 123 } keep state
>
>     # *** SSH, HTTP and Ident
>     #
>     pass in on $ext_if inet proto tcp \
>         from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state
>
>     # *** Active FTP
>     #
>     pass in on $ext_if inet proto tcp \
>         from port 20 to ($ext_if) user proxy flags S/SA keep state
>
> Thank you so much. Keep in touch!
>
> --
> Fafa Hafiz Krantz
> Research Designer @ http://www.bleed.no

Perhaps you should check the archives. :)
Re: PF RULES! But mine doesn't ...
Fafa Hafiz Krantz wrote:
> > Perhaps you should check the archives. :)
>
> What do you mean? There are many archives out there ... Please tell me
> which one?
>
> Thanks!
>
> --
> Fafa Hafiz Krantz

Did you happen to notice the smile [ :) ] at the end of my post. That was my weak attempt at humor. Some actually found it humorous. Perhaps you need to lighten up and work on your sense of humor. It would go a long way on this list and elsewhere in this world.

On that note, I think the entire world and especially the politicians need to lighten up and try to have some fun. If we can not laugh at ourselves then we have no right to laugh at all.

Robert