Re: OpenBSD 4.1: pf is not blocking anything
Marcos Laufer wrote:

> Hello,
>
> I am testing pf in an OpenBSD 4.1. This same configuration works fine on
> OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is
> passing thru, just like as if there was no 'block all'.
>
> What worries me most is that anyone on the outside can see my ssh service.
>
> Is there anything wrong with the state of my rules? If I didn't
> misunderstand, these rules should work just fine.
>
> Any ideas?
>
> Thanks in advance,
> Marcos
>
> # good guys
> table <goodhosts> persist
> pass in quick on egress from <goodhosts> to any keep state

I'm no pf expert, so here's a simple question. What, if anything, is in
table goodhosts? Maybe you're allowing everything in because of that
table, or maybe you're testing from an IP defined as OK in that table?
Re: OpenBSD 4.1: pf is not blocking anything
> I am testing pf in an OpenBSD 4.1. This same configuration works fine on
> OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is
> passing thru, just like as if there was no 'block all'.

Is pf enabled? (pfctl -si)
Did your ruleset load ok? (pfctl -sr)

> What worries me most is that anyone on the outside can see my ssh service.

I do different things on different boxes, but my usual setup these days
is something like this:

    PasswordAuthentication no
    Match Address 192.168.*,10.*
        PasswordAuthentication yes

This allows passwords to work on selected networks and forces keys for
the rest of the internet. Allows me to hop from machine to machine on an
internal network, access it from anywhere from trusted boxes with keys,
and discourages me from typing passwords in from untrusted boxes (reduces
risk from keyloggers).
Re: OpenBSD 4.1: pf is not blocking anything
Marcos Laufer [EMAIL PROTECTED] writes:

> I am testing pf in an OpenBSD 4.1. This same configuration works fine on
> OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is
> passing thru, just like as if there was no 'block all'.

Are you sure that your rule set actually does get loaded? pfctl -s rules
will show you which rules are loaded (a possible first step), but syntax
errors should show up (with line number indicated) when you try to load
your rules.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
First, we kill all the spammers  The Usenet Bard, Twice-forwarded tales
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: OpenBSD 4.1: pf is not blocking anything [solved]
Hello,

Just found out what was wrong. I knew that the ruleset was all right...
I just forgot to activate pf by placing pf=YES in rc.local.conf

I'm glad that OpenBSD works just fine, and it's me who needs to be
repaired :)

I am very sorry for the noise, thanks to everybody for the tips and advice

Marcos

----- Original Message -----
From: Peter N. M. Hansteen [EMAIL PROTECTED]
To: Marcos Laufer [EMAIL PROTECTED]
Cc: misc@openbsd.org
Sent: Tuesday, May 22, 2007 8:23 AM
Subject: Re: OpenBSD 4.1: pf is not blocking anything

> Marcos Laufer [EMAIL PROTECTED] writes:
>
>> I am testing pf in an OpenBSD 4.1. This same configuration works fine on
>> OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is
>> passing thru, just like as if there was no 'block all'.
>
> Are you sure that your rule set actually does get loaded? pfctl -s rules
> will show you which rules are loaded (a possible first step), but syntax
> errors should show up (with line number indicated) when you try to load
> your rules.
>
> --
> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
> http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
> First, we kill all the spammers  The Usenet Bard, Twice-forwarded tales
> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
OpenBSD 4.1: pf is not blocking anything
Hello,

I am testing pf in an OpenBSD 4.1. This same configuration works fine on
OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is
passing thru, just like as if there was no 'block all'.

What worries me most is that anyone on the outside can see my ssh service.

Is there anything wrong with the state of my rules? If I didn't
misunderstand, these rules should work just fine.

Any ideas?

Thanks in advance,
Marcos

---

# set skip on lo
scrub in

icmp_nets={ 10.10.10.0/24 }

block all

# good guys
table <goodhosts> persist
pass in quick on egress from <goodhosts> to any keep state

# blackhole
table <badhosts> persist
block in quick log on egress from <badhosts> to any

# no ipv6
block in quick inet6 all

##
# outgoing

# dns
pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state

# smtp, http, https
pass out on egress proto tcp from (self)/32 to any port { smtp, www, https } flags S/SA keep state

# ntp
ntp_servers={ 10.10.10.4 }
pass out on egress proto udp from (self)/32 to $ntp_servers port ntp keep state

# ssh
ssh_friends={ 10.10.10.0/24 }
pass out on egress proto tcp from (self)/32 to $ssh_friends port ssh flags S/SA keep state

# mysql
pass out on egress proto tcp from (self)/32 to any port 3306 flags S/SA keep state

##
# incoming

# private
friends={ 10.10.10.0/24 }
friends_srvs={ ftp, ftp-data, ssh }
pass in on egress proto tcp from $friends to (self)/32 port $friends_srvs flags S/SA keep state

# MySQL and PgSQL
sql_www_apps_srv={ 10.10.10.0/24 }
pass in quick proto tcp from $sql_www_apps_srv to self/32 port { 3306, 5432 } flags S/SA keep state

# icmp
pass in quick proto icmp from $icmp_nets to self/32 keep state
Re: OpenBSD 4.1: pf is not blocking anything
On 5/21/07, Marcos Laufer [EMAIL PROTECTED] wrote:

> Hello,
>
> I am testing pf in an OpenBSD 4.1. This same configuration works fine on
> OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is
> passing thru, just like as if there was no 'block all'.
>
> What worries me most is that anyone on the outside can see my ssh service.
>
> Is there anything wrong with the state of my rules? If I didn't
> misunderstand, these rules should work just fine.
>
> Any ideas?
>
> Thanks in advance,
> Marcos
>
> ---
>
> # set skip on lo
> scrub in
>
> icmp_nets={ 10.10.10.0/24 }
>
> block all
>
> # good guys
> table <goodhosts> persist
> pass in quick on egress from <goodhosts> to any keep state
>
> # blackhole
> table <badhosts> persist
> block in quick log on egress from <badhosts> to any
>
> # no ipv6
> block in quick inet6 all
>
> ##
> # outgoing
>
> # dns
> pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state

Marcos, 'keep state' and 'flags S/SA' are now default settings. Did you
read about what's new in 4.1[0], as well as the updated FAQ[1], before
upgrading your firewall?

-Todd

[0] http://openbsd.org/41.html#new
[1] http://openbsd.org/faq/pf/index.html
Re: OpenBSD 4.1: pf is not blocking anything
check pfctl -sr -vv
use log and pflog
check pflog via tcpdump
and you will find the answer

On 2007-05-21, at 20:36, Marcos Laufer wrote:

> Hello,
>
> I am testing pf in an OpenBSD 4.1. This same configuration works fine on
> OpenBSD 3.9, but in 4.1 it is not filtering anything, everything is
> passing thru, just like as if there was no 'block all'.
>
> What worries me most is that anyone on the outside can see my ssh service.
>
> Is there anything wrong with the state of my rules? If I didn't
> misunderstand, these rules should work just fine.
>
> Any ideas?
>
> Thanks in advance,
> Marcos
>
> ---
>
> # set skip on lo
> scrub in
>
> icmp_nets={ 10.10.10.0/24 }
>
> block all
>
> # good guys
> table <goodhosts> persist
> pass in quick on egress from <goodhosts> to any keep state
>
> # blackhole
> table <badhosts> persist
> block in quick log on egress from <badhosts> to any
>
> # no ipv6
> block in quick inet6 all
>
> ##
> # outgoing
>
> # dns
> pass out on egress proto { tcp, udp } from (self)/32 to any port domain flags S/SA keep state
>
> # smtp, http, https
> pass out on egress proto tcp from (self)/32 to any port { smtp, www, https } flags S/SA keep state
>
> # ntp
> ntp_servers={ 10.10.10.4 }
> pass out on egress proto udp from (self)/32 to $ntp_servers port ntp keep state
>
> # ssh
> ssh_friends={ 10.10.10.0/24 }
> pass out on egress proto tcp from (self)/32 to $ssh_friends port ssh flags S/SA keep state
>
> # mysql
> pass out on egress proto tcp from (self)/32 to any port 3306 flags S/SA keep state
>
> ##
> # incoming
>
> # private
> friends={ 10.10.10.0/24 }
> friends_srvs={ ftp, ftp-data, ssh }
> pass in on egress proto tcp from $friends to (self)/32 port $friends_srvs flags S/SA keep state
>
> # MySQL and PgSQL
> sql_www_apps_srv={ 10.10.10.0/24 }
> pass in quick proto tcp from $sql_www_apps_srv to self/32 port { 3306, 5432 } flags S/SA keep state
>
> # icmp
> pass in quick proto icmp from $icmp_nets to self/32 keep state
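The replies in this thread amount to a checklist: is pf enabled (pfctl -si), did the ruleset actually load (pfctl -sr, with syntax errors reported on load), is pf=YES set so it comes up at boot (the fix Marcos found), and does pflog show what is being blocked. The script below, an added example that is not code from the thread, from OpenBSD or from any of the posters, turns that checklist into a pre-flight check. The parsing helpers take captured command output as an argument so they can be exercised on the constructed sample text without pfctl present; the live section runs only where pfctl exists. The file name pf_preflight.sh, the helper names, and the sample output are assumptions of this example; /etc/rc.conf.local, pflog0 and the pfctl flags are OpenBSD's own.

```shell
#!/bin/sh
# pf_preflight.sh: added example, not from the thread or from OpenBSD.
# Checks the failure modes the replies ask about: pf disabled, ruleset
# not loaded, no default deny, and pf not enabled at boot.

# 0 if captured `pfctl -si` output reports pf as enabled ("Status: Enabled ...").
pf_status_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: *Enabled'
}

# Print the number of rules in captured `pfctl -sr` output. Rule lines start
# with a pf action; blank lines and anything else are ignored (`|| true` keeps
# grep's exit status 1 for "no matches" from aborting a `set -e` caller).
rule_count() {
    printf '%s\n' "$1" | grep -Ec '^(pass|block|scrub|antispoof)[[:space:]]' || true
}

# 0 if the captured ruleset contains an unconditional default deny. pfctl
# prints `block all` from pf.conf as `block drop all`, so accept both.
has_default_deny() {
    printf '%s\n' "$1" | grep -Eq '^block( drop| return)?( in| out)?( log)? all$'
}

# 0 if the captured rc config has an uncommented pf=YES line.
rcconf_enables_pf() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*pf=YES'
}

# Live checks, meant to be run as root on the firewall itself.
live_check() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found; nothing to check on this host"
        return 0
    fi

    status=$(pfctl -si 2>/dev/null || true)
    if pf_status_enabled "$status"; then
        echo "pf: enabled"
    else
        echo "pf: DISABLED - the loaded rules are inert until 'pfctl -e'"
    fi

    # -n parses pf.conf without loading it; errors come back with a line number.
    if pfctl -nf /etc/pf.conf; then
        echo "pf.conf: parses cleanly"
    fi

    rules=$(pfctl -sr 2>/dev/null || true)
    echo "loaded rules: $(rule_count "$rules")"
    if has_default_deny "$rules"; then
        echo "default deny: present"
    else
        echo "default deny: no 'block all' in the loaded ruleset"
    fi

    if [ -r /etc/rc.conf.local ] && rcconf_enables_pf "$(cat /etc/rc.conf.local)"; then
        echo "rc.conf.local: pf=YES (pf will be enabled at boot)"
    else
        echo "rc.conf.local: no pf=YES line found"
    fi

    # To see what the block rules actually drop once they carry 'log':
    echo "hint: tcpdump -n -e -ttt -i pflog0"
}

# Run the live checks only when asked: sh pf_preflight.sh live
case "${1:-}" in
    live) live_check ;;
esac
```

On the box from the thread the first line of output would have read "pf: DISABLED" regardless of how the ruleset looked, which is the point: a correct pf.conf and an enabled pf are two separate things to verify.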