Re: pf commands to discuss

2011-01-20 Thread David Gwynne
either:

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
 port 33433 >< 33626 keep state tag mytracert

pass out log on $ext_if inet proto udp from $ext_if to any \
 port 33433 >< 33626 keep state tagged mytracert

or:

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
 port 33433 >< 33626 keep state

pass out log on $ext_if inet proto udp from $ext_if to any \
 port 33433 >< 33626 keep state tagged mytracert received-on $int_if

there are some other ways too, but I like these the most.

dlg

On 20/01/2011, at 6:17 PM, Indunil Jayasooriya wrote:

> Hi list,
>
> I have a question. I want my PC (i.e. admin_pc), which is behind an
> OpenBSD 4.8 pf firewall (doing NAT), to be able to traceroute. So I have
> added the rules below to the pf.conf file.
>
> match out on $ext_if from $lan_net nat-to ($ext_if)
>
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>  port 33433 >< 33626 keep state
>
> pass out log on $ext_if inet proto udp from $ext_if to any \
>  port 33433 >< 33626 keep state
>
> Due to the above rules, my PC can traceroute. It works fine. *But*, in
> addition to that, the firewall can also traceroute because of the above
> *pass out* rule. I do *NOT* want the firewall to be able to traceroute.
>
> My question is: how can I exclude my firewall from being able to do it?
>
> --
> Thank you
> Indunil Jayasooriya



Re: pf commands to discuss

2011-01-20 Thread Ryan McBride
On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote:
> My question is: how can I exclude my firewall from being able to do it?

I'm really not sure why you don't want the firewall to be able to
traceroute. (hint: if you can't trust the users on your firewall to
behave responsibly with basic troubleshooting tools, you're Doing It
Wrong (tm)). However, here is one way that you can get the effect you're
looking for, using the 'tag' and 'tagged' keywords:

match out on $ext_if from $lan_net nat-to ($ext_if)

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 tag ADMIN

pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 tagged ADMIN


Note I've removed the 'keep state', it's not necessary to specify that
anymore.
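As an added example (not code from this thread or from any of the posters), the rules above assembled into a complete pf.conf so the mechanism is visible in context: the firewall's own probes never traverse the inbound rule, so they never pick up the tag and fall through to the default block. Interface names, addresses, the tag name and the explicit `block` default are assumptions, not something the original posts state; the commented-out `received-on` rule is the alternative David Gwynne gave.

```pf
# Added example, not from the thread. Assumed values: em0/em1, the
# 192.0.2.0/24 LAN, the admin host 192.0.2.10 and a default-block policy.
ext_if   = "em0"
int_if   = "em1"
lan_net  = "192.0.2.0/24"
admin_pc = "192.0.2.10"

set skip on lo

# pf passes any packet that matches no rule at all. Keeping the firewall
# itself from sending traceroute probes therefore depends on an explicit
# default block; without it the "pass out" rule below changes nothing for
# locally generated traffic.
block log all

match out on $ext_if from $lan_net nat-to ($ext_if)

# Variant 1: tag the state when the admin host's probes arrive on the
# inside interface, and only let tagged states out. A probe generated on
# the firewall never hits the "pass in" rule, so it is never tagged and
# stays blocked. "keep state" is the default, so it is not spelled out.
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 tag ADMIN_TRACERT
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 tagged ADMIN_TRACERT

# Variant 2 (use instead of the tagged "pass out" rule above): match on the
# interface the packet was received on. Packets the firewall generates
# itself were not received on any interface, so they do not match either.
#pass out log on $ext_if inet proto udp from $ext_if to any \
#    port 33433 >< 33626 received-on $int_if
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`, and watch what the `log` keywords produce with `tcpdump -n -e -ttt -i pflog0` while running traceroute once from the admin host and once from the firewall: the first should show the probes passing on both interfaces, the second should show them blocked by the default rule.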



Re: pf commands to discuss

2011-01-20 Thread MERIGHI Marcus
l...@animata.net (David Gwynne), 2011.01.20 (Thu) 10:20 (CET):
> either:
>
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>  port 33433 >< 33626 keep state tag mytracert
>
> pass out log on $ext_if inet proto udp from $ext_if to any \
>  port 33433 >< 33626 keep state tagged mytracert
>
> or:
>
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>  port 33433 >< 33626 keep state
>
> pass out log on $ext_if inet proto udp from $ext_if to any \
>  port 33433 >< 33626 keep state tagged mytracert received-on $int_if

I guess there is a ``tagged mytracert'' copy-paste error, removed it:

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
 port 33433 >< 33626 keep state

pass out log on $ext_if inet proto udp from $ext_if to any \
 port 33433 >< 33626 keep state received-on $int_if

Bye, 

Marcus

> On 20/01/2011, at 6:17 PM, Indunil Jayasooriya wrote:
>> Hi list,
>>
>> I have a question. I want my PC (i.e. admin_pc), which is behind an
>> OpenBSD 4.8 pf firewall (doing NAT), to be able to traceroute. So I have
>> added the rules below to the pf.conf file.
>>
>> match out on $ext_if from $lan_net nat-to ($ext_if)
>>
>> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>>  port 33433 >< 33626 keep state
>>
>> pass out log on $ext_if inet proto udp from $ext_if to any \
>>  port 33433 >< 33626 keep state
>>
>> Due to the above rules, my PC can traceroute. It works fine. *But*, in
>> addition to that, the firewall can also traceroute because of the above
>> *pass out* rule. I do *NOT* want the firewall to be able to traceroute.
>>
>> My question is: how can I exclude my firewall from being able to do it?



Re: pf commands to discuss

2011-01-20 Thread Indunil Jayasooriya
Anyway, thanks for enlightening me.

> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>  port 33433 >< 33626 keep state tag mytracert
>
> pass out log on $ext_if inet proto udp from $ext_if to any \
>  port 33433 >< 33626 keep state tagged mytracert

The above 2 rules were tested. They worked as expected.

> or:
>
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>  port 33433 >< 33626 keep state
>
> pass out log on $ext_if inet proto udp from $ext_if to any \
>  port 33433 >< 33626 keep state *tagged mytracert* received-on $int_if

The above 2 rules were tested as well, but they did not work. Then *tagged
mytracert* was removed. After removing it, it worked.

This is the rule:

pass out log on $ext_if inet proto udp from $ext_if to any \
 port 33433 >< 33626 keep state received-on $int_if


Now, everything is OK.



Re: pf commands to discuss

2011-01-20 Thread Indunil Jayasooriya
>> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>>  port 33433 >< 33626 keep state
>>
>> pass out log on $ext_if inet proto udp from $ext_if to any \
>>  port 33433 >< 33626 keep state tagged mytracert received-on $int_if
>
> I guess there is a ``tagged mytracert'' copy-paste error, removed it:

Yes, you are right. *The below 2 rules worked*. Thanks a lot.

> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>  port 33433 >< 33626 keep state
>
> pass out log on $ext_if inet proto udp from $ext_if to any \
>  port 33433 >< 33626 keep state received-on $int_if



Thank you
Indunil Jayasooriya



Re: pf commands to discuss

2011-01-20 Thread Indunil Jayasooriya
On Thu, Jan 20, 2011 at 2:57 PM, Ryan McBride mcbr...@openbsd.org wrote:

> On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote:
>> My question is: how can I exclude my firewall from being able to do it?
>
> I'm really not sure why you don't want the firewall to be able to
> traceroute. (hint: if you can't trust the users on your firewall to
> behave responsibly with basic troubleshooting tools, you're Doing It
> Wrong (tm)).


I thought of it this way: if I want to traceroute only from my PC, why should
I open it from the firewall? That's why I asked such a question.

I would like to give another example. Suppose my PC behind the firewall
only wants to access a port outside, let's say tcp port 1 (webmin runs
on it); then from my PC I can do administration since it is web based. So I
think that the firewall does NOT need access to it, since I am not going to
access it from my firewall. In this way, I wanted to filter traffic
selectively.

So, I achieved it. I realized how to do it as well. I gained the knowledge
thanks to your rules below. Thanks a LOT. This list is also very useful. Thanks
once again.


match out on $ext_if from $lan_net nat-to ($ext_if)

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
 port 33433 >< 33626 tag ADMIN

pass out log on $ext_if inet proto udp from $ext_if to any \
 port 33433 >< 33626 tagged ADMIN

Tested. Worked.


> Note I've removed the 'keep state', it's not necessary to specify that
> anymore.


Yes, I know. Thanks a lot for the extra effort you put in. I appreciate it a
lot.