Re: pf commands to discuss
either:

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 keep state tag mytracert
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 keep state tagged mytracert

or:

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 keep state
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 keep state tagged mytracert received-on $int_if

there are some other ways too, but i like these the most.

dlg

On 20/01/2011, at 6:17 PM, Indunil Jayasooriya wrote:

> Hi list,
>
> I have a question. I want my PC (i.e. admin_pc), which is behind an OpenBSD 4.8 pf firewall (doing NAT), to be able to traceroute. So, I have added the rules below to the pf.conf file.
>
> match out on $ext_if from $lan_net nat-to ($ext_if)
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 keep state
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 keep state
>
> Due to the above rules, my PC can traceroute. It works fine. *But*, in addition to that, the firewall can also traceroute because of the above *pass out* rule. I *do NOT* want the firewall to be able to traceroute.
>
> My question is: how can I exclude my firewall from being able to do it?
>
> --
> Thank you
> Indunil Jayasooriya
Re: pf commands to discuss
On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote:
> My question is: how can I exclude my firewall from being able to do it?

I'm really not sure why you don't want the firewall to be able to traceroute. (Hint: if you can't trust the users on your firewall to behave responsibly with basic troubleshooting tools, you're Doing It Wrong (tm).)

However, here is one way that you can get the effect you're looking for, using the 'tag' and 'tagged' keywords:

match out on $ext_if from $lan_net nat-to ($ext_if)
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 tag ADMIN
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 tagged ADMIN

Note that I've removed the 'keep state'; it's not necessary to specify that anymore.
Re: pf commands to discuss
l...@animata.net (David Gwynne), 2011.01.20 (Thu) 10:20 (CET):
> either:
>
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 keep state tag mytracert
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 keep state tagged mytracert
>
> or:
>
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 keep state
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 keep state tagged mytracert received-on $int_if

I guess there is a ``tagged mytracert'' copy-paste error; removed it:

pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 keep state
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 keep state received-on $int_if

Bye,
Marcus

> On 20/01/2011, at 6:17 PM, Indunil Jayasooriya wrote:
>
>> Hi list,
>>
>> I have a question. I want my PC (i.e. admin_pc), which is behind an OpenBSD 4.8 pf firewall (doing NAT), to be able to traceroute. So, I have added the rules below to the pf.conf file.
>>
>> match out on $ext_if from $lan_net nat-to ($ext_if)
>> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>>     port 33433 >< 33626 keep state
>> pass out log on $ext_if inet proto udp from $ext_if to any \
>>     port 33433 >< 33626 keep state
>>
>> Due to the above rules, my PC can traceroute. It works fine. *But*, in addition to that, the firewall can also traceroute because of the above *pass out* rule. I *do NOT* want the firewall to be able to traceroute.
>>
>> My question is: how can I exclude my firewall from being able to do it?
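The two approaches proposed in this thread (tag/tagged, and received-on without tags) put together in one complete pf.conf, as an added example that is not from any of the posters. Interface names, addresses and the default-deny skeleton are assumptions chosen for illustration; the traceroute rules themselves follow the ones discussed above.

```pf
# Added example pf.conf (not from the thread): let only the admin
# workstation behind a NAT'ing OpenBSD pf firewall run traceroute,
# while the firewall's own traceroute probes stay blocked.
# Interface names and addresses below are assumptions.
ext_if   = "em0"
int_if   = "em1"
lan_net  = "192.168.1.0/24"
admin_pc = "192.168.1.10"

set skip on lo

# Default deny: anything not explicitly passed, including probes the
# firewall generates itself, ends up here and is logged to pflog0.
block log all

# Source NAT for the LAN. Because of this rewrite the outbound probes
# from $admin_pc leave with $ext_if as source, which is exactly why a
# plain "pass out ... from $ext_if" would also match the firewall's own
# packets.
match out on $ext_if from $lan_net nat-to ($ext_if)

# Variant 1 (tag/tagged): the inbound rule on $int_if stamps the state
# with ADMIN; the outbound rule on $ext_if matches only packets whose
# state carries that tag. Locally generated probes are never tagged and
# fall through to "block log all".
# traceroute sends UDP to 33434 and upward; ">< " excludes both endpoints.
pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
    port 33433 >< 33626 tag ADMIN
pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 tagged ADMIN

# Variant 2 (received-on): same effect without tags. Packets the
# firewall originates were not received on $int_if, so they never match
# the out rule. Use one variant or the other, not both.
# pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
#     port 33433 >< 33626
# pass out log on $ext_if inet proto udp from $ext_if to any \
#     port 33433 >< 33626 received-on $int_if

# No separate ICMP rule is needed for the replies: pf matches the ICMP
# "time exceeded" / "port unreachable" errors against the existing UDP
# state of the probe that triggered them.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To confirm the restriction is doing what the thread wants, run traceroute from the firewall itself and watch `tcpdump -n -e -ttt -i pflog0`: the firewall's probes should show up as hits on the block rule, while probes from the admin PC are logged as passed.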
Re: pf commands to discuss
Anyway, thanks for enlightening me.

> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 keep state tag mytracert
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 keep state tagged mytracert

The above 2 rules were tested. They worked as expected.

> or:
>
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 keep state
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 keep state *tagged mytracert* received-on $int_if

The above 2 rules were tested as well, but they did not work. Then *tagged mytracert* was removed. After removing it, it worked. This is the rule:

pass out log on $ext_if inet proto udp from $ext_if to any \
    port 33433 >< 33626 keep state received-on $int_if

Now, everything is OK.
Re: pf commands to discuss
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 keep state
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 keep state tagged mytracert received-on $int_if
>
> I guess there is a ``tagged mytracert'' copy-paste error; removed it:

Yes, you are right. *The below 2 rules worked*. Thanks a lot.

> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 keep state
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 keep state received-on $int_if

Thank you
Indunil Jayasooriya
Re: pf commands to discuss
On Thu, Jan 20, 2011 at 2:57 PM, Ryan McBride mcbr...@openbsd.org wrote:
> On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote:
>> My question is: how can I exclude my firewall from being able to do it?
>
> I'm really not sure why you don't want the firewall to be able to traceroute. (Hint: if you can't trust the users on your firewall to behave responsibly with basic troubleshooting tools, you're Doing It Wrong (tm).)

I thought of it in this way: if I want to traceroute only from my PC, why should I open it from the firewall? That's why I asked such a question.

I would like to give another example. Suppose my PC behind the firewall only wants to access a port outside, let's say TCP port 1 (webmin runs on it); then, from my PC I can do administration since it is web based. So I think that the firewall does NOT need access to it, since I am not going to access it from my firewall. In this way, I wanted to filter traffic selectively. So, I achieved it. I realized how to do it as well. I gained the knowledge from your rules below. Thanks a LOT. This list is also very useful. Thanks once again.

> match out on $ext_if from $lan_net nat-to ($ext_if)
> pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
>     port 33433 >< 33626 tag ADMIN
> pass out log on $ext_if inet proto udp from $ext_if to any \
>     port 33433 >< 33626 tagged ADMIN

Tested. Worked.

> Note that I've removed the 'keep state'; it's not necessary to specify that anymore.

Yes, I know. Thanks a lot for the extra effort you performed. I appreciate it a lot.