Re: icmp block/pass rules in PF
Tried that and myriad other configurations, including one-liners, as I want to understand the parser from a user perspective.

This doesn’t work:

    pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1

These work:

    pass out on $DMZ_if inet proto icmp from 192.168.2.1
    pass out on $DMZ_if inet proto icmp icmp-type echoreq

The system is amd64, 5.7 release on an Intel Bay Trail Celeron*. Maybe this is somehow breaking the parser?

I'm following The Book of PF and there is a similar example:

    pass inet proto icmp icmp-type $icmp_types from $localnet
    pass inet6 proto icmp6 icmp6-type $icmp6_types from $localnet
    pass inet proto icmp icmp-type $icmp_types to $ext_if
    pass inet6 proto icmp6 icmp6-type $icmp6_types to $ext_if

Excerpt From: Peter N.M. Hansteen. “The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall.”

Curiously the PF guide on openbsd.org doesn’t include src/dst IP addresses. I’m assuming that I’m the only one having this problem and there’s something stupid I’m not seeing…

Note: I break on action, interface, source, destination, options as I’m a bit careless and easily miss something otherwise… My rulesets aren’t that big anyway. When that happens I’ll resort to includes.

The general, *highly simplified* syntax for filter rules is:

    action [direction] [log] [quick] \
        [on interface] [af] [proto protocol] \
        [from src_addr [port src_port]] \
        [to dst_addr [port dst_port]] \
        [flags tcp_flags] [state]

Suggestion: can we have a wiki where we can post user examples of configuration snippets of the various system services and discuss them? Or maybe an official list of recommended sources online? I get to understand languages better through idiomatic use than through rules, unfortunately.
* head of dmesg:

> On 03 Sep 2015, at 23:05, ropers wrote:
>
> Amateurish guess here:
> Could it be that this hinges upon whether proto icmp is divided over two
> lines or not?
>
> On 3 September 2015 at 11:58, Joseph A Borg wrote:
>> am I being daft on this one?
>>
>> pfctl passes a syntax check on a rule such as this:
>>
>>     pass out on $DMZ_if \
>>         inet proto icmp \
>>         from 192.168.99.68
>>
>> but not this:
>>
>>     pass out on $DMZ_if \
>>         inet proto icmp icmp-type unreach \
>>         from 192.168.99.68
>>
>> this is ok:
>>
>>     pass out on $DMZ_if \
>>         inet proto icmp icmp-type $icmp-type_list
>>
>> I'm resorting to having separate pass rules for localnet_if in and dmz_if out
>>
>> is this ok? am I missing something?
>>
>> regards
icmp block/pass rules in PF
Thank you, o great one… I am humbled by my total obliviousness.

> On 04 Sep 2015, at 21:43, Christian Weisgerber wrote:
>
> On 2015-09-04, Joseph Borg wrote:
>
>> this doesn’t work:
>> pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1
>> these work:
>> pass out on $DMZ_if inet proto icmp from 192.168.2.1
>> pass out on $DMZ_if inet proto icmp icmp-type echoreq
>
> Simply searching for "icmp-type" in the pf.conf(5) man page turns up
> these example lines
>
>     pass out inet proto icmp all icmp-type echoreq
>
>     pass on $ext_if inet proto icmp all icmp-type 8 code 0
>
> In the grammar section, we find
>
>     pf-rule = action [ ( "in" | "out" ) ]
>               [ "log" [ "(" logopts ")"] ] [ "quick" ]
>               [ "on" ( ifspec | "rdomain" number ) ] [ af ]
>               [ protospec ] hosts [ filteropts ]
>
>     filteropt = user | group | flags | icmp-type | icmp6-type |
>                 "tos" tos |
>     [...]
>
> which makes it clear that host addresses like "from 192.168.2.1"
> must precede "icmp-type".
>
>> Suggestion: can we have a wiki where we can post user examples
>> of configuration snippets of the various system services and discuss
>> them?
>
> If you are already overwhelmed by the existing documentation, how
> will adding even more text help?
>
> --
> Christian "naddy" Weisgerber na...@mips.inka.de
Re: icmp block/pass rules in PF
On 2015-09-04, Joseph Borg wrote:

> this doesn’t work:
> pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1
> these work:
> pass out on $DMZ_if inet proto icmp from 192.168.2.1
> pass out on $DMZ_if inet proto icmp icmp-type echoreq

Simply searching for "icmp-type" in the pf.conf(5) man page turns up these example lines

    pass out inet proto icmp all icmp-type echoreq

    pass on $ext_if inet proto icmp all icmp-type 8 code 0

In the grammar section, we find

    pf-rule = action [ ( "in" | "out" ) ]
              [ "log" [ "(" logopts ")"] ] [ "quick" ]
              [ "on" ( ifspec | "rdomain" number ) ] [ af ]
              [ protospec ] hosts [ filteropts ]

    filteropt = user | group | flags | icmp-type | icmp6-type |
                "tos" tos |
    [...]

which makes it clear that host addresses like "from 192.168.2.1" must precede "icmp-type".

> Suggestion: can we have a wiki where we can post user examples
> of configuration snippets of the various system services and discuss
> them?

If you are already overwhelmed by the existing documentation, how will adding even more text help?

--
Christian "naddy" Weisgerber na...@mips.inka.de
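As an added illustration of the ordering the pf-rule grammar requires (this fragment is not from the thread): the rejected form next to its corrected form, with the hosts part placed before the icmp-type filteropt. $DMZ_if and 192.168.2.1 follow the thread; the interface name assigned to the macro is an assumption.

```conf
# Added example, not from the thread. Macro values are assumptions.
DMZ_if = "em1"
icmp_types = "{ echoreq, unreach }"

# Rejected by pfctl: "icmp-type" is a filteropt, and filteropts may
# only follow the hosts part (from ... to ...) of a rule.
# pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1

# Accepted: hosts first, then the filteropt.
pass out on $DMZ_if inet proto icmp from 192.168.2.1 icmp-type echoreq

# Same shape with both endpoints and a macro-driven type list; backslash
# continuations may split the rule anywhere, the token order is what matters.
pass out on $DMZ_if inet proto icmp \
    from 192.168.2.1 to any \
    icmp-type $icmp_types

# Parse without loading, then load:
#   pfctl -nf /etc/pf.conf
#   pfctl -f /etc/pf.conf
```

Running `pfctl -nf` on the file with the commented-out rule restored reproduces the syntax error from the thread, which is a cheap check to add before any rule reload.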
icmp block/pass rules in PF
am I being daft on this one?

pfctl passes a syntax check on a rule such as this:

    pass out on $DMZ_if \
        inet proto icmp \
        from 192.168.99.68

but not this:

    pass out on $DMZ_if \
        inet proto icmp icmp-type unreach \
        from 192.168.99.68

this is ok:

    pass out on $DMZ_if \
        inet proto icmp icmp-type $icmp-type_list

I'm resorting to having separate pass rules for localnet_if in and dmz_if out

is this ok? am I missing something?

regards