Hello all, I had authpf working successfully with a much simpler pf setup. But with a hardware failure, I had to collapse the services I run onto a single system. And I haven't successfully gotten authpf running on this.
Attached is my pf.conf in all its ugliness. I don't really know what I'm doing there and this has undoubtedly accumulated some cruft over the several years I've been using it (originally on OpenBSD before it was really working on FreeBSD). authpf itself seems to think it is working. When I ssh into that account, it prints the message of the day and the message I expect about how I'm authenticated from some IP address. And it sits there waiting for me to decide I'm going elsewhere -- all entirely what I've come to expect. What I haven't come to expect is that the access I'm attempting is being blocked. And I'm certain the problem is with my pf setup since a tcpdump of pflog shows the packets being blocked. So I haven't got this right. Any help would be much appreciated. -- David Benfell, LCP [EMAIL PROTECTED] --- Resume available at http://www.parts-unknown.org/ NOTE: I sign all messages with GnuPG (0DD1D1E3).
# $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Macros: define common values, so they can be referenced and changed easily.
#ext_if="ext0" # replace with actual external interface name i.e., dc0
ext_if="sf0"
#int_if="int0" # replace with actual internal interface name i.e., dc1
int_if="sf1"
voip_cfg_if="vr0"
pub_if="sf3"
local_if="lo0"
#lupin_if="sf1"
#internal_net="10.1.1.1/8"
internal_net="192.168.18.1/24"
external_addr="66.93.170.242"
internal_addr="192.168.18.1"
routable_subnet="66.93.170.241/28"
voip_cfg="192.168.102.1"
voip_local="192.168.102.2"
mta_ad = "192.168.19.242"
mta_pt = "25"
dhcp_net="192.168.20.0/24"
#lupin_net="192.168.100.0/24"
public_admin_net="192.168.17.0/24"
starshine="216.240.40.160/27"
#allowed_nets="{ $starshine, $internal_net }"
trusted_external="{ 12.22.55.0/24 64.0.0.0/4 134.154.0.0/16 216.240.40.161/27
70.7.71.0/24 }"
# Doubletree Local CSU Hayward starshine.org
Sprint
earth_ext="66.93.170.243"
earth_int="192.168.18.43"
dnscache="192.168.19.4"
kindling_ext="66.93.170.244"
kindling_int="192.168.19.244"
home_ext="66.93.170.245"
home_int="192.168.18.44"
raven_ext="66.93.170.246"
raven_int="192.168.18.45"
lair_ext="66.93.170.247"
lair_int="192.168.18.46"
thunder_ext="66.93.170.248"
thunder_int="192.168.18.47"
voip_ext="66.93.170.254"
#lupin_ext="66.93.170.254"
non_routable="{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 }"
macintoshes="{ $lair_ext, $lair_int, $thunder_ext, $thunder_int }"
linux_pcs="{ $dnscache, $kindling_ext, $kindling_int, $home_ext, $home_int,
$raven_ext, $raven_int }"
auth_local="{ $lair_ext, $lair_int, $thunder_ext, $thunder_int \
$earth_ext, $dnscache, $kindling_ext, $kindling_int, $home_ext,
$home_int, $raven_ext, $raven_int }"
#lupin_router="192.168.100.1"
#lupin_net="192.168.100.0/24"
tcp_udp="proto { tcp, udp }"
in_out="{ in, out }"
# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
table <authpf_users> persist
table <spamd-white> persist
table <ssh-block> persist { 201.6.117.62, 125.88.102.22, 200.225.217.114,
67.64.167.243, 212.203.9.64, 202.111.157.144, 217.64.100.162, 217.64.100.162,
217.64.100.162 }
# Options: tune the behavior of pf, default values are given.
#set timeout { interval 30, frag 10 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
set block-policy drop
#set block-policy return
#set require-order yes
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in from any to any
scrub in all
# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#altq on $ext_if bandwidth 1.5Mb cbq queue { dflt, tor }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
#queue dflt bandwidth 85% cbq(default) priority 3
#queue tor bandwidth 15% priority 1
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
no rdr inet proto tcp from <spamd-white> to any port smtp
no rdr inet proto tcp from $starshine to any port smtp
rdr pass inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
rdr on $ext_if proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
# block SMTP from Hotmail and other spammer networks
# hotmail.com
rdr on $ext_if proto tcp from 65.54/16 to any port smtp -> 127.0.0.1 port 8025
rdr on $ext_if proto tcp from 64.4/16 to any port smtp -> 127.0.0.1 port 8025
# prod-infinitum.com.mx
rdr on $ext_if proto tcp from 201.153.0.0/16 to any port smtp -> 127.0.0.1 port
8025
# voyager.net
rdr on $ext_if proto tcp from 216.93.66.0/24 to any port smtp -> 127.0.0.1 port
8025
rdr on $ext_if proto tcp from 71.6.163.0/24 to any port smtp -> 127.0.0.1 port
8025
rdr on $ext_if proto tcp from 74.8.221.0/24 to any port smtp -> 127.0.0.1 port
8025
rdr on $ext_if proto tcp from 172.16.0.0/8 to any port smtp -> 127.0.0.1 port
8025
rdr on $ext_if proto tcp from 195.238.2.0/24 to any port smtp -> 127.0.0.1 port
8025
#rdr on $ext_if proto tcp from any to any port smtp -> $mta_ad port $mta_pt
# FTP
#rdr on { $int_if,$pub_if } proto tcp from any to any port ftp -> 127.0.0.1
#binat-anchor "authpf/*"
binat-anchor "authpf/*"
#nat on $ext_if from $internal_net to any -> ($ext_if)
#binat on $ext_if from $home_int to any -> $home_ext
#binat on $ext_if from $raven_int to any -> $raven_ext
#binat on $ext_if from $lair_int to any -> $lair_ext
#binat on $ext_if from $thunder_int to any -> $thunder_ext
#binat on $ext_if from $lupin_router to any -> 66.93.170.253
nat-anchor "authpf/*"
nat on $ext_if from $internal_net to any -> $external_addr
nat on $ext_if from $dhcp_net to any -> $external_addr
nat on $voip_cfg_if from $internal_net to any -> 192.168.102.2
#nat on $ext_if from $lupin_net to any -> $lupin_ext
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1
port 5678
# rdr NTP for the GPS time source to the internal network. Hopefully, this way,
# the time source will answer.
# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# spamd-setup puts addresses to be redirected into table <spamd>.
table <spamd> persist
no rdr on { lo0, lo1 } from any to any
rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
# redirect connections from spammers to spamd, all legitimate
# connections will not be redirected
#rdr on $ext_if inet proto tcp \
#from <spamd> to ($ext_if) port 25 -> 127.0.0.1 port 8025
rdr-anchor "authpf/*"
# block IPv6
block in log quick inet6 all
antispoof log quick for { $ext_if, $pub_if }
pass in log quick on lo0 from any to any
# enable authpf rules
anchor "authpf/*"
# pass redirected connections to spamd listening on the local
# loop interface (lo0)
pass in log quick on lo0 inet proto tcp \
from <spamd> to 127.0.0.1 port 8025
#allow SMTP, DNS, ICMP, HTTP
#pass in log quick on $int_if inet proto tcp from any to any port { smtp,
domain } flags S/SA synproxy state
#pass in log quick on $int_if inet proto tcp from any to any port { smtp,
domain } keep state
pass in log quick inet proto tcp from any to any port { smtp, domain, http }
keep state
pass in log quick inet proto udp from any to any port domain
pass log quick proto icmp all
#block the outside world unless...
block in log on { $ext_if, $pub_if } all
#allow access to the outside world unless...
pass out log on { $ext_if, $pub_if } all
# protect VOIP configuration
#pass out log quick on $voip_cfg_if proto tcp from $internal_net to any flags
S/SA synproxy state
pass out log quick on $voip_cfg_if proto tcp from $internal_net to any keep
state
#allow ssh, printing from trusted networks
#pass log quick on $ext_if proto tcp from $trusted_external to any port ssh
flags S/SA synproxy state
#pass log quick on $ext_if proto tcp from $trusted_external to any port ssh
keep state
block log quick on $ext_if proto tcp from <ssh-block> to any port ssh
pass log quick on { $int_if, $pub_if } proto tcp from any to any port { ssh,
515, 631 } keep state
#pass in log quick on $ext_if proto tcp from $trusted_external to 192.168.18.20
port { 515, 631 } flags S/SA synproxy state
pass in log quick on $ext_if proto tcp from $trusted_external to 192.168.18.20
port { 515, 631 } keep state
#allow ssh from anywhere (trust sshguard to keep out the riff-raff)
pass log quick on $ext_if proto tcp from any to any port ssh keep state
#allow NFS within site
#sunrpc 111/tcp rpcbind #SUN Remote Procedure Call
#sunrpc 111/udp rpcbind #SUN Remote Procedure Call
#nfsd-status 1110/tcp #Cluster status info
#nfsd-keepalive 1110/udp #Client status info
#nfsd 2049/tcp nfs # NFS server daemon
#nfsd 2049/udp nfs # NFS server daemon
block log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port {
rpcbind, nfsd-status, nfsd-keepalive, nfsd }
pass log quick inet $tcp_udp from any to any port { rpcbind, nfsd-status,
nfsd-keepalive, nfsd } keep state
#block ports used by W32.Blaster.Worm, per Speakeasy alert 12 Aug 2003
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
134 >< 140
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
445
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
593
#block ports recommended by CERT
block in log quick on { $ext_if, $pub_if } inet proto udp from any to any port
69
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any port
87
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
111
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any port
511 >< 516
block in log quick on { $ext_if, $pub_if } inet proto tcp from any to any port
540
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
2000
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
2049
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
5999 >< 6064
#block ports recommended by Felix von Leitner
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
5000
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
1025
#LDAP stuff
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
ldap
block in log quick on { $ext_if, $pub_if } inet $tcp_udp from any to any port
ldaps
#pass in log quick on $int_if inet $tcp_udp from any to any port ldap
#pass in log quick on $int_if inet $tcp_udp from any to any port ldaps
#allow non-privileged ports anywhere
#pass log quick $tcp_udp from any to any port>1023 flags S/SA synproxy state
pass log quick $tcp_udp from any to any port>1023 keep state
#allow Tor services to router
#pass in $tcp_udp from any to { $external_addr, $internal_addr } port { 9001,
9030 } flags S/SA synproxy state
pass in $tcp_udp from any to { $external_addr, $internal_addr } port { 9001,
9030 } keep state
#allow FTP to ftp-proxy
#pass in on $ext_if inet proto tcp from port ftp-data to 127.0.0.1 user proxy
flags S/SA synproxy state
#pass in on $ext_if inet proto tcp from port ftp-data to 127.0.0.1 user proxy
keep state
#allow internal access to and from DMZ
#allow Internet access here
pass in log quick on { $int_if, $pub_if } $tcp_udp from { $internal_net,
$dhcp_net } to any keep state
# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
queue dflt
# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
queue dflt
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
queue dflt
pgpfqDO6ysf6R.pgp
Description: PGP signature
