Re: first firewall with pf

2009-03-27 Thread Eric Magutu
Hi,
You were right, it had to do with my topology. The firewall is working correctly
now.

Thanks again for all your help

On Thu, Mar 26, 2009 at 8:07 PM, Eric Magutu emag...@gmail.com wrote:

 Hi Michael,
 I was trying to simulate the conditions of the server on a test machine.
 I'm pretty sure now I didn't take into account all the network aspects,
 silly mistake :-) It's probably my routing. I will check on my routes
 tomorrow and get back to you.
 I think there is only one active interface though.


 On Thu, Mar 26, 2009 at 7:33 PM, Michael K. Smith - Adhost 
 mksm...@adhost.com wrote:

 Hello Eric:


 Hi everyone,

 Can you provide a little more information about your topology? Right now,
 you only have one interface defined in your rules, but you are attempting to
 pass traffic between two subnets. That would suggest you have two
 interfaces and, if so, both need to be accounted for in your rules below.
 You'll have to have pass/block rules for both. It looks like this:

 172.16.0.0/16 - le0 firewall - (some other interface) - 10.0.0.0

 Could you tell me if that is correct?

 Thanks,

 Mike

 - Original Message Snipped -
 Thanks for all your input so far. I have tried to implement all your
 suggestions but have gotten stuck. I set up a test machine in the office
 with the ip 10.0.0.110 and encountered the following problems:

 When I enabled antispoofing, the firewall didn't work.

 When I tried allowing the 10.0.0.0 subnet it worked OK, but when I tried
 connecting from machines on the 172.16 subnet I was unable to connect.

 Can you please let me know what I'm doing wrong?
 




 --
 Regards,
 Eric Magutu




-- 
Regards,
Eric Magutu
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


Re: first firewall with pf

2009-03-26 Thread Eric Magutu
Hi everyone,
Thanks for all your input so far. I have tried to implement all your
suggestions but have gotten stuck. I set up a test machine in the office
with the ip 10.0.0.110 and encountered the following problems:

When I enabled antispoofing, the firewall didn't work.

When I tried allowing the 10.0.0.0 subnet it worked OK, but when I tried
connecting from machines on the 172.16 subnet I was unable to connect.

Can you please let me know what I'm doing wrong?


#
#interfaces #
#
ext_if=le0
#ext_if2=bce1

#
#ports to be opened #
#

#tcp ports
good_port_tcp={ 80, 110, 143, 161, 443, 873 }
#udp ports
good_port_udp={ 161, 873  }

##
#block all other traffic #
##

# should be the first rule

block in on $ext_if all


#anti-spoofing #


#traffic can't come in on your IP's
#antispoof quick for { lo0 $ext_if $ext_if2 } inet

#
#allow all connections from and to loopback #
#

pass in quick on lo0 all keep state
pass out quick on lo0 all keep state


#allow all connections out through external interfaces #


pass out quick on $ext_if  all keep state


##
#Blocked ips #
##
#put ips or ip blocks as below
badguys={ 192.168.1.100, 192.160.1.2, 192.168.200.0/24 }

block in quick on $ext_if from $badguys


#smtp connections allowed  #


#European servers
pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25
keep state

#American
pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25
keep state

#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.0/27 to 10.0.0.110 port 25
keep state


###
# pass traffic from allowed ports #
###


#pass traffic from allowed tcp ports
pass in on $ext_if inet proto tcp from any to 10.0.0.110 port $good_port_tcp
keep state

#pass traffic from allowed udp ports
#(this rule must use proto udp and the udp port list; the original copy-pasted
# the tcp rule, so no udp traffic was actually allowed)
pass in on $ext_if inet proto udp from any to 10.0.0.110 port $good_port_udp
keep state

##
# allow connections from NMC and servers #
##

#my ip
pass in quick on $ext_if inet proto { tcp, udp, icmp } from 10.0.0.58 to
10.0.0.110 keep state

#172.16.0.0/12 are the ips NMC access with
#(the prefix length must match the comment: 172.16.0.0/8 would be masked to
# the whole of 172.0.0.0/8)
pass in on $ext_if inet proto { tcp, udp, icmp } from 172.16.0.0/12 to
10.0.0.110 keep state


##
# enable logging #
##

block in log on $ext_if

# to view log run command below
#tcpdump -n -e -ttt -i pflog0

##
#for any questions contact me#
##



On Tue, Mar 24, 2009 at 8:00 PM, Michael K. Smith - Adhost 
mksm...@adhost.com wrote:

 I also forgot to mention:

 You should probably log your block rule so that you can see what's going on
 if things don't work as expected.

 So:

 block in log on $ext_if

 Note the lack of quick as well, as previously mentioned.

 With logging enabled, provided you have pflog running (which you should),
 you can use the following to see what's being blocked.

 tcpdump -n -e -ttt -i pflog0  (provided pflog0 is your pflog interface).

 Regards,

 Mike




-- 
Regards,
Eric Magutu


RE: first firewall with pf

2009-03-26 Thread Michael K. Smith - Adhost
Hello Eric:


Hi everyone,

Can you provide a little more information about your topology?  Right now, you 
only have one interface defined in your rules, but you are attempting to pass 
traffic between two subnets.  That would suggest you have two interfaces and, 
if so, both need to be accounted for in your rules below.  You'll have to have 
pass/block rules for both.  It looks like this:

172.16.0.0/16 - le0 firewall - (some other interface) - 10.0.0.0

Could you tell me if that is correct?

Thanks,

Mike

- Original Message Snipped -
Thanks for all your input so far. I have tried to implement all your suggestions
but have gotten stuck. I set up a test machine in the office with the ip
10.0.0.110 and encountered the following problems:

When I enabled antispoofing, the firewall didn't work.

When I tried allowing the 10.0.0.0 subnet it worked OK, but when I tried
connecting from machines on the 172.16 subnet I was unable to connect.

Can you please let me know what I'm doing wrong? 





Re: first firewall with pf

2009-03-26 Thread Eric Magutu
Hi Michael,
I was trying to simulate the conditions of the server on a test machine. I'm
pretty sure now I didn't take into account all the network aspects, silly
mistake :-) It's probably my routing. I will check on my routes tomorrow and
get back to you.
I think there is only one active interface though.


On Thu, Mar 26, 2009 at 7:33 PM, Michael K. Smith - Adhost 
mksm...@adhost.com wrote:

 Hello Eric:


 Hi everyone,

 Can you provide a little more information about your topology? Right now,
 you only have one interface defined in your rules, but you are attempting to
 pass traffic between two subnets. That would suggest you have two
 interfaces and, if so, both need to be accounted for in your rules below.
 You'll have to have pass/block rules for both. It looks like this:

 172.16.0.0/16 - le0 firewall - (some other interface) - 10.0.0.0

 Could you tell me if that is correct?

 Thanks,

 Mike

 - Original Message Snipped -
 Thanks for all your input so far. I have tried to implement all your
 suggestions but have gotten stuck. I set up a test machine in the office
 with the ip 10.0.0.110 and encountered the following problems:

 When I enabled antispoofing, the firewall didn't work.

 When I tried allowing the 10.0.0.0 subnet it worked OK, but when I tried
 connecting from machines on the 172.16 subnet I was unable to connect.

 Can you please let me know what I'm doing wrong?
 




-- 
Regards,
Eric Magutu


Re: first firewall with pf

2009-03-24 Thread Vasadi I. Claudiu Florin

Also, it would be a good idea to go through the pf manual at least once.
I don't see any scrub or options or timeout periods (fine tuning).


Re: first firewall with pf

2009-03-24 Thread Vasadi I. Claudiu Florin

I forgot to mention...
You have something like


pass in/out on lo0

that's not wrong but it's not the way to do it


set skip on lo0 # is the right way


RE: first firewall with pf

2009-03-24 Thread Michael K. Smith - Adhost
I also forgot to mention:

You should probably log your block rule so that you can see what's going on if 
things don't work as expected.

So:

block in log on $ext_if

Note the lack of quick as well, as previously mentioned.

With logging enabled, provided you have pflog running (which you should), you 
can use the following to see what's being blocked.

tcpdump -n -e -ttt -i pflog0  (provided pflog0 is your pflog interface).

Regards,

Mike
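
Mike's point about accounting for both interfaces, Claudiu's "set skip on lo0",
and the logged block rule above fit together in one ruleset. The following is an
added example for this thread, not Eric's pf.conf and not something the other
posters wrote; the interface names (le0 toward the 172.16 side, bce1 toward the
10.0.0.0 side), the /24 on the server side and the port lists are assumptions
chosen to match the topology Mike sketched.

```pf
# Added example for this thread (not Eric's ruleset): one pf.conf for a box that
# routes between a 172.16.0.0/16 side and the 10.0.0.0 side, as in Mike's sketch.
# Interface names and the server-side /24 are assumptions.
ext_if  = "le0"            # faces the 172.16.0.0/16 network (assumed)
int_if  = "bce1"           # faces the 10.0.0.0/24 network where the server lives (assumed)
srv     = "10.0.0.110"
nmc_net = "172.16.0.0/12"  # /12 as Eric's comment says, not the /8 in his rule
tcp_ok  = "{ 80, 110, 143, 443, 873 }"
udp_ok  = "{ 161 }"

# Loopback is not filtered at all. pf.conf(5) warns that antispoof rules interfere
# with packets sent over loopback to local addresses, so skip lo0 rather than
# writing pass rules for it.
set skip on lo0

scrub in all

# Default deny on both interfaces, logged and without "quick", so the pass rules
# that follow can still win. Watch it with: tcpdump -n -e -ttt -i pflog0
block in log all

# Antispoof now covers every filtered interface, not just one of them.
antispoof quick for { $ext_if $int_if } inet

# Traffic from the 172.16 side arrives on $ext_if ...
pass in on $ext_if inet proto { tcp, udp, icmp } from $nmc_net to $srv keep state
pass in on $ext_if inet proto tcp from any to $srv port $tcp_ok flags S/SA keep state
pass in on $ext_if inet proto udp from any to $srv port $udp_ok keep state

# ... and, once routed, leaves on $int_if toward the server. pf's default floating
# state policy lets the state created above match it there, but an explicit rule
# makes the second interface visible in the policy, which is the point of Mike's advice.
pass out on $int_if inet from any to $srv keep state

# Replies and connections originated by the server: in on the inside, out on the outside.
pass in  on $int_if inet from $srv to any keep state
pass out on $ext_if inet all keep state
```

Load it with pfctl -nf to syntax-check before pfctl -f, and read pflog0 while
testing from a 172.16 host: a packet from that host logged as blocked on bce1
instead of le0 would mean it arrived on the interface the rules do not expect,
which is the kind of routing mistake Eric ended up finding.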

