PF rule match only packets for local machine
Hallo all,

May I ask any PF professional for his advice?

I have an OpenBSD router with more interfaces doing routing. It does not work as a firewall, so there is only one rule:

    pass flags any no state

Because of many hack-scripts doing SSH logins and filling logs, I would like to block every SSH traffic going to this host from unknown IPs, but not routed traffic. I want to keep this block rule as simple as possible to be correct for the future, even if interfaces change or IP addresses change.

I work mostly with Linux, and in netfilter I would create the following rule:

    iptables -I INPUT -j DROP -s OURNETWORK -m state --state NEW

In PF I did the following rules:

    table <OurNetworks> const { }
    pass quick proto tcp from <OurNetworks> to any port 22 no state
    pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22
    block quick proto tcp from any to any port 22

But of course, the last rule blocks every SSH traffic going from unknown networks to all hosts. Could someone please help me to create PF rules to block only traffic going to the local machine from other networks than <OurNetworks>, similarly as the iptables rule above?

I have read the PF manual but not found any possibility to tell pf "LOCAL-HOST". I have searched with Google but no relevant articles were found; maybe I have not asked correctly.

Thank you very much for any idea.

Regards,
Robert Wolf.
Re: PF rule match only packets for local machine
Hi,

On Thursday, 05 Jan 2012 at 09:00 CET Robert Wolf r.wolf.c...@gmail.com wrote:

> table <OurNetworks> const { }
> pass quick proto tcp from <OurNetworks> to any port 22 no state
> pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22
> block quick proto tcp from any to any port 22
>
> But of course, the last rule blocks every SSH traffic going from unknown
> networks to all hosts. Could someone please help me to create PF rules to
> block only traffic going to the local machine from other networks than
> <OurNetworks>, similarly as the iptables rule above?

Just replace "to any" with "to self". Should do what you want.

> I have read the PF manual but not found any possibility to tell pf
> "LOCAL-HOST". I have searched with Google but no relevant articles were
> found; maybe I have not asked correctly.

Well, it's not very easy to find, but the "self" word is explained in the manual.

--
Greetings
Rafal Bisingier
Re: PF rule match only packets for local machine
On Thu, 5 Jan 2012 09:21:16 +0100 Rafal Bisingier ra...@man.poznan.pl wrote:

> Hi,
>
> On Thursday, 05 Jan 2012 at 09:00 CET Robert Wolf r.wolf.c...@gmail.com wrote:
>
> > table <OurNetworks> const { }
> > pass quick proto tcp from <OurNetworks> to any port 22 no state
> > pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22
> > block quick proto tcp from any to any port 22
> >
> > But of course, the last rule blocks every SSH traffic going from unknown
> > networks to all hosts. Could someone please help me to create PF rules to
> > block only traffic going to the local machine from other networks than
> > <OurNetworks>, similarly as the iptables rule above?
>
> Just replace "to any" with "to self". Should do what you want.
>
> > I have read the PF manual but not found any possibility to tell pf
> > "LOCAL-HOST". I have searched with Google but no relevant articles were
> > found; maybe I have not asked correctly.
>
> Well, it's not very easy to find, but the "self" word is explained in the manual.

Yes, but also keep in mind that "self" is only evaluated on ruleset load.

--
With best regards,
Gregory Edigarov
Re: PF rule match only packets for local machine
Hi,

Start with the block rule without quick, then apply the pass rules. Something like this:

    table <OurNetworks> const { }
    block proto tcp from any to any port 22
    pass quick proto tcp from <OurNetworks> to any port 22 no state
    pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22

2012/1/5 Gregory Edigarov g...@bestnet.kharkov.ua:
> On Thu, 5 Jan 2012 09:21:16 +0100 Rafal Bisingier ra...@man.poznan.pl wrote:
>
> > Hi,
> >
> > On Thursday, 05 Jan 2012 at 09:00 CET Robert Wolf r.wolf.c...@gmail.com wrote:
> >
> > > table <OurNetworks> const { }
> > > pass quick proto tcp from <OurNetworks> to any port 22 no state
> > > pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22
> > > block quick proto tcp from any to any port 22
> > >
> > > But of course, the last rule blocks every SSH traffic going from unknown
> > > networks to all hosts. Could someone please help me to create PF rules to
> > > block only traffic going to the local machine from other networks than
> > > <OurNetworks>, similarly as the iptables rule above?
> >
> > Just replace "to any" with "to self". Should do what you want.
> >
> > > I have read the PF manual but not found any possibility to tell pf
> > > "LOCAL-HOST". I have searched with Google but no relevant articles were
> > > found; maybe I have not asked correctly.
> >
> > Well, it's not very easy to find, but the "self" word is explained in the manual.
>
> Yes, but also keep in mind that "self" is only evaluated on ruleset load.
>
> --
> With best regards,
> Gregory Edigarov
Re: PF rule match only packets for local machine
On 2012-01-05, Gregory Edigarov g...@bestnet.kharkov.ua wrote:
> On Thu, 5 Jan 2012 09:21:16 +0100 Rafal Bisingier ra...@man.poznan.pl wrote:
>
> > Hi,
> >
> > On Thursday, 05 Jan 2012 at 09:00 CET Robert Wolf r.wolf.c...@gmail.com wrote:
> >
> > > table <OurNetworks> const { }
> > > pass quick proto tcp from <OurNetworks> to any port 22 no state
> > > pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22

Surely better to have ssh listen on the additional port if it's needed? Whatever reason you have for using PF without keeping state presumably applies to port as well.

> > > block quick proto tcp from any to any port 22
> > >
> > > But of course, the last rule blocks every SSH traffic going from unknown
> > > networks to all hosts. Could someone please help me to create PF rules to
> > > block only traffic going to the local machine from other networks than
> > > <OurNetworks>, similarly as the iptables rule above?
> >
> > Just replace "to any" with "to self". Should do what you want.
> >
> > > I have read the PF manual but not found any possibility to tell pf
> > > "LOCAL-HOST". I have searched with Google but no relevant articles were
> > > found; maybe I have not asked correctly.
> >
> > Well, it's not very easy to find, but the "self" word is explained in the manual.
>
> Yes, but also keep in mind that "self" is only evaluated on ruleset load.

Unless enclosed by parentheses; "block proto tcp to (self) port ssh" *is* evaluated each time. However, on a router with a relatively static IP address configuration, it's often helpful to avoid the overhead of lookups for each packet (especially if you're not keeping state...).
Re: PF rule match only packets for local machine
Hallo all,

thank you for your answers.

> > table <OurNetworks> const { }
> > pass quick proto tcp from <OurNetworks> to any port 22 no state
> > pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22
> > block quick proto tcp from any to any port 22
> >
> > But of course, the last rule blocks every SSH traffic going from unknown
> > networks to all hosts.
>
> Just replace "to any" with "to self". Should do what you want.

*** YES! :-) That is the keyword I was looking for. :-)

> > I have read the PF manual but not found any possibility to tell pf
> > "LOCAL-HOST". I have searched with Google but no relevant articles were
> > found; maybe I have not asked correctly.
>
> Well, it's not very easy to find, but the "self" word is explained in the manual.

*** Oh, I see it now. It is in the TABLES section. I had looked for it in the PACKET FILTERING section, in the part on the syntax of "from ... port ... os ... to ... port".

> Yes, but also keep in mind that "self" is only evaluated on ruleset load.

*** H, OK, it is not the same as "iptables -I INPUT", but at least I can create one rule without defining IP addresses or interfaces. Great, thank you for the info.

I have updated my rules to

    pass in quick proto tcp from any to (self) port rdr-to 127.0.0.1 port 22
    block quick proto tcp from ! <OurNetwork> to (self) port 22 no state

We use "pass flags any no state" because this machine works as a router, but I want to block incoming SSH traffic.

> Surely better to have ssh listen on the additional port if it's needed?
> Whatever reason you have for using PF without keeping state presumably
> applies to port as well.

*** You are right. I can configure SSH on both 22 and ports. I want to have port 22 because of access from our networks with a strict firewall allowing SSH on port 22. But for access from unknown networks I want to have an additional port open. And I wanted to have as few files changed as possible. I had already changed pf.conf, so I wanted to make updates only in pf.conf. But it's no problem to update sshd_config too.

> Unless enclosed by parentheses; "block proto tcp to (self) port ssh" *is*
> evaluated each time. However, on a router with a relatively static IP
> address configuration, it's often helpful to avoid the overhead of lookups
> for each packet (especially if you're not keeping state...).

*** Cool, applied. :)

> Start with the block rule without quick, then apply the pass rules.
> Something like this:
>
>     table <OurNetworks> const { }
>     block proto tcp from any to any port 22
>     pass quick proto tcp from <OurNetworks> to any port 22 no state
>     pass in quick proto tcp from any to any port rdr-to 127.0.0.1 port 22

*** This does not work. We have one rule "pass flags any no state" after this block, because the machine is a router and we want to pass everything. If I move this block after that "pass any", it would block every SSH traffic going through. The solution with (self) is the best one. I will try to find a little better solution for all non-SSH packets to be passed before the SSH check, something like

==
pass out quick flags any no state
pass in quick proto ! tcp flags any no state
pass in quick proto tcp from any to any port ! 22 flags any no state
## start sshd on port 22 and instead ##
## pass in quick proto tcp from any to (self) port rdr-to 127.0.0.1 port 22
block in quick proto tcp from ! <OurNetwork> to (self) port 22 no state
pass flags any no state
==

Is this better?

Thank you all for your answers.

Regards,
Robert Wolf.
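The thread turns on two pf evaluation facts: the last matching rule wins unless a matching rule carries "quick", and "(self)" matches the router's own addresses. The following model of that evaluation is an added example, not code from the thread or from pf; the addresses and the contents of the <OurNetworks> table are constructed, and only TCP destination port, source and destination address are modelled. It shows that Robert's quick block to (self) drops outside SSH to the router while leaving routed SSH alone, and that the "block without quick" suggestion is overridden by the trailing "pass flags any no state".

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for this model (assumptions, not values from the thread).
OUR_NETWORKS = [ip_network("192.0.2.0/24")]                    # the <OurNetworks> table
SELF = {ip_address("198.51.100.1"), ip_address("192.0.2.1")}    # router's own addresses: (self)


def is_self(addr):      # "to (self)"
    return addr in SELF


def not_ours(addr):     # "from ! <OurNetworks>"
    return not any(addr in net for net in OUR_NETWORKS)


def rule(action, quick=False, src=None, dst=None, port=None):
    """One pf rule: src/dst are address predicates (None = any), port is a
    destination port (None = any)."""
    return {"action": action, "quick": quick, "src": src, "dst": dst, "port": port}


def matches(r, src, dst, port):
    return ((r["src"] is None or r["src"](src)) and
            (r["dst"] is None or r["dst"](dst)) and
            (r["port"] is None or r["port"] == port))


def evaluate(ruleset, src, dst, port):
    """pf filter semantics in miniature: the LAST matching rule wins, unless a
    matching rule carries 'quick', which ends evaluation at once. A packet that
    matches no rule is passed (pf's implicit default)."""
    src, dst = ip_address(src), ip_address(dst)
    verdict = "pass"
    for r in ruleset:
        if matches(r, src, dst, port):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict


# Robert's final rules:
#   block in quick proto tcp from ! <OurNetworks> to (self) port 22 no state
#   pass flags any no state
FINAL = [rule("block", quick=True, src=not_ours, dst=is_self, port=22), rule("pass")]

# The "block without quick, then pass" suggestion, followed by the router's
# catch-all pass that must stay at the end:
#   block proto tcp from any to any port 22
#   pass flags any no state
NONQUICK = [rule("block", port=22), rule("pass")]

if __name__ == "__main__":
    for name, rs in (("FINAL", FINAL), ("NONQUICK", NONQUICK)):
        print(name, "ssh to router from outside:", evaluate(rs, "203.0.113.50", "198.51.100.1", 22))
        print(name, "ssh routed through to a LAN host:", evaluate(rs, "203.0.113.50", "192.0.2.20", 22))
```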