Hi all, I am trying to create a very restrictive pf ruleset. I am running a set of NAT'ed clients behind an OpenBSD firewall, but they are systematically abusing the bandwidth, so I thought I would create a more restrictive ruleset, then add some altq tricks, and solve my problem.
The thing is, for example, for an http connection:
The rule is:
pass out log-all on $ext_if inet proto tcp from any to any port 80 flags S/SA modulate state
it gets matched well, and the request goes out.
the logs look like this (rl0 is the $ext_if):
Jun 30 05:31:36.386120 rule 29/0(match): pass out on rl0: 192.168.1.12.1268 > 213.228.128.63.80: S 4027642076:4027642076(0) win 64240 <mss 1460> (DF)
But nothing comes back... I do not even see a block on rl0 for the answer...
Can anyone point me in the right direction to solve this? I thought that it was to be solved by keep/modulate state!
Below is a copy of the pf.conf that is generating this; it is mostly copy/paste from tutorials on the net, except for the last two lines (I hope it comes out readable)! Thank you for your time.
# pf.conf for OpenBSD 3.2 running quimica-ua.dhs.org
# Outside IP address of the NAT firewall is assigned by DHCP
# Inside network is 192.168.1.0
#### Variables ####
ext_if="rl0"
int_if="rl1"
SpoofIP="10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1"
DOUBLECLICK="204.253.104.0/24, 205.138.3.0/24, 206.65.183.0/24, 208.184.29.0/24"
int_net="192.168.1.0/24"
int_ip="192.168.1.1/32"
ext_ip="rl0/32" # this may need changing
Abusers="192.168.1.13"
open_ports_tcp="{ ftp, ssh, smtp, www, pop3, nntp, https }" # ,6346,6347,49151 >< 65535 }"
open_ports_udp="{ domain }"
#### Optimization ####
set optimization aggressive
set timeout tcp.established 3600
set timeout { tcp.opening 30, tcp.closing 120 }
set limit { states 10000, frags 1000 }
# statistics logging on external interface
set loginterface $ext_if
# Normalization
scrub in on $ext_if all fragment reassemble
scrub in on $int_if all fragment reassemble
#### Begin Nat Translation Rules ####
# Redirect for tircproxy in transparent mode!
# need to add a line for each port an IRC server runs on
rdr on $int_if proto tcp from $int_ip to any port 6667 -> 127.0.0.1 port 7666
rdr on $int_if proto tcp from $int_ip to any port 7000 -> 127.0.0.1 port 7666
# Redirect for ftp-proxy
# see the rules below regarding data connections
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8081
# Nat external interface to internal network
nat on $ext_if from $int_ip to any -> ($ext_if)
#### BEGIN Filtering Rules ####
# Antispoof rules
block in log quick on $ext_if from { $SpoofIP } to any
block out log quick on $ext_if from any to { $SpoofIP }
# Let's stop those hax0rz
block in log quick on $ext_if proto tcp from any to any flags FUP
block in log quick on $ext_if proto tcp from any to any flags SAFRPU
block in log quick on $ext_if proto tcp from any to any flags SAFRU/SAFRU
block in log quick on $ext_if proto tcp from any to any flags SF/SF
block in log quick on $ext_if proto tcp from any to any flags SR/SR
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
# Block anything coming from sources we have no route back to
block in log quick from no-route to any
# We do not need ipv6, right?
block in log quick inet6 all
block out log quick inet6 all
# Pass everything on the loopback device,
# should be after the antispoof and antihack rules
pass in quick on lo0 all
pass out quick on lo0 all
# block and log everything by default
block out log-all on $ext_if all
block in log-all on $ext_if all
# silently drop broadcasts (cable modem noise)
block in log on $ext_if from any to 255.255.255.255
# Deny doubleclick ads here...
#block out log on $ext_if from any to { $DOUBLECLICK }
#block in log on $ext_if from { $DOUBLECLICK } to any
# ICMP
# pass out/in certain ICMP queries and keep state (ping)
# state matching is done on host addresses and ICMP id (not type/code),
# so replies (like 0/0 for 8/0) will match queries
# ICMP error messages (which always refer to a TCP/UDP packet) are
# handled by the TCP/UDP states
pass out log-all on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
#pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
# From here we add services on a need to use basis.
pass out log on $ext_if inet proto udp from any to any port $open_ports_udp keep state
pass out log-all on $ext_if inet proto tcp from any to any port $open_ports_tcp flags S/SA modulate state
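As an added check (not part of the original post; the config text below is a constructed excerpt of the macros and nat rule quoted above): the nat rule's source is $int_ip, which expands to 192.168.1.1/32, while the logged packet leaves rl0 with source 192.168.1.12, an address that no nat rule's source spec covers. The script resolves pf.conf macros and tests whether a logged client address is covered by any nat rule, comparing the posted rule with a hypothetical variant that uses $int_net instead.

```python
import ipaddress
import re

# Constructed excerpt of the macros and nat rule from the posted pf.conf.
PF_CONF = """
int_net="192.168.1.0/24"
int_ip="192.168.1.1/32"
nat on $ext_if from $int_ip to any -> ($ext_if)
"""
# Hypothetical variant: nat source widened to the whole inside network.
FIXED_CONF = PF_CONF.replace("from $int_ip", "from $int_net")

# pflog line quoted in the post: the packet as it left rl0.
PFLOG_LINE = ("Jun 30 05:31:36.386120 rule 29/0(match): pass out on rl0: "
              "192.168.1.12.1268 > 213.228.128.63.80: S 4027642076:4027642076(0)")

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
NAT_RE = re.compile(r'^\s*nat\s+on\s+\S+\s+from\s+(\S+)\s+to\s+(\S+)\s+->')
LOG_RE = re.compile(r'(\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+:')

def parse_macros(conf):
    """Collect name="value" macro definitions."""
    return {m.group(1): m.group(2)
            for m in map(MACRO_RE.match, conf.splitlines()) if m}

def expand(token, macros):
    """Resolve a $macro reference to an address spec; 'any' means everything."""
    spec = macros[token[1:]] if token.startswith("$") else token
    return "0.0.0.0/0" if spec == "any" else spec

def nat_source_networks(conf):
    """Source networks that the nat rules in conf actually translate."""
    macros = parse_macros(conf)
    return [ipaddress.ip_network(expand(m.group(1), macros), strict=False)
            for m in map(NAT_RE.match, conf.splitlines()) if m]

def logged_source(line):
    """Source address of the packet in a pflog/tcpdump line."""
    return LOG_RE.search(line).group(1)

def is_translated(conf, src_ip):
    """True if some nat rule's source spec covers src_ip (so replies can return)."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in nat_source_networks(conf))

if __name__ == "__main__":
    client = logged_source(PFLOG_LINE)          # 192.168.1.12
    print("posted nat rule covers client:", is_translated(PF_CONF, client))   # False
    print("with $int_net it would:", is_translated(FIXED_CONF, client))       # True
```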