Pf basic rules and usage

[BeastieBoy]

Hi,

I was trying to create a set of rules for pf after reading the *beep**beep**beep**beep*'n manual, faq, handbook, etc, and obviously I locked myself out! Yeah I know I shouldn't have written a rule for ssh...

Anyway it's done now, so what would be the rules to:
- accept ssh connections on a given port (eg: 15322) and redirect to 22?
- accept http connections on port 80
- accept smtp connections on port 25

I don't see why pf is much better than iptables, well it's not that much easier to write rules...


Thanks for your help.

 

[BeastieBoy]

Ok I managed to rescue my server here are my faulty rules:

block in log all
pass out quick
set skip on lo

# SSH
pass in on vr0 proto tcp from any port 13742 to 127.0.0.1 port 22

#pass in from port 80

# Mail
#pass in from port 2525 to 127.0.0.1 port 25
#pass in from port 25
#pass in from port 993

How to fix and reduce them?

 

[fwaggle]

Your issue is you're basically filtering by source ports. To redirect SSH, you want an RDR rule first, then you want pass rules later.

To specify the port on your local machine you want to allow connections to, it's something like this:

pass in on $if proto tcp from any to ($if) port $port

If you specify a port after "from any", then that tells PF to check the source port of the connection (controlled by the other end, not worth filtering imho).

Also, setup at(1) and then do something like:

# at +2m pfctl -d
pfctl -ef /etc/pf.conf

If you lock yourself out of your box, in 2 minutes it'll disable pf and you can get back in. Hope that helps.

 

[BeastieBoy]

Before I fcuk up again my box will the following allow ssh?

pass in on vr0 proto tcp from any port 15762 to 127.0.0.1 port 22 flags S/SA keep state

 

[BeastieBoy]

fwaggle: your at command seems interesting but as is, there is a syntax error, and the manual page is... well... unhelpful... as usual...

 

[fwaggle]

No, that rule won't do what you think it's doing. "from any port X" means that the source port must match (in your case, 15762) - considering that most OSes randomly select source ports your odds of matching this rule are quite slim. I think what you want is something more like this:

pass in on vr0 proto tcp from any to (vr0) port 15762 rdr-to 127.0.0.1 port 22

I'm not even sure if that'll work though as I've never tried to do redirects without having the machine acting as a NAT router - is there any specific reason you don't just change the port sshd is listening to?

As far as the "at" command goes, I might have screwed up the syntax - maybe it's "at 2m <command>"... not sure. You could make a cron job to do the same thing, just have it disable pf every 5 minutes then watch the clock while testing.

 

[BeastieBoy]

You are right it's easier to change the sshd port than to fiddle with pf.