IPF ipf use dhcp/pppoe interface ip in ruleset

pass out log all:

Why log all packets?

Where in your ruleset is this rule. Placement where it is in the ruleset matters, hugely. Also, quick rules are checked before this rule.

My VPN, using ssh, has an interface. Do you use IPsec? IPsec, designed with IPv6 in mind, has no concept of interfaces. Your choice of VPN software matters.
 
Why not log all out packets? Logging doesn't hurt and helps with troubleshooting. And as I am trying to understand what is happening, I tend to log everything.

pass out all is at the end of the file. But as you said, quick is checked before, and I only have quick rules in the ruleset.
 
I did some more troubleshooting.

# no restrictions on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
# Rules
pass in quick on re0 proto tcp from {1.2.3.4 5.6.7.8} to re0/netmasked port = 22 flags S/SAFR keep state

pass in quick on re1.7 proto udp from any to re1.7/netmasked port = 67
pass in quick on re1.9 proto udp from any to re1.9/netmasked port = 67
pass in quick on re1.253 proto udp from any to re1.253/netmasked port = 67

# Guest
pass in quick on re1.253 out-via re0 proto tcp from any to any flags S/SAFR keep state
pass in quick on re1.253 out-via re0 proto udp from any to any keep state
pass in quick on re1.253 out-via re0 proto icmp from any to any keep state

# Cleanup Rule
block in log all
pass out log all

When using this ruleset, /netmasked works and does not give me an error.
Why? I will now add more rules step by step until I can reproduce the error. But the rest of the ruleset seems to be fine, as it got applied with no error when I removed the /netmasked.

But what I don't understand: I have the rules
pass in quick on re1.253 out-via re0
re1.253 has the IP 10.111.253.254. re0 is the WAN interface.
When I am at a workstation (e.g. 10.111.253.100) I can ssh to 10.111.253.254. Why? This rule explicitly has re0 as the outgoing interface. So I don't understand why this rule applies and why I can access ssh on the router.
What am I not understanding correctly?
 
Hi cy@

Not sure if I get this right.

# this allows encrypted IPsec traffic
pass in quick on $wan proto udp from 1.2.3.4 to any port = 500 keep state
pass in quick on $wan proto udp from 1.2.3.4 to any port = 4500 keep state
pass in quick on $wan proto esp from 1.2.3.4 to any keep state

# this allows clear traffic "into" the VPN
pass in log quick proto tcp from 192.168.178.20 to 10.111.7.0/24 port = 22 flags S/SAFR keep state

But why is the decrypted answer packet then blocked, as shown in the log?
pass out log all
All egress packets should be allowed and the state should be kept. I don't get this.

What would be the benefits in putting the rules on the external interface? Where would be the difference?
Also, how would this work on the VPN, as it does not have an interface?


pass in log quick on $clients proto tcp from 10.111.9.0/24 to 192.168.178.10 port = 445 flags S/SAFR keep state
pass in log quick on $clients proto tcp from 10.111.9.0/24 to 192.168.178.2 port = 3389 flags S/SAFR keep state

What I now do is have pass in rules on the client interface allowing access to a file server and a terminal server. How would you do this?

So I want the clients to connect to the internet and the VPN, and guests to have access to the internet only.

# Guest
pass in log quick on $guest out-via $wan proto tcp from any to any flags S/SAFR keep state
pass in log quick on $guest out-via $wan proto udp from any to any keep state
pass in log quick on $guest out-via $wan proto icmp from any to any keep state

That's why I use pass in and out-via, to ensure the packet uses the correct path. Or did I get something wrong here?

Shouldn't these internal egress packets be allowed because of
pass out log all

What is also a bit strange:
I have a client with DHCP IP 10.111.9.119. The client interface on the router is 10.111.9.254. Why can the client access the router via ssh on 10.111.9.254? There is no pass rule allowing this, and a
block in log all rule that should prohibit this.
So what is the hierarchy of the rules, and why isn't this access blocked?


Also, do you have any idea why re0/netmasked gives me the "24:25:ioctl(add/insert rule): bad interface index with dynamic dest. address"?
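The question of rule hierarchy above (and cy@'s point earlier in the thread that placement matters and that quick rules are checked before a later non-quick rule) can be made concrete with a small simulator of IPF's ordering semantics. This is an added example, not code from the thread or from the IPFilter project. It models only direction, quick, log, "on", proto, from/to addresses and "port = N"; out-via, flags, keep state and /netmasked are parsed past and ignored, so it deliberately says nothing about forwarding-interface behaviour. The rulesets and addresses in it are constructed (203.0.113.5 stands in for the WAN address) and modelled on the posted one; the assumed semantics are that rules are scanned top to bottom, the last matching rule decides unless a matching quick rule ends the scan, and a packet with no matching rule passes.

```python
"""Simplified model of IPFilter rule ordering (added example; assumptions in the lead-in)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Net = ipaddress.IPv4Network


@dataclass
class Packet:
    direction: str   # "in" or "out"
    iface: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str
    direction: str
    quick: bool
    log: bool
    iface: Optional[str]   # None = any interface
    proto: Optional[str]   # None = any protocol
    src: List[Net]         # empty list = any
    dst: List[Net]
    dport: Optional[int]
    text: str


def _addr_list(toks: List[str], i: int) -> Tuple[List[Net], int]:
    """Parse 'any', a single address/network, or an IPF '{a b}' group."""
    if toks[i] == "any":
        return [], i + 1
    if toks[i].startswith("{"):
        group = []
        while True:
            group.append(toks[i].strip("{}"))
            i += 1
            if toks[i - 1].endswith("}"):
                break
        return [ipaddress.ip_network(a, strict=False) for a in group if a], i
    return [ipaddress.ip_network(toks[i], strict=False)], i + 1


def parse_rule(line: str) -> Rule:
    toks = line.split()
    r = Rule(action=toks[0], direction=toks[1], quick=False, log=False,
             iface=None, proto=None, src=[], dst=[], dport=None, text=line)
    i = 2
    while i < len(toks):
        t = toks[i]
        if t == "quick":
            r.quick = True
            i += 1
        elif t == "log":
            r.log = True
            i += 1
        elif t == "all":
            i += 1
        elif t == "on":
            r.iface = toks[i + 1]
            i += 2
        elif t == "proto":
            r.proto = toks[i + 1]
            i += 2
        elif t == "from":
            r.src, i = _addr_list(toks, i + 1)
        elif t == "to":
            r.dst, i = _addr_list(toks, i + 1)
        elif t == "port":                      # 'port = N'
            r.dport = int(toks[i + 2])
            i += 3
        elif t in ("out-via", "flags", "keep"):  # argument present, not modelled
            i += 2
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
    return r


def parse_ruleset(text: str) -> List[Rule]:
    lines = (ln.strip() for ln in text.splitlines())
    return [parse_rule(ln) for ln in lines if ln and not ln.startswith("#")]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Last matching rule wins, unless a matching 'quick' rule stops the scan."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    decision: Tuple[str, Optional[str]] = ("pass", None)   # default when nothing matches
    for r in rules:
        if (r.direction != pkt.direction
                or (r.iface and r.iface != pkt.iface)
                or (r.proto and r.proto != pkt.proto)
                or (r.src and not any(src in n for n in r.src))
                or (r.dst and not any(dst in n for n in r.dst))
                or (r.dport is not None and r.dport != pkt.dport)):
            continue
        decision = (r.action, r.text)
        if r.quick:
            break
    return decision


def decide(ruleset: str, pkt: Packet) -> Tuple[str, Optional[str]]:
    return evaluate(parse_ruleset(ruleset), pkt)


# Constructed rulesets modelled on the thread's; 203.0.113.5 stands in for the WAN address.
HEAD = ("pass in quick on lo0 all\npass out quick on lo0 all\n"
        "pass in quick on re0 proto tcp from {1.2.3.4 5.6.7.8} to 203.0.113.5 port = 22 flags S/SAFR keep state\n")
GUEST = "pass in quick on re1.253 out-via re0 proto tcp from any to any flags S/SAFR keep state\n"
BLOCK_SSH = "block in quick on re1.253 proto tcp from any to 10.111.253.254 port = 22\n"
TAIL = "block in log all\npass out log all\n"
GUEST_THEN_CLEANUP = HEAD + GUEST + TAIL
BLOCK_BEFORE_GUEST = HEAD + BLOCK_SSH + GUEST + TAIL
BLOCK_AFTER_GUEST = HEAD + GUEST + BLOCK_SSH + TAIL
NON_QUICK = "pass in on re0 proto tcp from any to 203.0.113.5 port = 80\nblock in log all\n"

SSH_TO_ROUTER = Packet("in", "re1.253", "tcp", "10.111.253.100", "10.111.253.254", 22)
WEB_IN = Packet("in", "re0", "tcp", "198.51.100.7", "203.0.113.5", 80)

if __name__ == "__main__":
    for name, rs in [("guest then cleanup", GUEST_THEN_CLEANUP),
                     ("block before guest", BLOCK_BEFORE_GUEST),
                     ("block after guest", BLOCK_AFTER_GUEST)]:
        print(f"{name:20s} -> {decide(rs, SSH_TO_ROUTER)}")
    print(f"{'non-quick, last wins':20s} -> {decide(NON_QUICK, WEB_IN)}")
```

In this model the workstation's ssh to 10.111.253.254 passes because the guest rule, stripped of the unmodelled out-via qualifier, matches first and is quick, so the cleanup "block in log all" is never consulted; a specific block rule only takes effect if it sits above that quick rule. The last case shows the opposite behaviour of a non-quick rule: its pass is overridden by the later "block in log all" because, without quick, the last match wins.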
In an IPF (Internet Packet Filter) configuration where DHCP (Dynamic Host Configuration Protocol) or PPPoE (Point-to-Point Protocol over Ethernet) interfaces are used, it's essential to incorporate the dynamically assigned IP addresses into the ruleset effectively. DHCP and PPPoE are common methods for obtaining IP addresses dynamically from a network server, making them versatile options for connecting to the internet.

When crafting rulesets for IPF, it's crucial to consider the dynamic nature of these interfaces. Unlike statically assigned IP addresses, DHCP and PPPoE interfaces may change their IP addresses periodically or upon connection establishment. Therefore, instead of hardcoding specific IP addresses into the ruleset, it's advisable to utilize macros or variables that represent the dynamically assigned IP addresses.