[Solved] A little insight into what I'm doing wrong?

Installed a FreeBSD 10.1 box for my friend's small office. He wanted all local traffic to pass without interference and only allow non-US traffic when initiated from inside the network.

After getting the whole thing up and running, I configured the firewall.

Code:
root@Jefferson:~/firewall.d # cat pf.conf
############ Global Options #######################

int_if="fxp0"
ext_if="bge0"
set block-policy return
set loginterface $ext_if
set skip on lo

tcp_svc="22"
icmp_types="echoreq"
localnet="192.168.1.0/24"

table <us.blocks> persist file  "/root/firewall.d/us.blocks"
table <aliens> persist file "/root/firewall.d/aliens.blocks"
table <bruteforce> persist

################ End Global Options ################

########### Traffic Normalization ##################

scrub in on $ext_if all fragment reassemble
scrub out on $ext_if all fragment reassemble

####################################################


####### NAT RULE GOES BEFORE ALL FILTERS ! ! #######

nat on $ext_if from $localnet to any -> ($ext_if)

####################################################


################## Filters #########################

block in all
block drop quick on $ext_if from $localnet to <aliens>
pass out quick on $ext_if from $localnet to any keep state
block in quick on $ext_if from <aliens> to $localnet
block drop in quick on $ext_if from ! <us.blocks> to $localnet
pass in log quick on $ext_if proto tcp from <us.blocks> to $localnet port 22 \
  flags S/SA keep state \
  (max-src-conn 5, max-src-conn-rate 3/9, \
  overload <bruteforce> flush global)
pass out quick on $int_if from $localnet to any keep state
pass in quick on $int_if from $localnet to any keep state

####################################################
################### <END OF FILE> ##################
####################################################
The problem I'm having is that the initial
Code:
block in all
is keeping all traffic from entering in spite of the
Code:
pass in log quick on $ext_if proto tcp from <us.blocks> to $localnet port 22 \
  flags S/SA keep state \
  (max-src-conn 5, max-src-conn-rate 3/9, \
  overload <bruteforce> flush global)
The only connectivity that I want to allow through the firewall is through TCP port 22. But I am relying on the overload line to put an end to the bruteforce attacks I see so much.

But whenever the first rule is uncommented, I cannot connect at all.

I would greatly appreciate any insight into what I'm doing wrong. I was under the impression that the LAST rule that applies to a packet would be the rule that is applied. Hence, the first rule.
 
The issue is that the $localnet keyword is never going to match, since the external interface is NAT'ing and there are no rdr (port forward) rules to send traffic inside.

A variation for allowing SSH directly to the firewall would be to use the { self } keyword.
Code:
pass in log quick on $ext_if proto tcp from <us.blocks> to { self } port 22 \
     flags S/SA keep state \
     (max-src-conn 5, max-src-conn-rate 3/9, \
     overload <bruteforce> flush global)

If you are looking to get at something within the LAN, pf.conf(5) has more details. See man pf.conf | less -p TRANSLATION to get right to the pertinent info.
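As an added illustration of the answer above (not a fragment posted in the thread), here is the { self } rule beside an rdr-based variant for reaching an SSH host inside the LAN, using the macros and tables from the original pf.conf; the internal host 192.168.1.10 and the external listening port 2222 are assumed values.

```pf
# Added example, not from the thread. Assumes the macros and tables of the
# original pf.conf (int_if, ext_if, localnet, <us.blocks>, <bruteforce>).
# Internal host 192.168.1.10 and external port 2222 are made-up values.

# --- Translation section (nat and rdr must come before the filter rules) ---
nat on $ext_if from $localnet to any -> ($ext_if)

# Forward SSH offered on the external address, port 2222, to a LAN host.
# The rdr rewrites the destination before any filter rule sees the packet.
rdr on $ext_if proto tcp from <us.blocks> to ($ext_if) port 2222 \
    -> 192.168.1.10 port 22

# --- Filter section ---
block in all

# Sources that exceeded the overload limit land in <bruteforce>. Without a
# block rule referencing the table, being in it has no lasting effect, so
# this rule goes ahead of the quick pass rules below.
block in quick on $ext_if from <bruteforce> to any

# Variant A: SSH to the firewall itself. 'self' expands to every address
# configured on the box, so the external address is covered (unlike
# $localnet, which never matches the firewall's own external IP).
pass in log quick on $ext_if proto tcp from <us.blocks> to { self } port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/9, \
    overload <bruteforce> flush global)

# Variant B: SSH to the LAN host behind the rdr above. Filtering is applied
# after translation, so the rule must match the translated destination
# (192.168.1.10 port 22), not ($ext_if) port 2222.
pass in log quick on $ext_if proto tcp from <us.blocks> to 192.168.1.10 port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/9, \
    overload <bruteforce> flush global)

pass out quick on $int_if from $localnet to any keep state
pass in quick on $int_if from $localnet to any keep state
```

Check the syntax without loading it with pfctl -nf /root/firewall.d/pf.conf, and inspect who has tripped the limit with pfctl -t bruteforce -T show.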
 
Can you answer a question for me?
I'm a bit confused as to how to craft the rules.
I know the last rule to match wins, unless a "quick" preceded it.
But, the question I have is when allowing traffic past my firewall do I have to write rules on both sides?
That is to say, should I have a pass rule on $ext_if AND the $int_if?
 