PF a question about rdr and block rules

my case is this:

Code:
ext_if="re0"
int_if="re1"

int_external_ports={3389,22}

forward_ports={3389,22}

rdr pass on $ext_if proto tcp from any to any port 3389 -> 192.168.x.x port 3389

block all

pass in on $int_if inet proto tcp from any to any port $forward_ports flags S/SA keep state
I forgot to put this line:
pass out on $int_if inet proto tcp from any to any port $forward_ports flags S/SA keep state


pass in on $ext_if proto tcp from any to any port $int_external_ports flags S/SA keep state

Now, if I delete the rule
Code:
 pass in on $ext_if proto tcp from any to any port $int_external_ports flags S/SA keep state
I can still access port 3389 from outside and reach the redirected machine.
The rdr rule opens a port on the external interface without permission; is this normal for PF?


the ports have been changed for the example
 
This is because you've set up the rule as rdr pass. From pf.conf():
Code:
     If the pass modifier is given, packets matching the translation rule are
     passed without inspecting the filter rules
 
If you are using NAT, do not redirect "any to any"; use "any to $ext_ip" (external IP address). It is also good practice to limit the scope of the source connection addresses, or at least to change the default RDP port to avoid the scanning bots from the internet. And don't forget to patch your RDP against the CredSSP vulnerability.

It should look like something like this:
Code:
trusthosts = "{ x.x.x.x/24, x.x.x.x/24, x.x.x.x/8 }"

rdr on $ext_if proto tcp from $trusthosts to $ext_ip port 13389 -> 192.168.x.x port 3389
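As an added illustration (not code from the thread), here is a version of the ruleset that keeps translation and filtering separate: the rdr carries no pass, so the filter rules decide who reaches the forwarded host. Interface names, addresses, the internal host and the trusted networks are placeholders.

```pf
# Added example, not the original poster's ruleset.
# Placeholders: interfaces, public address, internal RDP host, trusted networks.
ext_if   = "re0"
int_if   = "re1"
ext_ip   = "203.0.113.10"      # placeholder public address
rdp_host = "192.168.1.20"      # placeholder internal RDP host

# Trusted source networks; a table can be edited and reloaded without
# touching the rules.
table <trusthosts> { 198.51.100.0/24, 192.0.2.0/24 }

set skip on lo0
scrub in all

# Translation only: the non-standard external port 13389 maps to 3389 on the
# inside, but nothing is passed here (no "pass" keyword), so the packets
# still have to match a filter rule below.
rdr on $ext_if proto tcp from <trusthosts> to $ext_ip port 13389 -> $rdp_host port 3389

block all

# rdr runs before filtering, so the filter sees the translated destination:
# match on the internal host and port 3389, not on $ext_ip:13389.
pass in log on $ext_if inet proto tcp from <trusthosts> to $rdp_host port 3389 flags S/SA keep state

# Explicit pass out on the internal interface, as in the original ruleset.
pass out on $int_if inet proto tcp from <trusthosts> to $rdp_host port 3389 flags S/SA keep state
```

Deleting the "pass in on $ext_if" rule here closes the forwarded port again, which is the behaviour the question expected.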
 

You're right, I modified everything to keep it clean for this post, but in the rdr rule I use
Code:
rdr log(all) on $ext_if proto tcp from any to $ext_ip port 13389 -> 192.168.x.x port 3389

because I had multiple external IPs, and I log every access from the outside.
But the $trusthosts is a really good idea, thanks for the advice.
 