Basic setup.
[remote static IP] ---- SSH ---> [local static IP/router] --- port forward 22 ---> [192.168.1.11]
This is the traffic I see on the internal machine.
Based on that traffic, I created my rules...
Here are the rules expanded.
However, I cannot figure out why the firewall isn't allowing traffic from either my local ip block or the remote machine, both of which are in my white_list.
[remote static IP] ---- SSH ---> [local static IP/router] --- port forward 22 ---> [192.168.1.11]
This is the traffic I see on the internal machine.
Code:
root@LR-Remote:~/firewall.d # tcpdump src host {REMOTE IP}
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:01:06.531865 IP {REMOTE IP} > 192.168.1.11.ssh: Flags \[S\], seq 2160000328, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1166592543 ecr 0], length 0
16:01:06.553182 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [.], ack 1420543396, win 1040, options [nop,nop,TS val 1166592562 ecr 360790155], length 0
16:01:06.553203 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 0:49, ack 1, win 1040, options [nop,nop,TS val 1166592562 ecr 360790155], length 49
16:01:06.586524 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [.], seq 49:1497, ack 39, win 1040, options [nop,nop,TS val 1166592597 ecr 360790188], length 1448
16:01:06.586546 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 1497:2017, ack 39, win 1040, options [nop,nop,TS val 1166592597 ecr 360790188], length 520
16:01:06.711294 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 2017:2065, ack 1087, win 1040, options [nop,nop,TS val 1166592722 ecr 360790210], length 48
16:01:06.743595 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 2065:2081, ack 1367, win 1040, options [nop,nop,TS val 1166592754 ecr 360790343], length 16
16:01:06.866862 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 2081:2137, ack 1367, win 1040, options [nop,nop,TS val 1166592878 ecr 360790472], length 56
16:01:06.900316 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 2137:2209, ack 1423, win 1040, options [nop,nop,TS val 1166592902 ecr 360790490], length 72
16:01:07.002718 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 2209:2297, ack 1495, win 1040, options [nop,nop,TS val 1166593013 ecr 360790603], length 88
16:01:07.131220 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [.], ack 1583, win 1040, options [nop,nop,TS val 1166593141 ecr 360790627], length 0
16:01:09.084636 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [F.], seq 2297, ack 1583, win 1040, options [nop,nop,TS val 1166595095 ecr 360790627], length 0
16:01:09.106433 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [.], ack 1584, win 1040, options [nop,nop,TS val 1166595116 ecr 360792709], length 0
^C
13 packets captured
53 packets received by filter
0 packets dropped by kernel
Based on that traffic, I created my rules...
Code:
root@LR-Remote:~/firewall.d # cat /root/firewall.d/pf.conf
############ Global Options #######################
iface = "em0"
set block-policy return
set loginterface $iface
set skip on lo
tcp_services = "{22, 139, 445, 873}"
udp_services = "{137, 138}"
icmp_types = "echoreq"
localnet = "192.168.1.0/24"
static_ip = "192.168.1.11"
white_list = "{--RemoteIP--, 192.168.1.0/24}"
table <us.blocks> persist file "/root/firewall.d/us.blocks"
table <aliens> persist file "/root/firewall.d/aliens.blocks"
table <bruteforce> persist file "/root/firewall.d/bruteforce"
################ End Global Options ################
########### Traffic Normalization ##################
scrub in on $iface all fragment reassemble
scrub out on $iface all fragment reassemble
####################################################
####### NAT RULE GOES BEFORE ALL FILTERS ! ! #######
#nat on $ext_if from $localnet to any -> ($ext_if)
####################################################
################## Filters #########################
block in all
block drop in quick from <bruteforce>
block drop in quick on $iface from ! <us.blocks> to { self }
pass out quick on $iface from { self } to any
pass in on $iface proto tcp from $white_list to { self } port $tcp_services
pass in on $iface proto udp from $white_list to { self } port $udp_services
# SSH lines incase I drop the whitelist
#pass in log quick on $iface proto tcp from $white_list to { self } port 22 \
# flags S/SA keep state \
# (max-src-conn 5, max-src-conn-rate 3/9, \
# overload <bruteforce> flush global)
####################################################
################### <END OF FILE> ##################
####################################################
Here are the rules expanded.
Code:
root@LR-Remote:~/firewall.d # pfctl -sr
scrub in on em0 all fragment reassemble
scrub out on em0 all fragment reassemble
block return in all
block drop in quick on em0 inet from ! <us.blocks> to 192.168.1.11
block drop in quick on em0 inet from ! <us.blocks> to 127.0.0.1
block drop in quick on em0 inet6 from ! <us.blocks> to ::1
block drop in quick from <bruteforce> to any
pass out quick on em0 inet from 192.168.1.11 to any flags S/SA keep state
pass out quick on em0 inet from 127.0.0.1 to any flags S/SA keep state
pass out quick on em0 inet6 from ::1 to any flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 192.168.1.11 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 192.168.1.11 port = netbios-ssn flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 192.168.1.11 port = microsoft-ds flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 192.168.1.11 port = rsync flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 127.0.0.1 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 127.0.0.1 port = netbios-ssn flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 127.0.0.1 port = microsoft-ds flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 127.0.0.1 port = rsync flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.11 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.11 port = netbios-ssn flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.11 port = microsoft-ds flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.11 port = rsync flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port = netbios-ssn flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port = microsoft-ds flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port = rsync flags S/SA keep state
pass in on em0 inet proto udp from {REMOTE IP} to 192.168.1.11 port = netbios-ns keep state
pass in on em0 inet proto udp from {REMOTE IP} to 192.168.1.11 port = netbios-dgm keep state
pass in on em0 inet proto udp from {REMOTE IP} to 127.0.0.1 port = netbios-ns keep state
pass in on em0 inet proto udp from {REMOTE IP} to 127.0.0.1 port = netbios-dgm keep state
pass in on em0 inet proto udp from 192.168.1.0/24 to 192.168.1.11 port = netbios-ns keep state
pass in on em0 inet proto udp from 192.168.1.0/24 to 192.168.1.11 port = netbios-dgm keep state
pass in on em0 inet proto udp from 192.168.1.0/24 to 127.0.0.1 port = netbios-ns keep state
pass in on em0 inet proto udp from 192.168.1.0/24 to 127.0.0.1 port = netbios-dgm keep state
However, I cannot figure out why the firewall isn't allowing traffic from either my local ip block or the remote machine, both of which are in my white_list.