Solved Basic rules problem

Basic setup.

[remote static IP] ---- SSH ---> [local static IP/router] --- port forward 22 ---> [192.168.1.11]

This is the traffic I see on the internal machine.
Code:
root@LR-Remote:~/firewall.d # tcpdump src host {REMOTE IP}
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em0, link-type EN10MB (Ethernet), capture size 65535 bytes
16:01:06.531865 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [S], seq 2160000328, win 65535, options [mss 1460,nop,wscale 6,sackOK,TS val 1166592543 ecr 0], length 0
16:01:06.553182 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [.], ack 1420543396, win 1040, options [nop,nop,TS val 1166592562 ecr 360790155], length 0
16:01:06.553203 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 0:49, ack 1, win 1040, options [nop,nop,TS val 1166592562 ecr 360790155], length 49
16:01:06.586524 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [.], seq 49:1497, ack 39, win 1040, options [nop,nop,TS val 1166592597 ecr 360790188], length 1448
16:01:06.586546 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 1497:2017, ack 39, win 1040, options [nop,nop,TS val 1166592597 ecr 360790188], length 520
16:01:06.711294 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 2017:2065, ack 1087, win 1040, options [nop,nop,TS val 1166592722 ecr 360790210], length 48
16:01:06.743595 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 2065:2081, ack 1367, win 1040, options [nop,nop,TS val 1166592754 ecr 360790343], length 16
16:01:06.866862 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 2081:2137, ack 1367, win 1040, options [nop,nop,TS val 1166592878 ecr 360790472], length 56
16:01:06.900316 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 2137:2209, ack 1423, win 1040, options [nop,nop,TS val 1166592902 ecr 360790490], length 72
16:01:07.002718 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [P.], seq 2209:2297, ack 1495, win 1040, options [nop,nop,TS val 1166593013 ecr 360790603], length 88
16:01:07.131220 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [.], ack 1583, win 1040, options [nop,nop,TS val 1166593141 ecr 360790627], length 0
16:01:09.084636 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [F.], seq 2297, ack 1583, win 1040, options [nop,nop,TS val 1166595095 ecr 360790627], length 0
16:01:09.106433 IP {REMOTE IP} > 192.168.1.11.ssh: Flags [.], ack 1584, win 1040, options [nop,nop,TS val 1166595116 ecr 360792709], length 0
^C
13 packets captured
53 packets received by filter
0 packets dropped by kernel

Based on that traffic, I created my rules...
Code:
root@LR-Remote:~/firewall.d # cat /root/firewall.d/pf.conf
############ Global Options #######################
iface = "em0"
set block-policy return
set loginterface $iface
set skip on lo

tcp_services = "{22, 139, 445, 873}"
udp_services = "{137, 138}"
icmp_types = "echoreq"
localnet = "192.168.1.0/24"
static_ip = "192.168.1.11"
white_list = "{--RemoteIP--, 192.168.1.0/24}"


table <us.blocks> persist file  "/root/firewall.d/us.blocks"
table <aliens> persist file "/root/firewall.d/aliens.blocks"
table <bruteforce> persist file "/root/firewall.d/bruteforce"

################ End Global Options ################

########### Traffic Normalization ##################

scrub in on $iface all fragment reassemble
scrub out on $iface all fragment reassemble

####################################################


####### NAT RULE GOES BEFORE ALL FILTERS ! ! #######

#nat on $ext_if from $localnet to any -> ($ext_if)

####################################################


################## Filters #########################

block in all
block drop in quick from <bruteforce>
block drop in quick on $iface from ! <us.blocks> to { self }
pass out quick on $iface from { self } to any
pass in on $iface proto tcp from $white_list to { self } port $tcp_services
pass in on $iface proto udp from $white_list to { self } port $udp_services

# SSH lines in case I drop the whitelist
#pass in log quick on $iface proto tcp from $white_list to { self } port 22 \
#  flags S/SA keep state \
#  (max-src-conn 5, max-src-conn-rate 3/9, \
#  overload <bruteforce> flush global)

####################################################
################### <END OF FILE> ##################
####################################################

Here are the rules expanded.
Code:
root@LR-Remote:~/firewall.d # pfctl -sr
scrub in on em0 all fragment reassemble
scrub out on em0 all fragment reassemble
block return in all
block drop in quick on em0 inet from ! <us.blocks> to 192.168.1.11
block drop in quick on em0 inet from ! <us.blocks> to 127.0.0.1
block drop in quick on em0 inet6 from ! <us.blocks> to ::1
block drop in quick from <bruteforce> to any
pass out quick on em0 inet from 192.168.1.11 to any flags S/SA keep state
pass out quick on em0 inet from 127.0.0.1 to any flags S/SA keep state
pass out quick on em0 inet6 from ::1 to any flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 192.168.1.11 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 192.168.1.11 port = netbios-ssn flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 192.168.1.11 port = microsoft-ds flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 192.168.1.11 port = rsync flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 127.0.0.1 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 127.0.0.1 port = netbios-ssn flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 127.0.0.1 port = microsoft-ds flags S/SA keep state
pass in on em0 inet proto tcp from {REMOTE IP} to 127.0.0.1 port = rsync flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.11 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.11 port = netbios-ssn flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.11 port = microsoft-ds flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 192.168.1.11 port = rsync flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port = ssh flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port = netbios-ssn flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port = microsoft-ds flags S/SA keep state
pass in on em0 inet proto tcp from 192.168.1.0/24 to 127.0.0.1 port = rsync flags S/SA keep state
pass in on em0 inet proto udp from {REMOTE IP} to 192.168.1.11 port = netbios-ns keep state
pass in on em0 inet proto udp from {REMOTE IP} to 192.168.1.11 port = netbios-dgm keep state
pass in on em0 inet proto udp from {REMOTE IP} to 127.0.0.1 port = netbios-ns keep state
pass in on em0 inet proto udp from {REMOTE IP} to 127.0.0.1 port = netbios-dgm keep state
pass in on em0 inet proto udp from 192.168.1.0/24 to 192.168.1.11 port = netbios-ns keep state
pass in on em0 inet proto udp from 192.168.1.0/24 to 192.168.1.11 port = netbios-dgm keep state
pass in on em0 inet proto udp from 192.168.1.0/24 to 127.0.0.1 port = netbios-ns keep state
pass in on em0 inet proto udp from 192.168.1.0/24 to 127.0.0.1 port = netbios-dgm keep state

However, I cannot figure out why the firewall isn't allowing traffic from either my local IP block or the remote machine, both of which are in my white_list.
 
These rules:
Code:
block drop in quick on em0 inet from ! <us.blocks> to 192.168.1.11
block drop in quick on em0 inet from ! <us.blocks> to 127.0.0.1
block drop in quick on em0 inet6 from ! <us.blocks> to ::1
Block everything that's not in us.blocks before any of your pass rules.
 
I found it... the remote IP found its way into the brute force table while I was testing...
I feel like such a fool... It never occurred to me to check it...
This is indeed solved... Thank you all who replied...
The community is why I chose to use FreeBSD.
 
fullauto2012, for the special case of your own remote server(s), admin workstation, infrastructure, etc, it can be a good idea to exempt them from things like dynamic brute force protection. That's assuming that they are trusted static IPs. I.e. above your block rules add something like:

pass in on $ext_if proto tcp from <trusted> to any port ssh flags any

Adjust to suit the protocols / services you need, etc. flags any is a useful relaxation of the normal setup to prevent already open trusted connections from getting disconnected if the states are flushed (it's nice to be able to fully admin the firewall without your admin ssh session(s) getting clobbered). The default is flags S/SA to only allow TCP SYN to establish state, which is correct for untrusted hosts (i.e. everyone else, the wild 'net as a whole). With TCP traffic to a secure daemon like SSH, there's essentially zero additional risk from that special handling.
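Putting the two lessons of the thread together (check the overload table when a whitelisted host is suddenly blocked, and keep trusted static admin hosts out of the dynamic brute-force protection), here is an added pf.conf fragment. It is not the original poster's configuration and not from the reply above: the interface name, the <bruteforce> table path and the overload parameters are taken from the posted pf.conf, the <trusted> table name from the reply, and the addresses are placeholders. One detail differs from the reply's one-liner: the trusted pass rule carries quick, because the posted block rules are quick and in pf the first quick match ends evaluation, so a non-quick pass rule placed before a quick block rule would still lose to it.

```pf
# Added example, not the poster's pf.conf: trusted admin hosts bypass the
# brute-force table, everyone else is rate limited into it.
iface = "em0"

# Trusted, static administrative sources (placeholder address, replace it).
table <trusted> persist { 203.0.113.10 }
table <bruteforce> persist file "/root/firewall.d/bruteforce"

# 1. Trusted hosts first, and "quick", so the quick block rule below can
#    never shadow them.  "flags any" lets an already-established admin
#    session survive "pfctl -F states" instead of being cut off.
pass in quick on $iface proto tcp from <trusted> to { self } port 22 flags any keep state

# 2. Anything the overload rule has already put in the table is dropped.
block drop in quick on $iface from <bruteforce> to any

# 3. Everyone else may reach SSH, but a source that opens more than 5
#    connections, or more than 3 in 9 seconds, is added to <bruteforce>
#    and all of its existing states are flushed.
pass in log quick on $iface proto tcp from any to { self } port 22 \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/9, \
     overload <bruteforce> flush global)

# Checking and clearing the table, i.e. what would have shown the problem
# in this thread straight away (198.51.100.7 is a placeholder):
#   pfctl -t bruteforce -T show                 # list addresses currently blocked
#   pfctl -t bruteforce -T delete 198.51.100.7  # release one address
#   pfctl -t bruteforce -T flush                # empty the table
#   pfctl -vsr                                  # rules with per-rule match counters
```

The per-rule counters from pfctl -vsr are the quickest way to see which rule a dropped connection actually hit; if the counter on the <bruteforce> block rule climbs while the pass rule stays at zero, the table, not the whitelist, is what is blocking the host.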
 