PF Enabling PF Firewall Blocks Access to Web Server

I have a PF ruleset on my web server host that works for everything, except that when I enable it, it blocks access to my web server; I can't get to any content in a web browser. My web server host is behind our institution's web cache / proxy and I think that may have something to do with it. The web proxy passes http to my server over port 80, does SSL termination there, and passes https to my server on port 81. My ruleset has those wide open, so I don't know why it's blocking www service:

Code:
#### LISTS/MACROS:
ext_if = "em0"

#### TABLES:
...

#### OPTIONS:
set skip on lo0 

#### NORMALIZATION:
scrub in all 

#### FILTERING:

# default deny everything in and log
block in log on $ext_if all 
block out log on $ext_if all 

# antispoof: drop packets arriving on $ext_if whose source address belongs to one of its own networks
antispoof log quick for $ext_if inet

# ssh
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state

# smtp
pass in on $ext_if proto tcp from <mail> to $ext_if port 25 keep state

# http
pass in on $ext_if proto tcp from any to $ext_if port 80 keep state
pass in on $ext_if proto tcp from any to $ext_if port 81 keep state

# Bacula File
pass in on $ext_if proto tcp from <baculaservers> to $ext_if port 9102 keep state

# Rsync for drush
pass in on $ext_if proto tcp from $test_server to $ext_if port 873 keep state

# let stuff out
pass out on $ext_if proto { tcp, udp } from any to any keep state

- Gavin
 
The web proxy passes http to my server over port 80 and does SSL termination there and passes https to my server on port 81.
This makes very little sense. It's common to have a reverse proxy that does the SSL termination but why would it then pass the HTTPS traffic to port 81? The HTTPS is terminated at the reverse proxy, it's not getting passed. The request is passed to your webserver on the regular port 80 without SSL.
 
This makes very little sense. It's common to have a reverse proxy that does the SSL termination but why would it then pass the HTTPS traffic to port 81? The HTTPS is terminated at the reverse proxy, it's not getting passed. The request is passed to your webserver on the regular port 80 without SSL.
I don't know, that's how our network guys did it. Should it go to my server over 443 then?
 
The HTTPS is either terminated at the reverse proxy or it's passed along to the backend webserver. Not both.
 
Do you have any idea why web traffic isn't getting through when I have ports 80 and 81 allowing from any?
 
Try changing this:
Code:
pass in on $ext_if proto tcp from any to $ext_if port 80 keep state
To:
Code:
pass in on $ext_if proto tcp from any to ($ext_if) port 80 keep state

And check with a tool like tcpdump(1) if you're actually receiving anything. Keep in mind that the requests will come from the proxy.
 
Try changing this:
Code:
pass in on $ext_if proto tcp from any to $ext_if port 80 keep state
To:
Code:
pass in on $ext_if proto tcp from any to ($ext_if) port 80 keep state

And check with a tool like tcpdump(1) if you're actually receiving anything. Keep in mind that the requests will come from the proxy.
Thanks SirDice. The parentheses did nothing as I'm not using DHCP for this host.

I did however reacquaint myself with tcpdump and first used it to verify traffic from the load balancers coming into ports 80 and 81. I then went to check pflog and realized I hadn't started that service, LOL. After starting pflog and enabling pf, I began reloading a page from my server in my browser until I couldn't get it anymore. Then disabled pf and used tcpdump to take a look at pflog. Saw several "ICMP echo request" from the load balancers. So I read the section on Managing ICMP on the firewalls page in the handbook and (just to test) put in my ruleset:

pass inet proto icmp from any to any

Problem solved. Obviously I'm going to lock that rule down to the local network and limit to echo requests as suggested.

Hope my blundering around helps someone else out.

- Gavin
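As an added example (not code from the thread), the locked-down form of the ICMP rule Gavin says he will write: the pass is limited to echo requests and to a table of load balancer addresses, so the health checks get through while the rest of ICMP stays under the default block. The table name and its addresses are assumptions; replace them with the real load balancer / proxy addresses.

```pf
#### LISTS/MACROS:
ext_if = "em0"
# The only ICMP type the load balancer health checks need
icmp_types = "echoreq"

#### TABLES:
# Placeholder addresses: substitute the institution's load balancer / proxy hosts
table <loadbalancers> { 192.0.2.10, 192.0.2.11 }

#### FILTERING:
block in log on $ext_if all
block out log on $ext_if all

# Quick test rule from the thread: all ICMP types, from anywhere, both directions (too broad)
# pass inet proto icmp from any to any

# Hardened replacement: echo requests only, only from the load balancers, stateful so the
# echo replies are matched by the state and need no separate pass out rule
pass in on $ext_if inet proto icmp from <loadbalancers> to $ext_if icmp-type $icmp_types keep state

# The "let stuff out" rule above only covers tcp/udp; this lets the host itself ping out
pass out on $ext_if inet proto icmp from $ext_if to any icmp-type $icmp_types keep state
```

After reloading the ruleset, `tcpdump -n -e -ttt -i pflog0 icmp` should no longer show blocked echo requests from the table's addresses.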
 