pf and Multiple External Interfaces

mefizto

Well-Known Member

Reaction score: 11
Messages: 459

Greetings all,

now that I have both LAN and WLAN functioning on my laptop, I would like to use the pf rules I wrote for LAN also for WLAN. I cannot seem to find any reference on how to do it.

Do I just add the WLAN interface:

Code:
ExtIf1="LAN"
ExtIf2="WLAN"
and then copy each and every rule for the WLAN interface, e.g.:

Code:
pass out on $ExtIf1 proto tcp all modulate state flags S/SA
pass out on $ExtIf2 proto tcp all modulate state flags S/SA
Or is there a better way?

Kindest regards,

M
 

DutchDaemon

Administrator
Staff member
Moderator
Developer

Reaction score: 2,827
Messages: 11,313

That would probably work if your ruleset is actually that simple and minimal, though I see no reason not to reduce it to the even simpler
Code:
pass out proto tcp all modulate state flags S/SA
 
mefizto

DutchDaemon,

thank you for the reply. My rule-set is more complex, the listed rule was just an example.

So, if I understand you correctly, for a complex rule-set I need to replicate each rule.

Kindest regards,

M
 

plamaiziere

Active Member

Reaction score: 40
Messages: 184

mefizto said:
Greetings all,
Code:
pass out on $ExtIf1 proto tcp all modulate state flags S/SA
pass out on $ExtIf2 proto tcp all modulate state flags S/SA
If you really need to use several interfaces, use a list like "on {$ExtIf1 $ExtIf2}". See the BNF grammar in the man page of pf.conf: 'ifspec'.

You can also use an interface group in place of an interface (in filtering rules that's fine, but it does not work in a "skip" rule).
 
mefizto

plamaiziere,

thank you for your reply.

plamaiziere said:
If you really need to use several interfaces
Since I sometimes need to use WLAN outside of my home/office, I do not see any other option. Or are you suggesting to have two interfaces defined in the /etc/pf.conf and edit the file by uncommenting the one I will use, e.g.:

Code:
ExtIf="LAN"
# ExtIf="WLAN"
if I am to use LAN?

Could you please recommend a good reference on BNF (Backus-Naur Form?). Without it the pf.conf(5) is unreadable at my level of knowledge.

Kindest regards,

M
 

plamaiziere

mefizto said:
plamaiziere,

thank you for your reply.

plamaiziere said:
If you really need to use several interfaces
Since I sometimes need to use WLAN outside of my home/office, I do not see any other option. Or are you suggesting to have two interfaces defined in the /etc/pf.conf and edit the file by uncommenting the one I will use, e.g.:

Code:
ExtIf="LAN"
# ExtIf="WLAN"
if I am to use LAN?
It depends on your rules; if they are the same for both interfaces you can use something like "ExtIfs = {LAN, WLAN}". I don't think that will be a problem if an interface does not exist.

Could you please recommend a good reference on BNF (Backus-Naur Form?). Without it the pf.conf(5) is unreadable at my level of knowledge.
No, anyway that's not hard to understand. Just follow the grammar rules in your head.

Example:
Code:
     ifspec         = ( [ "!" ] interface-name ) | "{" interface-list "}"
     interface-list = [ "!" ] interface-name [ [ "," ] interface-list ]
In the grammar, the '[xx]' specifies an optional term xx, '|' an alternative.

The ifspec term means that an "ifspec" can be: an optional character "!" followed by the name of an interface, or, the character '{', followed by an interface-list, followed by a '}'.

Now just expand the rule "interface-list": an interface list is an optional "!" followed by the name of an interface, optionally followed by an optional comma and followed by an interface-list. The rule is recursive and terminates when just the ["!"] name of an interface is present.

That means you can write for an "ifspec" something like:
Code:
em0
!em0
{em0}
{em0 em1}
{em0,em1, !em3}
...
If you give these inputs to the grammar, starting with ifspec, you can check that's correct.

It's easier to understand than to explain in fact :)

Regards.
 
mefizto

plamaiziere,

thank you once again, especially for explaining the BNF, I was able to grasp it to the point of being able to modify my pf.conf to a point of almost working.

Regarding the interface, I followed your suggestion:

Code:
ExtInt="{wlan0,bge0}"
The rule:

Code:
pass out quick on $ExtInt proto tcp from $ExtInt to any port $TcpServices modulate state
returns error:

Code:
no IP address found for bge0
/etc/pf.conf:72: could not parse host specification
This problem appears to be insurmountable, because since the bge0 interface is not assigned any IP address, the rule cannot be evaluated.

Any ideas?

Kindest regards,

M
 

DutchDaemon

Put parentheses around the interface -> ($ExtInt)
 
mefizto

DutchDaemon,

thank you for the reply. Unless I am missing something, the BNF does not explain the purpose of the parentheses. Nevertheless, any combination of parentheses:

Code:
pass out quick on $ExtInt proto tcp from ($ExtInt) to any port $TcpServices modulate state
Code:
pass out quick on ($ExtInt) proto tcp from $ExtInt to any port $TcpServices modulate state
Code:
pass out quick on ($ExtInt) proto tcp from ($ExtInt) to any port $TcpServices modulate state
results in the same report:

Code:
/etc/pf.conf:72: syntax error
Kindest regards,

M
 

DutchDaemon

There may be a conflict between putting two interface names in one variable, and the use of parentheses, which serve to accept that an interface has no IP address and to poll the interface for IP changes. Try again with separate interfaces, or use the actual interface names.
 
mefizto

DutchDaemon,

thank you again for your suggestion:

Try again with separate interfaces, or use the actual interface names.
Regretfully, this did not solve the problem - same syntax error. I think that at this point I am resorting to manually editing the /etc/pf.conf file by uncommenting the interface I intend to use, and restarting pf with such edited file.

Yes, it is a kludge, but, given my paranoia, better than no firewall.

Kindest regards,

M
 

plamaiziere

mefizto said:
Regretfully, this did not solve the problem - same syntax error. I think that at this point I am resorting to manually editing the /etc/pf.conf file by uncommenting the interface I intend to use, and restarting pf with such edited file.
If I understand correctly, you want to check that the source IP of outgoing packets is the IP of your Ethernet card. For TCP this is useless: if the source IP address is wrong, TCP will not work.

You can't use an unknown interface in the from specification, because PF tries to retrieve all the IP addresses of the interface (which does not exist). In this case you have an error "could not parse host specification".

Anyway you can try with the keyword "self", meaning all the IP addresses of the machine, with the dynamic form (self):

Something like:
Code:
tt.txt:
pass out on {em5 em6} proto tcp from (self) to any

baby-jane:/home/patrick# pfctl -vnf tt.txt
pass out on em5 proto tcp from (self) to any flags S/SA keep state
pass out on em6 proto tcp from (self) to any flags S/SA keep state
It seems to work on my machine, and I don't have any 'em' interface.

Regards.
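As an added illustration of both the BNF walk-through and the `pfctl -vn` expansion above (this is example code written for this page, not code from the thread, from pf or from pfctl), the following Python implements the quoted 'ifspec' grammar as a small recursive-descent parser and then rewrites a rule carrying an interface list into one rule per interface. The tokenizer, the `NAME="value"` macro handling and the sample pf.conf fragment are simplified, constructed assumptions; the interface names wlan0 and bge0 and the port list are taken from or modelled on the thread.

```python
import re

# Added example, not pf's own code: a recursive-descent parser for the pf.conf(5) 'ifspec'
# grammar quoted above, plus a simplified macro expander that rewrites a rule with an
# interface list into one rule per interface, the way `pfctl -vn` prints it.

_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_.]*$")                            # interface-name
_ON_CLAUSE = re.compile(r"\bon\s+(\{[^}]*\}|!?[A-Za-z][A-Za-z0-9_.]*)")  # 'on <ifspec>'
_MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"(.*)"$')                          # NAME="value"
# '{', '}', ',', '!' and interface names; any other non-blank character is a bad token
_TOKEN = re.compile(r"\{|\}|,|!|[A-Za-z][A-Za-z0-9_.]*|\S")


class ParseError(ValueError):
    pass  # the input does not match the ifspec grammar


class _Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ParseError("expected %s, got %r" % (expected or "interface name", tok))
        self.i += 1
        return tok

    def entry(self):
        # [ "!" ] interface-name  ->  (negated, name)
        negated = self.peek() == "!"
        if negated:
            self.take("!")
        name = self.take()
        if not _NAME.match(name):
            raise ParseError("expected interface name, got %r" % name)
        return (negated, name)

    def interface_list(self):
        # interface-list = [ "!" ] interface-name [ [ "," ] interface-list ]
        entries = [self.entry()]
        if self.peek() == ",":                  # a comma must be followed by another entry
            self.take(",")
            entries.extend(self.interface_list())
        elif self.peek() not in (None, "}"):    # whitespace-separated continuation
            entries.extend(self.interface_list())
        return entries

    def ifspec(self):
        # ifspec = ( [ "!" ] interface-name ) | "{" interface-list "}"
        if self.peek() == "{":
            self.take("{")
            entries = self.interface_list()
            self.take("}")
        else:
            entries = [self.entry()]
        if self.peek() is not None:
            raise ParseError("trailing input: %r" % self.toks[self.i:])
        return entries


def parse_ifspec(text):
    """Return [(negated, interface-name), ...] or raise ParseError."""
    return _Parser(_TOKEN.findall(text)).ifspec()


def is_valid_ifspec(text):
    try:
        parse_ifspec(text)
        return True
    except ParseError:
        return False


def expand_rule(rule):
    """Rewrite 'on {a b}' into one copy of the rule per listed interface."""
    m = _ON_CLAUSE.search(rule)
    if not m:
        return [rule]
    return [rule[:m.start(1)] + ("!" if neg else "") + name + rule[m.end(1):]
            for neg, name in parse_ifspec(m.group(1))]


def expand_conf(text):
    """Apply NAME="value" macros, then expand interface lists, skipping comments."""
    macros, rules = {}, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = _MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros.get(mm.group(1), mm.group(0)), line)
        rules.extend(expand_rule(line))
    return rules


# Constructed pf.conf fragment modelled on the thread: the interface list lives in a
# macro and (self) replaces the per-interface source address that failed for bge0.
SAMPLE_CONF = """\
ExtInt="{wlan0 bge0}"
TcpServices="{22, 80, 443}"
pass out quick on $ExtInt proto tcp from (self) to any port $TcpServices modulate state
"""
```

`parse_ifspec("{em0,em1, !em3}")` yields the three (negated, name) pairs, while `{em0,}`, `{}` and an unbraced `em0 em1` are rejected, which is the check the grammar walk-through invites you to do in your head. `expand_conf(SAMPLE_CONF)` produces one `wlan0` and one `bge0` rule, matching the shape of the `pfctl -vn` output quoted above. The parenthesised dynamic form `on ($ExtInt)` is deliberately left untouched because the example does not model pf's address resolution; the authoritative check of a real ruleset remains `pfctl -nf /etc/pf.conf`.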
 
mefizto

plamaiziere,

thank you, it worked like a charm. The last issue - sorry - is logging the interface. I had in my rules:

Code:
set loginterface $ExtInt        #Log all traffic on ExtInt
However, if I read the BNF correctly, the command can set logging only on a single interface. Any additional ideas how to deal with this last issue?

Kindest regards,

M
 
mefizto

ctaranotte,

no, I have not considered this, since I did not know about it. ;) Thank you for bringing it to my attention; it looks like a solution.

Kindest regards,

M
 

ctaranotte

Active Member

Reaction score: 21
Messages: 110

I am using lagg right now on my laptop with an Intel Pro/1000 (aka em device) and a Wireless 5100 (aka iwn device) adapter.

I am using it in a failover mode (the master being the em device).

As far as I read, the loadbalance mode or the roundrobin mode would be more relevant to your problem.
 
mefizto

ctaranotte,

could you please elaborate on your last post? As I indicated in my earlier post, I use LAN in the office, where there is no WLAN; when I am in a public place or at a customer's place, there is often only WLAN and no LAN available.

In my understanding the handbook's:

Example 31-3. Failover mode between wired and wireless interfaces
seems to fit best these circumstances. Am I missing something?

Kindest regards,

M
 

ctaranotte

My mistake, I confused it with another post.

You are right, failover mode is the way to go.
 
mefizto

ctaranotte,

thank you for the clarification, I thought I might have overlooked something.

Kindest regards,

M
 