PF not loading ruleset

Hi everyone,

I feel somewhat embarrassed posting this, but I'm at a complete loss ...

I've got two FreeBSD web servers (10.1).

One is running on RackSpace and the other on DigitalOcean. The RS server has been up and running for some time now and PF is working perfectly for me. This week I copied my pf.conf over to my DO box and the rules don't appear to be loading at all - I did amend the ext_if name.

Code:
ext_if="vtnet0"
webports = "{http}"
int_tcp_services = "{www}"
#int_udp_services = "{nothing}
set skip on lo
set loginterface $ext_if

scrub in all random-id fragment reassemble

block return in log all
block out all
antispoof quick for $ext_if

table <bruteforce> persist
block quick from <bruteforce>
pass in quick proto tcp to $ext_if port 22 keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)

# Webserver
pass proto tcp from any to $ext_if port $webports

# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
My rc.conf:
Code:
pf_rules="/etc/pf.conf"
pf_enable="YES"
The only difference between the two machines is the platform they sit on; a quick portscan of my DO box suggests that everything is open, including 3306 :s
Code:
    Open TCP Port:     21             ftp
    Open TCP Port:     22             ssh
    Open TCP Port:     80             http
    Open TCP Port:     554            rtsp
    Open TCP Port:     3306           mysql
    Open TCP Port:     7070           arcp
Any thoughts?
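One thing worth checking whenever a ruleset is copied between hosts: the pf.conf above comments out the int_udp_services definition but still uses $int_udp_services in its last rule, and pfctl -nf refuses a file that references an undefined macro. The script below is an added example, not code from this thread, that performs that single check offline; it follows pf.conf(5) in not expanding macros inside double quotes or after a # comment, and PF_CONF is a constructed, trimmed copy of the config above.

```python
import re

# Constructed sample: the first post's pf.conf, trimmed to the lines that matter.
# The only line defining int_udp_services is commented out, yet the last rule uses it.
PF_CONF = """\
ext_if="vtnet0"
webports = "{http}"
int_tcp_services = "{www}"
#int_udp_services = "{nothing}
set skip on lo
block return in log all
block out all
pass proto tcp from any to $ext_if port $webports
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
"""

DEF_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=")  # name = "value" at line start
REF_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")        # $name reference

def code_only(line):
    """Return the line without its # comment and with "..." contents emptied:
    pfctl does not expand $macros inside double quotes and stops reading at #."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            out.append(ch)
        elif quoted:
            continue
        elif ch == "#":
            break
        else:
            out.append(ch)
    return "".join(out)

def undefined_macros(conf):
    """[(line_no, macro)] for each $macro used without an earlier definition."""
    defined, problems = set(), []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = code_only(raw)
        for name in REF_RE.findall(line):   # refs are checked first, so a
            if name not in defined:         # definition may use earlier macros
                problems.append((no, name))
        m = DEF_RE.match(line)
        if m:
            defined.add(m.group(1))
    return problems
```

Run undefined_macros(open("/etc/pf.conf").read()) on the copied file; for the sample it returns [(10, "int_udp_services")], the same macro pfctl -nf would complain about.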
 
Then look at the output of pfctl -sr -gv, there should be non-zero numbers in the Packets, Bytes and States fields at least on some of the rules if they are being used.
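As an added example (not code from this thread), here is a small parser for the pfctl -sr -gv output format that reply refers to: it pairs each @n rule line with its Evaluations/Packets/Bytes/States counters and lists the rules that have matched no packets. SAMPLE is constructed from a few of the rule entries posted in this thread, with the poster's "(My public IP)" placeholder left as-is.

```python
import re

# Constructed sample: four rule entries taken from the pfctl -sr -gv output in this
# thread, with the poster's "(My public IP)" placeholder left as-is.
SAMPLE = """\
@0 scrub in all random-id fragment reassemble
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 67418     Packets: 65322     Bytes: 2107471     States: 0     ]
@5 block drop quick from <bruteforce:0> to any
  [ Skip steps: sp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31186     Packets: 0         Bytes: 0           States: 0     ]
@7 pass in quick inet proto tcp from any to (My public IP) port = ssh flags S/SA keep state
  [ Skip steps: p=end sa=end sp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31138     Packets: 85        Bytes: 15163       States: 1     ]
@10 pass out quick on vtnet0 proto tcp from any to any port = http flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 20        Packets: 0         Bytes: 0           States: 0     ]
"""

RULE_RE = re.compile(r"^@(\d+)\s+(.*)$")          # "@7 pass in quick ..."
COUNTER_RE = re.compile(r"Evaluations:\s*(\d+)\s+Packets:\s*(\d+)"
                        r"\s+Bytes:\s*(\d+)\s+States:\s*(\d+)")
FIELDS = ("evaluations", "packets", "bytes", "states")

def parse_rules(text):
    """One dict per rule, in ruleset order; [ Skip steps ] and [ queue ] lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"num": int(m.group(1)), "rule": m.group(2).strip(),
                          **dict.fromkeys(FIELDS, 0)})
            continue
        m = COUNTER_RE.search(line)
        if m and rules:  # counters always follow the rule line they belong to
            rules[-1].update(zip(FIELDS, map(int, m.groups())))
    return rules

def never_matched(text):
    """Rules pf has evaluated but that matched no packet since the counters were cleared."""
    return [r["rule"] for r in parse_rules(text) if r["packets"] == 0]

if __name__ == "__main__":
    for r in parse_rules(SAMPLE):
        print(f"@{r['num']:<3} packets={r['packets']:<6} states={r['states']:<2} {r['rule']}")
    print("never matched:", never_matched(SAMPLE))
```

On a live box, feed it the real output with parse_rules(subprocess.check_output(["pfctl", "-sr", "-gv"], text=True)); a pass rule that stays at zero packets while traffic you expect it to cover is flowing is the one to look at.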
 
Some, but not all

Code:
@0 scrub in all random-id fragment reassemble
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 67418     Packets: 65322     Bytes: 2107471     States: 0     ]
@0 block return in log all
  [ Skip steps: i=2 f=2 p=6 sa=2 sp=end da=6 dp=6 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31186     Packets: 31115     Bytes: 1991194     States: 0     ]
@1 block drop out all
  [ Skip steps: p=6 sp=end da=6 dp=6 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31186     Packets: 48        Bytes: 2808        States: 0     ]
@2 block drop in quick on ! vtnet0 inet from (My public IP)/18 to any
  [ Skip steps: d=5 f=4 p=6 sp=end da=6 dp=6 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31186     Packets: 0         Bytes: 0           States: 0     ]
@3 block drop in quick inet from (My public IP) to any
  [ Skip steps: d=5 p=6 sp=end da=6 dp=6 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31186     Packets: 0         Bytes: 0           States: 0     ]
@4 block drop in quick on vtnet0 inet6 from fe80::601:44ff:fe2f:1601 to any
  [ Skip steps: p=6 sp=end da=6 dp=6 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31138     Packets: 0         Bytes: 0           States: 0     ]
@5 block drop quick from <bruteforce:0> to any
  [ Skip steps: sp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31186     Packets: 0         Bytes: 0           States: 0     ]
@6 pass in quick on vtnet0 inet6 proto tcp from any to fe80::601:44ff:fe2f:1601 port = ssh flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
  [ Skip steps: d=8 p=end sa=end sp=end dp=8 ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31186     Packets: 0         Bytes: 0           States: 0     ]
@7 pass in quick inet proto tcp from any to (My public IP) port = ssh flags S/SA keep state (source-track rule, max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global, src.track 3)
  [ Skip steps: p=end sa=end sp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31138     Packets: 85        Bytes: 15163       States: 1     ]
@8 pass on vtnet0 inet6 proto tcp from any to fe80::601:44ff:fe2f:1601 port = http flags S/SA keep state
  [ Skip steps: d=10 p=end sa=end sp=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31175     Packets: 0         Bytes: 0           States: 0     ]
@9 pass inet proto tcp from any to (My public IP) port = http flags S/SA keep state
  [ Skip steps: p=end sa=end sp=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 31175     Packets: 2490      Bytes: 3095786     States: 0     ]
@10 pass out quick on vtnet0 proto tcp from any to any port = http flags S/SA keep state
  [ Skip steps: i=end d=end f=end p=end sa=end sp=end da=end dp=end ]
  [ queue: qname= qid=0 pqname= pqid=0 ]
  [ Evaluations: 20        Packets: 0         Bytes: 0           States: 0     ]
 
> The only difference between the two machines is the platform they sit on; a quick portscan of my DO box suggests that everything is open, including 3306 :s
> Code:
>     Open TCP Port:     21             ftp
>     Open TCP Port:     22             ssh
>     Open TCP Port:     80             http
>     Open TCP Port:     554            rtsp
>     Open TCP Port:     3306           mysql
>     Open TCP Port:     7070           arcp
> Any thoughts?

Do you actually run these services on the host machine?
 
I don't want to hijack this thread, but a similar problem is occurring on my workstation.
I had a pf.conf working on an old server running 9.3-RELEASE. I copied this file to the workstation running 10.1-STABLE r281384M and made the necessary adjustments regarding interfaces and IPs. The problem is that there are rules that don't seem to be loaded. The sequence of steps I took was:

Code:
# pfctl -d
No ALTQ support in kernel
ALTQ related functions disabled
pf disabled

Code:
# pfctl -e
No ALTQ support in kernel
ALTQ related functions disabled
pf enabled

Code:
# pfctl -f pf.minimal
No ALTQ support in kernel
ALTQ related functions disabled

Code:
# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
block drop in on igb1 all
pass inet from any to 127.0.0.41 flags S/SA keep state
pass in on igb1 inet proto udp from any port = 18666 to 127.0.0.41 port = 18666 keep state
pass inet from 127.0.0.41 to any flags S/SA keep state
pass out all flags S/SA keep state


Code:
# cat pf.minimal
table <local> { 192.168.1.0/24 }

#INTERFACES
ext_if = "igb1"
int_if = "igb0"

mldonkey = "127.0.0.41"

# Ports for mldonkey
mldonkey_web_port = "4080"
mldonkey_tcp_port= "18662"
mldonkey_udp_port= "18666"

set block-policy drop
set skip on lo

# NAT
#nat on $ext_if from $jailnet to any -> $ext_if
nat pass on $ext_if from $mldonkey to any -> ($ext_if)

# rdr for $mldonkey
rdr pass on $ext_if inet proto tcp from any to port = $mldonkey_web_port -> $mldonkey port $mldonkey_web_port
rdr pass on $ext_if inet proto tcp from any to port = $mldonkey_tcp_port -> $mldonkey port $mldonkey_tcp_port
rdr pass on $ext_if inet proto udp from any to port = $mldonkey_udp_port -> $mldonkey port $mldonkey_udp_port

rdr pass on $int_if inet proto tcp from <local> to $mldonkey port = $mldonkey_web_port -> $mldonkey port $mldonkey_web_port

block in on $ext_if
pass from lo1 to any keep state
pass from any to lo1 keep state

pass out all keep state

pass in on $ext_if inet proto tcp from any port $mldonkey_web_port to $mldonkey port $mldonkey_web_port keep state
pass in on $ext_if inet proto udp from any port $mldonkey_udp_port to $mldonkey port $mldonkey_udp_port keep state
pass in on $ext_if inet proto tcp from any port $mldonkey_tcp_port to $mldonkey port $mldonkey_tcp_port keep state

As can be seen from the last three pass in rules, only the second one seems to have been parsed. There seem to be no syntax errors when parsing the file:
Code:
# pfctl -nf pf.minimal
#

So, what's happening? Am I doing something wrong or is this some kind of bug?
 