Solved PF rule for ip address range

[balaji18]

Hi,

How should the rule be to pass all outgoing traffic in the ip range 192.168.1.1 to 192.168.1.254.

Currently i have one ip in the ruleset and it is working fine. /etc/pf.conf is below

pass in all
block out all
pass out proto tcp to 192.168.1.9 keep state

--Thanks

 

[SirDice]

How should the rule be to pass all outgoing traffic in the ip range 192.168.1.1 to 192.168.1.254.

Important distinction to make here, is that the destination or the source address range? And do you need this for incoming or outgoing traffic?
Source, outgoing:

pass out from 192.168.1.0/24 to any

Destination, outgoing:

pass out from any to 192.168.1.0/24

 

[mer]

Without knowing future needs, I think this is a good chance to use a table. Something like:

table <clients> persist { 192.168.1.0/24, !192.168.1.9}
pass inet proto tcp from <clients> to any

Tables can also be loaded from a file meaning you could update things dynamically.
To riff off SirDice you can have separate tables for client and dest addresses.

 

[SirDice]

Unless you want to dynamically change the contents of the table you could simply use a variable:

myrange="192.168.1.0/24"
pass  out from $myrange to any

 

[balaji18]

Thanks SirDice and mer for the quick response.
Is it possible to restrict by user? Like allow only one user for outgoing traffic to a specific ip(192.168.1.9)?

--Thanks.

 

[SirDice]

Is it possible to restrict by user?

A network packet doesn't have that information, so how is PF going to determine which user sent it? Now you can filter on user but this requires the process (and the user) to be on the same machine as PF. I don't think anybody uses that functionality though. If you want to limit what users can access you should look into setting up proxy (with authentication). That works really good for web traffic, it's a little tricky for other protocols.

 

[mer]

If by "User" you mean "IP Address", but you need to be mindful of rule ordering (last match wins) and use of the "quick" (don't process any rules after this one) keyword.

roughly something like:
pass out quick from 192.168.1.1 to 192.168.1.9

If by User you mean User not IP address, then SirDice is correct.

 

[balaji18]

Thanks again to SirDice and mer for the quick response.

By user i meant, a user on the machine.

Now you can filter on user but this requires the process (and the user) to be on the same machine as PF. I don't think anybody uses that functionality though.

Yes, the user, the process and the PF are all on the same machine. I have that requirement. How should the PF rule be now? I tried
pass out root from any to 192.168.1.9

and it failed. "root" is the user.

--Thanks.

 

[SirDice]

pf.conf(5):

     user ⟨user⟩
           This rule only applies to packets of sockets owned by the specified
           user.  For outgoing connections initiated from the firewall, this
           is the user that opened the connection.  For incoming connections
           to the firewall itself, this is the user that listens on the
           destination port.  For forwarded connections, where the firewall is
           not a connection endpoint, the user and group are unknown.

           All packets, both outgoing and incoming, of one connection are
           associated with the same user and group.  Only TCP and UDP packets
           can be associated with users; for other protocols these parameters
           are ignored.

           User and group refer to the effective (as opposed to the real) IDs,
           in case the socket is created by a setuid/setgid process.  User and
           group IDs are stored when a socket is created; when a process
           creates a listening socket as root (for instance, by binding to a
           privileged port) and subsequently changes to another user ID (to
           drop privileges), the credentials will remain root.

           User and group IDs can be specified as either numbers or names.
           The syntax is similar to the one for ports.  The value unknown
           matches packets of forwarded connections.  unknown can only be used
           with the operators = and !=.  Other constructs like user ≥ unknown
           are invalid.  Forwarded packets with unknown user and group ID
           match only rules that explicitly compare against unknown with the
           operators = or !=.  For instance user ≥ 0 does not match forwarded
           packets.  The following example allows only selected users to open
           outgoing connections:

                 block out proto { tcp, udp } all
                 pass  out proto { tcp, udp } all user { < 1000, dhartmei }

 

[mer]

pf filters on information in the IP packet; source ip, source port, dest ip, dest port, protocol (TCP/UDP/ICMP), IP family (IPV4/IPV6).

 

[balaji18]

Thanks again to SirDice and mer for the quick response.

Filter by user is possible. Here is the rule
pass out from any to 192.168.1.9 user root

--Thanks.

 

[SirDice]

Filter by user is possible.

With the caveat that this only works for processes and users on the same system as the PF firewall.