Hi everyone,
I've had no problems with my PF rules for a while, until recently I installed FreeRADIUS. The problem I'm having now is that I don't seem to grasp the logic of PF rules. What I need is to let in packets on port 1812 (RADIUS) and block all the rest.
Here is the ruleset I've created for the purpose, but somehow the needed packets get BLOCKED here. Since the interface in question is my outer-world interface, I want to keep stuff blocked there -- except for RADIUS. Or any other port I might need to keep open.
I just purposefully simplified it to block all that is not explicitly allowed.
Code:
out_if = "re0"
lan_if = "re1"
all_if = "{ re0 re1 }"
set block-policy return
set skip on lo0
#set skip on tap0
#set skip on bridge0
nat on $out_if from 192.168.26.0/27 to any -> ($out_if)
anchor openvpn
block all
pass quick on $lan_if from any to any keep state
pass in log quick on $out_if proto udp from 192.168.24.1 to 192.168.24.5 port 1812
pass out quick all
And the word "quick" would imply that incoming packets on port 1812 ARE allowed. Yet here's what I have in the tcpdump output:
Code:
00:00:11.460004 rule 1/0(match): block in on re0: 192.168.24.1.32772 > 192.168.24.5.1812: RADIUS, Access-Request (1), id: 0x00 length: 1472
00:00:00.000010 rule 1/0(match): block in on re0: 192.168.24.1 > 192.168.24.5: ip-proto-17
00:00:02.924586 rule 1/0(match): block in on re0: 52.41.222.26.443 > 192.168.24.5.60882: Flags [P.], seq 359337947:359337982, ack 1573383051, win 114, options [nop,nop,TS val 2468663184 ecr 2933380], length 35
00:00:27.655471 rule 1/0(match): block in on re0: 192.168.24.1.32772 > 192.168.24.5.1812: RADIUS, Access-Request (1), id: 0x00 length: 1472
00:00:00.000011 rule 1/0(match): block in on re0: 192.168.24.1 > 192.168.24.5: ip-proto-17
00:00:31.037882 rule 1/0(match): block in on re0: 192.168.24.1.32772 > 192.168.24.5.1812: RADIUS, Access-Request (1), id: 0x00 length: 1472
00:00:00.000011 rule 1/0(match): block in on re0: 192.168.24.1 > 192.168.24.5: ip-proto-17
The funny thing is I tried putting the "block all" rule first or last -- no matter the position, the incoming packets are never identified by the "pass in quick port 1812" rule, but invariably get blocked by "block all"...
That's really driving me mad, because on OpenBSD it's all logical and all WORKS the way it is written in the documentation.
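Added example (editor's code, not the poster's). One reading of the tcpdump output above: each RADIUS Access-Request line is followed about ten microseconds later by a port-less `ip-proto-17` line from the same pair of hosts, which is how tcpdump prints the second piece of a UDP datagram that was split into IP fragments. pf on FreeBSD, when no `scrub` rule reassembles fragments, evaluates a fragmented packet (the first piece included) through its fragment path, which skips every rule that names a port; a `pass in ... port 1812` rule therefore cannot match, and a bare `block all` wins no matter where it sits, which is also why `quick` makes no difference. OpenBSD reassembles fragments by default, so the same ruleset behaves there. The script below parses pflog lines of this shape and flags such datagram/fragment pairs; the log lines are the ones from the post, and the regex assumes the `tcpdump -n -e -ttt -i pflog0` output format shown (the `-ttt` delta is the time since the previous line).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the pflog lines from the post above.
SAMPLE_LOG = """\
00:00:11.460004 rule 1/0(match): block in on re0: 192.168.24.1.32772 > 192.168.24.5.1812: RADIUS, Access-Request (1), id: 0x00 length: 1472
00:00:00.000010 rule 1/0(match): block in on re0: 192.168.24.1 > 192.168.24.5: ip-proto-17
00:00:02.924586 rule 1/0(match): block in on re0: 52.41.222.26.443 > 192.168.24.5.60882: Flags [P.], seq 359337947:359337982, ack 1573383051, win 114, options [nop,nop,TS val 2468663184 ecr 2933380], length 35
00:00:27.655471 rule 1/0(match): block in on re0: 192.168.24.1.32772 > 192.168.24.5.1812: RADIUS, Access-Request (1), id: 0x00 length: 1472
00:00:00.000011 rule 1/0(match): block in on re0: 192.168.24.1 > 192.168.24.5: ip-proto-17
"""

# Shape assumed: "<delta> rule N/M(reason): <action> <dir> on <if>: <src> > <dst>: <rest>"
LINE_RE = re.compile(
    r"^(?P<delta>\d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/(?P<sub>\d+)\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<rest>.*)$"
)


@dataclass
class PflogEntry:
    delta_us: int            # microseconds since the previous logged packet (-ttt)
    rule: int                # main-ruleset rule number that matched
    action: str              # "pass" or "block"
    direction: str           # "in" or "out"
    ifname: str
    src: str
    sport: Optional[int]     # None when tcpdump printed no port
    dst: str
    dport: Optional[int]
    detail: str              # everything after the addresses


def _split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """'a.b.c.d.port' -> ('a.b.c.d', port); 'a.b.c.d' -> ('a.b.c.d', None).
    tcpdump omits the port when the packet carries no transport header,
    which is what a non-first IP fragment looks like."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def _delta_to_us(delta: str) -> int:
    hh, mm, rest = delta.split(":")
    ss, frac = rest.split(".")
    secs = (int(hh) * 60 + int(mm)) * 60 + int(ss)
    return secs * 1_000_000 + int(frac.ljust(6, "0")[:6])


def parse_pflog(text: str) -> List[PflogEntry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                      # skip lines in a shape we don't model
            continue
        src, sport = _split_endpoint(m["src"])
        dst, dport = _split_endpoint(m["dst"])
        entries.append(PflogEntry(_delta_to_us(m["delta"]), int(m["rule"]), m["action"],
                                  m["dir"], m["ifname"], src, sport, dst, dport, m["rest"]))
    return entries


def is_trailing_fragment(e: PflogEntry) -> bool:
    """tcpdump prints 'ip-proto-N' and no ports when only the IP header is parseable."""
    return e.sport is None and e.dport is None and e.detail.startswith("ip-proto-")


def fragmented_datagrams(entries: List[PflogEntry], max_gap_us: int = 1000):
    """Pair a port-bearing entry with an immediately following trailing fragment from
    the same hosts; a gap of a few microseconds means one datagram that was split."""
    pairs = []
    for first, nxt in zip(entries, entries[1:]):
        if (is_trailing_fragment(nxt) and not is_trailing_fragment(first)
                and first.src == nxt.src and first.dst == nxt.dst
                and nxt.delta_us <= max_gap_us):
            pairs.append((first, nxt))
    return pairs


def rule_histogram(entries: List[PflogEntry]) -> Dict[Tuple[int, str, str], int]:
    """Count logged packets per (rule number, action, direction)."""
    hist: Dict[Tuple[int, str, str], int] = {}
    for e in entries:
        key = (e.rule, e.action, e.direction)
        hist[key] = hist.get(key, 0) + 1
    return hist


def analyse(text: str) -> dict:
    entries = parse_pflog(text)
    pairs = fragmented_datagrams(entries)
    return {
        "logged": len(entries),
        "by_rule": rule_histogram(entries),
        "fragmented_count": len(pairs),
        "fragmented_blocked_ports": sorted({p[0].dport for p in pairs if p[0].action == "block"}),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
    for first, nxt in fragmented_datagrams(parse_pflog(SAMPLE_LOG)):
        print(f"fragmented UDP datagram to port {first.dport}: both pieces hit rule {first.rule}")
```

On the sample, every logged packet hit rule 1 (the `block all` line, counting from 0 with `anchor openvpn` as rule 0) and both RADIUS datagrams show up as fragment pairs. If a real capture looks like this, the pf-side remedy is a scrub rule placed before the filter rules, e.g. `scrub in on $out_if all fragment reassemble`, so the datagram is reassembled before the port-bearing pass rule is evaluated; the 1472-byte RADIUS payload also suggests checking the MTU on the path from 192.168.24.1.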