PF rules question

Greetings all,

this is my first attempt to write a rule-set for PF firewall:

Code:
# Macros
#Interfaces
ExtInt="bge0"

#Services
TcpServices="{ssh, www, https, domain, smtp}"
UdpServices="{domain}"
IcmpTypes="{echoreq, unreach}"  #Ping
MailPorts="{smtp, imaps}"

# Tables

# Global Options
set loginterface $ExtInt        #Log all traffic on ExtInt
set block-policy return         #Filter Rule catch-all
set skip on lo                  #Do not filter lo interface traffic

# Traffic Normalization
#Scrub all packets
scrub in on $ExtInt all fragment reassemble
scrub out on $ExtInt all fragment reassemble random-id no-df #Fool monitoring

# Queueing Rules

# Network Address Translation

# Filter rules
block all                        #Block all traffic

block in quick from urpf-failed to any   #Activate spoofing protection
antispoof quick for {lo,$ExtInt} #Activate antispoofing

#TCP policy
block return-rst in on $ExtInt proto TCP all
pass in quick on $ExtInt proto TCP from any to $ExtInt port $TcpServices keep state

#UDP policy
block in on $ExtInt proto UDP all       #Block all incoming UDP traffic

#ICMP policy
block in on $ExtInt proto ICMP all
pass in quick on $ExtInt inet proto ICMP from any to $ExtInt icmp-type $IcmpTypes keep state

# Other traffic
block out on $ExtInt all
pass out quick on $ExtInt from $ExtInt to any keep state

The "Other traffic" rules permit unrestricted traffic to leave the firewall. However, I would like to allow outbound traffic only from certain services, e.g., request web access, ssh, get e-mail, etc. I thought that modifying the last line as follows:

Code:
-pass out quick on $ExtInt from $ExtInt to any keep state
+pass out quick on $ExtInt from $ExtInt port $TcpServices to any keep state

would accomplish this, but I get an error:

Code:
port only applies to tcp/udp

I do not understand why. In my understanding the IP addresses assigned to the $ExtInt interface will be substituted into the rule, and according to the syntax:

Code:
action [direction] [log] [quick] [on interface] [af] [proto protocol] \
   [from src_addr [port src_port]] [to dst_addr [port dst_port]] \
   [flags tcp_flags] [state]

I am allowed to use src_port. Any help would be appreciated.

Kindest regards,

M
 
mefizto said:
The "Other traffic" rules permit unrestricted traffic to leave the firewall. However, I would like to allow outbound traffic only from certain services, e.g., request web access, ssh, get e-mail, etc. I thought that modifying the last line as follows:

Code:
-pass out quick on $ExtInt from $ExtInt to any keep state
+pass out quick on $ExtInt from $ExtInt port $TcpServices to any keep state

would accomplish this, but I get an error:

Code:
port only applies to tcp/udp

I do not understand why.

A rule without a proto applies to UDP, TCP and ICMP. Since ICMP doesn't have port numbers, it is a syntax error. You are also checking on the source port instead of the destination port. Change the rule to:
Code:
pass out quick on $ExtInt proto tcp from $ExtInt to any port $TcpServices keep state
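For reference, here is a complete outbound section that applies the point made in the reply to every protocol the original rule-set handles. This is an added example written for this thread, not code from the original post or the reply; it reuses the macros the poster defined and otherwise assumes nothing about the host beyond what the thread shows. The only extra syntax used is pf's parenthesised interface, `($ExtInt)`, which makes pf re-evaluate the interface's addresses when they change rather than freezing them at load time.

```pf
# Added example, not from the original post or the reply.
# Macros taken from the thread's rule-set.
ExtInt="bge0"
TcpServices="{ ssh, www, https, domain, smtp }"
UdpServices="{ domain }"
IcmpTypes="{ echoreq, unreach }"
MailPorts="{ smtp, imaps }"

set loginterface $ExtInt
set block-policy return
set skip on lo

scrub in on $ExtInt all fragment reassemble

# Default deny in both directions, then spoofing protection.
block all
block in quick from urpf-failed to any
antispoof quick for { lo, $ExtInt }

# Inbound: only the listed TCP services and ICMP types reach the firewall.
pass in quick on $ExtInt proto tcp from any to ($ExtInt) port $TcpServices keep state
pass in quick on $ExtInt inet proto icmp from any to ($ExtInt) icmp-type $IcmpTypes keep state

# Outbound: one rule per protocol, matching on the DESTINATION port.
# A "pass out" rule with no "proto" also matches ICMP, which has no
# ports, so adding "port ..." to such a rule is what triggers
# "port only applies to tcp/udp". The poster's original rule also put
# "port" on the source side, which would match the firewall's ephemeral
# source ports, not the service being contacted.
block out on $ExtInt all
pass out quick on $ExtInt proto tcp from ($ExtInt) to any port $TcpServices keep state
pass out quick on $ExtInt proto tcp from ($ExtInt) to any port $MailPorts keep state
pass out quick on $ExtInt proto udp from ($ExtInt) to any port $UdpServices keep state
pass out quick on $ExtInt inet proto icmp from ($ExtInt) to any icmp-type echoreq keep state
```

Before loading, check the syntax without touching the running rule-set with `pfctl -nf /etc/pf.conf`; a rule with the original mistake fails there with the same "port only applies to tcp/udp" message, so the parse-only run is a cheap way to catch it. `keep state` on the outbound rules is what lets the replies come back in through the default `block all`, and because `set block-policy return` is in effect, an outbound connection to a port not in the macros gets a RST (TCP) or ICMP unreachable instead of timing out, which makes a too-tight policy much easier to diagnose from the host itself.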
 