PF with two interfaces

[VampirD]

I'm trying to migrate a Linux/shorewall gateway to FreeBSD. In the rules file of shorewall I have the following rules:

ACCEPT   loc:local_ip   net                  protocol   port
DNAT     net:some_ip    loc:some_local_ip    tcp        ssh

In the pf.conf file will I have to write the rule for both interfaces?

pass out on $int_if proto tcp from $local_ip to port $tcp_pass
pass out on $ext_if proto tcp to port $tcp_pass

 

[johnblue]

It depends ..

If you have a block all statement, then you will need to construct pass statements for both in and out of the interfaces.

Here is a sample configuration that I use as my base if I am standing up a new firewall to sit in front of an network with an Exchange server:

#macros
ext_if="bge0"
int_if="bge1"

#tables
table <ssh-bruteforce>

#options
set block-policy return
set skip on lo0
scrub in all

#traffic normalization

#queueing

#translation
nat on $ext_if from 172.16.1.0/24 to any -> $ext_if
rdr pass on $ext_if proto tcp from any to $ext_if port 25 -> 172.16.1.11
rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> 172.16.1.12
rdr pass on $ext_if proto tcp from any to $ext_if port 443 -> 172.16.1.11

#packet filtering
block in
pass out

block in quick on $ext_if from <ssh-bruteforce>

pass in on $ext_if proto tcp from any to $ext_if port ssh \
flags S/SA keep state \
(max-src-conn-rate 2/120, overload <ssh-bruteforce> flush global)

pass in quick on $ext_if inet proto { udp, tcp } from any to $ext_if port domain
pass in quick on $int_if inet from 172.16.1.0/24 to any

The premise here is a default block for traffic in and if it can be trusted in, it can pass out on its own.

Be sure to include code for the ssh-bruteforce blocking. It is very effective and simple to implement. max-src-conn-rate 2/120 translates into a block if more than two connections are attempted within 120 seconds. To check to see what has been blocked:

# pfctl -t ssh-bruteforce -T show

And you should get something like this:

No ALTQ support in kernel
ALTQ related functions disabled
   31.3.245.178
   42.120.22.86
   58.251.14.198
   60.191.220.106
   60.220.225.214
   61.132.4.85
   61.142.106.34
   61.155.177.58
   61.156.40.44
   62.14.45.253
   64.15.152.208
   67.205.67.147
   78.60.146.192
   79.172.10.78
   80.73.11.173
   82.165.129.56

Other than the rdr statement for ports 25, 80 and 443, I pass DNS traffic in on $ext_if and RFC1918 traffic in on $int_if. Make note of joining the pass option to the rdr statement as it takes care of two items on one line.

Ummm, what else, oftentimes you will see howto guide that have a parentheses around one of the interfaces and this is not needed unless the IP address is DHCP assigned.

Hope that is of some help.

 

[VampirD]

So, to redirect the connections to the web server I need this two rules?

rdr pass on $ext_if proto tcp from any to $ext_if port 80 -> 192.168.0.14
rdr pass on $int_if proto tcp to $int_if port 80 -> 192.168.0.14

 

[SirDice]

The last rdr isn't needed. But you do have to have rules allowing the traffic coming in on $ext_if and going out on $int_if.

 

[johnblue]

It might be more expedient if you could please post your whole pf.conf file for review. Most people around here are generally willing to help out and there is no shame in asking for help if you are trying.

Asking to be spoon fed is something completely different ..

 

[VampirD]

My current pf.conf is:

ext_if = "alc0"
int_if = "re0"
tcp_out = "{ 20 21 22 25 53 80 443 587 }"

set block_policy drop
set skip on lo0

icmp_tipes = "echoreq"

scrub in on $ext_if all fragment reassemble

block in from no-route to any

block all

block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

pass in on $int_if proto tcp to port 3128

pass out on $ext_if proto tcp to port $tcp_out

I think it should work fine with Squid (still not configured) now I have to write the rules for the mail, web, and a few PC that don't use the proxy.

 

[kpa]

Drop the rules with the various flags, they do absolutely nothing since you have scrub on.

 

[johnblue]

So one of the things that you can do when are editing your conf file is to check to see if your syntax is correct.

Using what you provided, I put it into a file with a suffix of .test on my 9.1 box and this is what I got:

# pfctl -v -n -f /etc/pf.conf.test

ext_if = "alc0"
int_if = "re0"
tcp_out = "{ 20 21 22 25 53 80 443 587 }"
/etc/pf.conf.test:5: syntax error
set skip on { lo0 }
icmp_tipes = "echoreq"

Your syntax error is on line five and it is complaining about the underscore, it needs to be a hyphen.

 

[CoTones]

And add log to blocking rules. At least when learning.

Btw,

man pf.conf

is very, very, very, very good think. Really.