Problem with PF Config

Hi,

I started to use PF and mostly it works but I have some problems. This is my current pf.conf :

Code:
tcp_in_pass = "{ 21 22 25 53 80 465 995 10011 30033 }"
tcp_out_pass = "{ 21 22 53 }"

udp_in_pass = "{ 53 995 9987 }"
udp_out_pass = "{ 53 }"

ext_if = "bge0"

icmp_types = "{ echoreq, unreach }"

scrub in on $ext_if all fragment reassemble

block in all

pass out keep state

block in quick from urpf-failed

set skip on lo0
antispoof log for $ext_if

pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

pass out on $ext_if proto tcp to any port $tcp_out_pass keep state
pass in on $ext_if proto tcp to any port $tcp_in_pass keep state

pass out on $ext_if proto tcp to any port $udp_out_pass keep state
pass in on $ext_if proto tcp to any port $udp_in_pass keep state

My first problem is the Team Speak 3 Server, I cannot make it available to outside connections. The ports needed by it are UDP 9987 and TCP 10011 + 30033. I tried this with IPFW and it worked just fine:

Code:
$IPF 500 allow udp from any to any 9987 in
$IPF 510 allow tcp from any to any 30033 in
$IPF 520 allow tcp from any to any 10011 in

So, how to make it work with PF?

The other problem is banning IPs. When I use for example pfctl -t fail2ban -T add IP it says
Code:
1/1 added
but when I use pfctl -a all the IP is listed nowhere and also the remote server with that IP is still able to connect to this server. What am I missing there?
 
Is your machine directly accessible from the outside? Is your team speak server installed on this machine?

To ask it simply, what is your network topology?

When I use for example pfctl -t fail2ban -T add IP it says 1/1 added but when I use pfctl -a all the IP is listed nowhere

To see the content of your tables, the command is
Code:
pfctl -t fail2ban -T show

and also the remote server with that IP is still able to connect to this server.

I don't see anywhere your fail2ban table in your pf.conf. You have to declare it in your pf configuration file and use it in your rules.
 
The Team Speak Server is installed on the machine and is directly accessible. It works fine when I shut down PF or when I try it with IPFW and the rules I had in my original post.

I wasn't aware that I have to declare the table for Fail2ban in my rules, do I have to do it as an anchor? Thank you.
 
Code:
pass in on $ext_if proto udp from any to ($ext_if) port 9987
pass in on $ext_if proto tcp from any to ($ext_if) port 10011
pass in on $ext_if proto tcp from any to ($ext_if) port 30033

For the fail2ban table you need something like:

Code:
table <fail2ban> persist

And:

Code:
block in quick on $ext_if from <fail2ban> to any
 
Thanks a lot, both are working now. Fail2ban does ban and the Team Speak Server can be reached.

Could you please explain to me why the ports as I defined them in the macro don't work but adding them separately does ? I personally cannot see the reason behind this right now. Thank you.
 
I don't see any reason either why it wouldn't work with macros. Try with just those two tcp port numbers in a macro and check what pf thinks of the rules with # pfctl -sr after a reload.
 
You can always load the ruleset and run pfctl -sr and carefully check all of the rules to see whether they expand to what you expected.

You can also skip the macros at the top and simply write
Code:
pass in on $ext_if proto tcp to any port { 21 22 25 53 80 465 995 10011 30033 } keep state
 
Thanks again for the tips, I actually noticed last night why my config did not work as intended. The 2 lines where I used my in and out macro for the UDP ports have been using proto tcp instead of proto udp, makes sense that it did not open the UDP port then.
 
Ah yes, I see it now... "proto tcp -> udp_ports..." Devil in the details.
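The mistake found above (a $udp_*_pass macro used on a "proto tcp" rule) is easy to catch before loading the ruleset. The script below is an added example, not from the thread or from pf: it scans a constructed copy of the original rules and flags any pass/block line whose proto keyword disagrees with the tcp_/udp_ prefix of the port macro. The macro naming convention is the only thing it relies on; pfctl -nf and pfctl -sr remain the authoritative check.

```shell
#!/bin/sh
# Constructed copy of the relevant lines from the thread's pf.conf (not a real file).
sample_ruleset() {
    cat <<'EOF'
tcp_in_pass = "{ 21 22 25 53 80 465 995 10011 30033 }"
tcp_out_pass = "{ 21 22 53 }"
udp_in_pass = "{ 53 995 9987 }"
udp_out_pass = "{ 53 }"
ext_if = "bge0"
pass out on $ext_if proto tcp to any port $tcp_out_pass keep state
pass in on $ext_if proto tcp to any port $tcp_in_pass keep state
pass out on $ext_if proto tcp to any port $udp_out_pass keep state
pass in on $ext_if proto tcp to any port $udp_in_pass keep state
EOF
}

# Reads a ruleset on stdin and prints one line per rule where the "proto"
# keyword (tcp/udp) does not match the prefix of the port macro ($tcp_.../$udp_...).
find_proto_macro_mismatch() {
    awk '
        /^(pass|block) / && /proto (tcp|udp)/ && /port [$](tcp|udp)_/ {
            proto = $0; sub(/.*proto /, "", proto); sub(/ .*/, "", proto)
            macro = $0; sub(/.*port [$]/, "", macro); sub(/_.*/, "", macro)
            if (proto != macro)
                printf "line %d: proto %s but port macro is $%s_...: %s\n", NR, proto, macro, $0
        }'
}

# Convenience wrapper: number of mismatched rules, as a plain integer.
count_proto_macro_mismatch() {
    find_proto_macro_mismatch | wc -l | tr -d ' '
}

# Stand-alone run: report the mismatches in the constructed sample.
sample_ruleset | find_proto_macro_mismatch
```

Run it against your own pf.conf with `find_proto_macro_mismatch < /etc/pf.conf`; an empty result means every port macro agrees with its rule's protocol.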
 