Solved rule interpretation

Hi,
Could someone please help me understand what the rule below means?
Code:
pass in log on $ExtIf inet proto tcp  from !($ExtIf)  to $WebProxy  port https $TcpState $WebSTO
My understanding is:

allow all traffic from outside my network from port 443 to be passed to WebProxy and apply the rule from $TcpState $WebSTO...
Is that correct?
 
Hi,

I would really appreciate if someone could tell me if my interpretation is correct..

Thank you
 
Nothing is being passed on, that's NAT or redirection. This only says "allow this specific traffic".

More specifically it says, allow traffic coming in on $ExtIf from any address except the address of $ExtIf itself, to $WebProxy port 443.
 
Code:
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($ExtIf) port https -> $WebProxy
pass in log on $ExtIf inet proto tcp  from !($ExtIf)  to $WebProxy  port https $TcpState $WebSTO
SirDice, I realized I missed some info on first post...
So is the pass.... rule necessary with my rdr?
I'm trying to understand so I can achieve public IP to jail IP redirection as in my post here
 
Yes, the redirection only tells it how to translate an incoming packet, it doesn't allow or deny anything. So you may have a working redirection but it's possible the traffic is still denied.
 
OK, so I still need
Code:
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxy      port https $TcpState $WebSTO
Is there any chance you could help me with my other thread?
I tried
Code:
 WebProxyExtIf    = "x.x.x.247"
WebProxyIntIf    = "10.8.20.14"
rdr on $ExtIf inet proto tcp from  !($ExtIf) to ($WebProxyExtIf) port http -> $WebProxyIntIf
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxyExtIf      port www   $TcpState $WebSTO
but pfctl -vnf /etc/pf.conf returned
Code:
/etc/pf.conf:104: invalid interface name 'x.x.x.247'
/etc/pf.conf:105: invalid interface name 'x.x.x.247'
 
Your variable names are confusing, WebProxyExtIf for example, the name refers to an interface but the content is an IP address. This shouldn't matter functionally (a variable can be named anything you want) but it is confusing for others.
 
Your variable names are confusing [...]
To say the least.

fred974:
Try this:
Code:
ExtIf = "bce0"
WebProxyExtIf    = "1.2.3.247"
WebProxyIntIf    = "1.2.3.14"
TcpState = "keep state" # if you have this value set for TcpState, you should remove it, as it's the default value that gets added to each rule.

rdr on $ExtIf inet proto tcp from !($ExtIf) to $WebProxyExtIf port http -> $WebProxyIntIf

pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxyExtIf      port www   $TcpState

PS: I removed the TcpState macro because I cannot figure out what you have there.
PS2: For the future, please post all relevant parts of your rules.

LE: Alternately, you could rework the first rule and remove the second, like so:
Code:
rdr pass log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxyExtIf port http -> $WebProxyIntIf
 
da1
I tried that code and the www page could not be reached.
I have been at it for 3 days solid and I think I am way out of my depth here

Below is the full pf.conf (real IPs masked) as suggested
Code:
### Interfaces ###
ExtIf   = "bce0"
JailIf  = "lo1"

### Hosts ###

WebProxyExtIf    = "91.203.xx.xxx"
WebProxyIntIf    = "10.8.20.13"

### Queues, States and Types ###
IcmpPing ="icmp-type 8 code 0"
SshQueue ="(ssh_bulk, ssh_login)"
SynState ="flags S/UAPRSF synproxy state"
#TcpState ="flags S/UAPRSF modulate state"
TcpState = "keep state"
UdpState ="keep state"


### Stateful Tracking Options (STO) ###
OpenSTO ="(max 90000, source-track rule, max-src-conn 1000, max-src-nodes 256)"
SmtpSTO ="(max   200, source-track rule, max-src-conn   10, max-src-nodes 256, max-src-conn-rate 200/30)"
SshSTO  ="(max   100, source-track rule, max-src-conn   10, max-src-nodes 100, max-src-conn-rate 100/30,  overload <BLOCKTEMP> flush global)"
WebSTO  ="(max  4096, source-track rule, max-src-conn   64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

### Tables ###
table <TRUSTED> persist file "/etc/pf-files/trusted.pftable"
table <BLOCKEDZONE> persist file "/etc/pf-files/blockedzones.pftable"
table <BLOCKTEMP> counters file "/etc/pf-files/fail2ban.pftable"
table <BLOCKNETS> {224.0.0.22, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                    169.254.0.0/16, 192.0.2.0/24, \
                    192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24, \
                    169.254.0.0/16, 0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32}

################ Options ######################################################
### Misc Options
set skip on lo
set debug urgent
set block-policy drop
set loginterface $ExtIf
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none

### Timeout Options
set optimization normal
set timeout { tcp.closing 60, tcp.established 7200}


################ Normalization ###############################################

scrub     log on $ExtIf all reassemble tcp fragment reassemble

################ Translation #################################################
### NAT and Redirection rules are first match

# NAT all jail traffic
nat on $ExtIf from $JailIf:network  to any -> ($ExtIf)

# Hiawatha web proxy server
rdr on $ExtIf inet proto tcp from !($ExtIf) to $WebProxyExtIf port http -> $WebProxyIntIf
rdr on $ExtIf inet proto tcp from !($ExtIf) to $WebProxyExtIf port https -> $WebProxyIntIf

# Anchors
nat-anchor "openvpn"
rdr-anchor "openvpn"

# DENY rogue redirection
#no rdr

################ Filtering ###################################################
# Rules are best (closest) match. Rules are optimized so external
# interface parsing is first followed by the internal interface.

### $ExtIf block abusive hosts in temp and blacklist tables
#block in quick on $ExtIf from                     <BLACKLIST> to any
block drop in log quick from { <BLOCKNETS> urpf-failed no-route } to any
block out quick on $ExtIf from any to { <BLOCKNETS> no-route }
block drop in log quick on $ExtIf proto udp from <BLOCKTEMP> to any
block drop in log quick on $ExtIf proto tcp from <BLOCKTEMP> to any port != ssh
block drop in log quick on $ExtIf proto tcp from <BLOCKEDZONE> to any port { 22 80 443 }
anchor "openvpn"

### $ExtIf default block with drop
block drop in log on $ExtIf
antispoof quick log for $ExtIf inet
block quick inet6
#block out log proto { tcp, udp } user { 80, 88 } label "www-mysql output deny"

### $ExtIf inbound
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxyExtIf      port www   $TcpState
pass in log on $ExtIf inet proto tcp  from !($ExtIf)      to $WebProxyExtIf      port https  $TcpState

pass in quick log on $ExtIf proto tcp from <TRUSTED>      to $ExtIf         port ssh   $TcpState $SshSTO

### $ExtIf outbound
pass out log on $ExtIf inet proto tcp  from ($ExtIf) to !($ExtIf) $TcpState $OpenSTO
pass out log on $ExtIf inet proto udp  from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
pass out log on $ExtIf inet proto icmp from ($ExtIf) to !($ExtIf) $UdpState $OpenSTO
Is bce0 your external interface with multiple public IPs?
Yes, /etc/rc.conf:
Code:
 ## Set gateway
  ifconfig_bce0="inet 91.203.72.xxx netmask 255.255.255.248"            # This server
  defaultrouter="91.203.72.233"

## Declare ExtIF public IPs
  ifconfig_bce0_alias0="inet 91.203.72.xxx netmask 255.255.255.0"     # Mail Server
  ifconfig_bce0_alias1="inet 91.203.72.xxx netmask 255.255.255.0"     # Web Sever
  ifconfig_bce0_alias2="inet 91.203.72.xxx netmask 255.255.255.0"     # Ftp Server

 ## Set jails alias interface
  cloned_interfaces="${cloned_interfaces} lo1"  # allows loopback isolation in the jail
  ipv4_addrs_lo1="10.8.20.10-49/29"
 
Your jails are bound to the external interface and using the external IP addresses so there's no need for NAT or redirections. In fact, those may be the cause of the problems because you can't "bounce" traffic out the same interface it came in on.

See pf.conf(5):
Code:
     Translation rules apply only to packets that pass through the specified
     interface, and if no interface is specified, translation is applied to
     packets on all interfaces.  For instance, redirecting port 80 on an
     external interface to an internal web server will only work for
     connections originating from the outside.  Connections to the address of
     the external interface from local hosts will not be redirected, since such
     packets do not actually pass through the external interface.
     Redirections cannot reflect packets back through the interface they
     arrive on, they can only be redirected to hosts connected to different
     interfaces or to the firewall itself.
 
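Worked example, added by the editor and not taken from any post in this thread: a minimal pf.conf that does what the thread is after (a public alias on bce0 redirected to a jail on lo1) and that ties together the two points made above, that an rdr rule only translates and a pass rule must still admit the packet, and that a redirect can only go to a host on a different interface or to the firewall itself. Two facts from FreeBSD's pf.conf(5) shape the rules: a macro in parentheses, such as ($ExtIf), means "the addresses of that interface, looked up at runtime", so putting an IP address inside parentheses produces exactly the "invalid interface name" error seen earlier; and translation is applied before filtering, so the filter engine sees the packet with its destination already rewritten and the pass rule has to match the translated (jail) address, not the public one. The macro names, the 203.0.113.10 alias and the {http, https} port list are this example's assumptions; the other values are the ones used in the thread.

```conf
# Added example, not any poster's configuration.
# Assumptions: public alias 203.0.113.10 on bce0 (stands in for the masked
# address), jail on lo1 at 10.8.20.13, web proxy listening on 80 and 443.
ExtIf          = "bce0"
JailIf         = "lo1"
WebProxyPubIP  = "203.0.113.10"   # plain macro: a host address, NOT (bce0)
WebProxyJailIP = "10.8.20.13"     # jail address bound on lo1
WebSTO = "(max 4096, source-track rule, max-src-conn 64, max-src-nodes 512, max-src-conn-rate 500/100, overload <BLOCKTEMP> flush global)"

table <BLOCKTEMP> persist

# "lo" is the interface group: lo0 and the cloned lo1 are both members, so
# pf does not filter the jail side at all; only bce0 is policed.
set skip on lo
set block-policy drop

### Translation (evaluated before the filter rules) ###
# ($ExtIf) = addresses of bce0, resolved at runtime; this is the only place
# parentheses belong. Target 10.8.20.13 sits on lo1, a different interface,
# so the "cannot reflect back through the arriving interface" rule is not hit.
rdr on $ExtIf inet proto tcp from !($ExtIf) to $WebProxyPubIP port { http, https } -> $WebProxyJailIP

### Filtering (sees the packet AFTER translation) ###
block drop in log on $ExtIf

# Wrong: by now the destination is 10.8.20.13, so "to $WebProxyPubIP" never
# matches and the block above drops the connection.
#pass in log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxyPubIP port { http, https } keep state $WebSTO

# Right: match the translated destination.
pass in log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxyJailIP port { http, https } keep state $WebSTO

# Equivalent shorthand: "rdr pass" translates and passes in one rule, so the
# post-translation address question never comes up.
#rdr pass log on $ExtIf inet proto tcp from !($ExtIf) to $WebProxyPubIP port { http, https } -> $WebProxyJailIP

# Replies from the jail leave via bce0 and match the state created above,
# which undoes the translation; no extra nat rule is needed for this flow.
pass out on $ExtIf inet proto tcp from ($ExtIf) to !($ExtIf) keep state
```

Check it with `pfctl -vnf /etc/pf.conf` before loading; with `-v` pfctl prints every rule with macros expanded, which makes it obvious whether a pass rule is pointing at the public or the jail address. `pfctl -sn` and `pfctl -sr` after loading show the translation and filter rulesets separately, and `pfctl -ss` shows the state entries, where a working redirect appears as a single entry carrying both the public and the jail address.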
SirDice ,
I added the missing info in previous entry.. I have the following as well in my /etc/rc.conf
Code:
 ## Set jails alias interface
  cloned_interfaces="${cloned_interfaces} lo1"  # allows loopback isolation in the jail
  ipv4_addrs_lo1="10.8.20.10-49/29"
I removed the nat but the problem is still the same.
Code:
# nat on $ExtIf from $JailIf:network  to any -> ($ExtIf)
My server has 3 other interface that I could use..if necessary
 