PF: Still cutting off www server by myself

Hey all,

I have a problem with rules. I'm still cutting off my www server myself. I have a server with a few public IPs added to em0. One IP address is for a jail; it's 79.137.X.X. Inside the jail I have a running nginx server.
Address 91.121.X.X is the main address of the server, added to em0. The rules below deny my www and dns, and pkg doesn't want to either:
Code:
root@HardenedBSD:/home/bryn1u # pkg update
Updating BSD repository catalogue...
Unable to update repository BSD
Error updating repositories!
root@BSD:/home/bryn1u
Server, and I don't know why. When I turn off pf, everything works great. When I change the rules to any to any instead of the IP address, everything works too. Can someone explain to me what's wrong?
The funny thing is that for ssh it works for both 91.121.X.X and 79.137.X.X.

Code:
.......
block drop in log all label "default in deny rule"
block drop out log all label "default out deny rule"
#######################
# enable antispoofing #
#######################

antispoof log quick for $ext_if inet label "antispoof rule"

# block all if no back routes
block in log quick from no-route to any label "no-route rule"

# block all if reverse fails (probably spoofed)
block in log quick from urpf-failed to any label "reverse lookup failed rule (probably spoofed)"

# drop broadcast requests quietly
block in log quick on $ext_if from any to 255.255.255.255

block drop in log (all)  quick on $ext_if from <bruteforce> to any
block drop out log (all) quick on $ext_if from any to <bruteforce>

### 91.121.X.X:
### SSH:
pass in on $ext_if proto tcp from any to 91.121.X.X port { 22 }
pass out on $ext_if proto tcp from 91.121.X.X to any port { 22 }

### 79.137.56.144:
### SSH:
pass in on $ext_if proto tcp from any to 79.137.X.X port { 22 }
pass out on $ext_if proto tcp from 79.137.X.X to any port { 22 }

### WWW
pass in on $ext_if proto tcp from any to 79.137.X.X port { 80 }
pass out on $ext_if proto tcp from 79.137.X.X to any port { 80 }

### DNS
pass in on $ext_if proto tcp from any to 79.137.X.X port { 53 }
pass out on $ext_if proto tcp from 79.137.X.X to any port { 53 }
pass in on $ext_if proto udp from any to 79.137.X.X port { 53 }
pass out on $ext_if proto udp from 79.137.X.X to any port { 53 }
 
You don't need to allow outgoing traffic for incoming connections. The responses are 'automagically' allowed because the rules are stateful.
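To illustrate the stateful point, here is an added example of a minimal pf.conf for the layout described in the thread (one host address and one jail address on em0); it is not the poster's ruleset and not taken from the thread. The macro values are placeholders, and the outbound ports assumed for pkg and DNS are an assumption about what the host itself needs to reach.

```pf
# Added example, not the poster's ruleset. Placeholder addresses stand in
# for the redacted 91.121.X.X (host) and 79.137.X.X (jail).
ext_if  = "em0"
host_ip = "91.121.0.1"
jail_ip = "79.137.0.1"
table <bruteforce> persist

set skip on lo0
antispoof log quick for $ext_if inet label "antispoof rule"

# Default deny in both directions; everything below must be explicit.
block drop in  log all label "default in deny rule"
block drop out log all label "default out deny rule"

block drop in log quick on $ext_if from <bruteforce> to any

# Inbound services. In FreeBSD's pf a "pass" rule keeps state by default,
# so reply packets of these connections need no matching "pass out" rule.
pass in on $ext_if proto tcp from any to $host_ip port 22
pass in on $ext_if proto tcp from any to $jail_ip port { 22, 80 }
pass in on $ext_if proto { tcp, udp } from any to $jail_ip port 53

# Connections the host itself starts (assumed: pkg fetching catalogues over
# HTTP/HTTPS and resolver lookups). A "pass out ... from $jail_ip" rule does
# not cover traffic sourced from $host_ip, so the host address must be listed.
pass out on $ext_if proto tcp  from { $host_ip, $jail_ip } to any port { 80, 443 }
pass out on $ext_if proto { tcp, udp } from { $host_ip, $jail_ip } to any port 53
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, so a syntax error does not leave the box locked out.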
 

Ehh, everything works. I just made a mishmash with IPs and ports. Topic can be removed.
Thanks.
 

Yes, I know, but I was trying all the different combinations. As I said, I made a little bit of chaos :((
 