The Meaning of "inet" And Passing UDP Only to a DNS Server

Hello,

I've got a couple of questions about the PF firewall. First of all, why this rule :
Code:
pass in quick proto icmp icmp-type echoreq
is incorrect unless I type inet before proto:
Code:
pass in quick inet proto icmp icmp-type echoreq
What does inet stand for/mean ?

Secondly, if there is a DNS server behind the firewall, does this rule :
Code:
set skip on lo
block all
pass in quick proto udp from any to any port domain
make trouble for that server?

Last question, would someone know which switch I could use with the OpenSSH client if I want to connect to an SSH server behind a firewall that accepts only a connection incoming from port 1000?
Code:
block all
pass in log on em0 proto tcp from any port 1000 to port ssh flags S/SA keep state
 
Kampera said:
Hello,

I've got a couple of questions about the PF firewall. First of all, why this rule :
Code:
pass in quick proto icmp icmp-type echoreq
is incorrect unless I type inet before proto:
Code:
pass in quick inet proto icmp icmp-type echoreq
What does inet stand for/mean ?

inet: IPv4, inet6: IPv6. You must specify the address family because the icmp-type differs between IPv4 and IPv6.

Secondly, if there is a DNS server behind the firewall, does this rule :
Code:
set skip on lo
block all
pass in quick proto udp from any to any port domain
make trouble for that server?

DNS uses TCP if the reply is large and for DNS transfers. Also, you have to allow the flow on the incoming interface and the outgoing interface (the replies are allowed by states created by the rule). Just remove the "in".

Code:
pass quick proto udp from any to $dns_server_ip port domain

Last question, would someone know which switch I could use with the OpenSSH client if I want to connect to an SSH server behind a firewall that accepts only a connection incoming from port 1000?
Code:
block all
pass in log on em0 proto tcp from any port 1000 to port ssh flags S/SA keep state

I don't know, but you will be able to open only one connection.
 
Re: The Meaning of "inet" And Passing UDP Only to a DNS Server

Kampera said:
Last question, would someone know which switch I could use with the OpenSSH client if I want to connect to an SSH server behind a firewall that accepts only a connection incoming from port 1000?
Code:
block all
pass in log on em0 proto tcp from any port 1000 to port ssh flags S/SA keep state
Do you mean you have a server behind a firewall and you want it to accept SSH connections, but only on port 1000 (i.e. you should ssh to server:1000 rather than server:22)? In that case do the following: in /etc/sshd_config do
Code:
Port 1000
(delete any other lines that start with 'Port' if you want 1000 to be the ONLY one).
Now in pf.conf do something like:
Code:
pass in quick on <interface> proto tcp to port 1000 flags S/SA keep state
In this case, any time you want to SSH to the server from anywhere, you will have to specify port 1000; the firewall will see that port number and allow it because of the above rule, and sshd will be listening on that port for connections, so it will accept. I use this on my server (just some random port number, which I change sometimes too), and it works well.
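Pulling the three answers in this thread together, here is an added pf.conf fragment (not posted by anyone in the thread) showing the ICMP rules with an explicit address family, DNS passed over both UDP and TCP without a direction keyword, and the non-default SSH port. The interface names, the $dns_server address and the comments are assumptions for the example.

```pf
# Added example, not from the thread. Assumed names: em0 is the outside
# interface, em1 the inside one, and 192.0.2.53 is a placeholder address.
ext_if = "em0"
int_if = "em1"
dns_server = "192.0.2.53"

set skip on lo
block all

# ICMP: the address family is mandatory because icmp-type names are
# defined per family; IPv6 uses proto icmp6 and icmp6-type.
pass in quick inet  proto icmp  icmp-type  echoreq
pass in quick inet6 proto icmp6 icmp6-type echoreq

# DNS: allow UDP and TCP (large replies and zone transfers use TCP).
# No "in"/"out": the same rule matches the query arriving on $ext_if and
# leaving on $int_if; the reply is matched by the state entry it creates.
pass quick proto { udp, tcp } from any to $dns_server port domain

# SSH on a non-default port: sshd listens on 1000 (Port 1000 in sshd_config).
pass in quick on $ext_if proto tcp to port 1000 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it.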
 