from https://groups.google.com/g/comp.lang.php/c/QKZnFFaeH6E
I am seeing weird errors as follows:
2022/11/17 21:09:25 [error] 48261#101347: *432718 FastCGI sent in stderr: "PHP message: PHP Warning: An unexpected error occurred. Something may be wrong with WordPress.org or this server’s configuration. If you continue to have problems, please try the <a href="https://wordpress.org/support/forums/">support forums</a>. (WordPress could not establish a secure connection to WordPress.org. Please contact your server administrator.) in /usr/home/klint/html/wp-admin/includes/plugin-install.php on line 183" while reading upstream, client: 75.156.190.254, server: performanceplanning.ca, request: "GET /wp-admin/plugin-install.php HTTP/3.0", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", referrer: "https://klint.ca/wp-admin/plugins.php"
and
2022/11/17 22:02:01 [error] 61870#100691: *77 FastCGI sent in stderr: "PHP message: PHP Fatal error: Uncaught Error: Call to a member function getStatus() on null in /usr/home/doctor/html/blog/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php:458
#0 /usr/home/doctor/html/blog/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php(641): serendipity_event_spartacus->fetchfile('https://raw.git...', '/usr/home/docto...', 43200, true)
#1 /usr/home/doctor/html/blog/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php(1302): serendipity_event_spartacus->fetchOnline('sidebar')
#2 /usr/home/doctor/html/blog/serendipity/include/plugin_api.inc.php(1184): serendipity_event_spartacus->event_hook('backend_plugins...', Object(serendipity_property_bag), Array, NULL)
#3 /usr/home/doctor/html/blog/serendipity/include/admin/plugins.inc.php(160): serendipity_plugin_api::hook_event('backend_plugins...', Array)
#4 /usr/home/doctor/html/blog/serendipity/serendipity_admin.php(127): include('/usr/home/docto...')
thrown in /usr/home/doctor/html/blog/serendipity/plugins/serendipity_event_spartacus/serendipity_event_spartacus.php on line 458" while reading response header from upstream, client: 75.156.190.254, server: www.nk.ca, request: "GET /~doctor/blog/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins&serendipity[adminAction]=addnew&serendipity[only_group]=UPGRADE&serendipity[token]=4baa76c4e646fa57664731401fd12b70 HTTP/3.0", upstream: "fastcgi://unix:/var/run/php-fpm.sock:", referrer: "https://www.nk.ca/~doctor/blog/serendipity/serendipity_admin.php?serendipity[adminModule]=plugins"
Did the following tests
host wordpress.org
wordpress.org has address 198.143.164.252
wordpress.org mail is handled by 10 mail.wordpress.org.
The Doctor
06:56 (16 hours ago)
In article <jtufva...@mid.individual.net>,
J.O. Aho <us...@example.net> wrote:
>On 20/11/2022 03.51, The Doctor wrote:
>> Arno Welzel <use...@arnowelzel.de> wrote:
>
>>> Looks like Serendipity tries to install or update a WordPress plugin and
>>> your "nginx on FreeBSD with packet filtering" prohibits the connection.
>>>
>>
>> How do we test if this is the case?
>
>First see if you can resolve the domain name to an ip on the machine
>
>host wordpress.org
wordpress.org has address 198.143.164.252
wordpress.org mail is handled by 10 mail.wordpress.org.
>
>also check if you can connect to it
>
>wget -S https://wordpress.org
>
wget -v -v -v -v -v -v -v -v -v -v -S https://wordpress.org
--2022-11-20 06:54:04-- https://wordpress.org/
Resolving wordpress.org (wordpress.org)... 198.143.164.252
Connecting to wordpress.org (wordpress.org)|198.143.164.252|:443... failed: Operation timed out.
Retrying.
--2022-11-20 06:55:20-- (try: 2) https://wordpress.org/
Connecting to wordpress.org (wordpress.org)|198.143.164.252|:443...
tcptraceroute wordpress.org
Selected device igb0, address 204.209.81.1, port 58686 for outgoing packets
Tracing the path to wordpress.org (198.143.164.252) on TCP port 80 (http), 30 hops max
1 * * *
2 * * *
3 * * *
4 * * *
5 * * *
And the pf.conf looks like
## Set your public interface ##
ext_if="igb0"
##Internal bridge for virtually hosted machines
int_if="bridge0"
## Set your server public IP address ##
ext_if_ip="public IP to the world"
int_if_ip="Virtual bridge IP"
#vpn interface
vpn_if="tun0"
vpn_net="10.8.0.0/16"
#vpn interface
tcpvpn_if="tun1"
tcpvpn_net="10.9.0.0/16"
#vpn interface
pptpvpn_if="pptptun0"
pptpvpn_net="10.10.0.0/16"
wgvpn_if="wg0"
wgvpn_net="10.14.0.0/16"
#Proxy for FTP
proxy="127.0.0.1"
proxyport="8021"
#All virtal machines go here!
sl="IP for VM 1"
fedora="IP for VM 2"
centos="IP for VM 3"
debian="IP for VM 4"
centos8="IP for VM 5"
ubuntu="IP for VM 6"
win2019="IP for VM 7"
kali="IP for VM 8"
oracle="IP for VM 9"
aaron="IP for VM 10"
ssh_port = "22"
#In case you need a whole group
vhosts =" { All 9 Ips with VMs }"
## Set and drop these IP ranges on public interface and any other troublemakers ##
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/13,10.15.0.0/16,10.16.0.0/12,10.32.0.0/11,10.64.0.0/10,10.128.0.0/9, \
169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4, 185.162.235.0/24, \
87.145.0.0/16 }"
## Set http(80)/https (443) port here and other ports that need accessing ##
webports = "{http, https,119,561,110,143,993,995,20,21,23,79,25,465,587,53,513,783,2228,3310,36941,3128,69,10000,20000,43,63,4321,1701,500,4500,5555,1723,47,9090,8000:8100,8443,51820,5900:5999,49150:61000}"
# Radius
radiusports = "{1645,1646,1812,1813 }"
# --- pptp server ---
PPTP_SERVER = "IP of server"
# --- pptp services ---
PPTP_SERVICES = "{ 1723 47 }"
## enable these services ##
int_tcp_services = "{domain, ntp, smtp,nntp, smtps,submission, www, https,20, ftp, ssh,openvpn,110,143,636,993,995,443,561,783,2228,3310,7500,10000,20000,43,63,4321,36941,3128,1701,500,4500,5555,1723,47,980,9090,8000:8100,5900:5999,23,8443,51820,49150:61000}"
int_udp_services = "{domain, ntp,69,openvpn}"
int_radius_services = "{1645,1646,1812,1813 }"
table <allowed> { 10.0.0.0/8 }
## Skip loop back interface - Skip all PF processing on interface bridge and virtual hosts ##
set skip on lo
set skip on wg
set skip on wg0
set skip on ng
set skip on ng0
set skip on ng1
set skip on ng2
set skip on ng3
set skip on ng4
set skip on ng5
set skip on ng6
set skip on ng7
set skip on ng8
set skip on ng9
set skip on ng10
set skip on ng11
set skip on ng12
set skip on ng13
set skip on ng14
set skip on ng15
set skip on tun
set skip on tun0
set skip on tun1
set skip on bridge0
set skip on tap0
set skip on tap1
set skip on tap2
set skip on tap3
set skip on tap4
set skip on tap5
set skip on tap6
set skip on tap7
set skip on tap8
set skip on tap9
set skip on tap10
set skip on tap11
set skip on tap12
set skip on tap13
set skip on tap14
set skip on tap15
set block-policy return
## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if
set fingerprints "/etc/pf.os"
# Deal with attacks based on incorrect handling of packet fragments
scrub in all
################### TRANSLATION #############
#### NAT and RDR start
nat on ! $vpn_if from $vpn_net to any -> $ext_if_ip
nat on ! $tcpvpn_if from $vpn_net to any -> $ext_if_ip
nat on ! $pptpvpn_if from $pptpvpn_net to any -> $ext_if_ip
nat on ! $wgvpn_if from $wgvpn_net to any -> $ext_if_ip
nat on $ext_if from $int_if to any -> ($ext_if)
nat on $int_if from $sl to any -> ($int_if)
nat on $int_if from $fedora to any -> ($int_if)
nat on $int_if from $centos to any -> ($int_if)
nat on $int_if from $debian to any -> ($int_if)
nat on $int_if from $centos8 to any -> ($int_if)
nat on $int_if from $ubuntu to any -> ($int_if)
nat on $int_if from $win2019 to any -> ($int_if)
nat on $int_if from $kali to any -> ($int_if)
nat on $int_if from $oracle to any -> ($int_if)
nat on $int_if from $aaron to any -> ($int_if)
nat on $int_if from $vpn_net to any -> ($int_if)
nat on $ext_if inet from $vpn_net to any ->$ext_if
nat on $ext_if from $vpn_net to any ->$ext_if
#nat on $ext_if from <allowed> to any -> $ext_if_ip
## Please note: for virtual machines you are passing the packets via the
## virtual switch, so treat it as machine (tap) into switch (bridge) into
## your machine acting as the host (exit)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Redirect ftp traffic to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
P_SERVER
## Set default policy ##
block return in log all
block out all
#block in
#pass in on $ext_if inet from $vpn_net to any -> $ext_if
# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 20
pass out proto tcp from $proxy to any port 21
pass out on $ext_if inet proto {tcp, udp} from $ext_if to any port ftp:ftp-proxy
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port 20
pass in on egress proto tcp to port > 19151
pass out quick on egress inet proto tcp from any to 204.209.81.1 flags S/SA
pass out quick on egress inet proto tcp from any to 204.209.81.3 flags S/SA
#set up virtual switch
pass in quick on bridge0 all
pass quick on tap0 all
pass quick on tap1 all
pass quick on tap2 all
pass quick on tap3 all
pass quick on tap4 all
pass quick on tap5 all
pass quick on tap6 all
pass quick on tap7 all
pass quick on tap8 all
pass quick on tap9 all
pass quick on tap10 all
pass quick on tap11 all
pass quick on tap12 all
pass quick on tap13 all
pass quick on tap14 all
pass quick on tap15 all
pass quick on tun0 all
pass quick on wg0 all
pass quick on ng0 all
pass quick on ng1 all
pass quick on ng2 all
pass quick on ng3 all
pass quick on ng4 all
pass quick on ng5 all
pass quick on ng6 all
pass quick on ng7 all
pass quick on ng8 all
pass quick on ng9 all
# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop in quick on $vhosts from $martians to any
block drop out quick on $vhosts from any to $martians
## Blocking spoofed packets
antispoof quick for $ext_if
antispoof quick for $vhosts
# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from 204.209.81.0/24 to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from 139.xxx.yyy.zzz"
## Use the following rule to enable ssh for ALL users from any IP address #
## pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
pass in inet proto tcp to $ext_if_ip port 22
pass in inet proto tcp to $vhosts port 22
pass in inet proto tcp to $ext_if_ip port 2228
pass in inet proto tcp to $vhosts port 2228
pass in quick on $int_if inet from <allowed> to any keep state
pass out quick on $int_if inet from any to any keep state
# Allow Ping-Pong stuff. Be a good sysadmin
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types keep state
# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $int_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $vhosts inet proto udp from any to any port 33433 >< 33626 keep state
# All access to our Nginx/Apache/Lighttpd Webserver and other ports
pass proto tcp from any to $ext_if port $webports
pass proto udp from any to $ext_if port $webports
pass proto udp from any to $ext_if port $radiusports
pass proto tcp from any to $vhosts port $webports
pass proto udp from any to $vhosts port $webports
# Allow essential outgoing traffic
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
pass out quick on $ext_if proto udp to any port $int_radius_services
pass out quick on $vhosts proto tcp to any port $int_tcp_services
pass out quick on $vhosts proto udp to any port $int_udp_services
pass in proto tcp from any to any port 53
pass in proto udp from any to any port 53
#pass in $vpn_if from any to any
pass in quick proto udp from any to any port 1194
pass out proto tcp from any to any port 53
pass out proto udp from any to any port 53
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto ipencap from any to any
pass in quick proto udp from any to any port 500
# pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto ipencap from any to any
pass out quick proto udp from any to any port 500
# pass out quick on gif0 from any to any
pass in quick on $ext_if inet proto { tcp udp } from any to $PPTP_SERVER port $PPTP_SERVICES keep state
pass out quick on $ext_if inet from any to any keep state
#For radius make certain for older systems port 1645 and current 1812
pass in log quick on $ext_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1645 keep state
pass in log quick on $ext_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1812 keep state
pass out quick all flags S/SA keep state
# Add custom rules below
# The overload table must be declared before the rules that reference it;
# persist keeps its contents across ruleset reloads
table <bruteforce> persist
block quick from <bruteforce>
pass quick proto { tcp, udp } from any to any port ssh \
flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
## I wonder if sshguard works with pf.
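The reply's three manual checks (resolve the name, connect to the port, complete the TLS handshake) as one staged probe. This is an added example, not code from the thread; it assumes a host with outbound network access and reports, for the stage that fails, whether the failure looks like a silent drop (a connect timeout, as in the wget output above) or an active reject.

```python
import errno
import socket
import ssl

# Added example: the reply's manual checks run in order (resolve like `host`, TCP
# connect like wget's "Connecting to ...:443", then a TLS handshake), stopping at
# the first stage that fails and naming how it failed.

def resolve(host):
    """First IPv4 address for host, or None if the name does not resolve."""
    try:
        return socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror:
        return None

def tcp_connect(addr, port, timeout):
    """Classify a bare TCP connect. 'timeout': no SYN-ACK and no RST, so the SYN or
    its reply is silently dropped (block drop, routing hole, upstream outage), which
    is what the wget run above shows. 'refused': an RST came back, so the host is
    reachable but the port is closed or a block-return policy answered."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "ok"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as e:  # no route from the local stack, or anything else
        return "unreachable" if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH) else "error:%s" % e.errno

def tls_handshake(addr, host, port, timeout):
    """Complete a verified TLS handshake (certificate chain and hostname)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + tls.version()
    except ssl.SSLError as e:
        return "tls_error:" + (e.reason or str(e))
    except OSError as e:
        return "connect_error:" + str(e)

def probe(host, port=443, timeout=10.0):
    """Run the stages in order; the dict names the stage reached and its result."""
    addr = resolve(host)
    if addr is None:
        return {"stage": "dns", "result": "failed"}
    tcp = tcp_connect(addr, port, timeout)
    if tcp != "ok":
        return {"stage": "tcp", "addr": addr, "result": tcp}
    return {"stage": "tls", "addr": addr, "result": tls_handshake(addr, host, port, timeout)}
```

Run `probe("wordpress.org")` from the affected host: a `tcp`/`timeout` result points at a dropped packet on the path or in pf, while a `tls` stage result means the firewall is not what is blocking the connection.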