Using PF and having problems

 
WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 11-16-2004 04:41

I am trying to use pf to secure a FreeBSD box.

This box will only ever have maybe 1 or 2 different IPs connecting to it, but will need to communicate outwards.

I started with

code:
ext_if = "exl0" # the external card
admin = "myinternalip"

block all

pass quick on lo0 all

pass in on $ext_if from $admin
pass out on $ext_if to $admin



This works great if the box only wants to talk to my computer, but it turns out that when I want to have the box do something useful like download any kind of data, I am sunk.

I tried changing the rules but as soon as I do I can no longer SSH into the box. What happens is that SSH gets slow to load during the boot process, and when I attempt to connect to the box I get the prompt for a username but the prompt for the password never comes. I can't see why this would happen.

My new rules would look like this (and many other variations):

code:
ext_if = "exl0" # the external card
admin = "myinternalip"

block in all

pass quick on lo0 all

pass in on $ext_if from $admin
pass out on $ext_if to $admin



or even

code:
ext_if = "exl0" # the external card
admin = "myinternalip"

block all

pass quick on lo0 all

pass out all
pass in on $ext_if from $admin
pass out on $ext_if to $admin



I don't know what I am doing wrong. The overall goal would be for this box to be able to download files, update the ports tree using cvsup, and to allow my IP address and only my IP address full access to all services.

Ultimately it will be a private development box.

Dan @ Code Town

(Edited by WarMage on 11-16-2004 04:41)

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted 11-16-2004 08:02

Examine it closely... you're looking to allow it to download files? On HTTP and FTP? Then you need to allow outgoing access to (I think, I don't have my port reference sheets on me) ports 21 and 8080 and incoming on 21 and 80, but for your IP to allow full access. If this works the way I think it does as well remember to enter your rules for what communication is allowed before you start denying it. If you deny first then nothing will work the way you expect it to.

Of course, having never worked with this type of communication rule before I could be wrong, but those are my thoughts.


Justice 4 Pat Richard

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted 11-16-2004 14:25

The way I understand it is that the last matching rule wins, but quick forces the matching to stop and selects the rule if it matches.

So the first example commented

code:
ext_if = "exl0" # the external card
admin = "myinternalip"

block all # Block everything

pass quick on lo0 all # but allow everything on the local loopback immediately stop parsing if it matches

pass in on $ext_if from $admin # and also allow anything in from me
pass out on $ext_if to $admin # and allow anything out to me



So when I change the rules to

code:
ext_if = "exl0" # the external card
admin = "myinternalip"

block in all # Block everything coming in (and allow everything out)

pass quick on lo0 all # but allow everything on the local loopback

pass in on $ext_if from $admin # and also allow anything in from me
pass out on $ext_if to $admin # and allow anything out to me



It shouldn't prevent me from accessing the SSH password prompt, because even if I messed up the first rules the last two should give me full access.

And I don't know what here would allow the initial handshake and username prompt, but deny the password. And I know it is pf because when I disable it (pfctl -d) I can log in.

Dan @ Code Town

(Edited by WarMage on 11-16-2004 14:26)

cycus
Nervous Wreck (II) Inmate

From:
Insane since: Nov 2000

posted 11-24-2004 02:06

I don't have a great deal of experience with PF, but using IPFW, if you want to be able to connect to external hosts and get packets back while not allowing other people to connect in, you need to use stateful rules. In IPFW this creates a dynamic rule table with IP and port numbers. With non-stateful rules you either have to allow or deny; allowing out only allows out, so you will not even get the reply packets to your own request.

Here is a brief example, where check-state and keep-state call for the dynamic rule table:

code:
add check-state
add pass tcp from ${admin} to me 22 in setup keep-state
add pass ip from me to any out keep-state
add drop all from any to any



I think PF has a "keep state" feature.
cycus
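The ruleset the thread is working toward, written out as an added example that is not from any of the posters. It uses the pf.conf syntax of the pf shipped with FreeBSD 5.x / OpenBSD 3.x in 2004, where a rule is stateless unless it says "keep state" explicitly. Two things from the thread combine here: pf evaluates the whole ruleset and the last matching rule wins (except after "quick"), and a stateless "pass out" admits only the outgoing packet, not the reply, so every reply from anyone but the admin host is still dropped by "block in all". A stall between the username and password prompts, with sshd also slow at boot, is the usual look of an outbound DNS lookup (sshd's reverse lookup of the client address) whose reply never gets back in; that is a common cause, not a claim about this particular box. The interface name "exl0" is kept from the thread; the admin address is a constructed placeholder.

```conf
# /etc/pf.conf -- added example, not taken from the thread.
# Targets the pf in FreeBSD 5.x / OpenBSD 3.x (2004): rules are
# stateless unless they carry "keep state".

ext_if = "exl0"          # external card, name kept from the thread
admin  = "192.0.2.10"    # constructed placeholder for the admin host

# Default deny in both directions. pf walks every rule and the LAST
# match wins, so these catch-alls go first and later passes override them.
block in  all
block out all

# Loopback: pass and stop evaluating this packet ("quick").
pass quick on lo0 all

# Connections the box opens itself (fetch, cvsup, DNS lookups, ...).
# "keep state" records the session in the state table, and the replies
# are passed back in by that state entry; no "pass in" rule is needed.
# "flags S/SA" creates state only on the initial SYN of a TCP session.
pass out on $ext_if proto tcp  all flags S/SA keep state
pass out on $ext_if proto udp  all keep state
pass out on $ext_if proto icmp all keep state

# Only the admin host may open connections to the box, to any service.
# The state entry again lets the box's replies out without a separate
# "pass out ... to $admin" rule.
pass in on $ext_if proto tcp  from $admin to any flags S/SA keep state
pass in on $ext_if proto udp  from $admin to any keep state
pass in on $ext_if proto icmp from $admin to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then watch `pfctl -s state` while opening an SSH session and running a fetch: both should show up as state entries, and `pfctl -vs rules` shows per-rule packet counters so a dropped packet can be traced to the rule that dropped it. If the password prompt still lags, the reverse lookup can be taken out of the picture with `UseDNS no` in sshd_config (OpenSSH 3.9 and later).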
