Closed Thread Icon

Topic awaiting preservation: Using PF and having problems Pages that link to <a href="https://ozoneasylum.com/backlink?for=24052" title="Pages that link to Topic awaiting preservation: Using PF and having problems" rel="nofollow" >Topic awaiting preservation: Using PF and having problems\

 
Author Thread
WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted posted 11-16-2004 04:41

I am trying to use pf to socure a FreeBSD box.

This box will only ever have maybe 1 or 2 different IP's connecting to it, but will need to communicate outwards.

I started with

code:
ext_if = "exl0" # the external card
admin = "myinternalip"

block all

pass quick on lo0 all

pass in on $ext_if from $admin
pass out on $ext_if to $admin



This works great if the box only wants to talk to my computer, but it turns out that when I want to have the box do something useful like dowload any kind of data from I am sunk.

I tried changing the rules but as soon as I do I can no longer SSH into the box, what happens in that SSH gets slow to load during the boot process, and when I attempt to connect to the box I get the prompt fo a username but the prompt for the password never comes. I can't see why this would happen.

My new rules would look like this (and many other variations):

code:
ext_if = "exl0" # the external card
admin = "myinternalip"

block in all

pass quick on lo0 all

pass in on $ext_if from $admin
pass out on $ext_if to $admin



or even

code:
ext_if = "exl0" # the external card
admin = "myinternalip"

block all

pass quick on lo0 all

pass out all
pass in on $ext_if from $admin
pass out on $ext_if to $admin



I don't know what I am doing wrong. The overall goal would be to have this box be to be able to dowload files,update the ports tree using cvsup, and to allow my IP address and only my IP address full access to all services.

Ultimately it will be a private development box.

Dan @ Code Town

(Edited by WarMage on 11-16-2004 04:41)

Skaarjj
Maniac (V) Mad Scientist

From: :morF
Insane since: May 2000

posted posted 11-16-2004 08:02

Examine it closely... you're looking to allow it to download files? On HTTP and FTP? Then you need to allow outgoing access to (I think, I don't have my port reference sheets on me) ports 21 and 8080 and incoming on 21 and 80, but for your IP to allow full access. If this works the way I think it does as well remember to enter your rules for what communication is allowed before you start denying it. If you deny first then nothing will work the way you expect it to.

Of course, having never worked with this type of communication rule before I could be wrong, but those are my thoughts.


Justice 4 Pat Richard

WarMage
Maniac (V) Mad Scientist

From: Rochester, New York, USA
Insane since: May 2000

posted posted 11-16-2004 14:25

The way I understand it is that the last matching rule wins, but quick forces the matching to stop and selects the rule if it matches.

So the first example commented

code:
ext_if = "exl0" # the external card
admin = "myinternalip"

block all # Block everything

pass quick on lo0 all # but allow everything on the local loopback immediately stop parsing if it matches

pass in on $ext_if from $admin # and also allow anything in from me
pass out on $ext_if to $admin # and allow anything out to me



So when I change the rules to

code:
ext_if = "exl0" # the external card
admin = "myinternalip"

block in all # Block everything coming in (and allow everything out)

pass quick on lo0 all # but allow everything on the local loopback

pass in on $ext_if from $admin # and also allow anything in from me
pass out on $ext_if to $admin # and allow anything out to me



It should,t prevent me from accessing the SSH password prompt, because even if I messed up the first rules the last two should give me full access.

And I don't know what her would allow the initial handshake and username prompt, but deny the password. And I know it is pf because when I disable it (pfctl -d) I can log in.

Dan @ Code Town

(Edited by WarMage on 11-16-2004 14:26)

cycus
Nervous Wreck (II) Inmate

From:
Insane since: Nov 2000

posted posted 11-24-2004 02:06

I don't have a great deal of experience with PF, but using IPFW if you want to be able to connect to external hosts and get packets back while not allowing other people to connect in you need to use statefull rules. In IPFW this creates a dynamic rule table with IP and Port numbers. With non-statefull rules you either have to allow or deny, allowing out only allows out, so you will not even get the reply packets to your own request.

Here is a brief example, where check-state and keep-state call for the dynamic rule table:

code:
add check-state
add pass tcp from ${admin} to me 22 in setup keep-state
add pass ip from me to any out keep-state
add drop all from any to any



I think PF has a ?keep state? feature.
cycus

« BackwardsOnwards »

Show Forum Drop Down Menu