pflog and traffic via gif_if

stephen dinzdale at gmail.com
Tue Apr 19 04:40:25 PDT 2005


Hi,

I've found something that perhaps someone could explain to me...


Previously I had problems allowing traffic to pass via my gif
interface... as far as the gif tunnel is set up, it works 100%, as when I
flushed my ruleset or disabled PF, there wasn't a problem.  Before I
started out blocking outbound services, I had a

 pass out on $ext_if from any to any keep state

rule, and the gif seemed to work fine...

Once I had blocked all traffic in/out on the $ext_if and $int_if, I
had to open ports one by one on both so that traffic could pass...

The initial rule for the tunnel was:

###tunnel filters
 pass  in on $gif_if all
 pass out on $gif_if all
 pass  in on $ext_if inet proto ipencap   from any  to any
 pass out on $ext_if inet proto ipencap   from any  to any

Once I was logging stuff properly, and using tcpdump, I noticed I had
to open $int_if/rl0 to allow traffic on ports 135,137-139 so my
windows boxes from behind firewall could talk to the windows boxes on
the other side of the tunnel... this makes sense as traffic would have
to enter the box per se, via my NIC, before being routed to the other
lan through the gif tunnel.

000000 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id
61411, offset 0, flags [DF], length: 48) 10.0.88.23.3736 >
10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535 <mss
1460,nop,nop,sackOK>
000483 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id
61412, offset 0, flags [DF], length: 48) 10.0.88.23.3737 >
10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535 <mss
1460,nop,nop,sackOK>
530734 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id
61413, offset 0, flags [DF], length: 48) 10.0.88.23.3736 >
10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535 <mss
1460,nop,nop,sackOK>
000230 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id
61414, offset 0, flags [DF], length: 48) 10.0.88.23.3737 >
10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535 <mss
1460,nop,nop,sackOK>
437281 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id
61419, offset 0, flags [DF], length: 48) 10.0.88.23.3736 >
10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535 <mss
1460,nop,nop,sackOK>
000247 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id
61420, offset 0, flags [DF], length: 48) 10.0.88.23.3737 >
10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535 <mss
1460,nop,nop,sackOK>
000477 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id
61421, offset 0, flags [none], length: 78) 10.0.88.23.137 >
10.0.89.1.137:
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0x864C
OpCode=0
NmFlags=0x0
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=
WARNING: Short packet. Try increasing the snap length

^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel


So I added rules for the $int_if/rl0:

###tunnel filters
 pass  in on $gif_if all
 pass out on $gif_if all
 pass  in on $ext_if inet proto ipencap   from any  to any
 pass out on $ext_if inet proto ipencap   from any  to any
 pass  in on $int_if proto { udp,tcp }    from any  to any port { 135,137:139,445 }  keep state
 pass out on $int_if proto { udp,tcp }    from any  to any port { 135,137:139,445 }  keep state


and ran tcpdump again:

Tue Apr 19 09:17:10 root@bollox:/home/stephen# tcpdump -n -e -ttt -vv -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file),
capture size 96 bytes
000000 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id
34146, offset 0, flags [DF], length: 48) 165.165.153.89.3479 >
165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800
<mss 1440,nop,nop,sackOK>
395435 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id
34156, offset 0, flags [DF], length: 48) 165.165.153.89.3479 >
165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800
<mss 1440,nop,nop,sackOK>
 -snipped out some other packets that were not relevant-
546633 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id
34194, offset 0, flags [DF], length: 48) 165.165.153.89.3479 >
165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800
<mss 1440,nop,nop,sackOK>
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel


The way I see it, traffic destined for 10.0.89.0 should be allowed to
enter via the NIC (10.0.88.254), as PF is allowing any source IP to
reach any destination IP if the ports are 135,137-139,445.

But now here's what I don't get...

I then had to allow traffic to pass via the same ports on
$ext_if/tun0, when the routing table is routing the traffic via the
gif tunnel (routing is set up fine; when the ruleset is flushed, it works 100%).
So I thought let me just try it out (as that's what tcpdump is telling
me is blocked) even though it sounds a little sketchy...

###tunnel filters
 pass  in on $gif_if all
 pass out on $gif_if all
 pass  in on $ext_if inet proto ipencap   from any  to any
 pass out on $ext_if inet proto ipencap   from any  to any
 pass  in on $int_if proto { udp,tcp }    from any  to any port { 135,137:139,445 }  keep state
 pass out on $int_if proto { udp,tcp }    from any  to any port { 135,137:139,445 }  keep state
 pass  in on $ext_if proto { udp,tcp }    from any  to any port { 135,137:139,445 }  keep state
 pass out on $ext_if proto { udp,tcp }    from any  to any port { 135,137:139,445 }  keep state

and that works perfectly.


The only thing I can think of is that pf sees the gif interface as a
virtual device and doesn't apply the rule to the virtual device but
rather to the physical device the virtual device uses (tun0/$ext_if),
which seems very unlikely, but I can't think what else it could be as I
see references to the tun0 device in tcpdump (the rl0/$int_if
references in tcpdump in the first instance seem obvious... you have to
allow the traffic in via the NIC to the local LAN before being able to
transport it to the other LAN via the gif tunnel).

Any comments/ views on this?

Perhaps there is something not 100% with my conf?   (although it is
working now, it's not really ideal passing netbios traffic from any to
any)


Tue Apr 19 09:26:53 root@bollox:/home/stephen# uname -a
FreeBSD bollox.soh.local 5.3-STABLE FreeBSD 5.3-STABLE #2: Mon Mar  7 18:09:46 SAST 2005     stephen@bollox.soh.local:/usr/obj/usr/src/sys/BOLLOX  i386

Tue Apr 19 10:21:13 root@bollox:/home/stephen# cat /etc/pf.conf
########## /etc/pf.conf
##### macros
int_if = "rl0"
ext_if = "tun0"
gif_if = "gif3"

icmp_types = "echoreq"

dns = "{ 196.25.1.1 }"
mail1 = "{ dbn.stormnet.co.za }"
mail2 = "{ smtp.saix.net }"

p2p_ports = " { 6346 }"
p2p_clients = "{ 10.0.88.5 , 10.0.88.11 , 10.0.88.12 , 10.0.88.23 }"
studio = "{ 10.0.88.5 , 10.0.88.11 , 10.0.88.12 }"

sh = "10.0.88.23/24"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
soh ="{ 10.0.88.1 , 10.0.88.2 , 10.0.88.3 , 10.0.88.4 , 10.0.88.5 ,
10.0.88.6 , 10.0.88.7 , 10.0.88.8 , 10.0.88.9 , 10.0.88.10 ,
10.0.88.11 , 10.0.88.12 , 10.0.88.13 , 10.0.88.14 , 10.0.88.15 ,
10.0.88.16 , 10.0.88.17 , 10.0.88.18 , 10.0.88.19 , 10.0.88.20 ,
10.0.88.21 , 10.0.88.22 , 10.0.88.23 , 10.0.88.24 , 10.0.88.25 ,
10.0.88.26 , 10.0.88.27 , 10.0.88.28 , 10.0.88.29 , 10.0.88.30 }"

vpn_conf = "{ x.y.z.237 }"


##### aliases
int_net		= "{" $int_if:network "}"

##### behavior options
set optimization aggressive
set block-policy return
set loginterface $ext_if
set fingerprints "/etc/pf.os"

##### scrub
scrub in all

##### nat/rdr
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 80 -> 127.0.0.1 port 3128
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

##### anti spoofing protection
#antispoof quick for $int_if inet
#antispoof quick for $ext_if inet
#antispoof quick for lo0

#block drop in  on $ext_if from $priv_nets to any
#block drop out on $ext_if from any to $priv_nets

#####filter rules
###default block and log all
 block log all
 block in log quick  inet6 all
 block out log quick inet6 all
 pass in  quick	     inet proto icmp all icmp-type $icmp_types keep state
 pass out quick      inet proto icmp all icmp-type $icmp_types keep state
 pass quick 	     on lo0 all


###filter rules for $int_if inbound
 block in log 	on $int_if all
#pass in on $int_if from $soh to $int_if keep state
 pass in on $int_if proto tcp from any to $int_if port 2222 keep state
#pass in on $int_if proto tcp  from any to $dns keep state 
 pass in on $int_if proto { udp,tcp } from $int_net to any port = 53 keep state
 pass in on $int_if proto tcp from $soh to any port = 3128 flags S/SA keep state
 pass in on $int_if proto tcp from $soh to any port = 443 flags S/SA keep state 
#pass in on $int_if proto tcp from $int_net to $int_if port { 21,20 } keep state
#pass in on $int_if proto tcp from $int_net to any port 8021 keep state
 pass in on $int_if proto tcp from $soh to $int_if port 25 keep state 
 pass in on $int_if proto tcp from $soh to $int_if port 110 keep state 
 pass in on $int_if proto { udp,tcp } from $int_net to any port 6346 keep state
 pass in on $int_if proto tcp from $int_net to ($ext_if) port { 25,110 } keep state
 pass in on $int_if proto tcp from $int_net to $mail1 port { 25,110 } keep state
 pass in on $int_if proto tcp from $int_net to $mail2 port { 25,110 } keep state
 pass in on $int_if proto tcp from $int_net to any port { 2222 } keep state

###filter rules for $int_if outbound
 block out log on $int_if all
#pass out on $int_if all keep state
#pass out on $int_if inet proto tcp from $int_if to $int_net port 20 keep state

###filter rules for $ext_if inbound
 block in log on $ext_if all
#pass in on $ext_if inet proto tcp from any to ($ext_if)  port 20  keep state
#pass in on $ext_if inet proto tcp from any to ($ext_if)  port 21  keep state
 pass in on $ext_if inet proto tcp from any to ($ext_if)  port 25  keep state
 pass in on $ext_if inet proto tcp from any to ($ext_if)  port 110 keep state
#pass in on $ext_if inet proto tcp from any to ($ext_if)  port 2222 keep state
#pass in on $ext_if inet proto tcp from any to any	  port 55000:57000 keep state

##block nmap's fingerprinting attempt(FIN, URG, PSH)
 block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP


###filter rules for $ext_if outbound
 block out log 	on $ext_if all
 pass out on $ext_if inet proto udp from any 	   to $dns  port 53 keep state 
#pass out on $ext_if inet proto tcp from any       to $dns port 53 flags S/SA keep state
 pass out on $ext_if inet proto tcp from ($ext_if) to $vpn_conf flags S/SA keep state
#pass out on $ext_if inet proto tcp from ($ext_if) to any port 21 keep state
#pass out on $ext_if inet proto tcp from ($ext_if) to any port 20 keep state
#pass out on $ext_if inet proto tcp from ($ext_if) to any port 8021 keep state
 pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 25 keep state
 pass out on $ext_if inet proto tcp from ($ext_if) to $mail1 port 110 keep state
 pass out on $ext_if inet proto tcp from ($ext_if) to $mail2 port 25 keep state
 pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 keep state
 pass out on $ext_if inet proto tcp from ($ext_if) to any port 443 keep state
 pass out on $ext_if inet proto tcp from ($ext_if) to any port 6346 keep state
 pass out on $ext_if inet proto tcp from ($ext_if) to any port { 22,2222 } keep state

 
###tunnel filters
 pass in  on $gif_if all
 pass out on $gif_if all
 pass in  on $ext_if inet proto ipencap from any to any
 pass out on $ext_if inet proto ipencap from any to any
 pass in  on $int_if proto { udp,tcp }  from any to any port { 135,137:139,445 } keep state
 pass out on $int_if proto { udp,tcp }  from any to any port { 135,137:139,445 } keep state
 pass in  on $ext_if proto { udp,tcp }  from any to any port { 135,137:139,445 } keep state
 pass out on $ext_if proto { udp,tcp }  from any to any port { 135,137:139,445 } keep state


ps: the reason ports and hosts are separated is because of labelling
pps: everything related to ftp has been commented out because I can't
get it working, but that's another battle for another day =]


Thanks,


Stephen
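Added example, not part of Stephen's post and not pf code: a small Python script that parses the kind of `tcpdump -n -e -ttt -vv -i pflog0` output shown above and tallies blocked flows by interface, direction, rule number and destination port, marking whether both endpoints sit inside the two LANs the gif tunnel joins. The tunnel networks (10.0.88.0/24 and 10.0.89.0/24) and the one-record-per-line sample lines are assumptions constructed for the example in the post's format, not a real capture. Sorting logged blocks this way is the first check worth doing when a block looks tunnel-related: inner tunnel traffic is always between tunnel addresses, and the outer packets on the external interface are ipencap, so a TCP or UDP block on the external interface between two non-tunnel addresses cannot be the tunnel's traffic.

```python
"""Summarise pflog block records from `tcpdump -n -e -ttt -vv -i pflog0`.

Added example (not from the original post). It groups blocked flows by
interface, direction, rule number and destination port, and flags
whether both endpoints lie inside the networks assumed to ride the gif
tunnel. Sample records are constructed in the format the post shows.
"""
import ipaddress
import re
from collections import Counter

# Networks assumed to be joined by the gif tunnel (assumption for this example).
TUNNEL_NETS = [ipaddress.ip_network("10.0.88.0/24"),
               ipaddress.ip_network("10.0.89.0/24")]

# One packet per line, as tcpdump prints it. Captures rule number, match
# reason, action, direction, interface, and the IPv4 src/dst with ports.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<iface>\w+): "
    r"IP .*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

# Constructed sample lines in the style of the post (not a real capture).
SAMPLE = """\
000000 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61411, offset 0, flags [DF], length: 48) 10.0.88.23.3736 > 10.0.89.1.445: S [tcp sum ok] 3464632695:3464632695(0) win 65535 <mss 1460,nop,nop,sackOK>
000483 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61412, offset 0, flags [DF], length: 48) 10.0.88.23.3737 > 10.0.89.1.139: S [tcp sum ok] 2514062872:2514062872(0) win 65535 <mss 1460,nop,nop,sackOK>
000477 rule 6/0(match): block in on rl0: IP (tos 0x0, ttl 128, id 61421, offset 0, flags [none], length: 78) 10.0.88.23.137 > 10.0.89.1.137: NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
 -snipped out some other packets that were not relevant-
000000 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id 34146, offset 0, flags [DF], length: 48) 165.165.153.89.3479 > 165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800 <mss 1440,nop,nop,sackOK>
395435 rule 31/0(match): block in on tun0: IP (tos 0x0, ttl 126, id 34156, offset 0, flags [DF], length: 48) 165.165.153.89.3479 > 165.165.167.17.445: S [tcp sum ok] 2834692615:2834692615(0) win 64800 <mss 1440,nop,nop,sackOK>
"""


def parse_record(line):
    """Return a dict for one pflog record, or None if the line is not one."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def in_tunnel_nets(addr):
    """True if addr belongs to one of the networks behind the gif tunnel."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TUNNEL_NETS)


def classify(rec):
    """'tunnel' when both endpoints live in the tunnelled LANs, else 'other'."""
    if in_tunnel_nets(rec["src"]) and in_tunnel_nets(rec["dst"]):
        return "tunnel"
    return "other"


def summarize(text):
    """Count block records by (iface, direction, rule, dport, class).

    Non-record lines (tcpdump banners, editorial snips) are skipped, and
    pass records are ignored so only what the ruleset dropped is shown.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["action"] != "block":
            continue
        key = (rec["iface"], rec["dir"], rec["rule"], rec["dport"], classify(rec))
        counts[key] += 1
    return counts


def report(text):
    """Render the summary as one line per (iface, dir, rule, dport, class)."""
    rows = []
    for (iface, direction, rule, dport, cls), n in sorted(summarize(text).items()):
        rows.append(f"{n:4d}  block {direction} on {iface}  rule {rule}  dport {dport}  {cls}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(SAMPLE))
```

Feed it a real capture with `tcpdump -n -e -ttt -vv -i pflog0 | python3 pflog_summary.py` style piping (reading stdin instead of SAMPLE) and adjust TUNNEL_NETS to the prefixes actually routed over the gif interface; rows tagged `other` on the external interface are candidates for ordinary Internet noise rather than tunnel traffic, and rows tagged `tunnel` on the internal interface are what the `pass in on $int_if` rules need to cover.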

