Why this rule doesn't score a match?

Ivan Petrushev ivanatora at gmail.com
Wed Jul 23 18:28:06 UTC 2008


Hmmm, yes, I'm on FreeBSD 7.
I tried these pass rules before - nothing gets logged.
I thought traffic is going both TO these ports and FROM these ports.
Let's take for example a simple HTTP connection. The browser
communicates with the remote server through remote port 80 and says 'GET
/index.html', then closes the connection. The HTTP server on the
remote side opens a connection to the local machine (on some of our
local port range)... but what is the port number on his side? I think
that it is again 80.
About pass in/pass out - I think that the in/out keyword can be dropped?
PF can do without that, right?

These are my current filter rules, still nothing gets logged:
##############################
pass log on $if proto tcp from any port $tcp_services
pass log on $if proto udp from any port $udp_services
pass log on $if proto tcp from any to $ext_ip port $tcp_services
pass log on $if proto udp from any to $ext_ip port $udp_services
#############################

Regards, Ivan.

On Wed, Jul 23, 2008 at 8:43 PM, FreeBSD <freebsd at optiksecurite.com> wrote:
> Ivan Petrushev wrote:
>>
>> Hello,
>> I'm trying a very simple 'block all, allow a few' firewall, but
>> something doesn't seem right.
>> As far as I remember 'the last matched rule' is the one taken and executed -
>> this doesn't seem to be working here.
>> Here is my firewall:
>> #####################
>> #macros
>> if = "re0"
>> ext_ip = "10.10.10.21"
>> tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
>> udp_services = "{domain, 5190, 5222, ftp}"
>>
>> #filter
>> block in log on $if
>> pass on $if proto tcp from any port $tcp_services
>> pass on $if proto udp from any port $udp_services
>> ####################
>> The point here is that if a packet for one of the listed services is
>> matched against the rules, it will match the block rule, but after
>> that it will match one of the last two and get passed. Instead it gets
>> blocked and I see it in the log:
>> tcpdump -n -i pflog0
>> 19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111:  tcp 24
>> [bad hdr length 0 - too short, < 20]
>> (there are many of these, including on the other ports)
>>
>> Now, there is something different. I tried removing the block rule,
>> and added logging for the 'pass' rules. In that case a packet
>> traveling down the rules should match only on the 'pass' rules and get
>> logged.
>> ####################
>> #filter
>> #block in log on $if
>> pass log on $if proto tcp from any port $tcp_services
>> pass log on $if proto udp from any port $udp_services
>> ####################
>>
>> Well, it doesn't get logged. The only thing I see in the log is:
>> 20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]
>> And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or
>> 80...
>>
>> What could be wrong here - it is a fairly simple ruleset?
>>
>
> You should try "pass in on $if proto tcp from any to $ext_ip port
> $tcp_services flags S/SA keep state" and "pass in on $if proto udp from any
> to $ext_ip port $udp_services keep state"
>
> Your rule expects the traffic to come FROM $tcp_services but it is going TO
> those ports.
>
> You can omit the "flags S/SA keep state" and the "keep state" if you're
> using FreeBSD 7, it is added automatically.
>
> I would also suggest you use "block all log" instead of "block in log"
> and specify rules for your outgoing traffic too.
>
> Good luck
>
> Martin
>
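Editor's added example, not a ruleset posted by either Ivan or Martin: the same "block all, allow a few" policy written for the case the thread actually describes, a workstation that is a client of the listed services. It keeps the macro names and the address from the thread and assumes the host runs no public services of its own. The point it illustrates is Martin's: for an outbound connection the service port is the destination port, so the rule has to say "to ... port", and it has to be an "out" rule so that the initial SYN (the only packet the default "flags S/SA" accepts) creates a state entry; the server's replies, which carry the service port as source port and are never a bare SYN, are then admitted by that state rather than by a rule of their own.

```pf
# Added example, not the ruleset from the thread.  Client-side "block all,
# allow a few" pf.conf for FreeBSD 7.  Macros and address as in the thread;
# the assumption is that this host serves nothing to the network itself.
if           = "re0"
ext_ip       = "10.10.10.21"
tcp_services = "{ http, https, ssh, domain, 5190, 5222, ftp, 1025 }"
udp_services = "{ domain, 5190, 5222, ftp }"

# Default deny in both directions, logged, so anything unexpected shows up
# on pflog0 (Martin's "block all log" rather than "block in log").
block log all

# Outbound client connections.  The *destination* port is the service port;
# the local source port is ephemeral, so "from any port $tcp_services"
# would never match the packet that starts the connection.
# "flags S/SA keep state" is the default on FreeBSD 7, as Martin notes;
# it is written out so the intent is visible (and survives on older pf).
# The state created by the SYN admits the server's replies on the way
# back in, so no separate "pass in" rule is needed for them.
pass out log on $if proto tcp from $ext_ip to any port $tcp_services \
    flags S/SA keep state
pass out log on $if proto udp from $ext_ip to any port $udp_services \
    keep state

# Only if this host also *serves* one of these ports would an inbound rule
# be needed; that is the form Martin suggested, with the service port as
# destination and $ext_ip as destination address.  Example for sshd:
# pass in log on $if proto tcp from any to $ext_ip port ssh \
#     flags S/SA keep state
```

To check it, run `pfctl -nf /etc/pf.conf` for a syntax check, `pfctl -f /etc/pf.conf` to load it, `pfctl -sr` to see the rules as pf parsed them (the implicit "flags S/SA keep state" appears there), `pfctl -ss` to confirm a state entry exists for a connection, and `tcpdump -n -e -ttt -i pflog0` to see which rule number logged each packet. Two things about logging are worth knowing: "log" on a stateful rule records only the packet that created the state, so a pass rule shows one line per connection, not per packet ("log (all)" logs every packet of the state, spelled "log-all" on older pf); and the asymmetry in Ivan's log follows from the flags default. The UDP rule has no flag requirement, so a DNS reply with source port 53 matched "from any port $udp_services" and was logged, while a TCP segment arriving from port 5190 is a SYN+ACK or a data segment, fails "flags S/SA", and therefore never matched the TCP pass rule at all.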


More information about the freebsd-pf mailing list