Issue with PF on FreeBSD 6.2.5?

Gilberto Villani Brito linux at giboia.org
Thu Jul 5 13:12:03 UTC 2007


On 05/07/07, Laurent LEVIER <llevier at argosnet.com> wrote:
> Hi All,
>
> I am currently setting up a ChilliSpot server using the conup/condown command.
> Since the LAN will also be publicly available, I am using Chilli as UAM.
>
> These con* scripts are launched with additional arguments (IP
> address, device) when a user is authenticated on the HotSpot.
> This way, I can update firewall rules dynamically to allow the
> authenticated user to pass... or to no longer pass when the session is over.
>
> Apparently, the best way to solve this with pf is to use tables, since an
> anchor allows adding a rule, but not deleting the added rule (at
> least I did not find how to).
>
> But it seems it does not fully work for me.
> If you read at my pf.conf file at the end of this email, you will see
> I created a table "public_granted" that is associated with 2 rules:
> 1) a rdr to redirect to Squid transparently (rule is before the one
> redirecting transparently to Chilli authentication server)
> 2) a pass in quick rule to allow new user to pass through.
>
> The problem I have is:
> - When the public_granted table is updated with a new IP address, pf
> lets the user pass through.
> - But when I delete this @IP from the table, pf keeps allowing the
> user to pass through.
>
> I appreciate any advice to help me solve this weird situation.
>
> Thanks in advance
>
> My pf.conf:
> ### Options
> # pf configuration
> set block-policy return
> set state-policy if-bound
>
> # localhost
> set skip on lo0
>
> ### Declarations
> # Interface declaration
> if_ext="nve0" # Internet Interface
> if_int="bge0" # Public access Interface
> if_wifi="tun0" # WiFi Hotspot Interface
>
> # Subnets declaration
> net_public= "192.168.254.0/24"
> net_wifi_admin="192.168.253.252/30"
>
> # IP declaration
> ip_ext_me="192.168.0.100"
> ip_wifi_me="192.168.254.1"
> ip_wifi_admin_me="192.168.253.253"
> ip_hotspot="192.168.253.254"
>
> ### Tables!
> table <public_granted>
>
> ### Redirections
> # Squid redirection for authenticated users on Public
> rdr on $if_int proto tcp from <public_granted> to 0.0.0.0/0 port 80 -> localhost port 8080
> rdr on $if_wifi proto tcp from <public_granted> to 0.0.0.0/0 port 80 -> localhost port 8080
> #  Authentication portal for Public
> rdr on $if_int proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990
> rdr on $if_wifi proto tcp from $net_public to any port 80 -> $ip_wifi_me port 3990
>
> ### NAT
> # Public to me on Internet side
> nat on $if_ext from $net_public to any -> $ip_ext_me
>
> ### Filtering
> # Hotspot is a typical network client
> pass out quick from any to any keep state
>
> # Who can admin me?
> pass in log quick on $if_ext proto tcp from any to $ip_ext_me port = 22
>
> ## Logs from Public access side
> # Syslog from access point sent to me
> pass in log quick on $if_int proto udp from $ip_hotspot to $ip_wifi_admin_me port = 514
>
> # DHCP
> pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 67
> pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 68
>
> # DNS for Public
> pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 53
> pass in log quick on $if_int proto udp from $net_public to $ip_wifi_me port = 53
> # DNS for WiFi
> pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 53
> pass in log quick on $if_wifi proto udp from $net_public to $ip_wifi_me port = 53
>
> # Authentication portal for Public
> pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 3990
> pass in log quick on $if_int proto tcp from $net_public to $ip_wifi_me port = 443
> # Authentication portal for Wifi
> pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 3990
> pass in log quick on $if_wifi proto tcp from $net_public to $ip_wifi_me port = 443
>
> # Ping is granted to authenticated users (public_granted table)
> pass in log quick on $if_wifi proto icmp from <public_granted> to $ip_wifi_me keep state
>
> # Closing rule for Public & WiFi
> block in log quick from any to $ip_wifi_me
> block in log quick from any to $ip_wifi_admin_me
>
> ## HotSpot LAN configuration
> # Table public_granted: contains granted users on Radius
> pass in log quick on $if_int from <public_granted> to any keep state
> pass in log quick on $if_wifi from <public_granted> to any keep state
>
> # Finally block & log everything
> block in log from any to any
>
> Laurent LEVIER
> Systems & Networks Senior Security Expert, CISSP CISM
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
>

Hi Laurent,
I have the same problem, but this is because PF works with sessions;
at the end of a session it will block the next session.


-- 
Gilberto Villani Brito
System Administrator
Londrina - PR
Brazil
gilbertovb(a)gmail.com
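The behaviour both posters describe follows from pf's stateful matching: the `pass in quick ... from <public_granted> ... keep state` rules create a state entry for each connection, and subsequent packets of that connection match the state entry, not the rules. Removing an address from the table therefore only stops new connections; established sessions keep passing until their states expire. A condown hook that revokes access has to flush the client's states as well as delete the table entry. The following helper is an added example for this page, not code from either poster or from ChilliSpot: the table name public_granted is taken from Laurent's pf.conf, while the `up|down <ip>` calling convention and the PFCTL override (for a dry run on a machine without pf) are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not code from either poster or from ChilliSpot.
# A conup/condown-style helper for the <public_granted> table from Laurent's
# pf.conf. Revoking a client must do two things: remove the address from the
# table (stops NEW connections matching the "from <public_granted>" rules) and
# kill the client's existing state entries (otherwise established sessions
# keep matching their state, not the rules, until they time out).
#
# Assumptions (not from the original posts): the script is called as
# "up <ip>" or "down <ip>", and PFCTL can be overridden (e.g. PFCTL=echo)
# for a dry run on a machine without pf.

PFCTL="${PFCTL:-pfctl}"
TABLE="${TABLE:-public_granted}"

# Accept only a plain dotted-quad IPv4 address; anything else is rejected so
# a malformed argument can never turn into an unintended pfctl command.
valid_ipv4() {
    ip=$1
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Grant: add the client to the table. New connections from it now match the
# "pass in quick ... from <public_granted>" and Squid rdr rules.
grant_client() {
    valid_ipv4 "$1" || { echo "grant_client: bad address '$1'" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T add "$1"
}

# Revoke: remove from the table, then flush states in both directions.
#   pfctl -k <ip>              kills states whose source is <ip>
#   pfctl -k 0.0.0.0/0 -k <ip> kills states from anywhere to <ip>
revoke_client() {
    valid_ipv4 "$1" || { echo "revoke_client: bad address '$1'" >&2; return 2; }
    "$PFCTL" -t "$TABLE" -T delete "$1" || return 1
    "$PFCTL" -k "$1" || return 1
    "$PFCTL" -k 0.0.0.0/0 -k "$1"
}

# Entry point (assumed calling convention): sh grant.sh up|down <ip>
case "${1:-}" in
    up)   grant_client "$2" ;;
    down) revoke_client "$2" ;;
esac
```

Run it as `sh grant.sh down 192.168.254.10` (a constructed address) from the condown hook; with `PFCTL=echo` it prints the three pfctl invocations instead of executing them, which is a convenient way to check what the hook would do before installing it. The second `-k` form is needed because the client's inbound and rdr'd flows may have states whose source is the remote side.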

