Why this rule doesn't score a match?

FreeBSD freebsd at optiksecurite.com
Wed Jul 23 18:44:33 UTC 2008


Ivan Petrushev wrote:
> Hello,
> I'm trying very simple 'block all, allow a few' firewall, but
> something doesn't seem right.
> As far as I remember 'the right matched rule' is taken and executed -
> this doesn't seem to be working here.
> Here is my firewall:
> #####################
> #macros
> if = "re0"
> ext_ip = "10.10.10.21"
> tcp_services = "{http, https, ssh, domain, 5190, 5222, ftp, 1025}"
> udp_services = "{domain, 5190, 5222, ftp}"
>
> #filter
> block in log on $if
> pass on $if proto tcp from any port $tcp_services
> pass on $if proto udp from any port $udp_services
> ####################
> The point here is that if a packet for one of the listed services is
> matched against the rules, it will match the block rule, but after
> that will match one of the last two and get passed. Instead it gets
> blocked and I see it in the log:
> tcpdump -n -i pflog0
> 19:54:57.657194 IP 64.12.161.185.5190 > 10.10.10.21.54111:  tcp 24
> [bad hdr length 0 - too short, < 20]
> (there are many of these, including on the other ports)
>
> Now, there is something different. I tried removing the block rule,
> and added logging for the 'pass' rules. In that case a packet
> traveling down the rules should match only on the 'pass' rules and get
> logged.
> ####################
> #filter
> #block in log on $if
> pass log on $if proto tcp from any port $tcp_services
> pass log on $if proto udp from any port $udp_services
> ####################
>
> Well, it doesn't get logged. The only thing I see in the log is:
> 20:12:53.185368 IP 10.10.10.1.53 > 10.10.10.21.60918: [|domain]
> And more DNS requests. There is nothing from 5190 (ICQ) or 5222 (Gtalk) or 80...
>
> What could be wrong here? It is a fairly simple ruleset.
>   
You should try "pass in on $if proto tcp from any to $ext_ip port 
$tcp_services flags S/SA keep state" and "pass in on $if proto udp from 
any to $ext_ip port $udp_services keep state"

Your rule expects the traffic to come FROM $tcp_services but it is going 
TO those ports.

You can omit the "flags S/SA keep state" and the "keep state" if you're 
using FreeBSD 7, it is added automatically.

I would also suggest using "block all log" instead of "block in 
log" and specifying rules for your outgoing traffic too.

Good luck

Martin
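For reference, here is a complete pf.conf built the way Martin describes, with the posted rules kept alongside (commented out) for comparison. This is an added example, not Ivan's or Martin's own file; it assumes the same interface and address as the post (re0 / 10.10.10.21) and the same service lists.

```pf
# Added example (not from the original thread): the ruleset as Martin
# describes it, with the posted rules shown alongside for comparison.
# Assumes the same interface and address as the post: re0 / 10.10.10.21.

# macros
if = "re0"
ext_ip = "10.10.10.21"
tcp_services = "{ http, https, ssh, domain, 5190, 5222, ftp, 1025 }"
udp_services = "{ domain, 5190, 5222, ftp }"

# Posted rules, kept here commented out. "from any port $tcp_services"
# matches packets whose SOURCE port is one of the services, i.e. the
# remote end of a connection, not traffic arriving at the local services.
#block in log on $if
#pass on $if proto tcp from any port $tcp_services
#pass on $if proto udp from any port $udp_services

# Default deny in both directions, logged. pf keeps evaluating after a
# match, so the last matching rule decides; the pass rules below must
# therefore come after this one.
block log all

# Inbound: match on the DESTINATION port of the local host. "keep state"
# lets the rest of the connection (including replies going out) through
# on the state entry rather than needing a separate rule. "flags S/SA"
# creates TCP state only from the initial SYN. Both are written out
# explicitly here; on FreeBSD 7 they are the default for pass rules.
pass in on $if proto tcp from any to $ext_ip port $tcp_services flags S/SA keep state
pass in on $if proto udp from any to $ext_ip port $udp_services keep state

# Outbound: let the host originate connections (ICQ, Gtalk, HTTP, DNS as
# a client); the state entries carry the replies back in past "block all".
pass out on $if proto tcp from $ext_ip to any flags S/SA keep state
pass out on $if proto { udp, icmp } from $ext_ip to any keep state
```

To check which rule is actually matching a logged packet, run `pfctl -nf /etc/pf.conf` first (parse without loading), then `pfctl -vvsr` to list the loaded rules with their numbers, and read pflog with `tcpdump -n -e -ttt -i pflog0`: the `-e` flag prints the rule number and action (`rule 0/0(match): block in on re0: ...`) in front of each entry, which answers the "which rule scored the match" question directly.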

