Releasing all outgoing ports for a particular IP.

Gary Palmer gpalmer at freebsd.org
Thu Feb 14 20:04:40 UTC 2013


On Thu, Feb 14, 2013 at 06:06:22PM +0000, Lisa Muir wrote:
> Hi Guys,
> 
> Hope you might be able to help me with a query. Am a little past the
> newbie stage with pf, and moderately comfortable with it, but by no
> means a guru yet, finding my way.
> 
> Have one firewall which has a public interface with multiple IPs and
> 5 private lans with the usual private lan space IPs. The machine has
> been running fine for a year and a bit, and I have various port
> forwarding things going, internal redirection for dmz hosts being
> accessed from the lan, port forwarding for public ip aliases on the
> external interface. Two things have left me with questions, one is
> about UDP port forwarding which I got working but am not 100% happy
> with, and I'll come back to that in another thread, and today's one
> which is releasing all tcp ports for a particular IP which is in the
> "DMZ" vlan. In this case, the vlans are implemented at the switches,
> and a separate interface on the pf firewall links into each vlan, no
> kernel based vlan in operation.
> 
> As a rule, we restrict outgoing ports, we only allow out what we know
> about and approve, but we're putting in a CCTV transmitter into the
> DMZ which requires access to every tcp port for outgoing. Here is a
> cut down version of my pf.conf with the relevant data, starting with
> the definitions for interfaces, the host in question that I am testing
> with, and the ports:
> 
> #####################
> # Definitions
> #
> # interfaces
> 
> # Vlan1 is the switch management vlan
> vlan1_if = "em1"
> 
> # Vlan2 is the business vlan
> vlan2_if = "em2"
> 
> # Vlan3 is the topsec secretary vlan
> vlan3_if = "em3"
> 
> # Vlan4 is the "dmz"
> vlan4_if = "em4"
> 
> # Vlan5 is the domestic house vlan
> vlan5_if = "em5"
> 
> # Wlan is the wireless lan in the building
> wlan_if = "msk0"
> 
> # em0 is a direct cat-5 cable link to the wireless broadband kit for public internet
> ext_if = "em0"
> 
> # The em0_alias0 is a virtual interface for additional public ip
> stc_dvr_ext_if = "173.47.184.4"
> 
> tunnel_if = "gif0"
> vpn_if = "tun0"
> 
> # Host that we are testing our rules with
> emailserver = "10.168.3.99"
> 
> # Ports that we want to open for this host, all tcp going out
> all_ports = "{ 1:65535 }"
> 
> 
> 
> The lans 1, 2, 3 and wireless are restricted to only trafficking on
> ports such as 80, 443, 25, 587, 143 etc.
> 
> But I want my email server to go out on any port, so the following
> lines were added, which work:
> 
> 
> pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports
> pass out on $ext_if proto tcp from $ext_if to any port $all_ports
> 
> 
> 
> The first line of that is suitably restrictive, it only allows that
> one single host in the DMZ to traffic out on all tcp ports.
> 
> It's the next pass rule that bothers me. Because all lans nat through
> to the ext_if, this next line effectively opens up all ports to get
> out into the wild if any of them are accidentally opened to get into the
> gateway. I'd like to be able to restrict that particular pass rule to
> a single host.
> 
> Is that possible? Or do I just have to live with the fact that I have
> it restricted at the pass in stage?
> 
> When I get more info, I may be able to restrict the outgoing
> destination to a list of IPs rather than passing out to any, which
> will help tighten the rule up, but it seems a little unrestricted for
> my liking as is.

Hi Lisa,

I believe you should look at PF tags.  If you tag the traffic coming in with
the

pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports

rule, you should then be able to use that in your ext_if rule to ensure
only those packets are let out,

e.g.

pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports tag MAILSERVER
pass out quick on $ext_if tagged MAILSERVER

Regards,

Gary
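To show how the tag/tagged pair slots into a complete ruleset, here is an added example that is not part of Lisa's or Gary's messages. The interface macros and the DMZ host address are taken from the thread; the NAT rule, the default block, the "approved ports" list and the per-LAN pass rules are assumptions, since the original post only summarises them.

```pf
# Added example pf.conf, not the original poster's configuration.
# Macros from the thread; everything else is assumed for illustration.
ext_if      = "em0"
vlan2_if    = "em2"
vlan4_if    = "em4"
emailserver = "10.168.3.99"

# Ports the ordinary LANs may reach (assumed, trimmed list)
approved_ports = "{ 25, 80, 143, 443, 587 }"

# NAT every private LAN behind the public address (assumed; the thread
# only says "all lans nat through to the ext_if").
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# Default deny, so that only the pass rules below release anything.
block log all

# Ordinary LAN hosts: approved destination ports only, on the way in and
# again on the way out of the public interface.
pass in  on $vlan2_if proto tcp from $vlan2_if:network to any port $approved_ports
pass out on $ext_if   proto tcp from ($ext_if) to any port $approved_ports

# The DMZ host may open any TCP port. "to any" with no port clause already
# means every port, so "port 1:65535" is not needed. The tag is attached to
# the packet here and is still present when the same packet is evaluated
# against the outbound ruleset on $ext_if, after NAT has rewritten the source.
pass in on $vlan4_if proto tcp from $emailserver to any tag MAILSERVER

# Only tagged packets are released on all ports. There is deliberately no
# "pass out ... port 1:65535" rule any more: an untagged packet that reaches
# $ext_if through some accidentally opened rule still gets only the
# approved ports above.
pass out quick on $ext_if proto tcp tagged MAILSERVER
```

Two things worth checking before relying on this. First, run `pfctl -nf /etc/pf.conf` to parse the file without loading it, then `pfctl -f /etc/pf.conf` and `pfctl -sr` to confirm the loaded rules carry the `tag`/`tagged` keywords. Second, pf tags are sticky: once the `pass in` rule above has tagged a packet, a later matching `pass in` rule without a `tag` clause does not remove it (though another rule with its own `tag` would replace it), so the tag survives even if the DMZ rule is not the last match. Only the first packet of a connection is evaluated against the rules; replies are handled by the state the `pass in` rule created.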

