freebsd 10.3, pf, and openvpn

David Mehler dave.mehler at gmail.com
Thu Apr 20 02:01:26 UTC 2017


Hello,

I commented out the rules indicated and still nothing.

Thanks.
DAve.

On 4/19/17, Ultima <ultima1252 at gmail.com> wrote:
> I forgot to mention, make sure the ext_gateway variable changed to the
> correct gateway.
>
> On Wed, Apr 19, 2017 at 8:24 PM, Ultima <ultima1252 at gmail.com> wrote:
>
>> I keep looking at the rules and finally decided to rewrite some of them.
>> This may not fix the issue you are having with openvpn tho. The issue with
>> that is most likely the passing out rules. This rule is kinda written weird
>> and I suggest just removing it and passing everything out and verifying if
>> that is the cause. The problem is many connections that the host will open
>> is opened at the high end ports, I believe it was around 40000:65535. I
>> could be wrong tho and hope someone corrects my errors if so.
>>
>> > # Pass out only the desired ports from host and jails
>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>
>> If ur still having issues with openvpn, with this ruleset, then first, try
>> changing the block all rule to block on ext_if. This will determine if a
>> pass rule internally is the cause.
>>
>> > block all
>> block on $ext_if all
>>
>> Going to CC freebsd-pf at freebsd.org I hope this helps
>>
>> Ultima
>>
>>
>> #
>> # Required order: macros, options, normalization, queueing,
>> # translation, filtering.
>> # Note: translation rules are first match while filter rules are last match.
>>
>> # Macros
>> ext_if="vtnet0"
>> ext_gateway="10.0.0.1"
>> int_if = "lo1"
>> vpn_if = "tun0"
>> jailnet = "10.0.0.0/8"
>> vpnnet="10.8.0.0/8"
>> icmp_types="{echoreq, unreach}"
>> #IPV6 ICMP types:
>> # packet too big and echo request type ping
>> # Neighbor Discovery Protocol (NDP) (types 133-137):
>> #   Router Solicitation (RS), Router Advertisement (RA)
>> #   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>> #   Route Redirection
>> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
>> tcpstate="flags S/SA modulate state"
>> udpstate="keep state"
>>
>> # allowed traffic
>> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, 500, 50, 51}"
>>
>> # Name and IP of jails
>> webmail="10.0.0.15"
>> # Name and IP of jailed ssh servers
>> jssh1="10.0.0.15"
>> jssh2="10.0.0.16"
>> jssh3="10.0.0.17"
>> jssh4="10.0.0.18"
>> jssh1_tcp="2220"
>> jssh2_tcp="2221"
>> jssh3_tcp="2222"
>> jssh4_tcp="2223"
>> # The Asterisk Server
>> asterisk="10.0.0.17"
>> asterisk_tcp="5060:5061"
>> asterisk_udp="5060, 10000:10500"
>> # The vpn server
>> vpn="10.8.0.1"
>>
>> # Options
>> # block-policy can be either drop or return
>> set block-policy drop
>> set optimization conservative
>> set skip on lo0
>>
>> # Normalization
>> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>> # firewall. Set random-id to help same.
>> # Set mss to ATM network frame size for easy splitting upstream.
>> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>>
>> # NAT
>> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>> nat on $ext_if from $vpnnet to any -> ($ext_if)
>>
>> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
>> # External redirect & reflect for internal hosts
>> # Note, the -> $ip port $port is only required for port triggering.
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh1_tcp } tag jssh1 -> $jssh1
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh2_tcp } tag jssh2 -> $jssh2
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh3_tcp } tag jssh3 -> $jssh3
>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh4_tcp } tag jssh4 -> $jssh4
>>
>> # Redirect traffic to the vpn server
>> # External redirect
>> rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn
>>
>> # Redirect traffic to the asterisk server
>> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>> # RTSP ports 10000 to 10500
>> rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag asterisk_udp -> $asterisk
>> rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag asterisk_tcp -> $asterisk
>>
>> # Tables
>> table <bruteforce> persist file "/etc/pf/bruteforce"
>> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
>> table <fail2ban> persist file "/etc/pf/fail2ban"
>> table <martians> persist file "/etc/pf/martians"
>> # The ZeuS blocklist of c&c servers
>> table <ZeuS> persist file "/etc/pf/ZeuS"
>> # The malwaredomain ip block list
>> table <malwaredomain> persist file "/etc/pf/malwaredomain"
>> # Table of selected country IP addresses
>> table <blocked_countries> persist file "/etc/pf/blocked_countries"
>> # Table of apache mod_evasive blocks
>> table <evasive> persist file "/etc/pf/evasive"
>>
>> antispoof for { $ext_if, $int_if }
>>
>> # Start by blocking by default
>> block all
>>
>> # Block anything in the blocked_countries table first
>> block in quick from <blocked_countries>
>>
>> # Block nmap scans
>> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>>
>> # Explicitly block unroutable addresses
>> block drop in quick on $ext_if from <martians> to any
>> block drop out quick on $ext_if from any to <martians>
>>
>> # Explicitly block anything in the bruteforce table
>> block in quick from <bruteforce>
>>
>> # Explicitly block anything in the fail2ban table
>> block in quick from <fail2ban>
>>
>> # Explicitly block anything in the droplasso table
>> block in quick from <droplasso>
>>
>> # Explicitly block anything in the ZeuS table
>> block in quick from <ZeuS>
>>
>> # Explicitly block anything in the malwaredomain table
>> block in quick from <malwaredomain>
>>
>> # Block anything in the evasive table
>> block in quick from <evasive>
>>
>> # allow ping and host unreach
>> pass inet proto icmp icmp-type $icmp_types keep state
>>
>> # Traceroute
>> # allow out the default range for traceroute(8):
>> # "base+nhops*nqueries-1" (33434+64*3-1)
>> pass inet proto udp to port 33433:33626 # For IPv4
>>
>> # Pass out only the desired ports from host and jails
>> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>
>> # Allow ssh connections in from the internet
>> pass in inet proto tcp from any to ($ext_if) port ssh \
>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> # Pass in ssh traffic to the jails
>> # pass rules for nat redirect
>> # "tagged" accepts a single tag, so there is one rule per jail tag
>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh1 \
>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh2 \
>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh3 \
>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh4 \
>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>> pass in on $int_if inet proto tcp tagged jssh1 flags S/SA keep state
>> pass in on $int_if inet proto tcp tagged jssh2 flags S/SA keep state
>> pass in on $int_if inet proto tcp tagged jssh3 flags S/SA keep state
>> pass in on $int_if inet proto tcp tagged jssh4 flags S/SA keep state
>>
>> # Pass traffic to the vpn
>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } tagged vpn $udpstate
>> pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
>> pass out on tun0 keep state
>> #pass quick on tun0 all keep state
>>
>> # Pass in smtp, http, https, submission, imaps traffic from the internet
>> pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \
>>     flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>
>> # pass traffic from the asterisk server
>> pass inet proto tcp tagged asterisk_tcp keep state
>> pass inet proto udp tagged asterisk_udp keep state
>>
>> On Wed, Apr 19, 2017 at 11:06 AM, David Mehler <dave.mehler at gmail.com> wrote:
>>
>>> Hi,
>>>
>>> Thanks. Still no go on the vpn. In answer to your questions:
>>>
>>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>>> > $tcp_services $tcpstate
>>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port
>>> > $udp_services $udpstate
>>>
>>> I've got only a selected list of ports that I want in or out,
>>> everything else should be blocked.
>>>
>>> I tried commenting out the pass quick on tun0 all and replaced it with
>>> set skip on tun0 no joy.
>>>
>>> I took out the second nat line on the vpnnet as of now I'm wanting to
>>> keep the jailnet and the vpnnet ranges the same, though if this issue
>>> doesn't soon resolve I might change that idea.
>>>
>>>
>>> > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>> > (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>
>>>
>>> What I wanted to achieve with this was nat reflection, external
>>> connections to these hosts worked fine on the desired ports, but on
>>> the host itself if I tried to do an ssh to one of my jails port 2220
>>> it failed, these rules corrected that.
>>>
>>> Right now I'll settle for working.
>>>
>>> Thanks.
>>> Dave.
>>>
>>> On 4/19/17, Ultima <ultima1252 at gmail.com> wrote:
>>> > After a full look, I suspect this being a problem entry.
>>> >
>>> >> # Pass out only the desired ports from host and jails
>>> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port
>>> >> $tcp_services $tcpstate
>>> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port
>>> >> $udp_services $udpstate
>>> >
>>> > Try commenting them and adding pass out all or pass inet proto { tcp,
>>> > udp } any and see if that works.
>>> >
>>> >
>>> >> pass quick on tun0 all keep state
>>> > This is another problem area, but probably not the cause. The quick is
>>> > probably not handled as you are expecting. Pf reads the filtering rules in
>>> > priority from bottom to top bottom being highest priority to top being
>>> > lowest priority. When quick is added, this is more or less reversed for the
>>> > rule and because it's near the bottom it has a lower priority. In general
>>> > the "quick" directive can make pf very confusing and a ruleset harder to
>>> > read so other than the top blocking entries with quick, I suggest never
>>> > using it, or use it for all filters and make it simple the opposite way.
>>> >
>>> >
>>> >> jailnet = "10.0.0.0/8"
>>> >> vpnnet="10.8.0.0/8"
>>> > One thing I noticed is that the subnet chosen is an /8 subnet. Because of
>>> > this, the entire 10.* address space applies to jailnet making all jailnet +
>>> > vpnnet entries redundant. This also allows all addresses to communicate, at
>>> > least if pf isn't filtering them. Usually segmenting the subnet is desired
>>> > to limit communication between them.
>>> >
>>> >> pass quick on lo0 all
>>> > Why not just skip on lo0?
>>> >
>>> >
>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>> >> (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>> > Why do these nearly duplicate rules exist?
>>> >
>>> >
>>> > Optimizing pf is fun, but one thing that is important to remember is the
>>> > more rules added, the more cycles used per packet. This is typically not
>>> > noticed on small deployments but it can become a huge issue if grown.
>>> >
>>> > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler <dave.mehler at gmail.com> wrote:
>>> >
>>> >> Hello Ultima,
>>> >>
>>> >> Thank you for your reply. Thanks for the information, I'm liking the
>>> >> new way the rules are looking. Unfortunately, still no go on the vpn.
>>> >> Everything else is working, just not the vpn.
>>> >>
>>> >> Thanks.
>>> >> Dave.
>>> >> PS, here's my rules as they stand now.
>>> >>
>>> >> pf.conf:
>>> >> #
>>> >> # Required order: macros, options, normalization, queueing,
>>> >> # translation, filtering.
>>> >> # Note: translation rules are first match while filter rules are last match.
>>> >>
>>> >> # Macros
>>> >> ext_if="vtnet0"
>>> >> int_if = "lo1"
>>> >> vpn_if = "tun0"
>>> >> jailnet = "10.0.0.0/8"
>>> >> vpnnet="10.8.0.0/8"
>>> >> icmp_types="{echoreq, unreach}"
>>> >> #IPV6 ICMP types:
>>> >> # packet too big and echo request type ping
>>> >> # Neighbor Discovery Protocol (NDP) (types 133-137):
>>> >> #   Router Solicitation (RS), Router Advertisement (RA)
>>> >> #   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>>> >> #   Route Redirection
>>> >> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>>> >> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
>>> >> tcpstate ="flags S/SA modulate state"
>>> >> udpstate ="keep state"
>>> >> voipports = "{5060, 5061, 10000:10500}"
>>> >>
>>> >> # allowed traffic
>>> >> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>>> >> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, 4500, 500, 50, 51}"
>>> >>
>>> >> # Name and IP of jails
>>> >> webmail="10.0.0.15"
>>> >> # Name and IP of jailed ssh servers
>>> >> jssh1="10.0.0.15"
>>> >> jssh2="10.0.0.16"
>>> >> jssh3="10.0.0.17"
>>> >> jssh4="10.0.0.18"
>>> >> # The Asterisk Server
>>> >> asterisk="10.0.0.17"
>>> >> # The vpn server
>>> >> vpn="10.8.0.1"
>>> >>
>>> >> # Options
>>> >> # block-policy can be either drop or return
>>> >> set block-policy drop
>>> >> set optimization conservative
>>> >> set skip on tun0
>>> >>
>>> >> # Normalization
>>> >> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>>> >> # firewall. Set random-id to help same.
>>> >> # Set mss to ATM network frame size for easy splitting upstream.
>>> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>>> >>
>>> >> # NAT
>>> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>>> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
>>> >>
>>> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers
>>> >> # External redirect
>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
>>> >> # reflect for internal hosts
>>> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
>>> >>
>>> >> # External redirect
>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
>>> >> # reflect for internal hosts
>>> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
>>> >>
>>> >> # External redirect
>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
>>> >> # reflect for internal hosts
>>> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
>>> >>
>>> >> # External redirect
>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
>>> >> # reflect for internal hosts
>>> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223
>>> >>
>>> >> # Redirect traffic to the vpn server
>>> >> # External redirect
>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port 1194
>>> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn port 1194
>>> >> # reflect for internal hosts
>>> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
>>> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn port 1194
>>> >>
>>> >> # Redirect traffic to the asterisk server
>>> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> $asterisk port 5060
>>> >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
>>> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port 5061
>>> >> # RTSP ports 10000 to 10500
>>> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk port 10000:10500
>>> >>
>>> >> # Tables
>>> >> table <bruteforce> persist file "/etc/pf/bruteforce"
>>> >> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
>>> >> table <fail2ban> persist file "/etc/pf/fail2ban"
>>> >> table <martians> persist file "/etc/pf/martians"
>>> >> # The ZeuS blocklist of c&c servers
>>> >> table <ZeuS> persist file "/etc/pf/ZeuS"
>>> >> # The malwaredomain ip block list
>>> >> table <malwaredomain> persist file "/etc/pf/malwaredomain"
>>> >> # Table of selected country IP addresses
>>> >> table <blocked_countries> persist file "/etc/pf/blocked_countries"
>>> >> # Table of apache mod_evasive blocks
>>> >> table <evasive> persist file "/etc/pf/evasive"
>>> >>
>>> >> # for the spamd greylist/blacklist service
>>> >> # (not related to spamassassin's spamd daemon)
>>> >> #table <spamd> persist
>>> >> #table <spamd-white> persist
>>> >>
>>> >> antispoof for $ext_if
>>> >> antispoof for $int_if
>>> >>
>>> >> # Start by blocking by default
>>> >> block all
>>> >>
>>> >> # Block anything in the blocked_countries table first
>>> >> block in quick from <blocked_countries>
>>> >>
>>> >> # Block nmap scans
>>> >> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>>> >>
>>> >> # Explicitly block unroutable addresses
>>> >> block drop in quick on $ext_if from <martians> to any
>>> >> block drop out quick on $ext_if from any to <martians>
>>> >>
>>> >> # Explicitly block anything in the bruteforce table
>>> >> block in quick from <bruteforce>
>>> >>
>>> >> # Explicitly block anything in the fail2ban table
>>> >> block in quick from <fail2ban>
>>> >>
>>> >> # Explicitly block anything in the droplasso table
>>> >> block in quick from <droplasso>
>>> >>
>>> >> # Explicitly block anything in the ZeuS table
>>> >> block in quick from <ZeuS>
>>> >>
>>> >> # Explicitly block anything in the malwaredomain table
>>> >> block in quick from <malwaredomain>
>>> >>
>>> >> # Block anything in the evasive table
>>> >> block in quick from <evasive>
>>> >>
>>> >> # pass everything on the loopback interface
>>> >> pass quick on lo0 all
>>> >>
>>> >> # allow ping and host unreach
>>> >> pass inet proto icmp icmp-type $icmp_types keep state
>>> >>
>>> >> # Traceroute
>>> >> # allow out the default range for traceroute(8):
>>> >> # "base+nhops*nqueries-1" (33434+64*3-1)
>>> >> pass inet proto udp to port 33433:33626 # For IPv4
>>> >>
>>> >> # Pass out only the desired ports from host and jails
>>> >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services $tcpstate
>>> >> pass inet proto udp from { self, $jailnet } to port $udp_services $udpstate
>>> >>
>>> >> # Allow ssh connections in from the internet
>>> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >> # Pass in ssh traffic to the jails
>>> >> # pass rules for nat redirect
>>> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
>>> >>
>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>> >>
>>> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
>>> >>
>>> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
>>> >>
>>> >> # Pass traffic to the vpn
>>> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
>>> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
>>> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
>>> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate
>>> >>
>>> >> # Pass in http traffic from the internet
>>> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >>
>>> >> # Pass in https traffic from the internet
>>> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >>
>>> >> # Pass in smtp traffic from the internet
>>> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >>
>>> >> # Pass in submission traffic from the internet
>>> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >>
>>> >> # Pass in imaps traffic from the internet
>>> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> >>
>>> >> # pass traffic from the asterisk server
>>> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state
>>> >>
>>> >>
>>> >> On 4/18/17, Ultima <ultima1252 at gmail.com> wrote:
>>> >> > I didn't have time to read and look through this entire post, but I
>>> >> > think I know the issue you're running into and this suggestion should
>>> >> > push you in the right direction.
>>> >> >
>>> >> > this rule for example,
>>> >> >
>>> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
>>> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>>> >> > # reflect for internal hosts
>>> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
>>> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>>> >> >
>>> >> > This is probably not giving you the results you desire. Basically because
>>> >> > no from or to ip is specified ALL and I quite literally mean ALL packets
>>> >> > using port 1194 are being sent to $vpn port 1194. Usually you want to make
>>> >> > it something like,
>>> >> >
>>> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
>>> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194
>>> >> >
>>> >> > Now the traffic will be passed only when the packet is going to the host,
>>> >> > not all traffic on a specific port. Another thing you may want to do is
>>> >> > combine many of these rules you have.
>>> >> >
>>> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
>>> >> >
>>> >> > Also note the above, because we are specifying any for from, we can
>>> >> > remove the from rule entirely and make it shorter.
>>> >> >
>>> >> > Hope this helps
>>> >> >
>>> >> > Ultima
>>> >> >
>>> >>
>>> >
>>>
>>
>>
>
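Added example, not part of the thread and not pf's own code: a small Python model of the two pf behaviours argued over above. First, pf evaluates filter rules top to bottom and the last matching rule decides the packet, except that a matching rule carrying "quick" ends evaluation on the spot; with no match at all the default is pass. Second, pf masks off the host bits of a network spec, so the macros jailnet = 10.0.0.0/8 and vpnnet = 10.8.0.0/8 name the same network, which is why the two ranges cannot be told apart in any rule. The ruleset below is constructed to resemble Dave's (default block, a quick block for the <bruteforce> table, selective pass rules, a pass on tun0 at the bottom); the rule labels, the 192.0.2.0/24 stand-in for the table, and the sample packets are all constructed for the example. The evaluator is general: it takes any list of rules, not just the thread's.

```python
"""Toy model of pf filter-rule evaluation and pf network-spec normalization.

Constructed for this thread; it is not pf code. Semantics modelled:
  - rules are walked top to bottom, the LAST matching rule decides,
  - a matching rule with 'quick' stops the walk immediately,
  - no matching rule at all means pass (pf's default),
  - "10.8.0.0/8" denotes 10.0.0.0/8 because host bits are masked off.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Macros as written in the thread's pf.conf (both /8).
MACROS = {"jailnet": "10.0.0.0/8", "vpnnet": "10.8.0.0/8"}


def normalize(cidr: str) -> ipaddress.IPv4Network:
    """Mask off host bits the way pf does: "10.8.0.0/8" -> 10.0.0.0/8."""
    return ipaddress.ip_network(cidr, strict=False)


def overlapping_macros(macros: dict) -> list:
    """Return (name, name) pairs whose networks overlap after normalization."""
    nets = {name: normalize(cidr) for name, cidr in macros.items()}
    names = list(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


@dataclass
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp", "udp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None      # None matches any interface
    proto: Optional[str] = None      # None matches any protocol
    src: Optional[str] = None        # CIDR; None means "from any"
    dst: Optional[str] = None        # CIDR; None means "to any"
    dports: frozenset = frozenset()  # empty means any destination port
    label: str = ""                  # constructed label for readable results

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.src and ipaddress.ip_address(p.src) not in normalize(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in normalize(self.dst):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Return (action, label) of the rule that decides pkt."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule        # later matches override earlier ones...
            if rule.quick:
                break            # ...unless the match is quick: stop here
    return (winner.action, winner.label) if winner else ("pass", "default")


# Constructed ruleset shaped like the thread's. 192.0.2.0/24 stands in for
# the <bruteforce> table; the port sets are a subset of the thread's macros.
TCP_SERVICES = frozenset({22, 25, 80, 443, 587, 993})
UDP_SERVICES = frozenset({53, 123, 500, 1194, 4500})
RULES = [
    Rule("block", label="block-all"),                                   # block all
    Rule("block", quick=True, direction="in", src="192.0.2.0/24", label="bruteforce"),
    Rule("pass", proto="tcp", src="10.0.0.0/8", dports=TCP_SERVICES, label="tcp-services"),
    Rule("pass", proto="udp", src="10.0.0.0/8", dports=UDP_SERVICES, label="udp-services"),
    Rule("pass", direction="in", iface="vtnet0", proto="tcp", dports=frozenset({22}), label="ssh-in"),
    Rule("pass", iface="tun0", label="tun0-pass"),                      # pass on tun0 (last)
]

if __name__ == "__main__":
    print("overlapping macros:", overlapping_macros(MACROS))
    for pkt in (Packet("in", "vtnet0", "tcp", "192.0.2.7", "198.51.100.10", 22),
                Packet("in", "vtnet0", "tcp", "203.0.113.5", "198.51.100.10", 22),
                Packet("out", "vtnet0", "udp", "10.0.0.15", "198.51.100.53", 40000),
                Packet("out", "tun0", "udp", "10.8.0.1", "10.8.0.6", 40000)):
        print(pkt, "->", evaluate(RULES, pkt))
```

Two things the run makes visible that the prose above argues about: the inbound ssh connection from the bruteforce range is decided by the early quick block even though a pass rule for ssh matches later, while an inbound ssh connection from anywhere else is decided by that later pass rule because the last match wins; and a jail's outbound UDP to a port outside the udp_services set falls through to "block all", which is the kind of selective pass-out rule Ultima suggested removing while testing. The overlap check reports jailnet and vpnnet as the same network, so the "to port" part of the jail rules is the only thing distinguishing jail and VPN traffic in such a ruleset.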

