freebsd 10.3, pf, and openvpn

David Mehler dave.mehler at gmail.com
Sat Apr 22 18:35:16 UTC 2017


Hello,

First of all my thanks to everyone who has been helping me with my
FreeBSD, pf, and Openvpn issue over the past few days. It is much
appreciated.

The good news is I have it, FreeBSD, pf, and OpenVPN with the external
Windows client, now working, that is, I can connect. I can ping the
192.168.0.1 VPN server address, as well as from server to client. I
haven't done much else, but it is working.

The bad news is I have it by accident; I'm not sure how or why it is
working. I don't think it should be. Below I've placed the relevant
portions of my before (non-working) and after (working) pf
configuration files. In the working configuration there are no rdr
lines; shouldn't there be?

Non-working pf configuration:
ext_if="vtnet0"
vpn_if = "tun0"
vpnnet="192.168.0.0/24"
udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441}" # This line is required for dns; removing the 1194 from this line did not affect the outcome
vpn="192.168.0.1"
set skip on tun0
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble # Are these values correct?
nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
rdr on $ext_if inet proto udp to $ext_if port 1194 -> $vpn port 1194
pass inet proto tcp from { self, $jailnet, $vpnnet } to any port $tcp_services $tcpstate
pass inet proto udp from { self, $jailnet, $vpnnet } to port $udp_services $udpstate
# Pass traffic to the vpn
pass inet proto { tcp, udp } to $vpn port 1194 $udpstate

Working pf configuration:
ext_if="vtnet0"
vpn_if = "tun0"
vpnnet="192.168.0.0/24"
vpn="192.168.0.1"
set skip on tun0
scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
nat on $ext_if inet from $vpnnet to any -> $ext_if
# Pass traffic to the vpn
pass in quick on $ext_if proto udp from any to $ext_if port 1194 keep state

I'm wondering why my second config works. Are my scrub values right?
Here's my server's network device configuration:

vtnet0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
	options=6c07bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,VLAN_HWTSO,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
	ether EthernetAddress
	inet6 fe80::f03c:91ff:fedf:6fc%vtnet0 prefixlen 64 scopeid 0x1
	inet6 inet6Address autoconf
	inet xxx.xxx.xxx.xxx netmask 0xffffff00 broadcast xxx.xxx.xxx.255
	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
	media: Ethernet 10Gbase-T <full-duplex>
	status: active
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1500
	options=80000<LINKSTATE>
	inet6 fe80::6424:fcc1:8d67:8fc6%tun0 prefixlen 64 scopeid 0x4
	inet 192.168.0.1 --> 192.168.0.2 netmask 0xffffff00
	nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
	Opened by PID 81855
pflog0: flags=141<UP,RUNNING,PROMISC> metric 0 mtu 33160

I'm also curious as to whether my TLS configuration is correct, using
the most secure ciphers and protocols and PFS for both the control and
data channels. Do I also need to uncomment the lz4 lines? Here are the
relevant portions of my client and server configs:

server configuration:
local xxx.xxx.xxx.xxx
port 1194
proto udp4
dev tun0
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key /usr/local/etc/openvpn/keys/openvpn-server.key  # This file should be kept secret
dh /usr/local/etc/openvpn/keys/dh.pem
topology subnet
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
# Then add this line to ccd/Thelonious:
#   ifconfig-push 10.9.0.1 10.9.0.2
;push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
;client-to-client
keepalive 10 120
tls-auth /usr/local/etc/openvpn/keys/ta.key 0 # This file is secret
cipher AES-256-GCM
;compress lz4-v2
;push "compress lz4-v2"
max-clients 16
user nobody
group nobody
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
verb 4
mute 20
mute-replay-warnings
remote-cert-tls client
tls-version-min 1.2
auth SHA512
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
explicit-exit-notify 1

client configuration:
client
dev tun
proto udp4
tun-mtu 1500
remote xxx.xxx.xxx.xxx 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca ca.crt
cert client1.crt
key client1.key
tls-auth ta.key 1
remote-cert-tls server
cipher AES-256-GCM
verb 4
tls-version-min 1.2
tls-cipher TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
auth SHA512
route-method exe
route-delay 5
route-metric 550

Thanks again.
Dave.

PS, Ultima can I get a look at your pf configuration?
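
[Editor's added example, not a configuration from this thread or from the
FreeBSD or OpenVPN projects. The interface names, the 192.168.0.0/24
range, the key paths and the OpenVPN options are taken from the post
above; the per-service rules on tun0, the cipher lists and the use of
OpenVPN 2.4-only options (the posted "proto udp4" and "compress lz4-v2"
are 2.4 syntax) are assumptions.]

On the rdr question: the second ruleset works for a reason. rdr rewrites
the destination address of a packet before delivery and is the tool for
a listener that lives somewhere else, such as a jail on lo1. Here the
daemon is bound to the external address itself ("local xxx.xxx.xxx.xxx"),
so a UDP datagram that arrives on vtnet0 for port 1194 only has to be
passed to reach that socket. The earlier rdr rewrote its destination to
192.168.0.1, the tun0 address, which the socket is not bound to, so
nothing received it. The rdr line was the bug, not a missing rule.

On the scrub question: the line is syntactically fine, but "max-mss 1452"
is for an upstream whose path MTU is below 1500 (PPPoE/ATM); on a plain
1500-byte link it clamps every TCP segment for no gain. "min-ttl 254" and
"random-id" are unrelated to the VPN either way.

On the TLS question: every suite in the posted tls-cipher list uses an
ephemeral exchange (ECDHE or DHE), so forward secrecy was already there,
and the data-channel keys are derived from that handshake and renewed
every reneg-sec (3600 s by default). What the list does do is mix DHE
with ECDHE, keep a CBC suite, and prefer AES-128 over AES-256. The
version below keeps only ECDHE GCM suites, which means the DH parameter
file is never used ("dh none" is accepted by 2.4), and replaces tls-auth
with tls-crypt, which encrypts the control channel as well as
authenticating it, using the same ta.key file; the client then needs
"tls-crypt ta.key" (no direction argument) instead of "tls-auth ta.key 1"
and the same tls-cipher line. The lz4 lines should stay commented out:
compressing plaintext before it is encrypted leaks information about that
plaintext through packet sizes, the same class of problem as CRIME and
BREACH against TLS. Both files follow; they are separated by header
comments because they live in different places.

```conf
# ---- /etc/pf.conf (FreeBSD 10.3) ----------------------------------------
# Added example. Names and the 192.168.0.0/24 range are from the thread;
# the policy for VPN clients on tun0 is an assumption.
ext_if="vtnet0"
vpn_if="tun0"
vpn_ip="192.168.0.1"
vpnnet="192.168.0.0/24"

set block-policy drop
set skip on lo0

# Reassemble fragments so the rules below see whole packets. Add
# "max-mss 1452" only if the upstream path MTU is really below 1500.
scrub in on $ext_if all fragment reassemble

# Outbound NAT for VPN clients. "($ext_if)" in parentheses makes pf re-read
# the interface address when it changes instead of fixing it at load time.
nat on $ext_if inet from $vpnnet to any -> ($ext_if)

# No rdr for 1194: OpenVPN is bound to the external address ("local"), so a
# passed datagram reaches the daemon's socket directly. Redirecting it to
# 192.168.0.1 (tun0) hands it to an address nothing is listening on.

# Default deny inbound; replies to our own outbound traffic (and to the
# NATed traffic of VPN clients) come back through the state "pass out"
# creates. The host's other services need their own "pass in" rules.
block in all
pass out all keep state

# The single rule the VPN needs.
pass in on $ext_if inet proto udp from any to ($ext_if) port 1194 keep state

# Filter tun0 instead of "set skip on tun0": VPN clients get only what is
# listed here, everything else they send is dropped.
pass in on $vpn_if inet proto icmp from $vpnnet to $vpn_ip icmp-type echoreq keep state
pass in on $vpn_if inet proto { tcp, udp } from $vpnnet to any port { domain, http, https } keep state
pass in on $vpn_if inet proto tcp from $vpnnet to $vpn_ip port ssh keep state

# ---- /usr/local/etc/openvpn/openvpn.conf (OpenVPN 2.4) -------------------
local xxx.xxx.xxx.xxx
port 1194
proto udp4
dev tun0
topology subnet
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca   /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/openvpn-server.crt
key  /usr/local/etc/openvpn/keys/openvpn-server.key
# Control channel: TLS 1.2 or newer, ECDHE-only GCM suites, 256-bit first.
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256:TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
# With no DHE suite in the list the DH parameter file is never used.
dh none
# tls-crypt encrypts and authenticates every control-channel packet with the
# pre-shared key (tls-auth only authenticates). Same ta.key file as before.
tls-crypt /usr/local/etc/openvpn/keys/ta.key
# Only certificates carrying the clientAuth EKU may connect as clients.
remote-cert-tls client
# Data channel: AEAD cipher. With an AEAD cipher "auth" no longer applies to
# data packets; it stays here in case tls-auth is ever used again.
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA512
# Re-key the data channel every hour (this is the default, written out).
reneg-sec 3600
# No "compress" and no "push compress": compression before encryption leaks.
keepalive 10 120
max-clients 16
user nobody
group nobody
persist-key
persist-tun
explicit-exit-notify 1
```

To check the pf file without loading it, run "pfctl -nf /etc/pf.conf"; to
confirm which suites OpenVPN will accept, run "openvpn --show-tls" and
compare against the tls-cipher line. After the change the client log
should show the negotiated suite as an ECDHE GCM suite and the data
channel as AES-256-GCM.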

On 4/19/17, David Mehler <dave.mehler at gmail.com> wrote:
> Hello,
>
> I commented out the rules indicated and still nothing.
>
> Thanks.
> Dave.
>
> On 4/19/17, Ultima <ultima1252 at gmail.com> wrote:
>> I forgot to mention, make sure the ext_gateway variable changed to the
>> correct gateway.
>>
>> On Wed, Apr 19, 2017 at 8:24 PM, Ultima <ultima1252 at gmail.com> wrote:
>>
>>> I keep looking at the rules and finally decided to rewrite some of them.
>>> This may not fix the issue you are having with openvpn though. The issue
>>> with that is most likely the passing out rules. This rule is kinda written
>>> weird and I suggest just removing it and passing everything out and verifying
>>> if that is the cause. The problem is many connections that the host will
>>> open are opened at the high end ports, I believe it was around 40000:65535. I
>>> could be wrong though and hope someone corrects my errors if so.
>>>
>>> > # Pass out only the desired ports from host and jails
>>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>>
>>> If you're still having issues with openvpn with this ruleset, then first
>>> try changing the block all rule to block on ext_if. This will determine if a
>>> pass rule internally is the cause.
>>>
>>> > block all
>>> block on $ext_if all
>>>
>>> Going to CC freebsd-pf at freebsd.org I hope this helps
>>>
>>> Ultima
>>>
>>>
>>> #
>>> # Required order: macros, options, normalization, queueing,
>>> # translation, filtering.
>>> # Note: translation rules are first match while filter rules are last match.
>>>
>>> # Macros
>>> ext_if="vtnet0"
>>> ext_gateway="10.0.0.1"
>>> int_if = "lo1"
>>> vpn_if = "tun0"
>>> jailnet = "10.0.0.0/8"
>>> vpnnet="10.8.0.0/8"
>>> icmp_types="{echoreq, unreach}"
>>> #IPV6 ICMP types:
>>> # packet to big and echo request type ping
>>> # Neighbor Discovery Protocol (NDP) (types 133-137):
>>> #   Router Solicitation (RS), Router Advertisement (RA)
>>> #   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>>> #   Route Redirection
>>> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>>> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
>>> tcpstate="flags S/SA modulate state"
>>> udpstate="keep state"
>>>
>>> # allowed traffic
>>> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>>> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, 500, 50, 51}"
>>>
>>> # Name and IP of jails
>>> webmail="10.0.0.15"
>>> # Name and IP of jailed ssh servers
>>> jssh1="10.0.0.15"
>>> jssh2="10.0.0.16"
>>> jssh3="10.0.0.17"
>>> jssh4="10.0.0.18"
>>> jssh1_tcp="2220"
>>> jssh2_tcp="2221"
>>> jssh3_tcp="2222"
>>> jssh4_tcp="2223"
>>> # The Asterisk Server
>>> asterisk="10.0.0.17"
>>> asterisk_tcp="5060:5061"
>>> asterisk_udp="5060, 10000:10500"
>>> # The vpn server
>>> vpn="10.8.0.1"
>>>
>>> # Options
>>> # block-policy can be either drop or return
>>> set block-policy drop
>>> set optimization conservative
>>> set skip on lo0
>>>
>>> # Normalization
>>> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>>> # firewall. Set random-id to help same.
>>> # Set mss to ATM network frame size for easy splitting upstream.
>>> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>>>
>>> # NAT
>>> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>>> nat on $ext_if from $vpnnet to any -> ($ext_if)
>>>
>>> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to
>>> jailed ssh servers
>>> # External redirect & reflect for internal hosts
>>> # Note, the -> $ip port $port is only required for port triggering.
>>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh1_tcp } tag jssh1 -> $jssh1
>>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh2_tcp } tag jssh2 -> $jssh2
>>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh3_tcp } tag jssh3 -> $jssh3
>>> rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh4_tcp } tag jssh4 -> $jssh4
>>>
>>> # Redirect traffic to the vpn server
>>> # External redirect
>>> rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn
>>>
>>> # Redirect traffic to the asterisk server
>>> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>>> # RTSP ports 10000 to 10500
>>> rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag asterisk_udp -> $asterisk
>>> rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag asterisk_tcp -> $asterisk
>>>
>>> # Tables
>>> table <bruteforce> persist file "/etc/pf/bruteforce"
>>> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
>>> table <fail2ban> persist file "/etc/pf/fail2ban"
>>> table <martians> persist file "/etc/pf/martians"
>>> # The ZeuS blocklist of c&c servers
>>> table <ZeuS> persist file "/etc/pf/ZeuS"
>>> # The malwaredomain ip block list
>>> table <malwaredomain> persist file "/etc/pf/malwaredomain"
>>> # Table of selected country IP addresses
>>> table <blocked_countries> persist file "/etc/pf/blocked_countries"
>>> # Table of apache mod_evasive blocks
>>> table <evasive> persist file "/etc/pf/evasive"
>>>
>>> antispoof for { $ext_if, $int_if }
>>>
>>> # Start by blocking by default
>>> block all
>>>
>>> # Block anything in the blocked_countries table first
>>> block in quick from <blocked_countries>
>>>
>>> # Block nmap scans
>>> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
>>>
>>> # Explicitly block unroutable addresses
>>> block drop in quick on $ext_if from <martians> to any
>>> block drop out quick on $ext_if from any to <martians>
>>>
>>> # Explicitly block anything in the bruteforce table
>>> block in quick from <bruteforce>
>>>
>>> # Explicitly block anything in the fail2ban table
>>> block in quick from <fail2ban>
>>>
>>> # Explicitly block anything in the droplasso table
>>> block in quick from <droplasso>
>>>
>>> # Explicitly block anything in the ZeuS table
>>> block in quick from <ZeuS>
>>>
>>> # Explicitly block anything in the malwaredomain table
>>> block in quick from <malwaredomain>
>>>
>>> # Block anything in the evasive table
>>> block in quick from <evasive>
>>>
>>> # allow ping and host unreach
>>> pass inet proto icmp icmp-type $icmp_types keep state
>>>
>>> # Traceroute
>>> # allow out the default range for traceroute(8):
>>> # "base+nhops*nqueries-1" (33434+64*3-1)
>>> pass inet proto udp to port 33433:33626 # For IPv4
>>>
>>> # Pass out only the desired ports from host and jails
>>> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>>> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>>
>>>  # Allow ssh connections in from the internet
>>> pass in inet proto tcp from any to ($ext_if) port ssh \
>>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> # Pass in ssh traffic to the jails
>>> # pass rules for nat redirect
>>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh1 jssh2 jssh3 jssh4 \
>>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>> pass in on $int_if inet proto tcp tagged jssh1 jssh2 jssh3 jssh4 flags S/SA keep state
>>>
>>> # Pass traffic to the vpn
>>> pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } tagged vpn $udpstate
>>> pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate
>>> pass out on tun0 keep state
>>> #pass quick on tun0 all keep state
>>>
>>> # Pass in smtp, http, https, submission, imaps traffic from the internet
>>> pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \
>>> flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>
>>> # pass traffic from the asterisk server
>>> pass inet proto tcp tagged asterisk_tcp keep state
>>> pass inet proto udp tagged asterisk_udp keep state
>>>
>>> On Wed, Apr 19, 2017 at 11:06 AM, David Mehler <dave.mehler at gmail.com>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> Thanks. Still no go on the vpn. In answer to your questions:
>>>>
>>>> > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>>>> > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>>>
>>>> I've got only a selected list of ports that I want in or out,
>>>> everything else should be blocked.
>>>>
>>>> I tried commenting out the pass quick on tun0 all and replaced it with
>>>> set skip on tun0 no joy.
>>>>
>>>> I took out the second nat line on the vpnnet as of now I'm wanting to
>>>> keep the jailnet and the vpnnet ranges the same, though if this issue
>>>> doesn't soon resolve I might change that idea.
>>>>
>>>>
>>>> > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>>
>>>> What I wanted to achieve with this was NAT reflection: external
>>>> connections to these hosts worked fine on the desired ports, but on
>>>> the host itself if I tried to ssh to one of my jails on port 2220
>>>> it failed; these rules corrected that.
>>>>
>>>> Right now I'll settle for working.
>>>>
>>>> Thanks.
>>>> Dave.
>>>>
>>>> On 4/19/17, Ultima <ultima1252 at gmail.com> wrote:
>>>> > After a full look, I suspect this is a problem entry.
>>>> >
>>>> >> # Pass out only the desired ports from host and jails
>>>> >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate
>>>> >> pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate
>>>> >
>>>> > Try commenting them and adding "pass out all" or "pass inet proto { tcp, udp } any"
>>>> > and see if that works.
>>>> >
>>>> >
>>>> >> pass quick on tun0 all keep state
>>>> > This is another problem area, but probably not the cause. The quick
>>>> > is probably not handled as you are expecting. Pf reads the filtering
>>>> > rules in priority from bottom to top, bottom being highest priority to
>>>> > top being lowest priority. When quick is added, this is more or less
>>>> > reversed for the rule and because it's near the bottom it has a lower
>>>> > priority. In general the "quick" directive can make pf very confusing
>>>> > and a ruleset harder to read, so other than the top blocking entries
>>>> > with quick, I suggest never using it, or use it for all filters and make
>>>> > it simple the opposite way.
>>>> >
>>>> >
>>>> >> jailnet = "10.0.0.0/8"
>>>> >> vpnnet="10.8.0.0/8"
>>>> > One thing I noticed is that the subnet chosen is an /8 subnet. Because
>>>> > of this, the entire 10.* address space applies to jailnet, making all
>>>> > jailnet + vpnnet entries redundant. This also allows all addresses to
>>>> > communicate, at least if pf isn't filtering them. Usually segmenting the
>>>> > subnet is desired to limit communication between them.
>>>> >
>>>> >> pass quick on lo0 all
>>>> > Why not just skip on lo0?
>>>> >
>>>> >
>>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>> > Why do these nearly duplicate rules exist?
>>>> >
>>>> >
>>>> > Optimizing pf is fun, but one thing that is important to remember is
>>>> > the more rules added, the more cycles used per packet. This is typically
>>>> > not noticed on small deployments but it can become a huge issue if grown.
>>>> >
>>>> > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler <dave.mehler at gmail.com>
>>>> > wrote:
>>>> >
>>>> >> Hello Ultima,
>>>> >>
>>>> >> Thank you for your reply. Thanks for the information, I'm liking the
>>>> >> new way the rules are looking. Unfortunately, still no go on the vpn.
>>>> >> Everything else is working, just not the vpn.
>>>> >>
>>>> >> Thanks.
>>>> >> Dave.
>>>> >> PS, here's my rules as they stand now.
>>>> >>
>>>> >> pf.conf:
>>>> >> #
>>>> >> # Required order: macros, options, normalization, queueing,
>>>> >> # translation, filtering.
>>>> >> # Note: translation rules are first match while filter rules are last match.
>>>> >>
>>>> >> # Macros
>>>> >> ext_if="vtnet0"
>>>> >> int_if = "lo1"
>>>> >> vpn_if = "tun0"
>>>> >> jailnet = "10.0.0.0/8"
>>>> >> vpnnet="10.8.0.0/8"
>>>> >> icmp_types="{echoreq, unreach}"
>>>> >> #IPV6 ICMP types:
>>>> >> # packet to big and echo request type ping
>>>> >> # Neighbor Discovery Protocol (NDP) (types 133-137):
>>>> >> #   Router Solicitation (RS), Router Advertisement (RA)
>>>> >> #   Neighbor Solicitation (NS), Neighbor Advertisement (NA)
>>>> >> #   Route Redirection
>>>> >> icmp6_types="{ 2, 128, 133, 134, 135, 136, 137 }"
>>>> >> #synstate="flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)"
>>>> >> tcpstate ="flags S/SA modulate state"
>>>> >> udpstate ="keep state"
>>>> >> voipports = "{5060, 5061, 10000:10500}"
>>>> >>
>>>> >> # allowed traffic
>>>> >> tcp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}"
>>>> >> udp_services="{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, 4500, 500, 50, 51}"
>>>> >>
>>>> >> # Name and IP of jails
>>>> >> webmail="10.0.0.15"
>>>> >> # Name and IP of jailed ssh servers
>>>> >> jssh1="10.0.0.15"
>>>> >> jssh2="10.0.0.16"
>>>> >> jssh3="10.0.0.17"
>>>> >> jssh4="10.0.0.18"
>>>> >> # The Asterisk Server
>>>> >> asterisk="10.0.0.17"
>>>> >> # The vpn server
>>>> >> vpn="10.8.0.1"
>>>> >>
>>>> >> # Options
>>>> >> # block-policy can be either drop or return
>>>> >> set block-policy drop
>>>> >> set optimization conservative
>>>> >> set skip on tun0
>>>> >>
>>>> >> # Normalization
>>>> >> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
>>>> >> # firewall. Set random-id to help same.
>>>> >> # Set mss to ATM network frame size for easy splitting upstream.
>>>> >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
>>>> >>
>>>> >> # NAT
>>>> >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port
>>>> >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port
>>>> >>
>>>> >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to
>>>> >> jailed ssh servers
>>>> >> # External redirect
>>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220
>>>> >> # reflect for internal hosts
>>>> >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220
>>>> >>
>>>> >> # External redirect
>>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221
>>>> >> # reflect for internal hosts
>>>> >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221
>>>> >>
>>>> >> # External redirect
>>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222
>>>> >> # reflect for internal hosts
>>>> >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222
>>>> >>
>>>> >> # External redirect
>>>> >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223
>>>> >> # reflect for internal hosts
>>>> >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223
>>>> >>
>>>> >> # Redirect traffic to the vpn server
>>>> >> # External redirect
>>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn port 1194
>>>> >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn port 1194
>>>> >> # reflect for internal hosts
>>>> >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn port 1194
>>>> >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn port 1194
>>>> >>
>>>> >> # Redirect traffic to the asterisk server
>>>> >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling.
>>>> >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> $asterisk port 5060
>>>> >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk port 5060
>>>> >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port 5061
>>>> >> # RTSP ports 10000 to 10500
>>>> >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk port 10000:10500
>>>> >>
>>>> >> # Tables
>>>> >> table <bruteforce> persist file "/etc/pf/bruteforce"
>>>> >> table <droplasso> persist file "/etc/pf/pf.drop.lasso.conf"
>>>> >> table <fail2ban> persist file "/etc/pf/fail2ban"
>>>> >> table <martians> persist file "/etc/pf/martians"
>>>> >> # The ZeuS blocklist of c&c servers
>>>> >> table <ZeuS> persist file "/etc/pf/ZeuS"
>>>> >> # The malwaredomain ip block list
>>>> >> table <malwaredomain> persist file "/etc/pf/malwaredomain"
>>>> >> # Table of selected country IP addresses
>>>> >> table <blocked_countries> persist file "/etc/pf/blocked_countries"
>>>> >> # Table of apache mod_evasive blocks
>>>> >> table <evasive> persist file "/etc/pf/evasive"
>>>> >>
>>>> >> # for the spamd greylist/blacklist service
>>>> >> # (not related to spamassassin's spamd daemon)
>>>> >> #table <spamd> persist
>>>> >> #table <spamd-white> persist
>>>> >>
>>>> >> antispoof for $ext_if
>>>> >> antispoof for $int_if
>>>> >>
>>>> >> # Start by blocking by default
>>>> >> block all
>>>> >>
>>>> >> # Block anything in the blocked_countries table first
>>>> >> block in quick from <blocked_countries>
>>>> >>
>>>> >> # Block nmap scans
>>>> >> block in quick on $ext_if inet proto tcp from any to any flags
>>>> >> FUP/FUP
>>>> >>
>>>> >> # Explicitly block unroutable addresses
>>>> >> block drop in quick on $ext_if from <martians> to any
>>>> >> block drop out quick on $ext_if from any to <martians>
>>>> >>
>>>> >> # Explicitly block anything in the bruteforce table
>>>> >> block in quick from <bruteforce>
>>>> >>
>>>> >> # Explicitly block anything in the fail2ban table
>>>> >> block in quick from <fail2ban>
>>>> >>
>>>> >> # Explicitly block anything in the droplasso table
>>>> >> block in quick from <droplasso>
>>>> >>
>>>> >> # Explicitly block anything in the ZeuS table
>>>> >> block in quick from <ZeuS>
>>>> >>
>>>> >> # Explicitly block anything in the malwaredomain table
>>>> >> block in quick from <malwaredomain>
>>>> >>
>>>> >> # Block anything in the evasive table
>>>> >> block in quick from <evasive>
>>>> >>
>>>> >> # pass everything on the loopback interface
>>>> >> pass quick on lo0 all
>>>> >>
>>>> >> # allow ping and host unreach
>>>> >> pass inet proto icmp icmp-type $icmp_types keep state
>>>> >>
>>>> >> # Traceroute
>>>> >> # allow out the default range for traceroute(8):
>>>> >> # "base+nhops*nqueries-1" (33434+64*3-1)
>>>> >> pass inet proto udp to port 33433:33626 # For IPv4
>>>> >>
>>>> >> # Pass out only the desired ports from host and jails
>>>> >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services $tcpstate
>>>> >> pass inet proto udp from { self, $jailnet } to port $udp_services $udpstate
>>>> >>
>>>> >>  # Allow ssh connections in from the internet
>>>> >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >> # Pass in ssh traffic to the jails
>>>> >> # pass rules for nat redirect
>>>> >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state
>>>> >>
>>>> >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state
>>>> >>
>>>> >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state
>>>> >>
>>>> >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state
>>>> >>
>>>> >> # Pass traffic to the vpn
>>>> >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate
>>>> >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate
>>>> >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate
>>>> >> #pass inet proto tcp from any to $vpn port 1194 $udpstate
>>>> >>
>>>> >> # Pass in http traffic from the internet
>>>> >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >>
>>>> >> # Pass in https traffic from the internet
>>>> >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >>
>>>> >> # Pass in smtp traffic from the internet
>>>> >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >>
>>>> >> # Pass in submission traffic from the internet
>>>> >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >>
>>>> >> # Pass in imaps traffic from the internet
>>>> >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload <bruteforce> flush global)
>>>> >>
>>>> >> # pass traffic from the asterisk server
>>>> >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state
>>>> >>
>>>> >>
>>>> >> On 4/18/17, Ultima <ultima1252 at gmail.com> wrote:
>>>> >> > I didn't have time to read and look through this entire post, but
>>>> >> > I think I know the issue you're running into and this suggestion
>>>> >> > should push you in the right direction.
>>>> >> >
>>>> >> > this rule for example,
>>>> >> >
>>>> >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port 1194
>>>> >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>>>> >> > # reflect for internal hosts
>>>> >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port 1194
>>>> >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port 1194
>>>> >> >
>>>> >> > This is probably not giving you the results you desire. Basically,
>>>> >> > because no from or to IP is specified, ALL, and I quite literally mean
>>>> >> > ALL, packets using port 1194 are being sent to $vpn port 1194. Usually
>>>> >> > you want to make it something like,
>>>> >> >
>>>> >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn port 1194
>>>> >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn port 1194
>>>> >> >
>>>> >> > Now the traffic will be passed only when the packet is going to
>>>> >> > the host, not all traffic on a specific port. Another thing you may
>>>> >> > want to do is combine many of these rules you have.
>>>> >> >
>>>> >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn port 1194
>>>> >> >
>>>> >> > Also note the above: because we are specifying any for from, we
>>>> >> > can remove the from rule entirely and make it shorter.
>>>> >> >
>>>> >> > Hope this helps
>>>> >> >
>>>> >> > Ultima
>>>> >> >
>>>> >>
>>>> >
>>>>
>>>
>>>
>>
>


More information about the freebsd-pf mailing list