PF questions

José Pablo Fernández pablo.fernandez at rs.com.ar
Mon Mar 12 23:28:33 UTC 2007 

Hello,
I have a couple of PF questions. First I am NATing a set of computers on the <free4> table, to allow them to go out I write ($lans is lans = "{" $lan0 $lan1 "}" where $lan0 is re0 and $lan1 is $re1):

pass in  on $lans from <free4> to any flags S/SA keep state
pass out on $lans from <free4> to any flags S/SA keep state

or otherwise

pass on $lans from <free4> to any flags S/SA keep state

What puzzles me is why is the "pass out" rule needed. I never do a block out all, only a block in all; basically I am never doing any block out and practically never a pass out. The other exception is:

pass out from $me4 flags S/SA keep state

which is there mainly to keep state and flags. Here's the second thing that puzzles me. Why don't I need a pass out from $me6 to reach IPv6 places. ($me is the collection of IPv4 ips assigned to this host and $me6 the same for IPv6).

The other question is also regarding IPv6. To let hosts inside my network go out I needed to have this rule:

pass out on $wan6 from <free6> to any flags S/SA keep state

when I would have thought that since I am blocking everything in, and nothing out, this one should have done the trick.

pass in on $lans from <free6> to any flags S/SA keep state

That is, who is letting those IPv6 packages in, and why do I need to let the out specifically?
If you need context, my whole rules are below. Any answer and or hint is appreciated.
-- 
José Pablo Fernández
pablo.fernandez at example.org

PS: IPs and names have changed.

# My interfaces.
lan0 = "re0"
lan1 = "re1"
wan  = "fxp0"
wan6 = "stf0"

# My me, me and I.
#me = "{(" $lan0 ") (" $lan1 ") (" $wan ") (" $wan6 ") }"
me4 = "{" 192.168.0.102 192.168.1.102 210.223.83.1 127.0.0.1 "}"
me6 = "{" 2002:87:15i:0::102 2002:87:15i:1::102 2002:87:15i::1 ::1 "}"

# Globally accessable services.
mi_tcp_services = "{domain ssh http xmpp-c2s xmpps-c2s xmpp-s2s}"
mi_udp_services = "{domain ssh http xmpp-c2s xmpps-c2s xmpp-s2s}"

# LAN-only accessable services.
mi_internal_tcp_services = "{http-proxy}"
mi_internal_udp_services = "{ntp}"

# The network.
lans = "{" $lan0 $lan1 "}"
lans_network = "{" $lan0:network $lan1:network "}"

# Hosts that are free to reach the outside world directly.
table <free4> { black.example.org red.example.org blue.example.org brown.example.org green.example.org yellow.example.org 192.168.0.0/24 192.168.1.1/24 }
table <free6> { black.example.org red.example.org blue.example.org }

# IPv6 reachable computers by service.
table <ip6_web> { red.example.org orange.example.org voip.example.org }
table <ip6_ssh> { red.example.org black.example.org }

# Available for everybody from anywhere.
tcp_for_everybody = "{smtp smtps pop3 pop3s imap imaps}"
udp_for_everybody = "{smtp smtps pop3 pop3s imap imaps}"

# Making a return of a no-go is better than droping a package because it hides the fact that there's a firewall.
set block-policy return

# No filteblue on lo0.
set skip on lo

# This will normalize and defragment all packages. Filteblue will work better and extrange packets will be droped.
scrub in

# NAT.
nat on $wan from <free4> to any -> ($wan)

# Port forwarding. See below for the assosiatde passing rules.
rdr on $wan proto tcp from any to any port 5901 -> brown.example.org port vnc # Andres' VNC. Pupeno, 2007-02-12 14:50:02.
# Temp port forwarding.
# None so far. Pupeno, 2007-02-12 14:50:25.

# Block everything in, latter allowing some stuff. A more paranoic setup would be to block everything, in and out. But that is much more complex.
block in log

# Block RFC1918 (private) from the external card, private addresses in the public internet can't be good.
PrivateAddresses = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
block in  quick on {$wan, $wan6} from $PrivateAddresses to any
block out quick on {$wan, $wan6} from any to $PrivateAddresses

# When going out (which can be done anyway), keep state, so return packages can come in.
pass out from $me4 flags S/SA keep state

# Let some people reach all the services.
pass in  on $lans from <free4> to any flags S/SA keep state
pass out on $lans from <free4> to any flags S/SA keep state
pass out on $wan6 from <free6> to any flags S/SA keep state  # Possibly only to keep the state. Pupeno, 2007-03-12 20:04:19.
# Let all the people reach some services.
pass in on $lans proto tcp to any port $tcp_for_everybody flags S/SA keep state # in
pass in on $lans proto udp to any port $udp_for_everybody keep state # in

# Let some services be reachable by the world in some internal IPs.
pass in on $wan6 proto icmp6 from any to <free6>               keep state # Allow anyone on the free6 chunk to be pinged.
pass in on $wan6 proto tcp   from any to <ipv6_ssh> port {ssh} flags S/SA keep state

# Let forwarders pass and more importantly, be synproxied, whatever that is. See above for the assosiated rdr (redirection) rules.
pass in proto tcp from any to brown.example.org port vnc synproxy state # Andres' VNC. Pupeno, 2007-02-12 15:45:16.

# Let anyone ping me.
pass in proto icmp                            to $me4                                keep state
pass in proto icmp6                           to $me6                                keep state
# Services that should be reached from anywhere (including the LAN).
pass in          proto tcp                    to $me4 port $mi_tcp_services          flags S/SA keep state
pass in          proto udp                    to $me4 port $mi_udp_services          keep state
pass in          proto tcp                    to $me6 port $mi_tcp_services          flags S/SA keep state
pass in          proto udp                    to $me6 port $mi_udp_services          keep state
# Services that should be reached only from the LAN.
pass in on $lans proto tcp from $lans_network to $me4 port $mi_internal_tcp_services flags S/SA keep state
pass in on $lans proto udp from $lans_network to $me4 port $mi_internal_udp_services keep state
pass in on $lans proto tcp from $lans_network to $me6 port $mi_internal_tcp_services flags S/SA keep state
pass in on $lans proto udp from $lans_network to $me6 port $mi_internal_udp_services keep state
# Particular services.
pass in proto tcp from dir.backup.example.org to $me4 port bacula-dir flags S/SA keep state

# Allow comunication between the two networks.
pass in on $lan0 from $lan0:network to $lan1:network flags S/SA keep state
pass in on $lan1 from $lan1:network to $lan0:network flags S/SA keep state

More information about the freebsd-questions mailing list