pf rules

Doug Hardie bc979 at lafn.org
Sat Jan 23 21:08:24 UTC 2010


On 23 January 2010, at 04:18, Erik Norgaard wrote:

> Doug Hardie wrote:
> 
>> This is quite interesting.  I can't figure out the rules on my system. 
> 
> Maybe try to simplify, clean up and structure your rules :)
> 
>> Here is the pf.conf file with all comments removed:
>> table <blackhole> persist file "/etc/blackhole"
>> table <spamd> persist
>> table <spamd-white> persist
>> table <spamd-white-local> persist file "/etc/mail/whitelist"
>> MAILHOSTS = "{zool.lafn.org}"
>> no rdr on { lo0, lo1 } from any to any
>> no rdr inet proto tcp from <spamd-white-local> to any port smtp
>> no rdr inet proto tcp from <spamd-white> to any port smtp
>> rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
>> pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
>> block in quick log on $ext_if from <blackhole> to any
> 
> 1. pf allows short cuts, but these also make it more difficult to debug. I'd separate NAT from filtering,

Ok.  I guess you want some white space between them?  Here it is with the white space and comments:

ext_if="dc0"
table <blackhole> persist file "/etc/blackhole"
table <spamd> persist
table <spamd-white> persist
table <spamd-white-local> persist file "/etc/mail/whitelist"
MAILHOSTS = "{zool.lafn.org}"

# NAT/RDR Rules
no rdr on { lo0, lo1 } from any to any
no rdr inet proto tcp from <spamd-white-local> to any port smtp
no rdr inet proto tcp from <spamd-white> to any port smtp
rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd

# Filter Rules
pass in log inet proto tcp to $MAILHOSTS port smtp keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
block in quick log on $ext_if from <blackhole> to any

Other than the comments I don't see the difference.


> that is never use "rdr pass" even though pf allows it. You also need to understand when rdr takes place to write your filtering rules.

That would be really helpful if that information were available somewhere it could be found.  I have not been able to find that anywhere.

> 
> 2. you can deploy one of two policies: Default block with a whitelist or default pass with a black list. Mixing these is a bad idea.
> 
> 3. $ext_if = dc0?

I added that back in above.  Somehow it got deleted with the comments.


> 4. rdr needs an interface; I'm surprised that pf will parse the above, and I have no idea what it does with it. pfctl -sn should show you the nat rules.

zool# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025

It seems to understand it just fine and it works properly.  See man spamd:

The following pf.conf(5) example is suggested:

         table <spamd-white> persist
         rdr pass inet proto tcp from !<spamd-white> to any \
             port smtp -> 127.0.0.1 port spamd



> 5. Organize your rules as sketched in last mail, grouping rules for each interface, it really helps locating where things go wrong.

Other than the whitespace and comments they are.

> 
> I have log statements and catch all rules to ensure that if these are triggered there is something in my ruleset I haven't taken into account. I avoid using "any" except in default rules.
> 
>> Note:  the blackhole file is empty as is the whitelist file.  There is an entry for 216.54.240.150 in spamd database.  This is a test system.
>> Here is the output of tcpdump where I have only taken one entry for each rule.  I have listed the rule number at the front of each line:
>> Rule 0:  14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S 2501333595:2501333595(0) win 65535 <mss 1460,nop,nop,sackOK>
>> Rule 1:  02:26:44.755650 rule 1/0(match): pass in on sis0: 71.109.144.133.40864 > 192.168.25.7.75: S 3941268770:3941268770(0) win 65535 <mss 1460,nop,wscale 3,nop,nop,timestamp[|tcp]>
>> Rule 2:  10:44:45.037918 rule 2/0(match): block in on dc0: 71.109.162.173.39529 > 206.117.18.7.75: . ack 145 win 65535 <nop,nop,timestamp 705571170 1951648775>
>> Rule 4:  13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S 2371633783:2371633783(0) win 65535 <mss 1460,nop,nop,sackOK>
>> 
>> I found no entries for rule 3.  There is virtually no traffic on this system other than from me.
>> As I look at pf.conf and tie the rules to the entries I get (rule number at beginning of line):
>> no rdr on { lo0, lo1 } from any to any
>> no rdr inet proto tcp from <spamd-white-local> to any port smtp
>> 0 - no rdr inet proto tcp from <spamd-white> to any port smtp
>> 4 - rdr pass log inet proto tcp from any to any port smtp -> 127.0.0.1 port spamd
>> pass in log inet proto tcp to $MAILHOSTS port smtp keep state
>> 1 - pass in log on sis0 reply-to (sis0 192.168.25.1) proto tcp from any to any port 75 keep state
>> block in quick log on $ext_if from <blackhole> to any
>> I have no clue which one is rule 2.  The only block is the last entry but that should never be used because the blackhole file is empty.  pfctl shows the table is empty also.
>> The ordering seems to make no sense either.  I also note that the man page for pf.conf indicates in the BNF grammar for pf.conf that log is a valid entry for no rdr.  However, that always generates a syntax error.  Apparently there is no way to log the use of no rdr rules.
> 
> See, things seem to have been swapped around somehow: that rule 4 rdr is really rule 0 again, only now it matches for the rdr action, while in rule 0 it matches the pass action. Or so it appears.
> 
> anyway, to interpret the output of pflog, you need the output from pfctl -sr and pfctl -sn rather than your config file.

zool# pfctl -sr
No ALTQ support in kernel
ALTQ related functions disabled
pass in log inet proto tcp from any to 206.117.18.7 port = smtp flags S/SA keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) inet proto tcp from any to any port = 75 flags S/SA keep state
block drop in log quick on dc0 from <blackhole> to any


zool# pfctl -sn
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025

> 
> So, to solve your problem, separate NAT and filtering first. Things become so much clearer.
> 
> Regards, Erik
> 
> -- 
> Erik Nørgaard
> Ph: +34.666334818/+34.915211157                  http://www.locolomo.org
> 
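Added example, not part of the thread: a small Python script that does what Erik's last point describes, reading the loaded rules back from pfctl -sr and pfctl -sn output instead of pf.conf and resolving each pflog line's "rule N" to the rule text. It assumes that the pflog rule number is the rule's index within its own ruleset (the @N numbering that pfctl -vvsr / pfctl -vvsn print): for pass/block entries that is the position in pfctl -sr output, for rdr entries the position within the rdr ruleset shown by pfctl -sn (nat, rdr and binat are separate rulesets, each counted from 0). The rule listings and pflog lines embedded below are constructed from the ones quoted in this message, trimmed to the parts the parser needs; the ALTQ lines pfctl prints are filtered out.

```python
import re

# Constructed sample input: the pfctl -sr and pfctl -sn output quoted above.
PFCTL_SR = """\
No ALTQ support in kernel
ALTQ related functions disabled
pass in log inet proto tcp from any to 206.117.18.7 port = smtp flags S/SA keep state
pass in log on sis0 reply-to (sis0 192.168.25.1) inet proto tcp from any to any port = 75 flags S/SA keep state
block drop in log quick on dc0 from <blackhole> to any
"""

PFCTL_SN = """\
No ALTQ support in kernel
ALTQ related functions disabled
no rdr on lo0 all
no rdr on lo1 all
no rdr inet proto tcp from <spamd-white-local> to any port = smtp
no rdr inet proto tcp from <spamd-white> to any port = smtp
rdr pass log inet proto tcp from any to any port = smtp -> 127.0.0.1 port 8025
"""

# Constructed sample input: the four tcpdump-on-pflog lines quoted above, truncated.
PFLOG_LINES = [
    "14:01:27.133320 rule 0/0(match): pass in on dc0: 216.54.240.150.55782 > 206.117.18.7.25: S",
    "02:26:44.755650 rule 1/0(match): pass in on sis0: 71.109.144.133.40864 > 192.168.25.7.75: S",
    "10:44:45.037918 rule 2/0(match): block in on dc0: 71.109.162.173.39529 > 206.117.18.7.75: . ack 145",
    "13:51:16.022700 rule 4/0(match): rdr in on dc0: 216.54.240.150.49821 > 127.0.0.1.8025: S",
]

# pfctl prints these two status lines before the rules on kernels without ALTQ.
ALTQ_NOISE = {"No ALTQ support in kernel", "ALTQ related functions disabled"}

# "rule <number>/<reason code>(<reason name>): <action> <direction> on <interface>:"
PFLOG_RE = re.compile(
    r"rule (?P<nr>\d+)/\d+\((?P<reason>\w+)\): (?P<action>\w+) (?P<dir>in|out) on (?P<ifc>[\w.]+):"
)


def parse_filter_rules(text):
    """pfctl -sr output -> list of rule strings; list index == pflog rule number."""
    return [ln for ln in text.splitlines() if ln.strip() and ln not in ALTQ_NOISE]


def parse_translation_rules(text):
    """pfctl -sn output -> {'rdr': [...], 'nat': [...], 'binat': [...]}.

    nat, rdr and binat are separate rulesets in pf, so each kind is numbered
    from 0 on its own; a leading "no" does not change the kind.
    """
    rulesets = {}
    for ln in text.splitlines():
        if not ln.strip() or ln in ALTQ_NOISE:
            continue
        words = ln.split()
        kind = words[1] if words[0] == "no" else words[0]
        rulesets.setdefault(kind, []).append(ln)
    return rulesets


def resolve(line, filter_rules, xlat_rules):
    """Map one pflog line to the rule pfctl currently lists for its number.

    Returns None for lines that are not pflog records. If the number is not
    in the listing (e.g. the ruleset was reloaded after the log was written),
    the rule text is reported as unknown rather than guessed.
    """
    m = PFLOG_RE.search(line)
    if not m:
        return None
    nr = int(m.group("nr"))
    action = m.group("action")
    rules = xlat_rules.get(action, []) if action in ("rdr", "nat", "binat") else filter_rules
    ruleset = action if action in ("rdr", "nat", "binat") else "filter"
    rule = rules[nr] if nr < len(rules) else None
    return {"nr": nr, "ruleset": ruleset, "action": action,
            "iface": m.group("ifc"), "reason": m.group("reason"), "rule": rule}


def resolve_all(lines, sr_text, sn_text):
    """Resolve every pflog line against the given pfctl -sr / -sn listings."""
    filt = parse_filter_rules(sr_text)
    xlat = parse_translation_rules(sn_text)
    return [r for r in (resolve(ln, filt, xlat) for ln in lines) if r is not None]


if __name__ == "__main__":
    for r in resolve_all(PFLOG_LINES, PFCTL_SR, PFCTL_SN):
        print(f"{r['ruleset']} rule @{r['nr']} ({r['action']} on {r['iface']}): {r['rule']}")
```

Under that indexing the "rule 4 ... rdr" line resolves to the fifth rdr rule (the rdr pass log rule) and the three pass/block lines to filter rules @0, @1 and @2 in pfctl -sr order, so the two rule numberings in the pflog output are not swapped but belong to different rulesets. To run it against a live system, replace the embedded strings with the output of pfctl -sr and pfctl -sn captured at the same time as the pflog lines; a number the listing cannot resolve usually means the ruleset changed in between.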