Lock Order Reversal on 7.0-STABLE with pf and ipfw / dummynet (extra extra details - config files)

Alex Popa razor at dataxnet.ro
Sun Mar 16 14:45:26 PDT 2008


Attached are pf.conf and ipfw.txt.  The former is loaded by the standard
means, and the latter is loaded via ipfw -q /path/to/ipfw.txt

Some comments:  I've anonymized the files.  Addresses in the 10.0.0.0/8
range stand for "internal" IP addresses, meaning one /27 and three /24
networks, and addresses in the 192.168.0.0/16 range stand for addresses
on the directly connected "external" networks, meaning the 2 fibers to
the ISP.  Also I've junked all but the last byte of the MAC addresses in
ipfw.

I know the ipfw setup looks scary, but worst case a layer2 packet (I
should say frame) gets checked against 38 rules (39 if it's dropped).
I could probably optimize a few more rules out of this, but I'm not sure
it's worth the effort.  For layer3 I haven't counted, but I doubt it's
more than 10 rules (more likely 6-7).

Tables "metro" and "special" in pf are controlled by OpenBGPD.  They are
synced to ipfw tables 1 and 2 respectively, by cron jobs that run every
3 minutes and only make the necessary changes.

ipfw rules below the "DO NOT EDIT" line are automatically generated from
a database of IP/MAC mappings.  This can change asynchronously and can
cause the script to be regenerated and run.

The classification is supposed to speed things up a little, by not
comparing a MAC address against all hosts in its subnet, but only
against sqrt(hosts) other IPs and another sqrt(hosts) IP/MAC pairs.
[and it's not exactly sqrt, but about half of the bits in the host part
of the IP address]



Have fun
	Alex


-- 
 "Computer science is no more about computers
     than astronomy is about telescopes" -- E. W. Dijkstra
-------------- next part --------------
# Loaded with "ipfw -q <file>" (see the cover mail).  Rules are built into
# set 0 while the copy that is currently live is parked in set 1 (first
# line); set 0 is switched on and set 1 deleted only at the very end of
# the file, so the old ruleset keeps running for the whole load.
# NOTE(review): if the load stops part-way, set 0 is still disabled and
# set 1 is still live - confirm the regenerating script checks ipfw's
# exit status rather than assuming the swap happened.
set move 0 to 1
set disable 0

# scary stuff, allow arp
# Ethertype 0x0806 is ARP; it is accepted on every interface before the
# per-interface layer2 dispatch below.
add 10 allow mac-type 0x0806

# filter MAC on input
# Only frames received on em0 (the internal side) are sent to the
# auto-generated IP/MAC binding rules at 100+; every other layer2 frame
# is accepted by rules 11-13.  NOTE(review): layer2 rules only see
# frames when net.link.ether.ipfw is enabled - confirm it is set here.
add 10 skipto 100 in  recv em0 layer2
add 11 allow      out xmit em0 layer2

add 12 allow in  layer2
add 13 allow out layer2

# Layer3 dispatch: each interface/direction jumps to its own shaping
# section (20000-22499 below).  Internal egress (rule 25) is not shaped.
# em0 - internal
add 20 skipto 22000 in  recv em0
add 25 allow        out xmit em0

# em1 - external 1 - shape on 20000 (in) / 20500 (out)
add 30 skipto 20000 in  recv em1
add 35 skipto 20500 out xmit em1

# bge0 - extern 2 - shape on 21000 (in) / 21500 (out)
add 40 skipto 21000 in  recv bge0
add 45 skipto 21500 out xmit bge0

# Default for anything that falls through: allow.  This ruleset does
# shaping and the IP/MAC binding on em0; the filtering policy lives in
# pf.conf.
add 90 allow ip from any to any via lo0
add 95 allow ip from any to any

# Reset all counters so the "must stay at 0" check on rule 22499 starts
# from a clean slate on each load.
-f zero

#
# TABLES
#
# 1 - metro
# 2 - special
# 10 - internal (all)
# 11 - internal - routing external 1 (em1)
# 12 - internal - routing external 2 (bge0)
# 100 bandwidth A
# 101 bandwidth B
# 120, 121, 122 : this server:  All IPs, IP bw A, IP bw B

# NOTE:  tables 1 and 2 are synchronized to pf tables named
# "metro" and "special" by a script which runs every 3 minutes
# (they are deliberately not flushed in this file - the cron job owns
# them; flushing them on reload would drop every metro/special prefix
# until the next sync).
# NOTE(review): "external 1/2" here means em1/bge0 (rules 30-45),
# whereas pf.conf numbers the same interfaces $ext_if0/$ext_if1 - keep
# that in mind when cross-referencing tables 11/12 with the pf
# route-to rules.

# 10: every internal prefix plus the two 192.168 addresses
# (presumably this box's own external addresses - confirm).
table 10 flush
table 10 add 10.0.10.0/27
table 10 add 10.0.20.0/24
table 10 add 10.0.30.0/24
table 10 add 10.0.40.0/24
table 10 add 192.168.11.11
table 10 add 192.168.22.22

# 11/12: split of the internal prefixes by the external link their
# metro traffic is accounted against (rules 22105/22110).
table 11 flush
table 11 add 10.0.20.0/24
table 11 add 10.0.40.0/24
table 11 add 192.168.11.11
table 11 add 192.168.22.22

table 12 flush
table 12 add 10.0.10.0/27
table 12 add 10.0.30.0/24

# 100/101: bandwidth class of each internal prefix (pipes 1-4).
table 100 flush
table 100 add 10.0.20.0/24
table 100 add 10.0.30.0/24
table 100 add 10.0.40.0/24
table 100 add 192.168.11.11

table 101 flush
table 101 add 10.0.10.0/27
table 101 add 192.168.22.22

# 120-122: this server's own addresses, used by the "locally generated"
# shaping rules at 20500+/21500+.
table 120 flush
table 120 add 10.0.10.1
table 120 add 10.0.20.1
table 120 add 10.0.30.1
table 120 add 192.168.33.33
table 120 add 192.168.11.11
table 120 add 192.168.22.22

table 121 flush
table 121 add 10.0.20.1
table 121 add 10.0.30.1
table 121 add 10.0.40.1
table 121 add 192.168.11.11

table 122 flush
table 122 add 10.0.10.1
table 122 add 192.168.33.33
table 122 add 192.168.22.22


#
# PIPES and QUEUES
#

# -f: delete every existing pipe/queue without asking before re-creating
# them below.
-f pipe flush

# bw A - in 1/out 2
# Inbound: one 4500kbit/s pipe shared by all class-A hosts, with a
# weighted queue per destination IP (mask dst-ip) so hosts share it.
pipe  1 config bw 4500kbits/s
queue 1 config pipe 1 weight 10 mask dst-ip 0xffffffff

# Outbound: the mask is on the pipe itself, so each source IP gets its
# own 200kbit/s pipe (a per-host cap, not a shared pool).
pipe  2 config bw 200kbits/s mask src-ip 0xffffffff

# bw B - in 3/out 4
# Class B is symmetric: a shared 1000kbit/s pool in each direction with
# a per-host queue.
pipe  3 config bw 1000kbits/s
queue 3 config pipe 3 weight 10 mask dst-ip 0xffffffff
pipe  4 config bw 1000kbits/s
queue 4 config pipe 4 weight 10 mask src-ip 0xffffffff

# external interface 1 (em1) - 11 in/12 out
# The trailing "queue 100" is the queue length in slots, not a queue
# number.  Pipes 11/12/21/22 carry the metro/special traffic
# (rules 20000+/21000+/22100+).
pipe  11 config bw 95Mbits/s					queue 100
queue 11 config pipe 11 weight 10 mask dst-ip 0xffffffff	queue 100
pipe  12 config bw 95Mbits/s 	    				queue 100
queue 12 config pipe 12 weight 10 mask src-ip 0xffffffff	queue 100

# external interface 2 (bge0) - 21 in/22 out
pipe  21 config bw 95Mbits/s					queue 100
queue 21 config pipe 21 weight 10 mask dst-ip 0xffffffff	queue 100
pipe  22 config bw 95Mbits/s 			    		queue 100
queue 22 config pipe 22 weight 10 mask src-ip 0xffffffff	queue 100


###
#
# Shaping - check order:  Metro / Special / A / B (3 in, 3 out)
#
###
# NOTE(review): with net.inet.ip.fw.one_pass=1 (the default) a packet
# that matches a queue/pipe action is handed to dummynet and is not
# re-evaluated, so the "allow ip from any to any" closing each section
# only sees traffic that matched nothing above it.

# em1 - ext 1 shaping - 20000/20500
# Inbound on em1: metro/special sources go to the em1 inbound queue (11),
# everything else is classed by destination into bw A (queue 1) or bw B
# (queue 3).
add 20000 queue 11 ip from table(1) to        any
add 20005 queue 11 ip from table(2) to        any
# NOTE(review): two rules share number 20010 (the bge0 section uses
# 21010/21015).  Duplicate numbers are legal and keep insertion order,
# but "ipfw delete 20010" would remove both - probably meant to be 20015.
add 20010 queue  1 ip from      any to table(100)
add 20010 queue  3 ip from      any to table(101)
add 20499 allow    ip from any to any

# only shape locally-generated traffic here,
# the rest is matched on entry [em0]
# Outbound on em1: only this server's own addresses (tables 120-122) are
# shaped; forwarded traffic was already queued at 22100+ on the way in.
add 20500 queue 12 ip from table(120) to table(1)
add 20505 queue 12 ip from table(120) to table(2)
add 20510 pipe   2 ip from table(121) to      any
add 20515 queue  4 ip from table(122) to      any
add 20999 allow    ip from any to any

# bge0 - ext 2 shaping - 21000/21500
# Same structure as em1, using the bge0 queues (21 in / 22 out).
add 21000 queue 21 ip from table(1) to        any
add 21005 queue 21 ip from table(2) to        any
add 21010 queue  1 ip from      any to table(100)
add 21015 queue  3 ip from      any to table(101)
add 21499 allow    ip from any to any

# same as external 1, only locally generated
add 21500 queue 22 ip from table(120) to table(1)
add 21505 queue 22 ip from table(120) to table(2)
add 21510 pipe   2 ip from table(121) to      any
add 21515 queue  4 ip from table(122) to      any
add 21999 allow    ip from any to any

# em0 - internal
# Inbound from the internal side (forwarded traffic), in check order:
# internal-to-internal and to the router are free, proxy-bound web is
# left alone here (the proxy's own egress is shaped at 20500+/21500+ as
# locally generated traffic), then the external destination classes.
# from internal to internal - no limit - yay for gigabit
add 22000 allow   ip from table(10) to table(10)
add 22005 allow   ip from table(10) to 127.0.0.1
# from internal to "external" but it goes to the proxy on this machine - don't double shape
# 22050 matches the packet with its original destination, 22055 after
# pf's rdr has rewritten it to the proxy; which one fires depends on
# whether pf or ipfw runs first on input.  NOTE(review): pf.conf has
# "no rdr" exceptions (<noproxy> hosts, <me>, <metro>/<special>
# destinations) whose port-80 traffic never reaches the proxy, yet it is
# exempted from shaping here as well - confirm that is intended.
add 22050 allow  tcp from table(10) to any 80
add 22055 allow  tcp from table(10) to 127.0.0.1 8000
## special - from any source packets will be routed out external 1 so count in that queue
add 22100 queue 12 ip from any to table(2)
## metro - some sources are counted against external 1, others against external 2
add 22105 queue 12 ip from table(11)  to table(1)
add 22110 queue 22 ip from table(12)  to table(1)
# non-metro, go to slow pipes
add 22115 pipe   2 ip from table(100) to any
add 22120 queue  4 ip from table(101) to any
# this rule should always have its counters at 0 or something's missing above
add 22499 allow ip from any to any

# DO NOT EDIT BELOW THIS LINE! - AUTO GENERATED
# Layout of the generated section (regenerated from the IP/MAC database,
# see the cover mail):
#   100-103  pick the internal prefix of the source IP; 104 denies any
#            em0 frame whose source is outside the internal prefixes
#   1000+    pick the /28 bucket (/29 for the /27 net) of the source IP
#   2000+    per-host "pass ... mac any <src-mac>" rules, numbered
#            bucket + host offset (e.g. 2004 = 10.0.10.4), each bucket
#            ending in an unconditional deny at bucket+99
# So an em0 frame is compared against a handful of skipto rules and one
# bucket of per-host rules, never against every host on its subnet.
# NOTE(review): none of the deny rules log; "deny log" on 104 and on the
# bucket terminators would make unregistered or mismatched IP/MAC pairs
# visible in the ipfw log instead of being dropped silently.
add 100 skipto 1000 ip from 10.0.10.0/27 to any
add 101 skipto 1100 ip from 10.0.20.0/24 to any
add 102 skipto 1200 ip from 10.0.30.0/24 to any
add 103 skipto 1300 ip from 10.0.40.0/24 to any
add 1000 skipto 2000 ip from 10.0.10.0/29 to any
add 1001 skipto 2100 ip from 10.0.10.8/29 to any
add 1002 skipto 2200 ip from 10.0.10.16/29 to any
add 1003 skipto 2300 ip from 10.0.10.24/29 to any
add 1100 skipto 2400 ip from 10.0.20.0/28 to any
add 1101 skipto 2500 ip from 10.0.20.16/28 to any
add 1102 skipto 2600 ip from 10.0.20.32/28 to any
add 1103 skipto 2700 ip from 10.0.20.48/28 to any
add 1104 skipto 2800 ip from 10.0.20.64/28 to any
add 1105 skipto 2900 ip from 10.0.20.80/28 to any
add 1106 skipto 3000 ip from 10.0.20.96/28 to any
add 1107 skipto 3100 ip from 10.0.20.112/28 to any
add 1108 skipto 3200 ip from 10.0.20.128/28 to any
add 1109 skipto 3300 ip from 10.0.20.144/28 to any
add 1110 skipto 3400 ip from 10.0.20.160/28 to any
add 1111 skipto 3500 ip from 10.0.20.176/28 to any
add 1112 skipto 3600 ip from 10.0.20.192/28 to any
add 1113 skipto 3700 ip from 10.0.20.208/28 to any
add 1114 skipto 3800 ip from 10.0.20.224/28 to any
add 1115 skipto 3900 ip from 10.0.20.240/28 to any
add 1200 skipto 4000 ip from 10.0.30.0/28 to any
add 1201 skipto 4100 ip from 10.0.30.16/28 to any
add 1202 skipto 4200 ip from 10.0.30.32/28 to any
add 1203 skipto 4300 ip from 10.0.30.48/28 to any
add 1204 skipto 4400 ip from 10.0.30.64/28 to any
add 1205 skipto 4500 ip from 10.0.30.80/28 to any
add 1206 skipto 4600 ip from 10.0.30.96/28 to any
add 1207 skipto 4700 ip from 10.0.30.112/28 to any
add 1208 skipto 4800 ip from 10.0.30.128/28 to any
add 1209 skipto 4900 ip from 10.0.30.144/28 to any
add 1210 skipto 5000 ip from 10.0.30.160/28 to any
add 1211 skipto 5100 ip from 10.0.30.176/28 to any
add 1212 skipto 5200 ip from 10.0.30.192/28 to any
add 1213 skipto 5300 ip from 10.0.30.208/28 to any
add 1214 skipto 5400 ip from 10.0.30.224/28 to any
add 1215 skipto 5500 ip from 10.0.30.240/28 to any
add 1300 skipto 5600 ip from 10.0.40.0/28 to any
add 1301 skipto 5700 ip from 10.0.40.16/28 to any
add 1302 skipto 5800 ip from 10.0.40.32/28 to any
add 1303 skipto 5900 ip from 10.0.40.48/28 to any
add 1304 skipto 6000 ip from 10.0.40.64/28 to any
add 1305 skipto 6100 ip from 10.0.40.80/28 to any
add 1306 skipto 6200 ip from 10.0.40.96/28 to any
add 1307 skipto 6300 ip from 10.0.40.112/28 to any
add 1308 skipto 6400 ip from 10.0.40.128/28 to any
add 1309 skipto 6500 ip from 10.0.40.144/28 to any
add 1310 skipto 6600 ip from 10.0.40.160/28 to any
add 1311 skipto 6700 ip from 10.0.40.176/28 to any
add 1312 skipto 6800 ip from 10.0.40.192/28 to any
add 1313 skipto 6900 ip from 10.0.40.208/28 to any
add 1314 skipto 7000 ip from 10.0.40.224/28 to any
add 1315 skipto 7100 ip from 10.0.40.240/28 to any
# Terminators: unknown source prefix (104), unknown bucket (1x99), and
# unregistered host / wrong MAC within a bucket (2099..7199).
add 104 deny ip from any to any
add 1099 deny ip from any to any
add 1199 deny ip from any to any
add 1299 deny ip from any to any
add 1399 deny ip from any to any
add 2099 deny ip from any to any
add 2199 deny ip from any to any
add 2299 deny ip from any to any
add 2399 deny ip from any to any
add 2499 deny ip from any to any
add 2599 deny ip from any to any
add 2699 deny ip from any to any
add 2799 deny ip from any to any
add 2899 deny ip from any to any
add 2999 deny ip from any to any
add 3099 deny ip from any to any
add 3199 deny ip from any to any
add 3299 deny ip from any to any
add 3399 deny ip from any to any
add 3499 deny ip from any to any
add 3599 deny ip from any to any
add 3699 deny ip from any to any
add 3799 deny ip from any to any
add 3899 deny ip from any to any
add 3999 deny ip from any to any
add 4099 deny ip from any to any
add 4199 deny ip from any to any
add 4299 deny ip from any to any
add 4399 deny ip from any to any
add 4499 deny ip from any to any
add 4599 deny ip from any to any
add 4699 deny ip from any to any
add 4799 deny ip from any to any
add 4899 deny ip from any to any
add 4999 deny ip from any to any
add 5099 deny ip from any to any
add 5199 deny ip from any to any
add 5299 deny ip from any to any
add 5399 deny ip from any to any
add 5499 deny ip from any to any
add 5599 deny ip from any to any
add 5699 deny ip from any to any
add 5799 deny ip from any to any
add 5899 deny ip from any to any
add 5999 deny ip from any to any
add 6099 deny ip from any to any
add 6199 deny ip from any to any
add 6299 deny ip from any to any
add 6399 deny ip from any to any
add 6499 deny ip from any to any
add 6599 deny ip from any to any
add 6699 deny ip from any to any
add 6799 deny ip from any to any
add 6899 deny ip from any to any
add 6999 deny ip from any to any
add 7099 deny ip from any to any
add 7199 deny ip from any to any
# This comment doesn't exist in the original file.
# A few hundred lines below have been deleted, but you should get the idea.
# Note rule numbers aren't in order, they depend on how the IP
# addresses are pulled out of the DB
# "mac any <addr>" reads as "mac <dst-mac> <src-mac>": any destination,
# source MAC as registered for that IP.  A frame whose source IP is
# registered to a different MAC matches nothing in its bucket and hits
# the bucket's deny rule.  This binds each IP to one MAC for accounting
# purposes; it cannot tell a host presenting another host's registered
# pair from the real owner, so it is not an authentication mechanism.
add 2004 pass ip from 10.0.10.4 to any mac any 00:de:ad:be:ef:01
add 2201 pass ip from 10.0.10.17 to any mac any 00:de:ad:be:ef:ff
add 2206 pass ip from 10.0.10.22 to any mac any 00:de:ad:be:ef:cd
add 2412 pass ip from 10.0.20.12 to any mac any 00:de:ad:be:ef:c3
add 2415 pass ip from 10.0.20.15 to any mac any 00:de:ad:be:ef:25
add 2515 pass ip from 10.0.20.31 to any mac any 00:de:ad:be:ef:7d
add 2604 pass ip from 10.0.20.36 to any mac any 00:de:ad:be:ef:97
add 2702 pass ip from 10.0.20.50 to any mac any 00:de:ad:be:ef:15
add 2705 pass ip from 10.0.20.53 to any mac any 00:de:ad:be:ef:0d
add 2802 pass ip from 10.0.20.66 to any mac any 00:de:ad:be:ef:a6
add 2905 pass ip from 10.0.20.85 to any mac any 00:de:ad:be:ef:de
add 3012 pass ip from 10.0.20.108 to any mac any 00:de:ad:be:ef:c7
add 3015 pass ip from 10.0.20.111 to any mac any 00:de:ad:be:ef:a3
add 3201 pass ip from 10.0.20.129 to any mac any 00:de:ad:be:ef:d8
add 3207 pass ip from 10.0.20.135 to any mac any 00:de:ad:be:ef:5b
add 3304 pass ip from 10.0.20.148 to any mac any 00:de:ad:be:ef:bb
add 3307 pass ip from 10.0.20.151 to any mac any 00:de:ad:be:ef:f5
add 3407 pass ip from 10.0.20.167 to any mac any 00:de:ad:be:ef:5c
add 3410 pass ip from 10.0.20.170 to any mac any 00:de:ad:be:ef:0b
add 3513 pass ip from 10.0.20.189 to any mac any 00:de:ad:be:ef:cd
add 3600 pass ip from 10.0.20.192 to any mac any 00:de:ad:be:ef:85
add 3702 pass ip from 10.0.20.210 to any mac any 00:de:ad:be:ef:21
add 3706 pass ip from 10.0.20.214 to any mac any 00:de:ad:be:ef:4c
add 3806 pass ip from 10.0.20.230 to any mac any 00:de:ad:be:ef:08
add 3809 pass ip from 10.0.20.233 to any mac any 00:de:ad:be:ef:fc
add 4002 pass ip from 10.0.30.2 to any mac any 00:de:ad:be:ef:1e
add 4005 pass ip from 10.0.30.5 to any mac any 00:de:ad:be:ef:86
add 4102 pass ip from 10.0.30.18 to any mac any 00:de:ad:be:ef:55
add 4206 pass ip from 10.0.30.38 to any mac any 00:de:ad:be:ef:fe
add 4303 pass ip from 10.0.30.51 to any mac any 00:de:ad:be:ef:e0
add 4306 pass ip from 10.0.30.54 to any mac any 00:de:ad:be:ef:7a
add 4405 pass ip from 10.0.30.69 to any mac any 00:de:ad:be:ef:e5
add 4410 pass ip from 10.0.30.74 to any mac any 00:de:ad:be:ef:bd
add 4510 pass ip from 10.0.30.90 to any mac any 00:de:ad:be:ef:6d
add 4700 pass ip from 10.0.30.112 to any mac any 00:de:ad:be:ef:8d
add 4802 pass ip from 10.0.30.130 to any mac any 00:de:ad:be:ef:cd
add 4912 pass ip from 10.0.30.156 to any mac any 00:de:ad:be:ef:48
add 5010 pass ip from 10.0.30.170 to any mac any 00:de:ad:be:ef:52
add 5014 pass ip from 10.0.30.174 to any mac any 00:de:ad:be:ef:36
add 5113 pass ip from 10.0.30.189 to any mac any 00:de:ad:be:ef:56
add 5407 pass ip from 10.0.30.231 to any mac any 00:de:ad:be:ef:b4
add 5508 pass ip from 10.0.30.248 to any mac any 00:de:ad:be:ef:5d
add 5511 pass ip from 10.0.30.251 to any mac any 00:de:ad:be:ef:68
add 5714 pass ip from 10.0.40.30 to any mac any 00:de:ad:be:ef:81
add 5801 pass ip from 10.0.40.33 to any mac any 00:de:ad:be:ef:15
add 7015 pass ip from 10.0.40.239 to any mac any 00:de:ad:be:ef:3e
add 7103 pass ip from 10.0.40.243 to any mac any 00:de:ad:be:ef:b1
add 2508 pass ip from 10.0.20.24 to any mac any 00:de:ad:be:ef:95
add 2603 pass ip from 10.0.20.35 to any mac any 00:de:ad:be:ef:d0
add 3607 pass ip from 10.0.20.199 to any mac any 00:de:ad:be:ef:20
add 3705 pass ip from 10.0.20.213 to any mac any 00:de:ad:be:ef:6e
add 5006 pass ip from 10.0.30.166 to any mac any 00:de:ad:be:ef:f7
add 5208 pass ip from 10.0.30.200 to any mac any 00:de:ad:be:ef:15
add 7008 pass ip from 10.0.40.232 to any mac any 00:de:ad:be:ef:7d
add 7102 pass ip from 10.0.40.242 to any mac any 00:de:ad:be:ef:bb
add 7114 pass ip from 10.0.40.254 to any mac any 00:de:ad:be:ef:30
# Activate the freshly built set and drop the one that was live before
# (moved to set 1 at the top of the file).
set enable 0
delete set 1
-------------- next part --------------
# Interface roles.  Note the numbering: $ext_if0 is em1 and $ext_if1 is
# bge0, while the companion ipfw file calls em1 "external 1" and bge0
# "external 2" - read "external1" in this file as $ext_if1/bge0.
ext_if0="em1"
ext_if1="bge0"
ext_ifaces="{em1, bge0}"
int_if="em0"

# Internal networks and this router's address on each of them.
# NOTE(review): internal_ip0..3, external_ip0/1, external1_ip,
# external_router and ext_ifaces are not referenced by any rule in this
# file as shown (the tables below repeat the addresses literally); only
# external_router1 is used, by the route-to rule.
internal_net_1="10.0.10.0/27"
internal_ip0="10.0.10.1"
internal_net_2="10.0.20.0/24"
internal_ip1="10.0.20.1"
internal_net_3="10.0.30.0/24"
internal_ip2="10.0.30.1"
internal_net_4="10.0.40.0/24"
internal_ip3="10.0.40.1"

# This router's addresses on the two ISP links.
external_ip0="192.168.11.11"
external_ip1="192.168.22.22"

external1_ip="192.168.33.33"
# Next hops on the ISP links; external_router1 is the route-to target
# used for policy routing.
external_router="192.168.11.1"
external_router1="192.168.22.1"


localhost="127.0.0.1"

# TCP state timeouts: long tcp.closing, short finwait/closed.
set timeout { tcp.closing 600, tcp.finwait 30, tcp.closed 60 }
# Hard caps on the state and fragment tables.
set limit { states 50000, frags 15000 }

# Loopback is not filtered at all (the ipfw side also passes lo0).
set skip on lo0

# <me>: every address this router owns, on all interfaces.
# "persist" keeps a table in the kernel even when no rule references it.
table <me> { 10.0.10.1, 10.0.20.1, 10.0.30.1, 10.0.40.1, 192.168.11.11, 192.168.22.22, 192.168.33.33} persist
# Router addresses on the internal side only (targets of the proxy rule).
table <me-internal> { 10.0.10.1, 10.0.30.1, 10.0.20.1, 10.0.40.1 }
table <internal> { 10.0.10.0/27, 10.0.30.0/24, 10.0.20.0/24, 10.0.40.0/24 }
# Filled at runtime by OpenBGPD and mirrored to ipfw tables 1/2 every
# 3 minutes (see the cover mail); empty in this file on purpose.
table <metro> persist
table <special> persist

# Hosts exempted from the transparent proxy (see the "no rdr" rule).
table <noproxy> { 10.0.30.123 } persist

# Prevent UCE issues - no outgoing SMTP from these
# <uce-override> punches holes in <no-uce>; the "quick" ordering in the
# port 25 section is what makes the override win.
table <no-uce> persist { 10.0.30.0/24, 10.0.40.0/24, 10.0.20.14, 10.0.20.20, 10.0.20.200 }
table <uce-override> persist {10.0.30.30, 10.0.30.130, 10.0.40.40, 10.0.40.140}

# Management sources allowed to ssh (addresses anonymized in this copy).
table <ssh> { 1.1.1.1, 2.2.2.2, 3.3.3.3, 4.4.4.0/30 }

# users with malware, force them to clean up - redirect to "call us" page
# Membership comes from a file, so it can be changed with pfctl -T
# without reloading the rules.
table <force-clean> persist file "/etc/ip-force-clean"

# Translation rules are first-match (unlike filter rules), so the order
# here is the policy:
#   1. infected hosts land on the warning page (port 81) whether they
#      hit port 80 directly or the proxy on 8000;
#   2. the "no rdr" exceptions keep web traffic to this box, from the
#      <noproxy> hosts, and to <metro>/<special> destinations off the
#      proxy - note those flows also bypass the ipfw "don't double
#      shape" exemption's assumption that port-80 traffic goes through
#      the proxy;
#   3. everything else on port 80 goes to the transparent proxy.
# force-clean
rdr on $int_if proto tcp from <force-clean> to any port 80 -> $localhost port 81
rdr on $int_if proto tcp from <force-clean> to <me> port 8000 -> $localhost port 81

no rdr on $int_if proto tcp from any to <me> port 80
no rdr on $int_if proto tcp from <noproxy> to any port 80
no rdr on $int_if proto tcp from any to <metro> port 80
no rdr on $int_if proto tcp from any to <special> port 80
rdr on $int_if proto tcp from any to any port 80 -> $localhost port 8000

## oops, this is really old here, keeping it just for the sake of full reporting
# NOTE(review): an empty anchor is harmless, but it is also a hook where
# rules can be loaded at runtime; if "temptest" really is unused, remove it.
anchor "temptest"


# Filter rules: the last matching rule wins unless it carries "quick".
# There is no catch-all "block in" in this file - only traffic addressed
# to this router (and to <force-clean> hosts) is denied by default;
# forwarded traffic to the internal networks is passed unless one of the
# specific block rules below matches.  Presumably intended for a transit
# role - confirm.
# malware gets no traffic from the outside
block in quick on $ext_if0 from any to <force-clean>
block in quick on $ext_if1 from any to <force-clean>

# this server
# Default-deny for the router itself; the "pass in" rules that follow
# carve out the public services.  Replies to the router's own outbound
# connections are admitted by the state created on the "pass out".
block in  log from any to <me>
pass  out     from <me> to any keep state

# public services
# ICMP is passed stateless; DNS (tcp+udp), HTTP and HTTPS keep state.
pass in log proto icmp from any to <me>
pass in log proto tcp from any to <me> port 53 keep state
pass in     proto udp from any to <me> port 53 keep state
pass in log proto tcp from any to <me> port 80 keep state
pass in log proto tcp from any to <me> port 443 keep state

# ssh - this server and 10.0.10.12 are restricted
# The "ssh" label groups these rules' counters under one name in pfctl.
# The block for 10.0.10.12 is non-quick, so the two later pass rules
# (from <ssh> and from the router itself) override it.
pass in log proto tcp from <ssh> to <me> port 22 keep state label "ssh"
block in log proto tcp from any to 10.0.10.12 port 22
pass in log proto tcp from <ssh> to 10.0.10.12 port 22 keep state label "ssh"
pass in log proto tcp from <me> to 10.0.10.12 port 22 keep state label "ssh"


# allow access to the proxy
# 8000 is the transparent proxy (see the rdr rules), reachable from the
# internal networks only.
pass in proto tcp from <internal> to <me-internal> port 8000 keep state
pass in proto tcp from <internal> to $localhost port 8000 keep state

# port 25 policy - a bit hairy
# Baseline: SMTP is allowed (non-quick, so later rules may override it).
pass  in       log proto tcp from any to any port = 25 keep state
# The exceptions are "quick" and come BEFORE the <no-uce> block, so a
# host listed in both <no-uce> and <uce-override> is still allowed.
pass  in quick log proto tcp from <uce-override>     to any port = 25 keep state
pass  in quick log proto tcp from 10.0.10.28 to 10.0.10.1 port = 25 keep state
#block side
block in quick log proto tcp from <no-uce> to any port = 25
# NOTE(review): identical to the line above; harmless, but should be removed.
block in quick log proto tcp from <no-uce> to any port = 25


# Policy routing
# "route-to" overrides the routing table for packets that would leave on
# $ext_if0 (em1), handing them to $external_router1 via $ext_if1 (bge0).
# "fastroute" is the opposite: it pins a flow to normal routing so it is
# not diverted by a route-to rule.
# first rule commented for the last 3 months
# pass out on $ext_if0 route-to ($ext_if1 $external_router1) from $internal_net_1 to !<internal> keep state
pass out on $ext_if0 fastroute from $internal_net_1 to <special> keep state
pass in  on $int_if  fastroute from $internal_net_1 to $localhost keep state
# Net 2 is the only network still policy-routed; its traffic to <special>
# and to the local proxy is exempted by the two fastroute rules below.
pass out on $ext_if0 route-to ($ext_if1 $external_router1) from $internal_net_2 to !<internal> keep state
pass out on $ext_if0 fastroute from $internal_net_2 to <special> keep state
pass in  on $int_if  fastroute from $internal_net_2 to $localhost keep state
pass in  on $int_if  fastroute from $internal_net_3 to $localhost keep state
pass in  on $int_if  fastroute from $internal_net_4 to $localhost keep state

# Explanation for the rules above:
#
# Net 1 used to be routed via external1, but that is no longer the case (only half of its policy routing is commented out).
#
# Most net 2 traffic goes out via the external1 interface ($ext_if1/bge0), except localhost (the transparent proxy causes localhost traffic) and
# traffic to "special" which should use the normal route - hence the "fastroute".

# force-clean -> warning, plus ping and DNS
# Quarantine on the internal side: everything from an infected host is
# blocked except the warning page (81, where the rdr rules send its web
# traffic), ping to the router and DNS.  The block is non-quick, so the
# later "pass" lines win for those services.
# NOTE(review): the icmp/udp/tcp rules below carry no "keep state";
# whether state is created depends on this pf version's default (pf from
# OpenBSD 4.1 on keeps state by default) - confirm DNS replies get back.
block in on $int_if from <force-clean> to any
pass in on $int_if proto tcp from <force-clean> to $localhost port 81 keep state
pass in on $int_if proto icmp from <force-clean> to <me>
pass in on $int_if proto udp from <force-clean> to <me> port 53
pass in on $int_if proto tcp from <force-clean> to <me> port 53


# just a good idea
# Windows file/print sharing (137-139, 445), MS-RPC (135) and SQL Server
# discovery (udp 1434), blocked on every interface.
# NOTE(review): SQL Server itself listens on TCP 1433; "proto udp ...
# port 1433" is probably meant to be "proto tcp" - confirm.
block in proto udp from any to any port 137:139
block in proto tcp from any to any port 137:139
block in proto tcp from any to any port 135
block in proto tcp from any to any port 445
block in proto udp from any to any port 1434
block in proto udp from any to any port 1433

