dmehler
August 8th, 2005, 19:31
Hello,,
I'm trying to get the below pf ruleset working. I'm using FreeBSD 5.4 and am doing a block by default policy. I'm filtering on all interfaces, so i can have fine control of what goes where, i don't think i have this last right. My problem is ftp from behind my natted gateway, i.e. lan clients, and from the gateway itself isn't working, i keep getting a 421 unable to build data connection, everything i've read says this should work. My second problem is one of gre and nat, i've got a natted mpd server, but to get there the gre protocol isn't natting properly. I'd appreciate any help.
Thanks.
Dave.
pf.conf:
# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# macros
# define the two network interfaces
ext_if="xl0"
int_if="xl1"
pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
icmp_types = "echoreq"
# define our networks
lan_net="192.168.0.0/24"
# define servers
lan_server="192.168.0.3"
nameservers = "{ 127.0.0.1 }"
isp_dhcp_server = "10.40.224.1"
# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1194, 1723, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 5190, cvsup, 6667, 8000, 8080, 8505, 8880 }"
# options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
# This helps protect against my maximum states being reached
# when being port scanned.
set timeout tcp.closed 1
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
# normalize packets to prevent fragmentation attacks
scrub on $ext_if all random-id reassemble tcp
scrub on $int_if inet no-df
# nat
# translate lan client addresses to that of the externalinterface
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat-anchor "pftpx/*"
# redirections
rdr on $ext_if proto tcp from any to any port $int_to_lan_services -> $lan_server
# pptp
rdr pass on $ext_if proto gre from any to any -> $lan_server
# pftpx ftp proxy
rdr-anchor "pftpx/*"
rdr on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
# default deny
block log all
# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all
# pass loopback traffic
pass quick on lo0 all
# pass ng0 pptp vpn traffic
pass quick on $pptp all
# pftpx proxy traffic
anchor "pftpx /*"
# pass the traffic
pass quick on $int_if inet proto tcp from $lan_net to lo0 port 8021 flags S/SA keep state
pass in quick on $int_if inet proto tcp from any port 20 to $int_if port > 49000 user proxy flags S/SA keep state
pass in quick on $int_if inet proto tcp port 20 from any to $int_if port > 49000 user proxy flags S/SA keep state label "ftp proxy Passv mode data connection)
# Fix sites that violate RFC 959 which specifies that the data connection
# be sourced from the command port - 1 (typically port 20)
# This workaround doesn't expose us to any extra risk as we'll still only allow
# connections to the firewall on a port that ftp-proxy is listening on
pass in quick on $int_if inet proto tcp from any to $int_if port > 49000 user proxy flags S/SA keep state label "ftp proxy: rfc959 violation workaround"
# antispoof options
antispoof quick for $ext_if inet
antispoof quick for $int_if inet
# External interface (Incoming)
# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc
# Allow internet requests through in order to contact lan server
# keep state on this connection
pass in quick on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA keep state
# allow ping and traceroute
pass in inet proto icmp all icmp-type $icmp_types keep state
# pptp
pass in proto gre to any
pass out proto gre to any
pass in quick on $ext_if proto gre from any to $lan_server keep state
pass in quick on $ext_if from any to $lan_server port 1723 keep state
# External interface (outgoing)
# allow dhcp out
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps
# allow UDP requests to port 53 from firewall to exit ext_if
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to $nameservers port 53 keep state
# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state
# Allow traffic from lan clients to exit $ext_if
# (After natting is performed) in order to contact internet servers
# (Keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA keep state
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out quick on $ext_if inet proto udp from any to any \
port 33433 >< 33626 keep state
# Internal interface (incoming)
# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $lan_net to $int_if:broadcast
# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto udp from $lan_net to $int_if port 53 keep state
# allow UDP requests to ports 67, 68, and 123 from lan clients to enter lan
# in order to perform dhcp and ntp queries on the firewall
# ( Keep state on this connection)
pass in quick on $int_if inet proto udp from $lan_net to $int_if port { 67, 68, 123 } keep state
# allow lan traffic from lan clients to enter lan
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $lan_net to any port $lan_to_int_services flags S/SA keep state
# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $lan_net to any icmp-type 8 keep state
# Internal interface (Outgoing)
# Allow internet requests to exit lan
# in order to contact internet servers
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services keep state
# Firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port 22 flags S/SA keep state
pass in quick inet proto icmp icmp-type 8 code 0 keep state
pass out quick inet proto icmp icmp-type 8 code 0 keep state
I'm trying to get the below pf ruleset working. I'm using FreeBSD 5.4 and am doing a block by default policy. I'm filtering on all interfaces, so i can have fine control of what goes where, i don't think i have this last right. My problem is ftp from behind my natted gateway, i.e. lan clients, and from the gateway itself isn't working, i keep getting a 421 unable to build data connection, everything i've read says this should work. My second problem is one of gre and nat, i've got a natted mpd server, but to get there the gre protocol isn't natting properly. I'd appreciate any help.
Thanks.
Dave.
pf.conf:
# pf.conf
# for use on gateway box
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# macros
# define the two network interfaces
ext_if="xl0"
int_if="xl1"
pptp = "{ ng1 ng2 ng3 ng4 ng5 ng6 ng7 ng8 ng9 ng10 ng11 ng12 ng13 ng14 }"
icmp_types = "echoreq"
# define our networks
lan_net="192.168.0.0/24"
# define servers
lan_server="192.168.0.3"
nameservers = "{ 127.0.0.1 }"
isp_dhcp_server = "10.40.224.1"
# define services
int_to_lan_services = "{ ssh, smtp, www, pop3, https, pop3s, 1194, 1723, 8000 }"
lan_to_int_services = "{ ftp-data, ftp, ssh, smtp, 43, domain, http, pop3, nntp, imap, https, imaps, pop3s, 1790, 1791, 1792, 1793, 1794, 1795, 5190, cvsup, 6667, 8000, 8080, 8505, 8880 }"
# options
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"
# This helps protect against my maximum states being reached
# when being port scanned.
set timeout tcp.closed 1
set timeout { interval 10, frag 30 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 10000, frags 5000 }
# normalize packets to prevent fragmentation attacks
scrub on $ext_if all random-id reassemble tcp
scrub on $int_if inet no-df
# nat
# translate lan client addresses to that of the externalinterface
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat-anchor "pftpx/*"
# redirections
rdr on $ext_if proto tcp from any to any port $int_to_lan_services -> $lan_server
# pptp
rdr pass on $ext_if proto gre from any to any -> $lan_server
# pftpx ftp proxy
rdr-anchor "pftpx/*"
rdr on $int_if proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
# default deny
block log all
# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all
# pass loopback traffic
pass quick on lo0 all
# pass ng0 pptp vpn traffic
pass quick on $pptp all
# pftpx proxy traffic
anchor "pftpx /*"
# pass the traffic
pass quick on $int_if inet proto tcp from $lan_net to lo0 port 8021 flags S/SA keep state
pass in quick on $int_if inet proto tcp from any port 20 to $int_if port > 49000 user proxy flags S/SA keep state
pass in quick on $int_if inet proto tcp port 20 from any to $int_if port > 49000 user proxy flags S/SA keep state label "ftp proxy Passv mode data connection)
# Fix sites that violate RFC 959 which specifies that the data connection
# be sourced from the command port - 1 (typically port 20)
# This workaround doesn't expose us to any extra risk as we'll still only allow
# connections to the firewall on a port that ftp-proxy is listening on
pass in quick on $int_if inet proto tcp from any to $int_if port > 49000 user proxy flags S/SA keep state label "ftp proxy: rfc959 violation workaround"
# antispoof options
antispoof quick for $ext_if inet
antispoof quick for $int_if inet
# External interface (Incoming)
# Allow dhcp in
pass in quick on $ext_if inet proto udp from $isp_dhcp_server port bootps to 255.255.255.255 port bootpc
# Allow internet requests through in order to contact lan server
# keep state on this connection
pass in quick on $ext_if inet proto tcp from any to $lan_server port $int_to_lan_services flags S/SA keep state
# allow ping and traceroute
pass in inet proto icmp all icmp-type $icmp_types keep state
# pptp
pass in proto gre to any
pass out proto gre to any
pass in quick on $ext_if proto gre from any to $lan_server keep state
pass in quick on $ext_if from any to $lan_server port 1723 keep state
# External interface (outgoing)
# allow dhcp out
pass out quick on $ext_if inet proto udp from $ext_if to any port bootps
# allow UDP requests to port 53 from firewall to exit ext_if
# in order to contact internet nameservers (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to $nameservers port 53 keep state
# allow UDP requests to port 123 from firewall to exit ext_if
# in order to contact internet ntp servers
# (keep state on this connection)
pass out quick on $ext_if inet proto udp from $ext_if to any port 123 keep state
# Allow traffic from lan clients to exit $ext_if
# (After natting is performed) in order to contact internet servers
# (Keep state on this connection)
pass out quick on $ext_if inet proto tcp from $ext_if to any port $lan_to_int_services flags S/SA keep state
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out quick on $ext_if inet proto udp from any to any \
port 33433 >< 33626 keep state
# Internal interface (incoming)
# allow lan broadcasts
pass in quick on $int_if proto { tcp, udp } from $lan_net to $int_if:broadcast
# allow UDP requests to port 53 from lan clients to enter LAN
# in order to perform dns queries on the firewall
# (keep state on this connection)
pass in quick on $int_if inet proto udp from $lan_net to $int_if port 53 keep state
# allow UDP requests to ports 67, 68, and 123 from lan clients to enter lan
# in order to perform dhcp and ntp queries on the firewall
# ( Keep state on this connection)
pass in quick on $int_if inet proto udp from $lan_net to $int_if port { 67, 68, 123 } keep state
# allow lan traffic from lan clients to enter lan
# in order to contact internet servers (keep state on this connection)
pass in quick on $int_if inet proto tcp from $lan_net to any port $lan_to_int_services flags S/SA keep state
# allow requests from lan admin to enter LAN
# in order to ping/traceroute any system (firewall, dmz server, and internet hosts)
pass in quick on $int_if inet proto icmp from $lan_net to any icmp-type 8 keep state
# Internal interface (Outgoing)
# Allow internet requests to exit lan
# in order to contact internet servers
pass out quick on $int_if inet proto tcp from any to $lan_server port $int_to_lan_services keep state
# Firewall connects to the lan server via scp/ssh for backup purposes
pass out quick on $int_if inet proto tcp from $int_if to $lan_server port 22 flags S/SA keep state
pass in quick inet proto icmp icmp-type 8 code 0 keep state
pass out quick inet proto icmp icmp-type 8 code 0 keep state