
RE: some problems with pf losing state information in



Hi, regarding the forum posting I made to deadly.org, I made a
cut-and-paste error with the pf.conf lines quoted in it -- I posted the
wrong lines. Sorry for that. Here is a better example of in and out
rules for http and https traffic:
    pass in on $ext_if proto tcp from $approved_outside_net to $www_int_ip port {www,https} keep state label "ext_if_in_$srcaddr->$dstaddr_$dstport"
    pass in on $ext_if proto tcp from $www_int_ip port {www,https} to $approved_outside_net keep state label "ext_if_in_$srcaddr_$srcport->$dstaddr" # shouldn't need this line
I added the second line because I would watch the pf device using
tcpdump and see a small number of packets blocked that were coming from
the web server on port 80 or port 443 to an outside machine. My
understanding of pf is that the "keep state" condition on the incoming
traffic rule should allow reply packets through. One poster on
deadly.org simply suggested increasing timeouts, which could well
address this issue.
The full ruleset is below, and the blocked packets logs are available
for download at http://www.eweek.com/article2/0,3959,743410,00.asp or I
can e-mail them to anyone who wants them. They are quite large, however.
Regards,
Tim Dyck
eWEEK Labs
==
#
# www.ms.openhack.com pf configuration file
#
# See pf.conf(5) for syntax and examples
#
# set variables
int_if = "rl0"
int_net = "10.0.5.0/24"
www_int_ip = "10.0.5.10"
name_server_ip = "209.20.153.100"
mail_server_ip = "209.20.153.102"
approved_mgmt_net = "{xx, xx, xx}"
#approved_outside_net = "{xx, xx}"
approved_outside_net = "any"
ext_if = "rl1"
ext_ip = "209.20.153.105"
blocked_net = "{209.20.153.110, 209.20.153.108, 10.0.10.0/24}" # Oracle machines
# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in all fragment reassemble
# all internal traffic to this gateway is NATed going out
nat on $ext_if from $int_net to any -> $ext_ip
# http and https are redirected to the internal Web server
rdr on $ext_if proto tcp from any to $ext_ip port www -> $www_int_ip port www
rdr on $ext_if proto tcp from any to $ext_ip port https -> $www_int_ip port https
# filter rules
# the implicit first two rules are
# pass in all
# pass out all
# default rule
block in log all label "block_in_all"
# prevent spoofed packets
antispoof for {$int_if, $ext_if} inet
# explicit deny rules
block in quick log from $blocked_net to any label "blocked_net_in_$srcaddr"
# block but don't log this traffic
block in quick proto tcp from $mail_server_ip to $ext_if port auth label "blocked_$srcaddr->$dstaddr_$dstport" # sendmail does an auth connection back to the sender and we don't care about this
# local interface rules
pass in inet from lo0 to lo0 label "lo0_if_in"
pass out inet from lo0 to lo0 label "lo0_if_out"
# external interface rules
pass in on $ext_if proto tcp from $approved_outside_net to $www_int_ip port {www,https} keep state label "ext_if_in_$srcaddr->$dstaddr_$dstport"
pass in on $ext_if proto tcp from $www_int_ip port {www,https} to $approved_outside_net keep state label "ext_if_in_$srcaddr_$srcport->$dstaddr" # shouldn't need this line
pass in on $ext_if proto udp from $www_int_ip to $name_server_ip port domain keep state label "ext_if_in_$srcaddr->$dstaddr_$dstport"
pass in on $ext_if proto tcp from $www_int_ip to $mail_server_ip port smtp keep state label "ext_if_in_$srcaddr->$dstaddr_$dstport"
pass in on $ext_if proto tcp from $mail_server_ip port smtp to $ext_if keep state label "ext_if_in_$srcaddr_$srcport->$dstaddr" # shouldn't need this line
pass in on $ext_if proto tcp from $approved_mgmt_net to $ext_if port ssh keep state label "ext_if_in_$srcaddr->$dstaddr_$dstport"
pass out on $ext_if proto {tcp,udp,icmp} all keep state label "ext_if_out_$proto"
# internal interface rules
pass in on $int_if proto tcp from $www_int_ip port {www,https} to $approved_outside_net keep state label "int_if_in_$srcaddr_$srcport->$dstaddr" # shouldn't need this line
pass in on $int_if proto udp from $www_int_ip to $name_server_ip port domain keep state label "int_if_in_$srcaddr->$dstaddr_$dstport"
pass in on $int_if proto tcp from $www_int_ip to $mail_server_ip port smtp keep state label "int_if_in_$srcaddr->$dstaddr_$dstport"
pass in on $int_if proto tcp from $approved_mgmt_net to $int_if port ssh keep state label "int_if_in_$srcaddr->$dstaddr_$dstport"
pass out on $int_if proto {tcp,udp,icmp} all keep state label "int_if_out_$proto"
# for testing only
#pass in proto icmp all keep state label "icmp_in"
#pass out proto icmp all keep state label "icmp_out"
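The triage Tim describes doing by hand with tcpdump on the pf log device, written up as an added example (not code from the message or from the pf project): it reads tcpdump-style lines from the pflog interface (constructed sample lines here, in an assumed format), keeps the blocked packets that one of the servers sent from a service port, i.e. the reply traffic a "keep state" rule should already cover, and tallies them by flow and TCP flags, since a tail of FIN/RST/ack-only packets after a connection closes is consistent with the state having timed out (the timeout suggestion) rather than having been lost. SERVER_PORTS, LINE_RE and the function names are this example's own; the hosts and ports come from the ruleset above.

```python
import re
from collections import Counter

# Servers and service ports from the pf.conf above (SERVER_PORTS is our own name).
SERVER_PORTS = {"10.0.5.10": {80, 443}, "209.20.153.102": {25}}

# One tcpdump line read from the pflog interface; assumed shape: timestamp,
# "rule N/M(match): block in on <if>:", then "src.port > dst.port: flags ...".
LINE_RE = re.compile(
    r"rule \d+/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>[SFRP.]+)"
)

def parse_pflog_line(line):
    """Fields of one pflog line as a dict, or None when the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    pkt = m.groupdict()
    pkt["sport"], pkt["dport"] = int(pkt["sport"]), int(pkt["dport"])
    return pkt

def is_server_reply(pkt):
    """True when one of our servers sent it from a service port (reply traffic)."""
    return pkt["sport"] in SERVER_PORTS.get(pkt["src"], set())

def triage_blocked(lines):
    """Count blocked server replies per (src, sport) and per TCP flag string; F, R and
    ack-only tails suggest expired state, blocked data (P) replies suggest lost state."""
    by_flow, by_flags, other = Counter(), Counter(), 0
    for line in lines:
        pkt = parse_pflog_line(line)
        if pkt is None or pkt["action"] != "block":
            continue
        if is_server_reply(pkt):
            by_flow[(pkt["src"], pkt["sport"])] += 1
            by_flags[pkt["flags"]] += 1
        else:
            other += 1
    return {"by_flow": dict(by_flow), "by_flags": dict(by_flags), "other_blocked": other}

# Constructed sample lines (not real log data) in the shape described above.
SAMPLE_LOG = """\
Dec 09 12:17:01.100000 rule 0/0(match): block in on rl0: 10.0.5.10.80 > 192.0.2.5.34567: F 1:1(0) ack 1 win 17520
Dec 09 12:17:01.200000 rule 0/0(match): block in on rl0: 10.0.5.10.443 > 192.0.2.7.40001: R 0:0(0) ack 1 win 0
Dec 09 12:17:02.300000 rule 0/0(match): block in on rl0: 10.0.5.10.80 > 192.0.2.5.34567: . ack 2 win 17520
Dec 09 12:17:03.400000 rule 1/0(match): block in on rl1: 209.20.153.110.5555 > 209.20.153.105.22: S 10:10(0) win 5840
Dec 09 12:17:04.500000 rule 0/0(match): block in on rl1: 192.0.2.9.1234 > 209.20.153.105.80: P 1:20(19) ack 1 win 5840
""".splitlines()
```

Feed it the output of tcpdump on pflog0 (one line per packet) instead of SAMPLE_LOG to see how many of the blocked packets are really server replies and what flags they carry.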
-----Original Message-----
From: Dries Schellekens [mailto:[email protected]] 
Sent: Monday, December 09, 2002 12:17
To: [email protected]
Cc: Dyck, Timothy
Subject: some problems with pf losing state information in
Taken from deadly.org
some problems with pf losing state information in
by Timothy Dyck, eWEEK Labs ([email protected]) on Monday,
December 09 @04:30AM
One thing people will notice in the pf.conf files is some rules that
explicitly allow reply traffic through the firewall when a "keep state"
parameter on the incoming traffic rule should have taken care of this
automatically.
Here's an example:
pass in on $int_if proto tcp from $mail_relay_ok_net to $int_if port smtp keep state label "int_if_in_$srcaddr->$dstaddr_$dstport"
pass in on $int_if proto udp from $name_server_ip port domain to $int_if keep state label "int_if_in_$srcaddr_$srcport->$dstaddr" # shouldn't need this line
When I watched the log of blocked packets, I'd find that a small number of
reply packets were getting blocked until I added reply rules like the
second one above. It appeared that pf was losing track of the state of
certain incoming connections and so generated reply traffic wasn't being
correctly associated with incoming traffic.
Anyone experienced this? It wasn't a big problem, but I shouldn't have
needed those extra rules. This is with release OpenBSD 3.2.
Thanks,
Tim Dyck
eWEEK Labs