
Re: Can't pass traffic in to internal IP address




The application may not be NAT compatible. For example, what if it grabs your desktop NIC's IP and tells someone outside your firewall to connect to 555.555.555.555?


Some applications have a user setting that might help... Citix (clusters), for example, had a setting for this situation.

Mike


On Tue, 18 Jan 2005, Matt Pearce wrote:


Hi All,

I'm new to pf, so bear with me if I'm asking a silly question.

OK, background info. I have an external IP of 444.444.444.444/32 (real-world routable) and a block of addresses 333.333.333.333/29 (also real-world routable). Now, on my desktop PC 555.555.555.555 I am running a P2P program. Part of this is set to listen on port 50000 TCP so other P2P programs can connect to me. The problem is that no matter what I try I cannot pass the data straight in to my desktop PC without opening things way up, which defeats the purpose of a firewall.

Below is the block log pflog gives me for this. As you can see, the request is being blocked to an incoming address of 444.444.444.444 (my external IP); however, this shouldn't be, as the request is actually being sent from 555.555.555.555. Does anyone have any idea why pf is doing this and how to fix it?

Below are my pf.conf rules and my pflog output.

Thanks for your help,

Matt.


Pflog output:-


19. 784629 rule 36/0(match): block in on tun0: IP 213.186.46.164.49399 > 444.444.444.444.50000: . ack 1 win 5840
7. 559214 rule 36/0(match): block in on tun0: IP 213.186.46.164.49497 > 444.444.444.444.50000: S 745051178:745051178(0) win 5840 <mss 1440,sackOK,timestamp[|tcp]>
1. 945630 rule 36/0(match): block in on tun0: IP 213.186.46.164.49497 > 444.444.444.444.50000: S 745051178:745051178(0) win 5840 <mss 1440,sackOK,timestamp[|tcp]>
5. 999828 rule 36/0(match): block in on tun0: IP 213.186.46.164.49497 > 444.444.444.444.50000: S 745051178:745051178(0) win 5840 <mss 1440,sackOK,timestamp[|tcp]>


(the 36/0 rule also matches 0/0 rule if the 36/0 rule is commented out)


pf.conf:-


#################Setup macros here
ext_if = "tun0"
dsl_if = "sis0"
int_if = "sis1"
vpn_if = "gif0"
vpn_addr = "{111.111.111.111/32, 222.222.222.222/30, 10.0.0.0/8}"
lan_net = "333.333.333.333/29"
ext_ip = "444.444.444.444"
matt_ip = "555.555.555.555"
#tcp_in_opts = "flags S/SA modulate state"
tcp_in_opts = "flags S/SA synproxy state"
#tcp_opts = "flags S/SA modulate state"
tcp_opts = "flags S/SA synproxy state"
udp_opts = "keep state"

# People we don't want to talk to (baddies)
table <badies> persist { 65.244.133.103, 192.0.34.166, 69.93.206.106 }

# Networks that aren't assigned and/or aren't allowed to be routed on the internet
table <reserved> persist { \
0.0.0.0/7, 2.0.0.0/8, 5.0.0.0/8, 7.0.0.0/8, 10.0.0.0/8, 23.0.0.0/8, \
27.0.0.0/8, 31.0.0.0/8, 36.0.0.0/7, 39.0.0.0/8, 41.0.0.0/8, 42.0.0.0/8, \
49.0.0.0/8, 50.0.0.0/8, 58.0.0.0/7, 70.0.0.0/7, 72.0.0.0/5, 83.0.0.0/8, \
84.0.0.0/6, 88.0.0.0/5, 96.0.0.0/3, 169.254.0.0/16, 172.16.0.0/12, \
173.0.0.0/8, 174.0.0.0/7, 176.0.0.0/5, 184.0.0.0/6, 189.0.0.0/8, \
190.0.0.0/8, 192.0.2.0/24, 192.168.0.0/16, 197.0.0.0/8, 198.18.0.0/15, \
223.0.0.0/8, 224.0.0.0/3, 255.255.255.255 \
}


# Evil advertising spam
table <doubleclick> persist { \
216.73.80.0/20, 204.253.104.0/24, 205.138.3.0/24, 208.184.29.0/24, \
206.65.183.0/24 \
}

table <mediaforce> persist { \
2.23.190.0/24, 65.247.105.0/24, 65.215.137.0/24, 208.251.137.0/24 \
}

table <verisign> persist { 64.94.110.11 }
table <x10> persist { 63.211.210.20 }

#################Set OPTIONS policies here

set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set optimization aggressive
#set optimization conservative
set require-order yes
set limit {states 20000, frags 10000}

##################Scrub fragments etc for processing #### NORMALIZATION
scrub out on $ext_if random-id no-df
scrub in on $ext_if fragment reassemble
scrub on $ext_if reassemble tcp

###############ALTQ QoS goes here ####QUEUEING

# We can have 15 different priorities
altq on $ext_if bandwidth 200Kb qlimit 100 priq queue { q_ssh_shell_out, q_ssh_bulk_out, q_out, q_http_out, q_dns_out, q_vpn_out, q_mail_out, q_wwwb_out, q_dn
queue q_udp_out priority 15 priq
queue q_icmp_out priority 14 priq
queue q_ack_out priority 13 priq
#queue q_voip_out priority 12 priq
queue q_dnsb_out priority 11 priq
queue q_wwwb_out priority 10 priq
queue q_mail_out priority 9 priq
queue q_ssh_shell_out priority 8 priq
queue q_ssh_bulk_out priority 7 priq
queue q_vpn_out priority 4 priq #(red)
queue q_dns_out priority 3 priq #(red)
queue q_http_out priority 2 priq #(red)
queue q_out priority 1 priq(default)


###################default deny policy on external interface
block in log on $ext_if
block out on $ext_if
block in quick on $ext_if from { <verisign>, <x10>, <doubleclick>, <mediaforce>, <reserved>, <badies> }


block in quick on $ext_if inet6
block out quick on $ext_if inet6

################Antispoofing stuff here
#antispoof log quick for $ext_if

################External interface Out rules here
pass out quick on $ext_if inet proto tcp from any to any port = 22 $tcp_opts queue (q_ssh_shell_out, q_ssh_bulk_out)
pass out quick on $ext_if inet proto tcp from any to any port = 53 $tcp_opts queue q_dnsb_out
pass out quick on $ext_if inet proto tcp from any to any port {80, 119} $tcp_opts queue q_wwwb_out
pass out quick on $ext_if inet from any to $vpn_addr queue q_vpn_out
pass out quick on $ext_if inet proto udp from $ext_ip port = 53 to any $udp_opts queue q_dns_out
pass out quick on $ext_if inet proto tcp from $ext_ip port = 53 to any $tcp_opts queue q_dns_out
pass out quick on $ext_if inet proto tcp from $ext_ip port = 80 to any $tcp_opts queue q_http_out
pass out quick on $ext_if inet proto icmp $udp_opts queue q_icmp_out
pass out quick on $ext_if inet proto udp $udp_opts queue q_udp_out
pass out quick on $ext_if inet proto tcp $tcp_opts queue ( q_out, q_ack_out )


################Block specific outbound traffic

block out quick on $ext_if from any to 192.168.0.0/16
block out quick on $ext_if all

###############How to handle data coming into the external interface

#pass in quick on $ext_if proto tcp from any to $ext_ip port = 21 $tcp_in_opts

#SSH, Mail, DNS, WWW ports here for TCP
pass in quick on $ext_if inet proto tcp from any to $ext_ip port { 22, 25, 53, 80 } $tcp_in_opts


#DNS port here for UDP
pass in quick on $ext_if inet proto udp from any to $ext_ip port = 53 $udp_opts


#Matt's P2P ports to PC here
pass in quick on $ext_if inet proto tcp from any to $matt_ip port = 4662 $tcp_in_opts
pass in quick on $ext_if inet proto tcp from any to $matt_ip port = 50000 $tcp_in_opts
pass in quick on $ext_if inet proto tcp from any to $matt_ip port = 50001 $tcp_opts
pass in quick on $ext_if inet proto udp from any to $matt_ip port = 12395 $udp_opts


#VPN Ports here
pass in quick on $ext_if inet proto udp from any port = 500 to $ext_ip port = 500 $udp_opts
pass in quick on $ext_if inet proto esp from any to $ext_ip $udp_opts


#block anything coming in that isn't authorized
block in log quick on $ext_if inet

################Internal interface rules here
pass in quick on $int_if from $lan_net to any
pass out quick on $int_if from any to $lan_net
block quick on $int_if all

################ Pass all data to and from loopback interface
pass quick on lo0
block quick on lo0

################VPN Data rules here for once the tunnel is established
#pass quick on $vpn_if
#block in quick on $vpn_if from any to 192.168.0.0/16
#block out quick on $vpn_if from any to 192.168.0.0/16

############### Sis0 interface that the ADSL modem is connected to, probably not needed but handy if you can access stats on modem
pass quick on $dsl_if
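The pflog lines above show the remote peer connecting to $ext_ip:50000, while the only inbound pass rules for that port match $matt_ip, and the posted pf.conf contains no translation rule that would rewrite the destination; the packet therefore falls through to the logging block rule. The fragment below is an added example, not part of the thread, showing the rdr rule that performs that rewrite; it reuses the macros from the posted pf.conf and assumes the pf syntax of OpenBSD releases of that time (pre-4.7), where translation rules must precede filter rules.

```pf
# Added example (not from the thread): redirect inbound TCP 50000 arriving
# on the external interface for $ext_ip to the desktop ($matt_ip).
# With "set require-order yes" in effect, this rdr line belongs after the
# altq/queue section and before the first filter rule
# ("block in log on $ext_if"); pfctl rejects it anywhere later.
rdr on $ext_if inet proto tcp from any to $ext_ip port 50000 -> $matt_ip port 50000

# Filter rules are evaluated after translation, so the pass rule must match
# the rewritten destination ($matt_ip), which the posted rule already does.
# Shown again here so the pair can be read together; keep only one copy.
pass in quick on $ext_if inet proto tcp from any to $matt_ip port = 50000 $tcp_in_opts

# Checks before and after loading (run as root):
#   pfctl -nf /etc/pf.conf   # parse only; catches ordering/syntax errors
#   pfctl -f /etc/pf.conf    # load the ruleset
#   pfctl -sn                # list active translation rules; rdr must appear
#   pfctl -sr | grep 50000   # confirm the pass rule targets $matt_ip
```

After this, the pflog block entries for port 50000 should stop appearing; a block that still shows $ext_ip as the destination means the rdr was not loaded or sits in the wrong position. This only handles the firewall side; if the P2P program itself advertises a different address to its peers, as Mike's reply describes, that is a separate application setting.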