
Re: Problems with PF



On Apr 11, 2005 1:04 PM, Abdul Rehman Gani <[email protected]> wrote:
> Hi,
---%< snip %<---
> 16:32:26.703535 196.35.86.108.3176 > 66.102.11.104.80: . ack 2498 win
> 8760 (DF)
> 16:32:27.274370 196.35.86.108.3176 > 66.102.11.104.80: . ack 3928 win
> 7330 (DF)
> 16:32:27.491531 196.35.86.108.3176 > 66.102.11.104.80: . ack 4717 win
> 8760 (DF)
> 16:33:32.336069 196.35.86.108.3176 > 66.102.11.104.80: R
> 1946755753:1946755753(0) win 0 (DF)
> ^C
> 333327 packets received by filter
> 0 packets dropped by kernel
> 
> System info:-
> 
> # uname -a
> OpenBSD rubberband.eastcoast.co.za 3.6 RUBBERBAND#0 i386
> # cd /usr/src/sys/arch/i386/conf/
> # diff RUBBERBAND GENERIC
Does this problem manifest itself with a real GENERIC kernel?
http://www.openbsd.org/faq/faq5.html#Why
> # dmesg
> OpenBSD 3.6-stable (RUBBERBAND) #0: Sat Apr  2 12:48:16 SAST 2005
> 
> [email protected]:/usr/src/sys/arch/i386/compile/
> RUBBERBAND
> cpu0: Intel(R) Celeron(R) CPU 1.70GHz ("GenuineIntel" 686-class) 1.72
> GHz
> cpu0:
>
---%< snip %<---
> 
> # Macros: define common values, so they can be referenced and changed easily.
> ext_if="fxp0"   # replace with actual external interface name i.e., dc0
> int_if="rl0"    # replace with actual internal interface name i.e., dc1
> 
> # Tables: similar to macros, but more flexible for many addresses.
> table <dial> { 196.35.86.0/24, 196.33.34.64/26 }
> table <routers> { 196.33.34.237/32, 196.33.34.246/32, 196.33.34.247/32,
> 196.33.34.248/32, 196.33.34.249/32, 196.33.34.250/32, 196.33.34.251/32,
> 196.33.34.252/32, 196.33.34.253/32 }
> table <rfc1918> { 10/8, 172.16/12, 192.168/16 }
> table <scribe> { 196.33.34.233/32 }
> table <jamiat> { 196.33.34.217/32 }
> table <afriprod> { 196.33.34.221/32 }
Are these static tables? You might like to place a const between the ">" and the "{".
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> scrub in all
> 
> # Queueing: rule-based bandwidth control.
> altq on $int_if          bandwidth 3072Kb cbq (red, ecn) queue { dflt_i, mail_i, jamiat_i }
> queue dflt_i             bandwidth 2528Kb cbq (default, red, ecn)
> queue mail_i             bandwidth 512Kb cbq (borrow, red, ecn)
> queue jamiat_i           bandwidth 32Kb cbq (red, ecn)
> 
> altq on $ext_if          bandwidth 3072Kb cbq (red, ecn) queue { dflt_o, mail_o, jamiat_o }
> queue dflt_o             bandwidth 2528Kb cbq (default, red, ecn)
> queue mail_o             bandwidth 512Kb cbq (borrow, red, ecn)
> queue jamiat_o           bandwidth 32Kb cbq (red, ecn)
You do not need ECN + RED; as stated in pf.conf(5), ECN implies RED.
> # Filtering: the implicit first two rules are
> pass in all
> pass out all
Having a default block drop all followed by a pass on $interface1,
$interface2, etc. may be a better solution; it would also make a lot of
the block rules redundant, plus a few antispoof rules might be a good
idea?
> # restrict access to our routers
> block in quick on $ext_if from any to <routers>
> 
> # block rfc 1918 addresses in or out
> block in quick from any to <rfc1918>
> block in quick from <rfc1918> to any
> 
> # block smtp connects from our dial pool
> block in quick log on $int_if proto tcp from <dial> to any port smtp
> 
> # block ms networking shit and mydoom
> block in quick log proto { tcp, udp } from any to any port { 135, 137,
> 139, 3126><3199, 445, 1433 }
> 
> # assign traffic to queues
> pass out quick on $int_if proto tcp from any to <scribe> port { smtp,
> pop3, imap } keep state queue mail_i
> pass out quick on $int_if from any to <jamiat> keep state queue jamiat_i
> 
> pass out quick on $ext_if proto tcp from <scribe> to any port { smtp } keep state queue mail_o
> pass out quick on $ext_if from <jamiat> to any keep state queue jamiat_o
> #
> 
Do you REALLY need all those quick keywords in there? To be quite
honest, I am surprised if this ruleset worked as you intended. The
OpenBSD pf will pass all traffic out because in 99.999% of the cases,
all of the packets match these two rules:
# Filtering: the implicit first two rules are
pass in all
pass out all
I know what an "egress unit" is supposed to do, but the above fails to
meet the target, unintentionally.
Kimi
-- 
spamassassinexception
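For reference, here is the quoted ruleset reworked along the lines of the points raised in the reply above: tables marked const, ecn without red, an explicit default block with per-interface pass rules, and antispoof. This is an added example, not part of the original thread and not OpenBSD project code. The macros, tables, queues and block rules are taken from the poster's ruleset; the assumption that the dial pool and the <scribe>, <jamiat> and <afriprod> hosts all sit behind $int_if is mine, and the pass rules are deliberately as wide as the original so the behaviour stays recognisable. Check it with `pfctl -nf /etc/pf.conf` before loading.

```pf
# Macros
ext_if="fxp0"   # external interface
int_if="rl0"    # internal interface

# Tables: 'const' makes them immutable once loaded (pfctl -t <name> -T add is refused)
table <dial>     const { 196.35.86.0/24, 196.33.34.64/26 }
table <routers>  const { 196.33.34.237/32, 196.33.34.246/32, 196.33.34.247/32,
                         196.33.34.248/32, 196.33.34.249/32, 196.33.34.250/32,
                         196.33.34.251/32, 196.33.34.252/32, 196.33.34.253/32 }
table <rfc1918>  const { 10/8, 172.16/12, 192.168/16 }
table <scribe>   const { 196.33.34.233/32 }
table <jamiat>   const { 196.33.34.217/32 }
table <afriprod> const { 196.33.34.221/32 }

# Normalization
scrub in all

# Queueing: 'ecn' alone, since pf.conf(5) states that ECN implies RED
altq on $int_if bandwidth 3072Kb cbq (ecn) queue { dflt_i, mail_i, jamiat_i }
queue dflt_i   bandwidth 2528Kb cbq (default, ecn)
queue mail_i   bandwidth 512Kb  cbq (borrow, ecn)
queue jamiat_i bandwidth 32Kb   cbq (ecn)

altq on $ext_if bandwidth 3072Kb cbq (ecn) queue { dflt_o, mail_o, jamiat_o }
queue dflt_o   bandwidth 2528Kb cbq (default, ecn)
queue mail_o   bandwidth 512Kb  cbq (borrow, ecn)
queue jamiat_o bandwidth 32Kb   cbq (ecn)

# Filtering: explicit default deny. pf evaluates rules top to bottom and the
# LAST matching rule wins unless a rule carries 'quick', so these two are
# overridden only by the pass rules that follow them.
block in  log all
block out log all

# Drop packets whose source address could not legitimately have arrived on
# the interface they came in on (expands to per-interface block rules).
antispoof quick for { lo0, $int_if, $ext_if }

# The poster's block rules, unchanged; 'quick' keeps them ahead of the
# broad pass rules below.
block in quick on $ext_if from any to <routers>
block in quick from any to <rfc1918>
block in quick from <rfc1918> to any
block in quick log on $int_if proto tcp from <dial> to any port smtp
block in quick log proto { tcp, udp } from any to any port { 135, 137, 139,
    3126><3199, 445, 1433 }

# Per-interface pass rules (ASSUMPTION: <dial>, <scribe>, <jamiat> and
# <afriprod> are all reached via $int_if). These are as wide as the original
# "pass in all / pass out all"; narrow them per host and service once the
# real traffic is known.
pass in  on $int_if all keep state
pass out on $ext_if all keep state
pass in  on $ext_if all keep state
pass out on $int_if all keep state

# Queue assignment: no 'quick' needed here, a later matching pass rule
# simply replaces the earlier broad one and supplies the queue.
pass out on $int_if proto tcp from any to <scribe> port { smtp, pop3, imap } keep state queue mail_i
pass out on $int_if from any to <jamiat> keep state queue jamiat_i
pass out on $ext_if proto tcp from <scribe> to any port smtp keep state queue mail_o
pass out on $ext_if from <jamiat> to any keep state queue jamiat_o
```

Two things to verify after loading: `pfctl -sr` shows the antispoof lines expanded into the concrete block rules pf generated for each interface, and `pfctl -t routers -T add 1.2.3.4` should now fail, confirming the const tables cannot be altered at runtime.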