eRacks Forums

eRacks Open Source Systems forums for discussion, ideas, and support.


Setting PFW Rules

(6 posts)

  1. kenneth2k1
    Member

    So, I am getting into this pfw now, and I have some questions about setting these rules.

    1. I assume "interface" means my network card. Part of the basic configuration involved setting a macro, where ext_if was set as the lo0. If I am translating this right, does the ext_if stand for the network interface lo0? In my case, my net adapters are re0 and re1. If so, why do I set the interface to $ext_if instead of just using the re0?

    And what does the $ mean?

    2. Does the syntax "any" work as a source or destination?

    3. If I need to put in a port number, what makes it dependent upon whether I put it in the source or destination section?

    4. Is a protocol always necessary?

    5. What does the Family Address represent? What does inet mean and when should I use it?

    6. What would be the rule if I wanted to block incoming pings?

    In the next post, I will show you what I have. I know there are errors, but perhaps I could get some pointers?

    Thanks!!!

    Posted 2 years ago #
  2. kenneth2k1
    Member

    # ruleset automatically generated by pfw
    #

    ext_if = "re0" # External interface
    int_if = "re1" # Internal interface

    block log all # Default block rule
    pass in on re0 all # Allow everything on localhost

    # Antispoof rules
    antispoof for $ext_if

    # General rules
    pass in log on $ext_if inet proto tcp from any to $ext_if port { ssh https } keep state # Allow administration of the firewall

    # Network Rules
    pass in log on $ext_if from ipsec_users to 172.20.0.0 # Any in
    pass out log on $ext_if from 172.20.0.0 to ipsec_users # Any out
    pass in on $ext_if proto tcp from any to 172.20.255.108 port 5190 # AOL in
    pass out log on $ext_if proto tcp from 172.20.255.108 to any port 5190 # AOL out
    pass in on $ext_if from any to 172.20.255.108 port 5190 # AOL in
    pass out log on $ext_if proto tcp from 172.20.1.110 port 80 to any # Filtered-HTTP
    pass in on $ext_if proto tcp from any to 172.20.255.108 port 25 # Filtered-SMTP in
    pass out log on $ext_if proto tcp from 172.20.255.108 port 25 to any # Filtered-SMTP out
    pass in log on $ext_if proto FTP from 208.57.255.187 port 21 to 172.20.99.6 # FTP in
    pass out log on $ext_if proto FTP from 172.20.99.6 to any port 21 # FTP out
    pass in log on $ext_if proto tcp from 208.57.255.187 port 443 to 172.20.255.189 # HTTPS_Synxis in

    Posted 2 years ago #
  3. kenneth2k1
    Member

    Well after reading about PF, I answered a few of my own questions.

    ext_if is a macro for my interfaces.

    "Any" will work as a valid source/destination according to the literature.

    It said a protocol will be assumed based on the transmission if I don't specify

    Family address is inet for IPv4, inet6 for IPv6
    _____________________________________________________________

    But I still have questions!!

    1. I have specified my external interface in my macro. When do I need to specify my internal interface?

    2. If I need to put in a port number, what makes it dependent upon whether I put it in the source or destination section?

    Thanks.

    Posted 2 years ago #
  4. Ken,

    1) As a rule, you want to apply your incoming filter rules to the external interface. Unless you want to restrict or filter the outbound traffic from your internal LAN users, you usually want to just pass all outbound traffic on the internal interface.

    2) You can put the port number in both the source/dest matching expression ("Pass in on $ext_if from any to $mail_server port 25"), or in the destination expression (the part after the "->"), which will remap the port.

    Question 1 is covered in the "PACKET FILTERING" section of the pf.conf manual, and question 2 is covered in the "TRANSLATION" section.

    See also the FILTERING EXAMPLES and TRANSLATION EXAMPLES sections for handy cut/pasteable examples for common usage scenarios.

    Many of your questions show that you could really benefit from close scrutiny of the manuals -
    Remember the "man pf.conf" and "man pfctl" commands are your friend.

    Here is a great "Getting started" guide for pf:

    http://home.nyc.rr.com/computertaijutsu/pf.html

    And here is a great OpenBSD example for SOHO use:

    http://www.openbsd.org/faq/pf/example1.html

    Posted 2 years ago #
  5. kenneth2k1
    Member

    Thanks for the reply. I have been reading a lot of the manual, and I have a better understanding of what is going on. I also found another good resource:

    http://home.nuug.no/~peter/pf/

    But, none of them deal specifically with pfw. And, bumping around in it, it seems to not have the "rdr" command, which I apparently need.

    There are rules on my current fw that allow incoming connections to internal IPs. They look something like: Incoming from Any to 208.57.255.188 -> 172.20.255.82 port tcp:5632 tcp:5631.

    These rules are set because our hotel system talks to an external server that sends reservation information. After doing some research, I think my rule should look like:

    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port { 5632 5631 }

    THEN from what I understand I need to tag them, and then the pass rules will evaluate them.

    tag OPERAOWS -> 172.20.255.82
    #OPERAOWS is what I want to use because Opera is our hotel system.

    THEN the pass rule can evaluate it:

    pass in on $ext_if inet proto tcp tagged OKPKTS synproxy state

    So am I completely off? I appreciate you taking the time to help. I am really trying to learn.

    Posted 2 years ago #
  6. You need the "->" to set the destination -

    Assuming the following macros:

    external_ip = 208.57.255.188
    internal_ip = 208.57.255.188

    And assuming that the old fw rule you show above intends to redirect both 5632 and 5631 to the new internal IP (rather than remap 5632 to 5631), the rdr rule would be something like:

    rdr on $ext_if proto tcp from any to $external_ip port { 5632 5631 } -> $internal_ip

    And if you wanted to remap 5632 to 5631, it would be something like:

    rdr on $ext_if proto tcp from any to $external_ip port 5632 -> $internal_ip port 5631

    And if you want to declare a filter rule to pass the traffic related to this NAT rule, just add 'pass', thusly:

    rdr pass on $ext_if proto tcp from any to $external_ip port { 5632 5631 } -> $internal_ip

    We rarely/seldom need to use tags except for the most esoteric/complex setups, which it does not sound like you need.

    Also, pfw does indeed handle rdr rules - not sure why you think it doesn't!

    Here's the pfw page, see 'nat rules':

    http://www.allard.nu/pfw

    And here's a screenshot showing an rdr rule - it's near the bottom of the list:

    http://www.allard.nu/pfw/pics/nat1.png

    Posted 2 years ago #
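Added example (not from this thread, from eRacks, or from the pfw project): a complete pf.conf that puts together the points made in posts 4 and 6 (inbound filtering on the external interface, port numbers in the destination field, outbound LAN traffic passed on the internal interface, and an `rdr pass` rule for the hotel-system ports) plus the unanswered question 6 from post 1 (dropping incoming pings). It uses the same pre-4.7 `rdr ... ->` syntax the thread and pfw use; OpenBSD 4.7 and later replaced this with `match ... rdr-to`, so check your version's pf.conf(5) before pasting. The interface names, the `lan_net` prefix and the `admin_net` subnet are assumptions; the public address, internal host and ports are the ones quoted in post 5.

```pf
# --- macros ------------------------------------------------------------------
ext_if      = "re0"              # external (Internet-facing) NIC, assumed
int_if      = "re1"              # internal LAN NIC, assumed
lan_net     = "172.20.0.0/16"    # LAN prefix behind $int_if (assumption)
admin_net   = "172.20.1.0/24"    # hosts allowed to SSH to the firewall (assumption)
external_ip = "208.57.255.188"   # public address the reservation server connects to
opera_host  = "172.20.255.82"    # internal hotel-system host (post 5)
opera_ports = "{ 5631 5632 }"    # ports the reservation server uses

# --- options (must precede translation and filter rules) ---------------------
set skip on lo0                  # never filter loopback; local services rely on it

# --- translation rules (before filter rules in pre-4.7 pf) -------------------
# Hide the LAN behind the firewall's public address for outbound connections.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Redirect the reservation-server connections to the internal host. The port
# before "->" matches the packet; a port after "->" would remap it (post 6),
# which is not wanted here. "pass" creates the matching filter rule (post 6).
rdr pass on $ext_if inet proto tcp from any to $external_ip port $opera_ports -> $opera_host

# --- filter rules ------------------------------------------------------------
# Default deny, logged, so anything not explicitly passed appears in pflog.
block log all

# Drop packets arriving on either NIC with a source address from the other side.
antispoof quick for { $ext_if $int_if }

# Question 6 from post 1: drop incoming echo requests on the external interface.
# Hosts on the LAN can still ping the firewall through $int_if.
block in quick on $ext_if inet proto icmp icmp-type echoreq

# Inbound filters belong on the external interface (post 4, point 1). The port
# goes in the destination field because it is the service the packet is headed
# for (post 4, point 2). Only the admin subnet may reach the firewall's SSH.
pass in on $ext_if inet proto tcp from $admin_net to ($ext_if) port ssh flags S/SA keep state

# Outbound traffic from LAN users is passed on the internal interface without
# further filtering (post 4, point 1); state entries let the replies back in.
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from any to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first (`-n` parses without loading) so a section-ordering or macro error is reported before the live ruleset is replaced; `pfctl -sn` and `pfctl -sr` then show the translation and filter rules as pf expanded them.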
