pf config error

[Stellar]

my box setup only have 1 nic detected as em0,i will add more ethernet card as soon i finished all the server setup,for know the nic i used both for internal and internet traffic,search arround found an article on : http://bash.cyberciti.biz/firewall/pf-firewall-script/ , added some slight modification,here we goes :

Code:

#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
 
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.blockip.conf"
 
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
 
### admin server ranges ###
adminrange = "192.168.1.1/24"
 
# connected to internet
ext_if = "em0"
 
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"
 
#### Normalization
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
 
#### NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
 
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
 
# Drop incoming everything
block in all
block return 
 
# keep stats of outgoing connections
pass out keep state
 
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
 
# unlimited traffic  for loopback and lan / vpn
set skip on {lo0, $ext_if}
 
# activate spoofing protection for all interfaces
block in quick from urpf-failed
 
#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log for $ext_if
 
#Block RFC 1918 addresses
block drop in log (all)  quick on $ext_if from $martians to any
block drop out log (all) quick on $ext_if from any to $martians
 
# Block all ips
# pfctl -t blockedip -T show
block drop in log (all)  quick on $ext_if from <blockedip> to any
block drop out log (all) quick on $ext_if from any to <blockedip>
 
# allow outgoing
pass out on $ext_if proto tcp to any port $tcp_services
pass out on $ext_if proto udp to any port $udp_services
 
# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
 
# Allow admin to get into box
pass in on $ext_if from $adminrange to any
 
# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy modulate state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##

boom!error

Quote:

-bash-3.2# pfctl -vf /etc/pf.conf
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
table <blockedip> persist file "/etc/pf.blockip.conf"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
adminrange = "192.168.1.1/24"
ext_if = "em0"
/etc/pf.conf:27: syntax error
set skip on { lo0 em0 }
/etc/pf.conf:54: syntax error
/etc/pf.conf:81: syntax error
pfctl: Syntax error in config file: pf rules not loaded

as you can see there is 3 error,but i have no idea to debug the error,like the first error if translate correctly 27 as line no? line 27 is empty space,line 54 is this comment "#Block RFC 1918 addresses" ,and 81 is eof :/

[jggimi]

Please don't use php code blocks for code which is not actually PHP. The useless colors it produces are distracting, to say the least.

I think there is a line number transposition. Can you upload the file somewhere, rather than copy/paste it? When I run your code through pfctl here, I get syntax errors in lines 4,5,7, and 10.

Your link is invalid, by the way. But it doesn't matter, Stellar. Since I recommended you not use 3rd party "howto" documents, and you ignored my advice, perhaps you could ask the author of the guide you decided to follow for assistance, instead?

[jggimi]

It's your damned php block. When I grab the raw text out of the php code block, rather than copy/pasting from the browser, then I can see the correct errors: lines 26 and 78: scrub and a synproxy error

Your "scrub" is in error because, I believe, you are running -current. See the April 6 entry of the Following -current FAQ. See the man page for pf.conf(5).

Your "synproxy modulate state" is in error because synproxy is a state. See the man page for pf.conf(5).

[Stellar]

relax man... ,sory i wass asleep for 2 days lol,didn't see when i paste into the ssh client it has some wrong terminated string,thx worked as your advice,here is the config,any advice for redundant rules elimination?,need help to make the security more tight(block port scanner/syn stealth scan?)

Code:

#### First declare a couple of variables ####
### Outgoing tcp / udp port ####
### 43 - whois, 22 - ssh ###
tcp_services = "{ ssh, smtp, domain, www, https, 22, ntp, 43,ftp, ftp-data}"
udp_services = "{ domain, ntp }"
### allow ping / pong ####
icmp_types = "{ echoreq, unreach }"
 
#### define tables. add all subnets and ips to block
table <blockedip> persist file "/etc/pf.blockip.conf"
 
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
 
### admin server ranges ###
adminrange = "192.168.1.101"
 
# connected to internet
ext_if = "em0"
 
##### ftp proxy
#proxy="127.0.0.1"
#proxyport="8021"
 
#### Normalization
#scrub provides a measure of protection against certain kinds of attacks based on incorrect handling of packet fragments
scrub in all
 
#### NAT and RDR start
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
 
# redirect ftp traffic
#rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
 
# Drop incoming everything
block in log (to pflog0) all
block return 
 
# keep stats of outgoing connections
pass out log(all) keep state
 
# We need to have an anchor for ftp-proxy
#anchor "ftp-proxy/*"
 
# unlimited traffic  for loopback and lan / vpn
set skip on {lo0, $ext_if}
 
# activate spoofing protection for all interfaces
block in quick from urpf-failed
 
#antispoof is a common special case of filtering and blocking. This mechanism protects against activity from spoofed or forged IP addresses
antispoof log (to pflog0) for $ext_if
 
#Block RFC 1918 addresses
block drop in log (to pflog0)  quick on $ext_if from $martians to any
block drop out log (to pflog0) quick on $ext_if from any to $martians
 
# Block all ips
# pfctl -t blockedip -T show
block drop in log (to pflog0)  quick on $ext_if from <blockedip> to any
block drop out log (to pflog0) quick on $ext_if from any to <blockedip>
 
# allow outgoing
pass out log(to pflog0) on $ext_if proto tcp to any port $tcp_services
pass out log(to pflog0) on $ext_if proto udp to any port $udp_services
 
# Allow trace route
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
 
# Allow admin to get into box
pass in log(to pflog0) on $ext_if from $adminrange to any
 
# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##

attached below,anyway got other problem the pflogd seem writing into /var/log/pflog but strangely the pf cann't pass the log into pflog0 interface as defined on rules.it just nothing happened on pflog0 when iam using tcpdump
my interface

Quote:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33204
priority: 0
groups: lo
inet 127.0.0.1 netmask 0xff000000
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:0c:29:07:9b:68
priority: 0
groups: egress
media: Ethernet autoselect (1000baseT full-duplex,master)
status: active
inet 192.168.1.88 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::20c:29ff:fe07:9b68%em0 prefixlen 64 scopeid 0x1
enc0: flags=0<> mtu 1536
priority: 0
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33204
priority: 0
groups: pflog

pftop just 0

Quote:

pfTop: Up State no entries, View: default, Order: none, Cache: 10000 16:23:05

PR DIR SRC DEST STATE AGE EXP PKTS BYTES

runned the pf,and checked it's not displayed in process list???

Quote:

# ps -aux | grep pf
root 5525 0.0 0.0 612 392 ?? Is 3:17PM 0:00.00 pflogd: [priv] (pflogd)
_pflogd 2219 0.0 0.0 676 308 ?? S 3:17PM 0:00.06 pflogd: [running] -s 116 -i pflog0 -f /var/log/pflog (pflogd)
root 32108 0.0 0.2 1616 1888 p0 T 4:05PM 0:00.01 pftop
root 22696 0.0 0.2 1604 1908 p0 T 4:23PM 0:00.01 pftop

[s2scott]

Code:

# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if proto tcp from any to any port ssh  flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port domain
pass in on $ext_if proto tcp from any to any port domain flags S/SA synproxy state
pass in on $ext_if proto tcp from any to any port http flags S/SA synproxy state
pass inet proto icmp all icmp-type $icmp_types keep state
## add your rule below ##

consider,

Code:

# Allow incoming ssh, http, bind traffic
# pass in  on $ext_if proto tcp from any to any port 25
pass in on $ext_if inet proto tcp \
 from !<blockedip> to ($ext_if) port ssh flags S/SA synproxy state
pass in on $ext_if inet proto udp \
 from !<blockedip> to ($ext_if) port domain
pass in on $ext_if inet proto tcp \
 from !<blockedips> to ($ext_if) port domain flags S/SA synproxy state
pass in on $ext_if inet proto tcp \
 from !<blockedips> to ($ext_if) port http flags S/SA synproxy state

Among the alternatives to consider, "($ext_if)" is far better then "any."

[Stellar]

ok thank you...