DaemonForums  

#1
11th February 2010
J65nko (Administrator)
Keeping /var/log/pflog clean from NetBIOS and SSID junk

On a single NIC box with a recently installed OpenBSD 4.7 beta snapshot, which I use as workstation, I created a simple pf.conf.
Code:
# $Id: pf.conf,v 1.3 2010/02/10 06:12:57 j65nko Exp $

#EXT=fxp0

table <ftp_sites> { \
        ftp.openbsd.org \
        ftp.eu.openbsd.org \
        anga.funkfeuer.at \
        ftp.wu-wien.ac.at \
        ftp.nluug.nl }

# -- sysctls
# net.inet.ip.porthifirst=49152
# net.inet.ip.porthilast=65535

FTPfirst = 49152
#FTPlast = 65535

TCPservices= "{ domain www https smtp whois ftp ssh }"
UDPservices= "{ domain ntp }"

set block-policy return
set skip on lo

# --- OUTGOING services: TCP
pass out quick on egress inet proto tcp from egress to any port $TCPservices
pass out quick on egress inet proto tcp from egress port >= 1023 to <ftp_sites> port >= $FTPfirst

# -- OUTGOING services: UDP
pass out quick on egress inet proto udp from egress to any port $UDPservices

# -- OUTGOING services: ICMP
# allow 'ping' and 'traceroute -P icmp' 
pass out quick on egress inet proto icmp from any to any icmp-type echoreq

# -- INCOMING services: TCP
pass in quick on egress inet proto tcp from egress:network to egress port ssh

# -- DEFAULT policy 
block log all
# -------------------------------------------------------------------------
# use 'tcpdump -eni pflog0' to watch blocked packets in real time
# use 'tcpdump -en -r /var/log/pflog' to read the blocked packets log file 
# ------------------------------------------------------------------------
By running a tcpdump on the pflog0 device I saw a lot of messages like these:
Code:
# tcpdump -eni pflog0

22:24:23.073955 rule 12/(match) block in on fxp0: 192.168.222.5.1900 > 239.255.255.250.1900: udp 354
22:33:45.692356 rule 12/(match) block in on fxp0: 192.168.222.33.138 > 192.168.222.255.138: udp 201
22:34:23.333412 rule 12/(match) block in on fxp0: 192.168.222.33.138 > 192.168.222.255.138: udp 206
22:39:11.011960 rule 12/(match) block in on fxp0: 192.168.222.5.1900 > 239.255.255.250.1900: udp 289

To get rid of these annoying and repeating messages, I did the following:
  1. Changed set block-policy return into set block-policy drop
  2. Modified the 'DEFAULT policy'
    Code:
    # -- DEFAULT policy 
    block return log all
    block inet proto udp from any to any port { 138 139 }
    block inet proto udp from any port 1900 to any port 1900
    # -------------------------------------------------------

If a packet neither matches an existing state nor is allowed to create a new state, pf will try to match the packet against the block return log all rule. Of course, a packet from 192.168.222.5.1900 > 239.255.255.250.1900 will match.

But does pf now send an ICMP error packet, the return, and will it log this packet and block it?

No, because pf follows a last matching rule wins strategy, as described in the pf.conf man page:

Code:
For each packet processed by the packet filter, the filter rules are
evaluated in sequential order, from first to last.  For block and pass,
the last matching rule decides what action is taken; if no rule matches
the packet, the default action is to pass the packet.
So the 192.168.222.5.1900 > 239.255.255.250.1900 packet will be evaluated against block inet proto udp from any to any port { 138 139 }, which does not match.
But, not being tired, pf tries to see whether the following rule is applicable. Yes, the last rule block inet proto udp from any port 1900 to any port 1900 matches, and thus the packet will be dropped.

After this modification and a reload of the ruleset:
Code:
22:54:02.967837 rule 12/(match) block in on fxp0: 192.168.222.5.1900 > 239.255.255.250.1900: udp 344
22:54:02.969619 rule 12/(match) block in on fxp0: 192.168.222.5.1900 > 239.255.255.250.1900: udp 354
22:57:45.164660 rule 12/(match) block in on fxp0: 192.168.222.33.138 > 192.168.222.255.138: udp 201
23:04:23.238220 rule 12/(match) block in on fxp0: 192.168.222.33.138 > 192.168.222.255.138: udp 206
^C
388 packets received by filter
0 packets dropped by kernel
root@vintrax[~]date
Wed Feb 10 23:54:50 CET 2010
As you can see, for nearly an hour there was no more pollution of the logs with either Windows NetBIOS talk or Netgear 'ssid' packets.

A Challenge

The new block rules expand to
Code:
# pfctl -sr
[snip]
block return log all
block drop inet proto udp from any to any port = netbios-dgm
block drop inet proto udp from any to any port = netbios-ssn
block drop inet proto udp from any port = ssdp to any port = ssdp
A more verbose view shows the evaluation counters and the number of packets affected:
Code:
# pfctl -vvsr
[snip]
@12 block return log all
  [ Evaluations: 214       Packets: 40        Bytes: 3508        States: 0     ]
  [ Inserted: uid 0 pid 17874 State Creations: 0     ]
@13 block drop inet proto udp from any to any port = netbios-dgm
  [ Evaluations: 214       Packets: 42        Bytes: 9454        States: 0     ]
  [ Inserted: uid 0 pid 17874 State Creations: 0     ]
@14 block drop inet proto udp from any to any port = netbios-ssn
  [ Evaluations: 210       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17874 State Creations: 0     ]
@15 block drop inet proto udp from any port = ssdp to any port = ssdp
  [ Evaluations: 210       Packets: 132       Bytes: 45507       States: 0     ]
  [ Inserted: uid 0 pid 17874 State Creations: 0     ]
If we wanted to optimize these block rules for speed (fewer evaluations by pf), what are some of the possibilities?

For the forum regulars with more than 100 posts there is an embargo of three days, before these experts are allowed to respond to this challenge.

For the newcomers, don't be afraid to respond; if you don't get it right, we will be gentle with you.
Attached file: pf.conf.txt (1.4 KB)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Last edited by J65nko; 11th February 2010 at 01:24 AM. Reason: Hit ENTER too fast ;)
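An added example, not from the post, that models the rule walk pf.conf(5) describes and runs the post's DEFAULT policy over packets constructed from the pflog lines above, counting evaluations and deciding rules the way pfctl -vvsr reports them. The quick_ruleset variant is my assumption of one way to cut evaluations for the challenge, not the author's answer.

```python
from dataclasses import dataclass
@dataclass
class Rule:
    text: str                   # the rule as written in pf.conf
    log: bool = False           # 'log': the packet is written to pflog0
    quick: bool = False         # 'quick': stop evaluating the ruleset on a match
    proto: str = None
    sport: int = None
    dports: tuple = ()          # empty tuple means "any port"
    evaluations: int = 0        # cf. the Evaluations counter in pfctl -vvsr
    packets: int = 0            # cf. the Packets counter in pfctl -vvsr
    def matches(self, pkt):     # pkt = (proto, source port, destination port)
        proto, sport, dport = pkt
        return ((self.proto is None or proto == self.proto)
                and (self.sport is None or sport == self.sport)
                and (not self.dports or dport in self.dports))

def evaluate(rules, pkt):
    """Walk a block-only ruleset in order, as pf.conf(5) describes: the last match
    decides, unless that match is 'quick'. Returns (blocked, logged, rule text)."""
    decided = None
    for r in rules:
        r.evaluations += 1
        if r.matches(pkt):
            decided = r
            if r.quick:
                break
    if decided is None:         # pf's default when nothing matches: pass, no log
        return (False, False, None)
    decided.packets += 1        # only the deciding rule is charged with the packet
    return (True, decided.log, decided.text)

# Constructed packets modelled on the tcpdump lines in the post, plus one SSH probe.
PACKETS = [("udp", 1900, 1900), ("udp", 138, 138), ("udp", 1900, 1900), ("tcp", 4444, 22)]
NETBIOS, SSDP = dict(proto="udp", dports=(138, 139)), dict(proto="udp", sport=1900, dports=(1900,))

def post_ruleset():  # the post's DEFAULT policy: logging catch-all first, silent drops after
    return [Rule("block return log all", log=True),
            Rule("block inet proto udp from any to any port { 138 139 }", **NETBIOS),
            Rule("block inet proto udp from any port 1900 to any port 1900", **SSDP)]

def quick_ruleset():
    """One possible answer to the challenge (an assumption, not from the post): the
    specific rules first and 'quick', so the noise never reaches the logging catch-all."""
    catch_all, *specific = post_ruleset()
    for r in specific:
        r.quick, r.text = True, r.text.replace("block", "block quick", 1)
    return specific + [catch_all]
def run(rules, packets=PACKETS):  # decisions per packet, (evaluations, packets) per rule
    return [evaluate(rules, p) for p in packets], [(r.evaluations, r.packets) for r in rules]
```

With the post's ordering every rule is evaluated for every packet and only the SSH probe reaches pflog0; with the quick variant the NetBIOS and SSDP packets stop at the first matching rule and the catch-all is evaluated once.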
#2
26th April 2010
mfaridi (Spam Deminer)

Very nice conf,
I want to use this for my pf.conf,
but I have two LAN cards:
the main LAN card uses a valid IP and the other LAN card uses an invalid IP.
My valid IP can be seen in all of the world and my invalid IP can be seen only in my network. How can I change this rule for mine?
I run Samba and other users in my network can use my Samba.
__________________
http://www.mfaridi.com
First site about FreeBSD and OpenBSD in Persian or Farsi.