why won't my table work?

[tomp]

I've been working on understanding rules in pf.conf and I've made some progress, but I don't pretend to really get it all yet. I've been trying to define some groupings among our users in order to allow traffic from only some users to some ports. My basic plan is to have rank and file users be served DHCP addresses from the firewall box, and have blocks of static addresses that will be given privileges as needed. Tables of IP addresses stored in files seems like the cleanest way to define these groupings.

Problem is that I can't seem to make a simple example work.

I've set up a closed test network, one PC with an http server, a site at port 80 and another at 81. That machine sits on the "outside" lan connected to my firewall's rl0 NIC, the other one which is serving as client sits on the inside on rl1.

I want "everyone" to be able to get to port 80 on the outside, but only developers to be able to get to 81.

Here's my pf.conf currently not working:

Code:

#       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
#  RockyMountainTrail.com Packet Filter Config File: Aug 18, 2011
ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ 80 }"
tcp_services_dev="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync }"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="echoreq"
table <developers> persist file "/etc/developers"
#table <developers> { 192.168.0.10 }
# begin settings
set block-policy drop
set skip on lo
antispoof quick for $ext_if
# This is the NAT line:
match out on $ext_if from $localnet nat-to ($ext_if)
block log on $ext_if all
pass out inet proto tcp from <developers> to port $tcp_services_dev keep state
pass out inet proto { tcp, udp } from { self, $localnet } to port $tcp_services
pass inet proto { tcp, udp } from $outsidenet to $localnet port $netbios_services
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types
# allow sh to come in from "outside"
pass in proto tcp from $outsidenet to $ext_if port { ssh }

I tried making the <developers> table a simple single IP address (you can see that attempt commented out, did not work either). Developers contains

Code:

192.168.0.8
192.168.0.9
192.168.0.10

Sorry if this is a totally stupid mistake. I have a feeling that it is and I don't want to waste anybody's time, but I'm just not finding anything that points me to what's wrong. And I've spent a stupid amount of time trying to figure it out. (Some of the rules you see are based on wild-ass guesses from multiple attempts to conjure a solution out of what the log is spitting out as the connection request for port 81 fails).

Thanks as always.

[tomp]

For the rest of the confused folks reading this who didn't know, my problem was not the table. I put the IP Addresses into a Macro and tried to refer to it, the rule still didn't work, so then I put the addresses literally into the rule and it still didn't work.

Eventually I figured out at least this riddle. This pf.conf works with my table, defined in the file /etc/developers:

Code:

ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ www, https, sftp, ntp, pop3, smtp, ms-sql-s }"
tcp_dev_services="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync }"
proxy="127.0.0.1"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="{ echoreq, unreach }"
table <developers> persist file "/etc/developers"
# begin settings
set block-policy drop
set skip on lo
antispoof quick for $ext_if
block all
# This is the NAT line:
match out on $ext_if from $localnet nat-to ($ext_if)
# begin granular rules
block in log on $ext_if all
# allow sh to come in from "outside"
pass in quick proto tcp to $ext_if port { ssh }
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types
pass inet proto tcp from $localnet to port $tcp_services
pass inet proto tcp from <developers> to port $tcp_dev_services
pass inet proto tcp from self

The final line, pass inet proto tcp from self, which should allow localhost to talk to any port on either side of the box, seems to be the enabler.

Just a bit more information for people like me who are still trying to figure this out. I'll post everything else I learn even if nobody else participates in this thread.

[tomp]

I have arrived at a pf.conf that works in my test environment. It has a couple port forwarding redirects that I won't include here because they are internal business. But this works for FTP from inside the firewall to the 'net, it allows MS SQL Server tcp client access to db servers outside the firewall from inside, and it allows a selection of tcp/ip ports to be passed.

I post it because I hope that another clueless newb who googles to this thread will find it useful.

Code:

# Macros:
ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ www, https, ftp, ftp-data, ssh, sftp, ntp, pop3, smtp, ms-sql-s, 4022 }"
tcp_dev_services="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync, ms-sql-m }"
proxy="127.0.0.1"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="{ echoreq, unreach }"
# Tables:
table <developers> persist file "/etc/developers"
# begin settings
set block-policy drop
set skip on lo
antispoof quick for $ext_if
block log all
# This is the NAT line:
match out on $ext_if from $localnet nat-to ($ext_if)
# block incoming traffic
block in log on $ext_if all
# FTP Proxy rules:
pass in quick on $int_if proto tcp to port 21 rdr-to $proxy port 8021
anchor "ftp-proxy/*"
# begin granular rules
pass inet proto tcp from self
# allow sh to come in from "outside":
pass in quick proto tcp to $ext_if port { ssh }
# list of acceptable services:
pass inet proto tcp from $localnet to port $tcp_services
# needed for SQL Server tcp/ip access:
pass inet proto udp from $localnet to port ms-sql-m
# UDP and ICMP rules:
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types

[jggimi]

I'm not sure, Tom, what trouble you were actually having, because I can't always just look at a configuration file and figure out what may be going wrong.

For me, I find it easiest to log every filter rule, pass or block, as a matter of course. I then use tcpdump(8) to confirm which rule is applicable to the packets of interest.

You probably already know it, but just in case:

• For any packet, the last matching rule in the file applies.

However, if a rule is "quick", a matching packet immediately stops all further tests, and the rule is applied. I avoid "quick" rules, to avoid confusing myself.