Solved Questions about a pf.conf

[quamenzullo]

In order to present these questions, I think it's necessary to tell all the following circumstances.

I'm playing with pf on a new server (not in production, no data on it yet, I can reinstall from scratch if necessary, but there's also a "rescue-bsd" mode that lets me mount the filesystems and edit configuration files to repair my mistakes).

First error: I forgot the line in /etc/pf.conf to allow outgoing traffic, so of course I got kicked off of my server. I restarted in rescue mode, added the missing line, restarted from hard disk and I could ssh again into the server. In the meanwhile, the provider of the server sent me a first e-mail telling there was a problem (of course), that they send a technician to handle this... then another mail telling the problem wasn't there any longer, so they don't send anyone. So far, no problem.

After that, I added a line to allow ftp traffic in. So the file, from this:

# INTERFACES
# check if ext_if matches the network card name (ifconfig tells it)
ext_if="em0"
# this one has been created for the jails
int_if = "lo1"
jailnet = $int_if:network

# PORTS
ftp_port=...
ssh_default_port=22
ssh_port=...

# IP ADDRESSES
admin_ip="..."
server_ip="..."
ftp_jail_ip="10.1.1.128"

# NORMALIZATION
scrub in all

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if)

# RDR
rdr pass on $ext_if proto tcp from any to $server_ip port $ftp_port -> $ftp_jail_ip port $ftp_port

# INGOING CONNEXIONS blocked by default
block in on $ext_if

# ALLOW SSH FROM ADMIN
pass in on $ext_if proto tcp from $admin_ip to $ext_if port $ssh_default_port
pass in on $ext_if proto tcp from $admin_ip to $ext_if port $ssh_port

# ALLOW OUTGOING TRAFFIC
pass out on $ext_if proto { tcp, udp } all

Became this:

# INTERFACES
# check if ext_if matches the network card name (ifconfig tells it)
ext_if="em0"
# this one has been created for the jails
int_if = "lo1"
jailnet = $int_if:network

# PORTS
ftp_port=...
ssh_default_port=22
ssh_port=...

# IP ADDRESSES
admin_ip="..."
server_ip="..."
ftp_jail_ip="10.1.1.128"

# NORMALIZATION
scrub in all

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if)

# RDR
rdr pass on $ext_if proto tcp from any to $server_ip port $ftp_port -> $ftp_jail_ip port $ftp_port

# INGOING CONNEXIONS blocked by default
block in on $ext_if

# ALLOW SSH FROM ADMIN
pass in on $ext_if proto tcp from $admin_ip to $ext_if port $ssh_default_port
pass in on $ext_if proto tcp from $admin_ip to $ext_if port $ssh_port

# ALLOW FTP FROM ANY IP
pass in on $ext_if proto tcp from any to $ext_if port $ftp_port

# ALLOW OUTGOING TRAFFIC
pass out on $ext_if proto { tcp, udp } all

I checked there was no error ( pfctl -vnf /etc/pf.conf) and then reloaded the rules. ( pfctl -F all -f /etc/pf.conf).
At this point I got kicked off again of my server (the ssh connection has been lost). I don't understand why, this time. Moreover, I could ssh at once again into the server, so I didn't care. It was late, I stopped working, watched a movie. After that, I checked my mails and discovered the provider sent another e-mail telling there was a problem (after the this last reloading of rules)... and that they've sent someone who did a hard-reboot. Since then, no problem anymore (though the same rules are loaded at startup).

Questions:
1. There is still something strange in this outgoing traffic rule, because I allow only tcp and udp traffic, so ping shouldn't work, should it? (ping uses icmp).
2. Soon I will want to add a line to allow tcp traffic on ports 80 and 443. Is there any risk things happen like when I added the line for ftp?
3. All comments and advices about the pf.conf file I use are welcome! (Its goal is to allow only what's necessary: ssh, ftp and later http/https, and what's usually needed from a server)

 

[Oko]

I stop reading you post after I saw that you have single port for ftp sever. Ftp uses tcp 21 to start connection but then open random port to transfer data. You will have to use anchors for ftp. Ping uses ICMP protocol which further reveals how little you know. It looked to me that you could benefit from reading the book of PF by Peter Hunsen

 

[quamenzullo]

Yes I am new to all the pf configuration and not really expert on networking... I was hesitating buying this book because I was afraid it would be all written for OpenBSD. If the FreeBSD parts are clear enough, I will buy (and read) it for sure.

The main thing I do not understand is why these rules break the ssh connection (but still allow a new one to happen).

Oh, and I was told once changing the default ports for some standard applications (like ssh, ftp...) is better for security. It makes configuration more complicated, but is it worth doing it to enhance security?

 

[quamenzullo]

Hum, I've found an old edition in my native language (that I can read quicker than english...) that covers the version in use in OpenBSD 4.6. As the documentation says "FreeBSD uses the same version of PF as OpenBSD 4.5", could this edition be enough, or should I care buying the most recent one?

 

[quamenzullo]

Well, I forget about the ftp server before reading the book of pf.

This more simple pf.conf breaks the ssh connection (but allow to start a new one) and I can't figure out why:

# INTERFACES
ext_if="em0"
int_if = "lo1"
jailnet = $int_if:network

# IP ADDRESSES
admin_ip="116.***.***.***"
server_ip="31.***.***.***"

# NORMALIZATION
scrub in all

# NAT
nat on $ext_if from $jailnet to any -> ($ext_if)

# INGOING CONNECTIONS blocked by default
block in on $ext_if

# ALLOW SSH FROM ADMIN
pass in on $ext_if proto tcp from $admin_ip to $ext_if port ssh

# ALLOW OUTGOING TRAFFIC
pass out on $ext_if proto { tcp, udp, icmp } all

# ALLOW icmp (for ping)
pass in on $ext_if proto icmp

 

[wblock@]

How are you loading the new configuration file? service pf restart will disconnect current connections. service pf reload leaves existing connections.

 

[quamenzullo]

I execute this: pfctl -F all -f /etc/pf.conf.I know '-F all' means "flush everything" but did not expect this to disconnect the current ssh connection. If I remove the 'block in on $ext_if' line, then I do not get disconnected when I execute pfctl -F all -f /etc/pf.conf. So there must be something missing to pass in to avoid the disconnection.

Is it anyway better to use service pf reload instead? I see it's not exactly the same: if I use it when the content of /etc/pf.conf hasn't changed, I don't get disconnected. But if I use it to load a new /etc/pf.conf (for instance I've removed the 'block in on $ext_if' and then put it again), then I also get disconnected.

 

[SirDice]

I execute this: pfctl -F all -f /etc/pf.conf.I know '-F all' means "flush everything" but did not expect this to disconnect the current ssh connection.

It also flushes existing states, terminating your current connection. A new state will only be created with a new connection, i.e. a new SYN-SYN/ACK-ACK handshake.

pfctl -f /etc/pf.conf or service pf reload.

 

[quamenzullo]

OK, so, as a conclusion:

1. It seems that out icmp traffic at least (certainly in also) has to be authorized to avoid the warnings from the server provider (who otherwise can't ping anymore)
2. The problem seem to be coming from pfctl [B]-F all[/B] (see SirDice's post above).
3. I have bought "the book of pf" (in my native language, hope this will be enough).

Many thanks!

 

[mrmarria]

is OKO refering to Peter N. M. Hansteen?? Doesn't seem to be a Peter Hunsen that wrote this that I can find.. .

 

[quamenzullo]

Yes, he is.