Re: pf firewall config file help needed please
On Thu, 25 May 2006 14:11:57 GMT, Mike Scott
<usenet.10@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

> I've been trying out pf for the first time, and simply /cannot/ get this
> right.

> The (non-ideal) situation is a fbsd (6.1) m/c acting as wan
> gateway/router and mail server for two lan segments. The goal is to
> prevent all clients on the lans from accessing smtp, pop and imap ports
> except on the gateway box, which will handle all mail for them. The
> rule setup I have is (leaving out the obvious macros and other clutter)
>
> ...
> nat on $IF_WAN from $IF_LAN_WIRED:network to any -> ($IF_WAN)
> nat on $IF_WAN from $IF_LAN_WLESS:network to any -> ($IF_WAN)

I try to avoid the use of 'any' in rules. It's not good practice.

Create a table of valid source addresses and change the nat rule to
something like

nat on $IF_WAN from <ValidSource> to !<ValidSource> -> ($IF_WAN)

Only use the () notation if IF_WAN has a dynamic address.


> ...

Your first packet filtering rule should always be

block log all

It's easier to open holes in a default block policy than to close holes in
a default open one.

I would also set the following options in the appropriate part of pf.conf

set skip on lo0

and

set block-policy return

so your internal applications are politely told to go forth and multiply.

> block in log quick on $IF_LAN_WIRED proto tcp from any to any port {smtp, pop3, imap}
> block in log quick on $IF_LAN_WLESS proto tcp from any to any port {smtp, pop3, imap}

These become unnecessary with a default block policy.

> pass out log quick on $IF_WAN proto tcp from ($IF_WAN) to any port {smtp, pop3, imap} flags S/SA modulate state
> ...

> This doesn't have the desired effect though - requests always match the
> 'pass' rule and the block rules never match.

Assuming you're allowing access to those services hosted on the gateway
box, the rule should be something along the lines of...

pass in log quick on {$Lan1, $Lan2} $TCP from <ValidSource> to <TableofValidDests> port $ValidServices $KSF

where the macros $TCP and $KSF are defined as....

TCP="inet proto tcp"
KSF="keep state flags S/A"

Modulating state to connect to services on your own network is a bit
pointless.


> This was never that hard with ipf; I assume I'm missing something
> glaringly obvious here - can anyone put me straight please?

Having travelled that journey with the release of OpenBSD 3.3, you're not
in Kansas anymore :-) with pf.

Direction is everything with pf: when doing nat or rdr, you have to code
explicit ingress and egress rules on ingress and egress interfaces if you
want logging.


Once you get used to it, a pf policy will be about half the size of the
equivalent ipf one.
greg
--
Every Villain Is Lemons
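For readers following along, here is a complete pf.conf that puts greg's advice together for the gateway Mike describes: a table of valid sources, a nat rule that avoids 'any', a default block, the two set options, the $TCP/$KSF macros, and a pass rule that lets the LANs reach the mail ports on the gateway only. It is an added example written for this page, not a ruleset from either poster; the interface names (em0, fxp0, ath0), the documentation subnets standing in for the LANs, and the gateway's LAN addresses are assumptions to replace with your own. It uses the pre-4.7 nat syntax that FreeBSD 6.1 ships.

```conf
# Added example (not from the thread): a complete pf.conf for the FreeBSD 6.1
# gateway Mike describes, laid out the way greg recommends. Interface names,
# subnets and gateway addresses below are assumptions; substitute your own.

IF_WAN="em0"               # assumed WAN interface
IF_LAN_WIRED="fxp0"        # assumed wired LAN interface
IF_LAN_WLESS="ath0"        # assumed wireless LAN interface
LANS="{" $IF_LAN_WIRED $IF_LAN_WLESS "}"

TCP="inet proto tcp"
KSF="keep state flags S/A"
MAIL_PORTS="{ smtp, pop3, imap }"

# Sources allowed through the gateway (documentation ranges stand in for the
# real LAN subnets), and the only hosts the LANs may reach on the mail ports:
# the gateway's own LAN addresses.
table <ValidSource> { 192.0.2.0/24, 198.51.100.0/24 }
table <MailDests>   { 192.0.2.1, 198.51.100.1 }

set skip on lo0
set block-policy return

# Translate only known internal sources, and only for traffic leaving the
# site. Keep the () around $IF_WAN only if the WAN address is dynamic.
nat on $IF_WAN from <ValidSource> to !<ValidSource> -> ($IF_WAN)

# Default deny; every rule below opens an explicit hole.
block log all

# LAN clients may use SMTP/POP3/IMAP only against the gateway itself.
pass in log quick on $LANS $TCP from <ValidSource> to <MailDests> port $MAIL_PORTS $KSF

# Because a general outbound pass follows, the mail ports to any other
# destination must be refused here, before that rule is reached.
block in log quick on $LANS $TCP from <ValidSource> to !<MailDests> port $MAIL_PORTS

# Everything else from valid sources to the outside world.
pass in log quick on $LANS from <ValidSource> to !<ValidSource> keep state

# Egress on the WAN side, written explicitly so both directions are logged.
# Translated LAN traffic already carries the WAN address at this point, and
# the gateway's own outbound mail delivery is covered by the same rule.
pass out log quick on $IF_WAN from ($IF_WAN) to !<ValidSource> keep state

# Inbound mail for the gateway's MTA from the Internet.
pass in log quick on $IF_WAN $TCP from any to ($IF_WAN) port smtp $KSF
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; with the mail-to-gateway pass, the targeted block, and the general pass all marked `quick`, their order is what enforces the policy, so a client's connection to an outside SMTP server is refused (and logged) at the second of the three, and never reaches the general pass.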