This is a discussion on Router/Firewall problem within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
I have an "old PC" (Celeron 900) which I use as router and firewall.
Running OpenBSD 3.6 and Squid in transparent mode. (I know it is an old "unsupported" version!)

3 Network interfaces:
dc0 --> "outside" (towards the ISP)
dc1 --> to the local network and public WiFi
dc2 --> for the office

All www traffic from "dc1" goes through squid (and a "porn filter")
All traffic from "dc2" goes directly to the internet.

This setup works well since setup.

But now; I want to limit the WiFi to only a few protocols:
(ftp, ssh, http, mail (pop3 and imap), nntp, ntp, https, and mail over ssl)
DHCP and DNS are served locally.
ping and "friends" should also work.

I tried various versions of block and pass in pf.conf, but none with the desired result :-(
----------------------------------------------------------
address range:
xxx.xxx.xxx.xxx      : public interface to the ISP "dc0"
192.168.222.1        : Router/firewall "dc2"
192.168.123.1        : Router/firewall "dc1"
192.168.123.2-191    : Various "fix" assigned computers incl. 2 wireless access points
192.168.123.192-254  : For wireless "customers"
-----------------------------------------------------------
current pf.conf:

# macros
office = "dc2"
int_if = "dc1"
ext_if = "dc0"

tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
outside = "xxx.xxx.xxx.xxx"
wifi = "192.168.123.192/26"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $office:network to any -> ($ext_if)

rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state

pass out on $ext_if inet proto tcp from any to any port www keep state

# filter rules
block all

pass quick on lo0 all

antispoof quick for $int_if inet
antispoof quick for $office inet

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass in on $office from $office:network to any keep state
pass out on $office from any to $office:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
-------------------------------------------------------------

I tried first the following:
#
block return in on $int_if proto { tcp udp icmp } from $wifi to any
pass on $int_if proto icmp from $wifi to any keep state
pass on $int_if proto tcp from $wifi to any port \
    { ftp ssh domain gopher www pop3 nntp ntp imap https imaps pop3s } keep state
pass on $int_if proto tcp from $wifi to any port \
    { ftp ssh domain gopher www pop3 nntp ntp imap https imaps pop3s } keep state
#
Does not work :-(

Then:
#
block return in on $int_if proto { tcp udp } from $wifi \
    to any port { 1025:65535 }
pass in on $int_if proto { tcp udp } from $wifi to any port { < 1025 }
#
I could ping, but no connection for http ...
nmap showed 80 closed ... :-)

What did I do wrong?

Thanks

Rudy
God Rudy <rudy@rudyspc.attic.ccc> wrote:
> I have an "old PC" (Celeron 900) which I use as router and firewall.
> Running OpenBSD 3.6 and Squid in transparent mode. (I know it is an old
> "unsupported" version!)

So upgrade?

> 3 Network interfaces:
> dc0 --> "outside" (towards the ISP)
> dc1 --> to the local network and public WiFi
> dc2 --> for the office
>
> All www traffic from "dc1" goes through squid (and a "porn filter")
> All traffic from "dc2" goes directly to the internet.
>
> This setup works well since setup.
>
> But now; I want to limit the WiFi to only a few protocols:
> (ftp, ssh, http, mail (pop3 and imap), nntp, ntp, https, and mail over ssl)
> DHCP and DNS are served locally.
> ping and "friends" should also work.

A few ports, you mean - or at least, I hope. pf(4) does not know about such protocols.

Also, http and probably https should be handled exclusively by your Squid proxy.

> I tried various versions of block and pass in pf.conf, but none with the
> desired result :-(
> ----------------------------------------------------------
> address range:
> xxx.xxx.xxx.xxx      : public interface to the ISP "dc0"
> 192.168.222.1        : Router/firewall "dc2"
> 192.168.123.1        : Router/firewall "dc1"
> 192.168.123.2-191    : Various "fix" assigned computers
>                        incl. 2 wireless access points
> 192.168.123.192-254  : For wireless "customers"
> -----------------------------------------------------------
> current pf.conf:
>
> # macros
> office = "dc2"
> int_if = "dc1"
> ext_if = "dc0"
>
> tcp_services = "{ 22, 113 }"
> icmp_types = "echoreq"
>
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> outside = "xxx.xxx.xxx.xxx"
> wifi = "192.168.123.192/26"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # nat/rdr
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> nat on $ext_if from $office:network to any -> ($ext_if)

`to any' can be dropped, at least in recent versions. Add `:0' after $ext_if to guard for future aliases, if desired.

> rdr on $int_if inet proto tcp from any to any port www \
>     -> 127.0.0.1 port 3128
> pass in on $int_if inet proto tcp from any to 127.0.0.1 \
>     port 3128 keep state
>
> pass out on $ext_if inet proto tcp from any to any port www keep state

Those two rules are useless if you place `block all' after them. Add `quick' or move them down.

Again, http should be handled by your proxy, and actually is - so why specify http rules? You only need to allow localhost access, not everyone.

> # filter rules
> block all
>
> pass quick on lo0 all

Should be `set skip on lo0', which is more efficient.

> antispoof quick for $int_if inet
> antispoof quick for $office inet

Why no inet6 protection? Be careful about ip6 traffic... you might want to simply `drop quick inet6', if you have no interest in ip6 yet.

> block drop in quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets
>
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
> pass in on $office from $office:network to any keep state
> pass out on $office from any to $office:network keep state

That's a very liberal policy, but should work.

You are aware that $int_if:network and $office:network can reach each other this way, yes? This is not necessarily a bad thing, but if it's not required it would be better to adjust it - and some additional filtering might be useful, to turn $int_if:network into something much more reminiscent of a DMZ.

> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state

Okay.

> -------------------------------------------------------------
>
> I tried first the following:
> #
> block return in on $int_if proto { tcp udp icmp } from $wifi to any

`block' is superfluous; you already have `set block-policy return'.

Also, are you *really* sure you want to allow, for instance, esp traffic out (see ipsec(4))? Combined with allowing everything from $office:network, which contains $wifi, the above rule does just that.

> pass on $int_if proto icmp from $wifi to any keep state

$icmp_types might be used here, too. This allows any ICMP message to $int_if:network and $office:network, for instance.

> pass on $int_if proto tcp from $wifi to any port \
>     { ftp ssh domain gopher www pop3 nntp ntp imap https imaps \
>     pop3s } keep state

This is best macro'ed; also see my note at the top about using your proxy.

Also, are you *very* certain you do not wish to limit this to non-internal hosts? Note that, if you do decide to limit this, ! { ... } is not a good idiom (as it expands to `! a', `! b', and so on in turn; usually, everything matches at least one of those rules); use a table.

> pass on $int_if proto tcp from $wifi to any port \
>     { ftp ssh domain gopher www pop3 nntp ntp imap https imaps \
>     pop3s } keep state

That's the same rule, is it not?

> #
> Does not work :-(

What part doesn't work, and where is the tcpdump -nvvvi pflog0 output?

> Then:
> #
> block return in on $int_if proto { tcp udp } from $wifi \
>     to any port { 1025:65535 }
> pass in on $int_if proto { tcp udp } from $wifi to any port { < 1025 }
> #
> I could ping, but no connection for http ...
> nmap showed 80 closed ... :-)
>
> What did I do wrong?

Well, assuming you did define $wifi sensibly (i.e., $wifi = 192.168.123.0/26), I wouldn't know - it's probably a simple mistake, but I read the ruleset twice and didn't find it easily. Try tcpdump -envvvi pflog0, and post back if this is not sufficient.

Joachim
On Fri, 01 Sep 2006 20:43:30 +0000, jKILLSPAM.schipper wrote:
> God Rudy <rudy@rudyspc.attic.ccc> wrote:
>> Then:
>> #
>> block return in on $int_if proto { tcp udp } from $wifi \
>>     to any port { 1025:65535 }
>> pass in on $int_if proto { tcp udp } from $wifi to any port { < 1025 }
>> #
>> I could ping, but no connection for http ...
>> nmap showed 80 closed ... :-)
>>
>> What did I do wrong?
>
> Well, assuming you did define $wifi sensibly (i.e., $wifi =
> 192.168.123.0/26), I wouldn't know - it's probably a simple mistake, but I
> read the ruleset twice and didn't find it easily. Try tcpdump -envvvi
> pflog0, and post back if this is not sufficient.
>
> Joachim

Thanks

I will "play" again tonight with it and look at the pflog.

And yes, I'm planning an upgrade of the OS to 3.9 or 4.0.
Just have to find another box to prepare the disk ...

Rudy
On Fri, 01 Sep 2006 16:29:02 -0500, God Rudy wrote:

<Snip a lot of pf-filter stuff> ....

>>> Then:
>>> #
>>> block return in on $int_if proto { tcp udp } from $wifi \
>>>     to any port { 1025:65535 }
>>> pass in on $int_if proto { tcp udp } from $wifi to any port { < 1025 }
>>> #
>>> I could ping, but no connection for http ...
>>> nmap showed 80 closed ... :-)
>>>
>>> What did I do wrong?
>>
>> Well, assuming you did define $wifi sensibly (i.e., $wifi =
>> 192.168.123.0/26), I wouldn't know - it's probably a simple mistake, but I
>> read the ruleset twice and didn't find it easily. Try tcpdump -envvvi
>> pflog0, and post back if this is not sufficient.
>>
>> Joachim
>
> Thanks
>
> I will "play" again tonight with it and look at the pflog.
>
> And yes, I'm planning an upgrade of the OS to 3.9 or 4.0.
> Just have to find another box to prepare the disk ...
>
> Rudy

"Stupid little me" missed the redirection for Squid from port 80 to 3128.
This port# is blocked :-( ... added a rule to pass port 3128 ...

The tip with "tcpdump" helped a LOT!

Thanks again!

Rudy

P.S. Added a rule for inet6. Update of the OS will be very soon!
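A wifi-segment filter section that puts the thread's conclusions together, written here as an added example (not Rudy's ruleset and not Joachim's text): pf filters the packet after rdr has rewritten it, so the proxy port on 127.0.0.1 is what must be passed, not port 80; a table rather than `! { ... }` keeps the wifi range off the internal networks; ICMP is limited to $icmp_types. Assumptions: the <internal> table contents, the wifi_tcp/wifi_udp macros (ntp is moved to the UDP list, since NTP is a UDP service), and that this block sits in the filter section before the liberal `pass in on $int_if from $int_if:network` rules, because every rule here is `quick` and the first quick match decides. Syntax is the OpenBSD 3.6-era `rdr`/`keep state` form used on the page.

```pf
# Added example, not from the thread. OpenBSD 3.6-era pf.conf syntax.
int_if     = "dc1"
wifi       = "192.168.123.192/26"
icmp_types = "echoreq"
squid_port = "3128"
# tcp ports the wifi segment may reach on the internet (http goes via the proxy)
wifi_tcp   = "{ ftp, ssh, pop3, nntp, imap, https, imaps, pop3s }"
# udp services the router itself provides to the wifi segment (assumed list)
wifi_udp   = "{ domain, ntp }"

# one negatable object instead of `! { a, b }', which expands to separate rules
table <internal> const { 192.168.123.0/24, 192.168.222.0/24 }

# options
set skip on lo0

# translation: the destination is rewritten *before* the filter rules run
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port $squid_port

# filter rules for the wifi range; all `quick', so order is the policy
# 1. the proxy port: this is the rule whose absence made "port 80" look closed
pass in quick on $int_if inet proto tcp from $wifi to 127.0.0.1 port $squid_port keep state

# 2. DNS, NTP and echo requests to the router itself
pass in quick on $int_if inet proto udp  from $wifi to $int_if port $wifi_udp keep state
pass in quick on $int_if inet proto icmp from $wifi to $int_if icmp-type $icmp_types keep state

# 3. nothing else from the wifi range reaches the office or the wired LAN
block return in quick on $int_if inet from $wifi to <internal>

# 4. internet-bound traffic: the short tcp list plus ping, nothing else
pass in quick on $int_if inet proto tcp  from $wifi to any port $wifi_tcp keep state
pass in quick on $int_if inet proto icmp from $wifi to any icmp-type $icmp_types keep state

# 5. everything else from the wifi range (other udp, esp, ...) is refused here,
#    so the liberal $int_if:network rules that follow never see it
block return in quick on $int_if inet from $wifi to any

# ip6 is not in use on this router, as suggested in the thread
block drop quick inet6
```

After loading, `tcpdump -nvvvi pflog0` shows which of these rules refused a given wifi packet, which is the check the thread used to find the missing proxy-port rule.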