Thread: very simple pf rules prob (comp.unix.bsd.openbsd.misc forum, OpenBSD category)
I'm trying to block port 23 on the internal interface on my firewall (very last line at bottom). I think it's because of NAT passing everything over; I can't seem to block this port on the inside. Could someone please let me know what's wrong with my rules (: thank you

nat.conf:

nat on rl0 from rl1:network to any -> (rl0)

pf.conf:

PrvIF = "rl1"
ExtIF = "rl0"
RESERVED = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"

set block-policy drop
scrub in all

block in all
block out all
block return-rst in log inet proto tcp all
block return-rst out log inet proto tcp all
block return-icmp out log inet proto udp all
block return-icmp in log inet proto udp all
block in quick inet6 all
block out quick inet6 all
block in quick on enc0 all
block out quick on enc0 all
block out quick on $ExtIF inet from ! $ExtIF to any
block in quick on $ExtIF inet from $RESERVED to any
block out quick on $ExtIF inet from any to $RESERVED
block in quick on $ExtIF inet proto tcp from any to any flags FUP/FUP
block in quick on $ExtIF inet proto tcp from any to any flags SF/SFRA
block in quick on $ExtIF inet proto tcp from any to any flags /SFRA
block in quick on $ExtIF inet proto tcp from any to any port 10000 flags S/SA
block in quick on $ExtIF inet proto tcp from any to 200.200.200.200/32 port 23
pass in quick on lo0 all
pass out quick on lo0 all
block in quick on $ExtIF proto { tcp, udp } from any to $ExtIF \
    port { 69, 136, 139, 445, 593, netbios-ns, netbios-dgm, netbios-ssn, 514 } flags S/SA
block out quick on $ExtIF proto { tcp, udp } from $ExtIF to any \
    port { 69, 136, 139, 445, 593, netbios-ns, netbios-dgm, netbios-ssn, 514 } flags S/SA
pass in quick on $ExtIF proto { tcp, udp } from any to any \
    port smtp flags S/SA keep state
pass in quick on $ExtIF proto tcp from any to any \
    port https flags S/SA keep state
pass in quick on $ExtIF proto tcp from $ExtIF to any port > 49151
pass out quick on $ExtIF inet proto tcp from $ExtIF to any \
    flags S/SA modulate state
pass out quick on $ExtIF inet proto { udp, icmp } from $ExtIF to any keep state
pass out on $PrvIF all
pass in on $PrvIF all
block in quick on $PrvIF inet proto tcp from 10.0.0.0/8 to any port 23 flags S/SA
Monkey Boy wrote:
> I'm trying to block port 23 on the internal interface on my firewall (very
> last line at bottom). I think it's because of NAT passing everything over; I
> can't seem to block this port on the inside. Could someone please let me
> know what's wrong with my rules (: thank you

Because you use the quick keyword on nearly every rule, the last rule won't be evaluated.

Greetings
Markus
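As an added illustration (not code from this thread or from pf itself), here is a small Python model of how pf walks a ruleset: the last matching rule wins, unless a matching rule carries quick, which ends evaluation on the spot. It runs a cut-down copy of the posted rl1 rules against constructed inside hosts, both as posted and with quick on the pass rule, the pattern Markus describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Toy model of pf rule evaluation written for this thread; it is not pf code.
@dataclass
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    iface: Optional[str] = None   # None matches any interface
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # CIDR source, None = any
    dport: Optional[int] = None   # destination port, None = any
    quick: bool = False           # stop evaluating on a match

    def matches(self, pkt: dict) -> bool:
        return (self.direction == pkt["dir"]
                and self.iface in (None, pkt["iface"])
                and self.proto in (None, pkt["proto"])
                and (self.src is None or ip_address(pkt["src"]) in ip_network(self.src))
                and self.dport in (None, pkt["dport"]))

def evaluate(rules, pkt):
    """Return (verdict, index of deciding rule). pf walks the whole list and
    remembers the last match; 'quick' on a matching rule ends the walk early."""
    verdict, decided_by = "pass", None   # pf passes when no rule matches
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            verdict, decided_by = rule.action, i
            if rule.quick:
                break
    return verdict, decided_by

# Cut-down version of the posted rules that touch rl1 (internal side), in posted order.
POSTED = [
    Rule("block", "in"),
    Rule("pass", "in", iface="rl1"),
    Rule("block", "in", iface="rl1", proto="tcp", src="10.0.0.0/8", dport=23, quick=True),
]
# Same list with 'quick' on the pass rule: the block rule is then never reached.
QUICK_PASS = [POSTED[0], Rule("pass", "in", iface="rl1", quick=True), POSTED[2]]

def telnet_syn(src: str) -> dict:
    """Constructed packet: inbound TCP SYN on rl1 to port 23 from src."""
    return {"dir": "in", "iface": "rl1", "proto": "tcp", "src": src, "dport": 23}

if __name__ == "__main__":
    for ruleset, name in ((POSTED, "posted"), (QUICK_PASS, "quick pass")):
        for src in ("10.1.1.5", "192.168.1.5"):   # constructed inside hosts
            print(name, src, evaluate(ruleset, telnet_syn(src)))
```

The second source shows a separate limit of the posted rule: it only matches senders inside 10.0.0.0/8, so a host on any other internal range is passed by the rule before it.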
I took out about every "quick" keyword and only used "quick" for one blocking rule to block telnet traffic. Nope, still didn't work. Doesn't matter where I put it, internal/external interface, in & out, or global, I still can't block telnet traffic. Hmm, I have pf.conf and nat.conf in separate files; it plays up if I have it as one file, which some examples show you can do. Something's broken. Would having modulate state in there cause troubles with my blocking problem?

"Markus Hennecke" <hennecke@web.de> wrote in message news:vo80b1-56j.ln1@zerberus.hades.wg...
> Monkey Boy wrote:
> > I'm trying to block port 23 on the internal interface on my firewall (very
> > last line at bottom). I think it's because of NAT passing everything over; I
> > can't seem to block this port on the inside. Could someone please let me
> > know what's wrong with my rules (: thank you
>
> Because you use the quick keyword on nearly every rule, the last rule
> won't be evaluated.
>
> Greetings
> Markus
On Tue, 16 Dec 2003 17:43:58 +1100, "Monkey Boy" <phase00@hotmail.com> wrote:
> I took out about every "quick" keyword and only used "quick" for one blocking
> rule to block telnet traffic. Nope, still didn't work. Doesn't matter where
> I put it, internal/external interface, in & out, or global, I still can't block
> telnet traffic. Hmm, I have pf.conf and nat.conf in separate files; it
> plays up if I have it as one file, which some examples show you can do.
> Something's broken. Would having modulate state in there cause troubles
> with my blocking problem?

Dear Monkey Boy,

1. Try to avoid top posting.
2. What version of OBSD are you using? Starting with 3.2, nat.conf and pf.conf were merged.
3. Please provide your currently broken pf.conf.
Sorry for the top posting, wasn't aware. I'm running 3.2 and my rules are within my first posting under this subject. I've kept pf & nat rules in separate files and initialise them separately. Maybe that's why I'm getting strange behaviour (ie. if I do pfctl -F rules -f /etc/pf.conf, when I portscan the firewall it reports that every single port opened, but then if I flush/reload pf.conf and then run pfctl -F nat -f /etc/nat.conf the rules properly block as expected on the external interface). The only problem I have is that blocking doesn't work at all on the internal interface. I have a quick block on port 23, then I have a normal allow all traffic in/out after the quick block. Hmmmm, I have to try and combine my pf.conf & nat.conf first; maybe that will resolve the issue. Hmmm, had lots of problems trying to combine those files last time. Hmmm, thanks for the response.

"Monkey Boy" <phase00@hotmail.com> wrote in message news:brm9h3$p0g$1@perki.connect.com.au...
> I took out about every "quick" keyword and only used "quick" for one blocking
> rule to block telnet traffic. Nope, still didn't work. Doesn't matter where
> I put it, internal/external interface, in & out, or global, I still can't block
> telnet traffic. Hmm, I have pf.conf and nat.conf in separate files; it
> plays up if I have it as one file, which some examples show you can do.
> Something's broken. Would having modulate state in there cause troubles
> with my blocking problem?
>
> "Markus Hennecke" <hennecke@web.de> wrote in message
> news:vo80b1-56j.ln1@zerberus.hades.wg...
> > Monkey Boy wrote:
> > > I'm trying to block port 23 on the internal interface on my firewall (very
> > > last line at bottom). I think it's because of NAT passing everything over; I
> > > can't seem to block this port on the inside. Could someone please let me
> > > know what's wrong with my rules (: thank you
> >
> > Because you use the quick keyword on nearly every rule, the last rule
> > won't be evaluated.
> >
> > Greetings
> > Markus
On Wed, 17 Dec 2003 15:19:18 +1100, "Monkey Boy" <phase00@hotmail.com> wrote:
> Sorry for the top posting, wasn't aware. I'm running 3.2 and my rules are
> within my first posting under this subject. I've kept pf & nat rules in
> separate files and initialise them separately. Maybe that's why I'm getting
> strange behaviour (ie. if I do pfctl -F rules -f /etc/pf.conf, when I
> portscan the firewall it reports that every single port opened, but then if
> I flush/reload pf.conf and then run pfctl -F nat -f /etc/nat.conf the
> rules properly block as expected on the external interface). The only
> problem I have is that blocking doesn't work at all on the internal interface.
> I have a quick block on port 23, then I have a normal allow all traffic
> in/out after the quick block. Hmmmm, I have to try and combine my pf.conf
> & nat.conf first; maybe that will resolve the issue. Hmmm, had lots of
> problems trying to combine those files last time. Hmmm

why are you top posting again?

anyway, i asked for your pf.conf because you say you made changes (in particular with the 'quick' keyword). please provide your latest tested pf.conf.

are you running a clean install of 3.2 or is it an upgrade?

this command is flawed:

pfctl -F nat -f /etc/nat.conf

the -f switch is meant to load a rule file only. what *you* are taking as a nat config, pf is taking as simply another rule file (containing the 'nat' keyword). try this:

# pfctl -F rules -f /etc/pf.conf
# pfctl -s nat
{ your nat.conf shouldn't be loaded }

when you issue the second command you have not flushed your rules but load that second config file (nat.conf). apparently this appends your nat rule. to prove this, continue with these commands:

# pfctl -s rules
# pfctl -F nat -f /etc/nat.conf
# pfctl -s rules

the '-F nat' shouldn't do anything since you shouldn't (better not) have any nat rules loaded. so does the third command give you anything different from the first command?

what does this give you now:

# pfctl -s nat

we haven't even begun to analyse your rule set, all because you refuse to put everything in one file.