Ivan, 2015-08-19 06:29:19
FreeBSD

When NAT is enabled in PF on FreeBSD 9.1, full access to the Internet opens immediately, even though the rules forbid it. What's the catch?

Task: Give certain IP access to the Internet to certain resources.
Problem: As soon as I enable NAT for these IPs, they get full access to the Internet, although there is no pass rule allowing this.
I ask for help, comrades.
pf.conf listing: (addresses changed :-)
####################
int_if="lan0"
ext_ip="10.10.10.1"
ext_if="isp1"
tun="tun0"
## DMZ
dmz_if="dmz0"
dmz_ip="192.168.201.10"
dmz_lan="192.168.201.0/24"
## Networks
trusted_lan="192.168.10.0/24"
vpn_lan="192.168.202.0/24"
localnet="127.0.0.0/8"
wifi_lan="192.168.203.0/24"
it="{ 192.168.10.5, 192.168.10.6 }"
## Private nets
private_nets="{ 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24 , 192.168.0.0/16, 240.0.0.0/4 }"
## Hosts with full Internet access
vip_ip="{ 192.168.10.24, 192.168.10.32 }"
## 1C services
1c_kontur="{ 46.17.203.10, 46.17.203.240 , 46.17.203.245 }"
## Malware
bad_ip="{ 184.168.47.225, 50.31.164.165, 92.51.0.227 }"
################################
## 2. Tables ##
################################
table <ddos> persist
table <spamers> persist
table <brutforce> persist
################################
## 3. Options ##
################################
set block-policy return
set optimization normal
set skip on lo0
set skip on $int_if
set skip on $dmz_if
set loginterface $ext_if
set timeout { frag 10, tcp.established 3600 }
####################################
## 4. Normalization ##
#####################################
scrub in all
###############################
## 5. ALTQ queues ##
###############################
#######################################
## 6. Forwarding and NAT ##
#######################################
###################
## NAT ##
###################
nat on $ext_if from $vpn_lan to any -> $ext_ip
nat on $ext_if from $wifi_lan to any -> $ext_ip
nat on $ext_if from $vip_ip to any -> $ext_ip
nat on $ext_if from $dmz_lan to any -> $ext_ip
nat on $ext_if inet from $it to any -> ($ext_if:0)
## RDR 1C
rdr on $ext_if proto tcp from any to $ext_ip port $1c_ports -> $term_srv
## RDR MAIL
rdr on $ext_if proto tcp from any to $ext_ip port $mail_ports -> $mail
## ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
pass in on $ext_if inet proto tcp to $ext_ip port 21 flags S/SA keep state
anchor "ftp-proxy/*"
##
#########################################
## 7. Filter rules ##
##########################################
antispoof quick for { lo0, $int_if, $ext_if }
block all
block drop in quick on $ext_if from $private_nets to any
block drop out quick on $ext_if from any to $private_nets
block drop in log quick on $ext_if from $bad_ip to any
block drop out log quick on $ext_if from any to $bad_ip
block drop out log quick on $ext_if proto tcp from $trusted_lan to any port smtp
block drop log quick inet proto tcp from $vpn_lan to any port smtp
block drop log quick on $ext_if from <ddos> to any # table names are in angle brackets; the site stripped them when this was posted
block drop log quick on $ext_if from <spamers> to any
block drop log quick on $ext_if from <brutforce> to any
## NAT the external interface
pass out on $ext_if from $ext_if to any keep state
## Let the VPN out
pass from $vpn_lan to any keep state
## OpenVPN
pass in quick on $ext_if inet proto {tcp} from any to self port 1194
## Collect pests in tables (table names are in angle brackets; the site stripped them when this was posted)
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port www flags S/SA keep state (max-src-conn-rate 5/2, overload <ddos> flush global)
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port { pop3, pop3s } keep state (max-src-conn-rate 15/60, overload <spamers> flush global)
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state (max-src-conn-rate 1/40, overload <brutforce> flush global)
## OpenVPN
pass in log on tun0 from any to any keep state
pass out log on tun0 from any to any keep state
## Open services ##
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $ext_if port $1c_ports flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 53 keep state
## Open 1C services
pass out on $ext_if inet proto tcp from $it to $1c_kontur keep state
pass in on $ext_if proto tcp from any to $www port 80 keep state
pass in on $ext_if proto tcp from any to $mail port $mail_ports keep state
pass in on $ext_if proto tcp from any to $term_srv port $1c_ports keep state
pass log inet proto icmp all icmp-type $icmp_types
##### END CONFIG

I have tried everything. As soon as I add nat on $ext_if inet from $it to any -> ($ext_if:0), I immediately get full access to the Internet, although there is no rule permitting it.


1 answer
athacker, 2015-08-20

As far as I vaguely remember, pf processes the rules in the order they appear in the config. Therefore NAT is done first, and only then are the block/pass rules applied. And so the rule
pass out on $ext_if from $ext_if to any keep state
allows everyone and everything, since after NAT all packets that went through NAT fall under this rule.
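The evaluation order the answer describes, modelled as an added example (this is not the poster's config and not pf source): a toy evaluator that applies the nat rule before the outbound filter on isp1, so the filter sees 10.10.10.1 as the source and the catch-all "pass out on $ext_if from $ext_if" matches. The FIXED ruleset is my assumption about one way out, not something from the thread: drop "set skip on $int_if" and pass only the wanted flows inbound on lan0, where the source address is still the original one. The nat_first=False path is hypothetical, only there to show that the order is what makes the difference.

```python
"""Toy model of the pf evaluation order behind the answer above: in the pf
that FreeBSD 9.1 ships, nat rules are applied before the outbound filter
rules on the NAT interface, so those filter rules see the translated
source address.  Added example; not the poster's config or pf source."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses taken from the posted pf.conf (already anonymised by the poster).
INT_IF, EXT_IF, EXT_IP = "lan0", "isp1", "10.10.10.1"
IT = {"192.168.10.5", "192.168.10.6"}
KONTUR = {"46.17.203.10", "46.17.203.240", "46.17.203.245"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    iface: str        # interface the packet is being evaluated on
    direction: str    # "in" or "out"


def matches(addr, spec):
    """spec is "any", a set of host addresses, or a CIDR string."""
    if spec == "any":
        return True
    if isinstance(spec, set):
        return addr in spec
    return ip_address(addr) in ip_network(spec, strict=False)


def R(action, direction, iface, src, dst, quick=False):
    """One filter rule; direction and iface may be "any"."""
    return dict(action=action, direction=direction, iface=iface,
                src=src, dst=dst, quick=quick)


def filter_decision(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule
    is marked quick, in which case evaluation stops there."""
    decision = "pass"   # pf passes when no rule matches at all
    for r in rules:
        if r["direction"] not in ("any", pkt.direction):
            continue
        if r["iface"] not in ("any", pkt.iface):
            continue
        if not (matches(pkt.src, r["src"]) and matches(pkt.dst, r["dst"])):
            continue
        decision = r["action"]
        if r["quick"]:
            break
    return decision


def translate(nat_rules, pkt):
    """Apply the first matching nat rule (source translation on egress)."""
    for iface, src, new_src in nat_rules:
        if pkt.direction == "out" and pkt.iface == iface and matches(pkt.src, src):
            return replace(pkt, src=new_src)
    return pkt


def forward(rules, nat_rules, skip, src, dst, nat_first=True):
    """Route a LAN host's packet: inbound on lan0, then outbound on isp1.
    nat_first=True is the real FreeBSD 9.1 order; False is a hypothetical
    what-if to show that the order is what makes the difference."""
    inbound = Packet(src, dst, INT_IF, "in")
    if INT_IF not in skip and filter_decision(rules, inbound) == "block":
        return "blocked on lan0 in"
    outbound = Packet(src, dst, EXT_IF, "out")
    if nat_first:
        outbound = translate(nat_rules, outbound)
    if filter_decision(rules, outbound) == "block":
        return "blocked on isp1 out"
    if not nat_first:
        outbound = translate(nat_rules, outbound)
    return f"passed as {outbound.src} -> {outbound.dst}"


# Cut-down version of the posted ruleset: "block all", the catch-all
# "pass out on $ext_if from $ext_if to any", and the 1C rule for $it.
NAT_RULES = [(EXT_IF, IT, EXT_IP)]   # nat on $ext_if inet from $it to any -> ($ext_if:0)
POSTED = [
    R("block", "any", "any", "any", "any"),
    R("pass", "out", EXT_IF, {EXT_IP}, "any"),
    R("pass", "out", EXT_IF, IT, KONTUR),
]
POSTED_SKIP = {INT_IF}               # set skip on $int_if

# One possible fix (my assumption, not from the thread): stop skipping lan0
# and pass only the wanted flows inbound there, where the source address
# is still the original one.  The catch-all pass out stays for the
# router's own traffic.
FIXED = [
    R("block", "any", "any", "any", "any"),
    R("pass", "out", EXT_IF, {EXT_IP}, "any"),
    R("pass", "in", INT_IF, IT, KONTUR),      # pass in on $int_if from $it to $1c_kontur
]

if __name__ == "__main__":
    print(forward(POSTED, NAT_RULES, POSTED_SKIP, "192.168.10.5", "8.8.8.8"))
    print(forward(POSTED, NAT_RULES, POSTED_SKIP, "192.168.10.5", "8.8.8.8", nat_first=False))
    print(forward(FIXED, NAT_RULES, set(), "192.168.10.5", "8.8.8.8"))
    print(forward(FIXED, NAT_RULES, set(), "192.168.10.5", "46.17.203.10"))
```

With the posted rules, a packet from 192.168.10.5 to an arbitrary host leaves as 10.10.10.1 and is passed by the catch-all; with the same rules but filtering before translation (the hypothetical order) it would be blocked, which is exactly the effect the answer describes. The caveat for the FIXED variant in real pf: once "set skip on $int_if" is gone, every other internal flow through lan0 (the vip_ip hosts, trusted_lan to the DMZ, and so on) needs its own pass in rule there, and those rules should carry keep state so replies are matched by state rather than by another rule.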
