List-Archive: https://lists.freebsd.org/archives/freebsd-pf
From: Dries Michiels
Date: Sat, 2 Nov 2024 16:30:48 +0100
Subject: IPFW stateful firewall ruleset - some sites or applications do not work as expected
To: freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org, FreeBSD Net

Hello,

So I have a very basic ruleset, as described in the FreeBSD handbook, see below. I have "blurred" my open ports as seen in the ruleset below.
igc0 is my WAN port, and in the table "trusted_if" are my LAN interface and some bridges.

00001 reass ip from any to any in
00010 allow ip from any to any via table(trustedif)
00050 deny log ip from any to any not antispoof in
00100 nat 1 ip4 from any to any in recv igc0
00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
09998 deny log tcp from any to any
09999 deny log udp from any to any
10000 nat 1 ip4 from any to any out xmit igc0
65535 allow ip from any to any

Now comes the tricky part. There are some applications that don't work correctly with this ruleset.
For example, itsme (a Belgian application to identify yourself with a lot of accounts) does not work.
Recently my banking website also stopped working. So now I'm wondering, how do I start to troubleshoot this issue?
Are there any caveats with this ruleset when redirects are happening, for example?
I'm also wondering if Belgian PF users have the same issue?

I'm hopeful to get to the bottom of this as it's quite annoying needing to switch wifi channels to my ISP's router, which does work with these applications.

Regards
Dries
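An added troubleshooting helper, not part of the original post: it tallies hits of the three "deny log" rules in the posted ruleset (00050, 09998, 09999) from the lines ipfw writes to /var/log/security when net.inet.ip.fw.verbose=1 is set, and explains what each rule number means under that ruleset. The log lines, host names, addresses and ports below are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of ipfw log lines (hypothetical hosts and addresses):
# 192.0.2.20 plays the WAN address on igc0, 10.0.0.0/8 the LAN behind the trusted interfaces.
SAMPLE_LOG='Nov  2 16:31:02 gw kernel: ipfw: 9998 Deny TCP 203.0.113.10:443 192.0.2.20:51234 in via igc0
Nov  2 16:31:02 gw kernel: ipfw: 9998 Deny TCP 203.0.113.10:443 192.0.2.20:51234 in via igc0
Nov  2 16:31:05 gw kernel: ipfw: 9999 Deny UDP 198.51.100.7:3478 192.0.2.20:40000 in via igc0
Nov  2 16:31:09 gw kernel: ipfw: 50 Deny TCP 10.0.0.77:51235 192.0.2.20:80 in via igc0
Nov  2 16:31:10 gw sshd[812]: Accepted publickey for dries from 10.0.0.5 port 50122'

# Count deny-log hits per (rule, proto, direction, interface, src -> dst).
# Reads log lines on stdin; prints "<count> <rule> <proto> <dir> <iface> <src> -> <dst>",
# ordered by rule number, then by count descending.
summarize_denies() {
    awk '
        /kernel: ipfw: [0-9]+ Deny / {
            for (i = 1; i <= NF; i++) if ($i == "ipfw:") break
            # after "ipfw:": rule action proto src:sport dst:dport dir "via" iface
            key = $(i+1) " " $(i+3) " " $(i+6) " " $(i+8) " " $(i+4) " -> " $(i+5)
            n[key]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -k2,2n -k1,1nr
}

# Map a logged rule number to what it means under the posted ruleset.
explain_rule() {
    case "$1" in
        50) echo "antispoof: source belongs to a directly connected network but arrived on another interface" ;;
        9998|9999) echo "no dynamic state matched at 00500/00501 and neither a new outbound flow nor an open inbound port matched" ;;
        *) echo "rule $1 has no log keyword in the posted ruleset" ;;
    esac
}

# Stand-alone run: summarize the sample and annotate each line with its rule's meaning.
printf '%s\n' "$SAMPLE_LOG" | summarize_denies | while read -r count rule rest; do
    printf '%s hit(s) at rule %s (%s): %s\n' "$count" "$rule" "$(explain_rule "$rule")" "$rest"
done
```

A reply from a remote :443 that lands at 09998 "in via igc0" is the pattern to look for: no dynamic rule matched it, so the listed peer and local port are what to trace next in `ipfw -d show` while reproducing the failing login.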