From: Ronald Klop <ronald@FreeBSD.org>
To: Dries Michiels, freebsd-ipfw@freebsd.org, freebsd-pf@freebsd.org, FreeBSD Net
Subject: Re: IPFW statefull firewall ruleset - some sites or applications do not work as expected
Date: Thu, 14 Nov 2024 11:17:27 +0100
Message-ID: <610cbd98-0e4c-474f-b352-9786fc9e6a70@FreeBSD.org>
List-Id: Technical discussion and general questions about packet filter (pf)
List-Archive: https://lists.freebsd.org/archives/freebsd-pf
On 02-11-2024 at 16:30, Dries Michiels wrote:
> Hello,
>
> So I have a very basic ruleset, as described in the FreeBSD handbook, see below. I have "blurred" my open ports as seen in the ruleset below.
> igc0 is my WAN port and in the table "trusted_if" are like my LAN if and some bridges.
>
> 00001 reass ip from any to any in
> 00010 allow ip from any to any via table(trustedif)
> 00050 deny log ip from any to any not antispoof in
> 00100 nat 1 ip4 from any to any in recv igc0
> 00500 skipto 10000 tcp from any to any out xmit igc0 setup keep-state :default
> 00501 skipto 10000 udp from any to any out xmit igc0 keep-state :default
> 05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
> 05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
> 09998 deny log tcp from any to any
> 09999 deny log udp from any to any
> 10000 nat 1 ip4 from any to any out xmit igc0
> 65535 allow ip from any to any
>
> Now comes the tricky part. There are some applications that don't work correctly with this ruleset.
> For example, itsme (a Belgian application) to identify yourself with a lot of accounts does not work.
> Recently my banking website also stopped working. So now I'm wondering how do I start to troubleshoot this issue?
> Are there any caveats with this ruleset when redirects are happening, for example? I'm also wondering if Belgian PF users have the same issue?
>
> I'm hopeful to get to the bottom of this as it's quite annoying needing to switch wifi channels to my ISP's router, which does work with these applications.
>
> Regards
> Dries
>

Hi,

It has been a while since I built ipfw firewalls, but doesn't rule 10 match all internal (from LAN) traffic, preventing outgoing (to WAN) packets from getting to the nat rules?
I would suggest something like this:

00001 reass ip from any to any in
00050 deny log ip from any to any not antispoof in
00100 nat 1 ip4 from any to any via igc0
00300 check-state :default
00200 allow ip from any to any in table(trustedif) keep-state :default
05000 allow tcp from any to me *some open ports* in recv igc0 setup keep-state :default
05001 allow udp from any to me *some open ports* in recv igc0 keep-state :default
09999 deny log ip from any to any
65535 allow ip from any to any

Regards,
Ronald.
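Added example, not part of either message in this thread: Dries asks how to start troubleshooting. The quoted ruleset's "deny log" rules (50, 9998, 9999) write one syslog line per dropped packet, so a small parser over those lines shows which rule is dropping what, and flags inbound WAN denies that look like replies to outbound sessions without state. The log line layout, the sample lines and the igc0 interface name are assumptions constructed here.

```python
import re
from collections import Counter
# Default ipfw log line (syslog prefix stripped) written by "deny log" rules to
# /var/log/security: "ipfw: <rule> <action> <proto> <src> <dst> <in|out> via <if>".
# TCP/UDP endpoints carry ":port"; ICMP lines use "ICMP:type.code" and bare addresses.
LOG_RE = re.compile(r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\S+) "
                    r"(?P<src>\S+) (?P<dst>\S+) (?P<dir>in|out) via (?P<iface>\S+)")
# Constructed sample lines for the quoted ruleset (rules 50, 9998 and 9999 log); not real traffic.
SAMPLE_LOG = """\
ipfw: 9998 Deny TCP 198.51.100.7:40022 203.0.113.5:23 in via igc0
ipfw: 9998 Deny TCP 192.0.2.10:443 203.0.113.5:51234 in via igc0
ipfw: 9998 Deny TCP 192.0.2.10:443 203.0.113.5:51234 in via igc0
ipfw: 9999 Deny UDP 192.0.2.53:53 203.0.113.5:40211 in via igc0
ipfw: 50 Deny TCP 10.0.0.9:51000 192.0.2.10:443 in via igc0""".splitlines()
def split_port(endpoint):
    """'192.0.2.10:443' -> ('192.0.2.10', 443); a bare address -> (addr, None)."""
    host, sep, port = endpoint.rpartition(":")
    if sep and port.isdigit() and (":" not in host or host.endswith("]")):
        return host, int(port)
    return endpoint, None

def parse_line(line):
    """Parse one ipfw log line into a dict, or return None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rule"] = int(rec["rule"])
    rec["src"], rec["sport"] = split_port(rec["src"])
    rec["dst"], rec["dport"] = split_port(rec["dst"])
    return rec

def deny_counts(lines):
    """Denied packets per (rule, direction, interface, proto, dst port)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] == "Deny":
            counts[(rec["rule"], rec["dir"], rec["iface"], rec["proto"], rec["dport"])] += 1
    return counts

def suspected_lost_state(lines, wan="igc0"):
    """Inbound WAN denies from a well-known source port to an ephemeral destination port look
    like replies to sessions with no firewall state: check these first when a session hangs."""
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        if (rec["action"] == "Deny" and rec["dir"] == "in" and rec["iface"] == wan
                and rec["sport"] is not None and rec["sport"] < 1024
                and rec["dport"] is not None and rec["dport"] >= 1024):
            hits.append((rec["rule"], rec["proto"], rec["src"], rec["sport"], rec["dport"]))
    return hits
```

Run it over `grep ipfw /var/log/security` output; a steady stream of hits from suspected_lost_state() for the failing sites points at the ruleset (state not created or the skipto never reached) rather than at the application.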