Releasing all outgoing ports for a particular IP.

Fleuriot Damien ml at my.gd
Thu Feb 14 18:22:38 UTC 2013 

On Feb 14, 2013, at 7:06 PM, Lisa Muir <34.24.34 at gmail.com> wrote:

> Hi Guys,
> 
> Hope you might be able to help me with a query. Am a little past the
> newbie stage with pf, and moderately comfortable with it, but by no
> means a guru yet, finding my way.
> 
> Have one firewall which has a public interface with multiple ip's and
> 5 private lans with the usual private lan space ip's. The machine has
> been running fine for a year and a bit, and I have various port
> forwarding things going, internal redirection for dmz hosts being
> accessed from the lan, port forwarding for public ip aliases's on the
> external interface. Two things have left me with questions, one is
> about UDP port forwarding which I got working but am not 100% happy
> with, and I'll come back to that in another thread, and today's one
> which is releasing all tcp ports for a particular IP which is in the
> "DMZ" vlan. In this case, the vlans are implemented at the switches,
> and a seperate interface on the pf firewall links into each vlan, no
> kernel based vlan in operation.
> 
> As a rule, we restrict outgoing ports, we only allow out what we know
> about and approve, but we're putting in a CCTV transmitter into the
> DMZ which requires access to every tcp port for outgoing. Here is a
> cut down version of my pf.conf with the relevant data, starting with
> the definitions for interfaces, the host in question that I am testing
> with, and the ports:
> 
> #####################
> # Definitions
> #
> # interfaces
> 
> # Vlan1 is the switch management vlan
> vlan1_if = "em1"
> 
> # Vlan2 is the business vlan
> vlan2_if = "em2"
> 
> # Vlan3 is the topsec secretary vlan
> vlan3_if = "em3"
> 
> # Vlan4 is the "dmz"
> vlan4_if = "em4"
> 
> # Vlan5 is the domestic house vlan
> vlan5_if = "em5"
> 
> # Wlan is the wireless lan in the building
> wlan_if = "msk0"
> 
> # The em0 vlan is a direct cat-5 cable link to wireless broadband kit
> for public internet
> ext_if = "em0"
> 
> # The em0_alias0 is a virtual interface for additional public ip
> stc_dvr_ext_if = "173.47.184.4"
> 
> tunnel_if = "gif0"
> vpn_if = "tun0"
> 
> # Host that we are testing our rules with
> emailserver = "10.168.3.99"
> 
> # Ports that we want to open for this host, all tcp going out
> all_ports = "{ 1:65535 }"
> 
> 
> 
> The lans, 1, 2, 3, wireless and are restricted to only trafficing on
> ports such as 80, 443, 25, 587, 143 etc.
> 
> But I want my email server to go out on any port, so the following
> lines were added, which work:
> 
> 
> pass in on $vlan4_if proto tcp from $emailserver to any port $all_ports
> pass out on $ext_if proto tcp from $ext_if to any port $all_ports
> 
> 
> 
> The first line of that is suitably restrictive, it only allows that
> one single host in the DMZ to traffic out on all tcp ports.
> 
> its the next pass rule that bothers me. Because all lans nat through
> to the ext_if, this next line effectively opens up all ports to get
> out into the wild if any of them are accidently opened to get into the
> gateway. I'd like to be able to restrict that particular pass rule to
> a single host.
> 
> Is that possible? or do I just have to live with the fact that I have
> it restricted at the pass in stage?
> 
> When i get more info, I may be able to restrict the outgoing
> destination to a list of ip's rather than passing out to any, which
> will help tighten the rule up, but it seems a little unrestricted for
> my liking as is.
> 
> Lisa.


I think what you want to do is not possible in this way, people more experienced will correct me if needed.

Perhaps you could try adjusting your outgoing NAT rules however ?


Example:

nat on $ext_if inet proto tcp from $emailserver to any
nat on $ext_if inet proto tcp from $dmz:network to any port { 80 443 25 465 … }
nat on $ext_if inet proto udp from $dmz:network to any port { 53 … }

See the approach here ?
Your packets from hosts other than the emailserver (which effectively has access to everything over TCP) won't go through.



Now, why do you bother with "ports $all_ports" at all ?
Just use:
pass in on $vlan4_if proto tcp from $emailserver to any


Next, if you only use ipv4 you might want to use the "inet" keyword in your rules, as such:
pass in on $vlan4_if inet proto …


Last, unless you have specific reasons not to, why not make use of the "quick" keyword so that PF stops processing rules right where you want ?
pass in quick on $vlan4_if inet proto tcp…



I hope this helps.

More information about the freebsd-pf mailing list