FreeBSD 10.3, pf, and rtp, definite firewall issue
David Mehler
dave.mehler at gmail.com
Tue Mar 21 12:52:45 UTC 2017
Hello,
I've included my firewall rules below. Can someone take a look at
them and give me an assessment? They are working for the most part
except with Asterisk in a jail and RTP.
I've got a single server, a VPS, with one public IP. On the server
(FreeBSD 10.3; trying to decide whether to go to 11, opinions?), it has two jails
running services, one of which is Asterisk.
I get to the point where I can connect a softphone app (Zoiper); it
works, but I hear no audio from Asterisk. I finally got the
debugging going and determined that Asterisk is working fine. So what
I did was take the line in the attached ruleset
block all
and changed it to
pass all
and removed all other rules.
That worked, telling me I've got a firewall issue. I've been working
on that for the last day and getting nowhere; RTP is definitely not
working in my configuration, kind of like FTP. Thank god I don't have
to do that.
Anyway, I was wondering if you could take a look? The pf.conf1 file is
the modified file that does work, while the pf.conf file is my ruleset
that I'd like to use.
Thanks.
Dave.
non-working pf.conf:
#
#
################ FreeBSD pf.conf ##########################
# Required order: options, normalization, queueing, translation, filtering.
# Note: translation rules are first match while filter rules are last match.
# 12/27/15: added in ipv6 firewall rules
################ Macros ###################################
### Interfaces ###
ext_if="vtnet0"
int_if = "lo1"
jailnet = $int_if:network
icmp_types="{echoreq, unreach}"
icmp6_types="{ 2, 128 }" # packet too big, echo request (ping6)
# Neighbor Discovery Protocol (NDP) (types 133-137):
# Router Solicitation (RS), Router Advertisement (RA)
# Neighbor Solicitation (NS), Neighbor Advertisement (NA)
# Route Redirection
icmp6_types_ext_if="{ 128, 133, 134, 135, 136, 137 }"
synstate ="flags S/SA synproxy state"
tcpstate ="flags S/SA modulate state"
udpstate ="keep state"
# Name and IP of jails
webmail="10.0.0.15"
webmail2="10.0.0.16"
# Name and IP of jailed ssh server
jssh1="10.0.0.15"
jssh2="10.0.0.16"
jssh3="10.0.0.17"
# The Asterisk Server
asterisk="10.0.0.17"
voipports = "{ 5060, 5061, 10000:20000 }"
# allowed traffic
tcp_services="{7, bootpc, bootps, ftp-data, ftp, ssh, smtp, domain, http, imap, https, imaps, 2703, 587, 43}"
tcp6_services="{ssh, smtp, domain, http, imap, https, imaps, 43}"
udp_services="{bootpc, bootps, domain, ntp, 3690, 6277, 24441}"
udp6_services="{domain, ntp, 546}"
# Options
# block-policy can be either drop or return
set block-policy return
set skip on lo0
set skip on lo1
#scrub on $ext_if all reassemble tcp no-df random-id max-mss 1440
# Normalization
# normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind
# firewall. Set random-id to help same.
# Set mss to ATM network frame size for easy splitting upstream.
#scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble
# NAT
#nat on $ext_if inet from $jailnet to any -> ($ext_if)
nat on $ext_if from $jailnet to any -> ($ext_if) static-port
# Nat internal hosts
#nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
#nat on $int_if from lo1:network to any -> ($int_if)
# Redirect any packets requesting ports 2220, 2221, or 2222 to jailed ssh server
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2220 -> $jssh1 port 2220
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2221 -> $jssh2 port 2221
rdr pass on $ext_if inet proto tcp from any to $ext_if port 2222 -> $jssh3 port 2222
# Redirect traffic to the asterisk server
# SIP on UDP port 5060, 5061 for secure signaling.
# Used for signals such as "hang up"
rdr pass on $ext_if inet proto udp from any to $ext_if port 5060 -> $asterisk port 5060
rdr pass on $ext_if inet proto udp from any to $ext_if port 5061 -> $asterisk port 5061
# RTP (media) ports 10000 to 20000
rdr pass on $ext_if inet proto udp from any to $ext_if port 10000:20000 -> $asterisk port 10000:20000
# IAX2- the IAX protocol
# UDP 4569
#rdr pass on $ext_if inet proto udp from any to $ext_if port 4569 -> $asterisk port 4569
# IAX - old IAX protocol
# port UDP 5036
#rdr pass on $ext_if inet proto udp from any to $ext_if port 5036 -> $asterisk port 5036
# Tables
#table <badips> persist file "/etc/pf/badips"
table <bruteforce> persist file "/etc/pf/bruteforce"
table <droplasso> persist file "/etc/pf.drop.lasso.conf"
table <fail2ban> persist file "/etc/pf/fail2ban"
# Pass anything on the lo* interfaces
#antispoof quick for lo0 inet
pass quick on lo0 all
#pass quick on lo1 all
# Block by default
block all
# Try to block nmap scans
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
# Explicitly block unroutable addresses
#antispoof quick for ($ext_if)
#block in quick on $ext_if from <badips> to any
#block out quick on $ext_if from any to <badips>
# Explicitly block anything in the bruteforce table
block in quick from <bruteforce>
# Explicitly block anything in the fail2ban table
block in quick from <fail2ban>
# Explicitly block anything in the droplasso table
block in quick from <droplasso>
# Pass out only the desired ports from host and jails
pass quick proto tcp from {self} to port $tcp_services keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto tcp from $jailnet to port $tcp_services keep state (max-src-conn 20, max-src-conn-rate 15/5, overload <bruteforce> flush global)
pass quick proto {tcp, udp} from {self} to port $udp_services keep state
pass quick proto {tcp, udp} from $jailnet to port $udp_services keep state
# allow ping and host unreach
pass inet proto icmp icmp-type $icmp_types keep state
# Traceroute
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass inet proto udp to port 33433:33626 # For IPv4
# tag packets in on $int_if and pass them out on $ext_if
#pass in quick on $int_if from any to any tag INTNET
#pass in on $ext_if proto tcp from any to $webmail port http flags S/SA synproxy state
# allow https traffic out from the jails
pass out proto tcp from $jailnet port https to any keep state
# Allow ssh connections in from the internet
pass in inet proto tcp from any to $ext_if port ssh keep state
# Pass in http traffic from the internet
pass in inet proto tcp to $ext_if port 80 keep state
# Pass in https traffic from the internet
pass in inet proto tcp to $ext_if port 443 keep state
# Pass in smtp traffic from the internet
pass in inet proto tcp to $ext_if port 25 keep state
# Pass in submission traffic from the internet
pass in inet proto tcp to $ext_if port 587 keep state
# Pass in imaps traffic from the internet
pass in inet proto tcp to $ext_if port 993 keep state
# Pass out port 80 to the jailed web servers
pass out inet proto tcp from $int_if to $webmail port 80 keep state
pass out inet proto tcp from $int_if to $webmail2 port 80 keep state
# pass traffic from the asterisk server
pass quick inet proto udp from $asterisk to any port $voipports keep state
# IPv6
# allowing in ping
pass quick on $ext_if inet6 proto ipv6-icmp icmp6-type $icmp6_types keep state
pass quick on $ext_if inet6 proto ipv6-icmp from any to { ($ext_if), ff02::/16 } icmp6-type $icmp6_types_ext_if keep state
# Allow outgoing services
pass out on $ext_if inet6 proto tcp to any port $tcp_services
pass out on $ext_if inet6 proto udp to any port $udp_services
# Trace route out
pass out on $ext_if inet6 proto udp from any to any port 33433 >< 33626 keep state
# allow incoming traffic
#pass in on $ext_if inet6 proto tcp from any to $http_servers6 port http keep state
#pass in on $ext_if inet6 proto tcp from any to $mail_servers6 port $mail_ports keep state
#pass in quick on $ext_comcast_if inet6 proto tcp from any to any port
#$tcp46_services flags S/SA keep state
#pass in quick on $ext_comcast_if inet6 proto tcp from any to
#( $ext_comcast_if ) port $tcp46_services_ext_if flags S/SA
#keep state
#pass in quick on $ext_comcast_if inet6 proto udp from any to
#( $ext_comcast_if ) port $udp6_services_ext_if keep state
#pass quick on $jailnet all keep state
working but totally open pf.conf1:
ext_if="vtnet0"
int_if = "lo1"
jailnet = $int_if:network
asterisk="10.0.0.17"
set block-policy return
set skip on lo0
nat on $ext_if inet from $jailnet to any -> ($ext_if)
rdr pass on $ext_if inet proto udp from any to $ext_if port 5060 -> $asterisk port 5060
rdr pass on $ext_if inet proto udp from any to $ext_if port 5061 -> $asterisk port 5061
rdr pass on $ext_if inet proto udp from any to $ext_if port 10000:20000 -> $asterisk port 10000:20000
pass all
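An added example, not part of Dave's post and not FreeBSD project code, of a minimal ruleset that keeps a default deny yet allows both legs of the RTP stream. It assumes that on FreeBSD pf the `nat on $ext_if` rule rewrites the source address before the outbound filter rules are evaluated, so the original `pass quick inet proto udp from $asterisk to any port $voipports` never matches Asterisk-originated packets on $ext_if, and that the softphone's RTP port is whatever its own NAT picked, so the jail's source port range (preserved by `static-port`) is the tighter thing to match on. The macros and addresses are the ones from the post.

```pf
# Added example, not the original ruleset: minimal pf.conf for Asterisk
# in a jail behind one public IP, keeping a default deny.
ext_if    = "vtnet0"
int_if    = "lo1"
jailnet   = $int_if:network
asterisk  = "10.0.0.17"
sip_ports = "{ 5060, 5061 }"
rtp_ports = "10000:20000"

set block-policy return
set skip on lo0
# Jail traffic is only filtered where it leaves on $ext_if.
set skip on lo1

# Outbound NAT for the jails. static-port keeps the jail's source port,
# so the RTP range Asterisk announces in SDP survives translation and
# can be matched by the pass out rules below.
nat on $ext_if inet from $jailnet to any -> ($ext_if) static-port

# Inbound SIP and RTP to the jail. "rdr pass" creates state, so the
# replies (Asterisk -> client) ride that state without a filter rule.
rdr pass on $ext_if inet proto udp from any to $ext_if port $sip_ports -> $asterisk
rdr pass on $ext_if inet proto udp from any to $ext_if port $rtp_ports -> $asterisk

# Default deny; "log" makes anything still dropped visible on pflog0.
block log all

# Asterisk-originated leg (early media, or the first RTP packet when no
# inbound state exists yet). On $ext_if the filter sees the packet after
# nat, i.e. with source ($ext_if), not $asterisk, and the peer's port is
# arbitrary, so match the jail's own source range rather than
# "to any port $voipports".
pass out quick on $ext_if inet proto udp from ($ext_if) port $sip_ports to any keep state
pass out quick on $ext_if inet proto udp from ($ext_if) port $rtp_ports to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, then, with `pflog_enable="YES"` in rc.conf, run `tcpdump -n -e -ttt -i pflog0 udp` during a call to see whether the `block log` rule still catches packets in the RTP range.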