FreeBSD bridging security router
The Doctor
doctor at
Wed Apr 1 01:37:10 UTC 2020
Found it. The bridging was not set properly.
However, I ran into a new problem.
This is supposed to be a border gateway, but when I plug in the
external interface, Wireshark says traffic is flowing, but I test the browsers
and they cannot find their target.
So I have
1) pf.conf
## Set your public interface ##
##Internal bridge for virtually hosted machines
## Set your server public IP address ##
intnet = $int_if:network
#Proxy for FTP
#All virtual machines go here!
#In case you need a whole group
vhosts =" {,,, }"
## Set and drop these IP ranges on public interface and any other troublemakers ##
martians = "{,,, \,,, \, }"
## Set http(80)/https (443) port here and other ports that need accessing ##
webports = "{http, https,8443,119,561,110,143,993,995,20,21,23,25,464,465,587,53,513,783,88,135,137,138,139,445,69,43,636,1024:65535}"
# Radius
radiusports = "{1645,1646,1812,1813 }"
## enable these services ##
int_tcp_services = "{domain, ntp, smtp,nntp, smtps,submission, www, https,20,88,ftp, ssh,110,139,137,138,135,143,636,993,995,443,445,464,561,636,783,7500,8443,43,63,1024:65535}"
int_udp_services = "{domain, ntp,69,88,137,138,139,445,464}"
int_radius_services = "{1645,1646,1812,1813 }"
## Skip loop back interface - Skip all PF processing on interface bridge and virtual hosts ##
set skip on lo
set skip on bridge0
set skip on tap0
set skip on tap1
set skip on tap2
set skip on tap3
## Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked ##
set loginterface $ext_if
set fingerprints "/etc/pf.os"
# Deal with attacks based on incorrect handling of packet fragments
scrub in all
################### TRANSLATION #############
#### NAT and RDR start
nat on $ext_if from $intnet to any -> ($ext_if)
nat on $intnet from $bridge0 to any -> ($intnet)
nat on $bridge0 from $kali to any -> ($bridge0)
nat on $bridge0 from $win2019 to any -> ($bridge0)
## Please note for virtual machines you are passing the packets via the
## virtual switch, so treat as machine (tap) into switch (bridge) into
## your machine acting as the host (exit)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Redirect ftp traffic to proxy
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
## Set default policy ##
block return in log all
block out all
# We need to have an anchor for ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 20
pass out proto tcp from $proxy to any port 21
pass out on $int_if inet proto {tcp, udp} from $int_if to any port ftp:ftp-proxy
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port 20
pass in on egress proto tcp to port > 49151
pass out quick on egress inet proto tcp from any to flags S/SA
pass out quick on egress inet proto tcp from any to flags S/SA
#set up virtual switch
pass in quick on bridge0 all
pass quick on tap0 all
pass quick on tap1 all
pass quick on tap2 all
pass quick on tap3 all
# Drop all Non-Routable Addresses
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop in quick on $vhosts from $martians to any
block drop out quick on $vhosts from any to $martians
## Blocking spoofed packets
antispoof quick for $int_if
antispoof quick for $ext_if
antispoof quick for $vhosts
# Open SSH port which is listening on port 22 from VPN 139.xx.yy.zz Ip only
# I do not allow or accept ssh traffic from ALL for security reasons
#pass in quick on $ext_if inet proto tcp from to $ext_if_ip port = ssh flags S/SA keep state label "USER_RULE: Allow SSH from"
## Use the following rule to enable ssh for ALL users from any IP address #
## pass in inet proto tcp to $ext_if port ssh
### [ OR ] ###
pass in inet proto tcp to $int_if port 22
#pass in inet proto tcp to $ext_if port 22
pass in inet proto tcp to $vhosts port 22
pass in inet proto tcp to $int_if port 36941
#pass in inet proto tcp to $ext_if port 36941
pass in inet proto tcp to $vhosts port 36941
# Allow Ping-Pong stuff. Be a good sysadmin
icmp_types = "{ echoreq, unreach }"
pass inet proto icmp all icmp-type $icmp_types keep state
# allow out the default range for traceroute(8):
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $int_if inet proto udp from any to any port 33433 >< 33626 keep state
pass out on $vhosts inet proto udp from any to any port 33433 >< 33626 keep state
# All access to our Nginx/Apache/Lighttpd Webserver and other ports
pass proto tcp from any to $int_if port $webports
pass proto udp from any to $int_if port $webports
pass proto udp from any to $int_if port $radiusports
#pass proto tcp from any to $ext_if port $webports
#pass proto udp from any to $ext_if port $webports
#pass proto udp from any to $ext_if port $radiusports
pass proto tcp from any to $vhosts port $webports
pass proto udp from any to $vhosts port $webports
pass in on $int_if proto tcp from any to any port = 36941 keep state
pass in on $vhosts proto tcp from any to any port = 36941 keep state
pass in on $kali proto tcp from any to any port = 36941 keep state
# Allow essential outgoing traffic
pass out quick on $int_if proto tcp to any port $int_tcp_services
pass out quick on $int_if proto udp to any port $int_udp_services
pass out quick on $int_if proto udp to any port $int_radius_services
pass out quick on $ext_if proto tcp to any port $int_tcp_services
pass out quick on $ext_if proto udp to any port $int_udp_services
pass out quick on $ext_if proto udp to any port $int_radius_services
pass out quick on $vhosts proto tcp to any port $int_tcp_services
pass out quick on $vhosts proto udp to any port $int_udp_services
#For radius make certain for older systems port 1645 and current 1812
pass in log quick on $int_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1645 keep state
pass in log quick on $int_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1812 keep state
pass in log quick on $int_if proto tcp from any to any port = 36941 flags S/SA keep state
pass in log quick on $int_if proto tcp from any to any port = 1645 flags S/SA keep state
pass in log quick on $int_if proto udp from any to any port = 1645 keep state
pass in log quick on $ext_if proto tcp from any to any port = 1812 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 1812 keep state
pass in log quick on $ext_if proto tcp from any to any port = 36941 flags S/SA keep state
pass in log quick on $ext_if proto udp from any to any port = 36941 keep state
pass in log quick on $vhosts proto tcp from any to any port = 36941 flags S/SA keep state
pass in log quick on $vhosts proto udp from any to any port = 36941 keep state
pass out quick all flags S/SA keep state
# Add custom rules below
# The overload table must be declared; persist keeps it across rule reloads
table <bruteforce> persist
block quick from <bruteforce>
pass quick proto { tcp, udp } from any to any port ssh \
flags S/SA keep state \
(max-src-conn 15, max-src-conn-rate 5/3, \
overload <bruteforce> flush global)
## I wonder if sshguard works with pf.
2) rc.conf
ifconfig_bce0="inet netmask promisc "
ifconfig_bce1="up media 100baseTX mediaopt full-duplex promisc "
ifconfig_bce2="up promisc"
ifconfig_bce3="up promisc"
cloned_interfaces="bridge0 tap0 tap1 tap2 tap3"
ifconfig_bridge0="addm bce2 addm tap0 addm tap1 addm tap2 addm tap3 up"
#cloned_interfaces="bce0 bce1"
ifconfig_bridge1="addm bce0 addm bce1 up"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
Why is anything internal not able to see the external world from a web
browser? Further, my Android cell phone chokes.
Member - Liberal International This is Ici
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising! Look at Psalms 14 and 53 on Atheism
There shall be eternal summer in the grateful heart. -Celia Thaxter
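Two things stand out in the pf.conf as posted, independent of the bridging question: several macros ($ext_if, $int_if, $proxy, $proxyport, $kali, $win2019, $bridge0) are referenced but never defined in the text, and `set skip on bridge0` / `set skip on tap*` bypasses pf entirely on those interfaces, so the later `pass ... on bridge0`, `pass quick on tapN all` and `nat on $bridge0` rules can never match. The script below is an added example (not code from the post or from the pf project) that performs those text-level checks plus a duplicate-rule check on a constructed sample whose shape mirrors the posted config; interface and macro names in the sample are placeholders, and `pfctl -nf /etc/pf.conf` remains the authoritative syntax check.

```python
"""Static lint for a pf.conf fragment.

Added example (not code from the mailing-list post): reports macros that are
referenced but never defined, rules made dead by `set skip on`, and rules that
duplicate an earlier rule.  Text-level only; `pfctl -nf` is the real parser.
"""
import re
from typing import Dict, List, Set, Tuple

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.*)$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
SKIP = re.compile(r'^set\s+skip\s+on\s+(.+)$')
ON_IFACE = re.compile(r'\bon\s+(\$?\w+)')
RULE_WORDS = ('pass', 'block', 'nat', 'rdr', 'binat', 'match', 'antispoof')


def logical_lines(text: str) -> List[Tuple[int, str]]:
    """Strip comments, join backslash continuations, drop blank lines.

    Returns (line number where the statement starts, whitespace-normalised text).
    """
    out: List[Tuple[int, str]] = []
    buf, start = '', 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].rstrip()
        if not buf:
            start = n
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        buf += line
        if buf.strip():
            out.append((start, ' '.join(buf.split())))
        buf = ''
    return out


def lint(text: str) -> Dict[str, list]:
    macros: Dict[str, str] = {}          # macro name -> value (quotes removed)
    used: Dict[str, int] = {}            # macro name -> first line that uses it
    skipped: Set[str] = set()            # interfaces named in `set skip on`
    rules: List[Tuple[int, str]] = []
    for n, line in logical_lines(text):
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
            for ref in MACRO_REF.findall(m.group(2)):
                used.setdefault(ref, n)
            continue
        for ref in MACRO_REF.findall(line):
            used.setdefault(ref, n)
        m = SKIP.match(line)
        if m:
            # handles both `set skip on lo` and `set skip on { bridge0 tap0 }`
            skipped.update(m.group(1).strip('{} ').replace(',', ' ').split())
        elif line.startswith(RULE_WORDS):
            rules.append((n, line))

    undefined = sorted((name, ln) for name, ln in used.items() if name not in macros)

    # A rule bound to a skipped interface can never match: pf never sees the packet.
    dead: List[int] = []
    for n, line in rules:
        for ref in ON_IFACE.findall(line):
            iface = macros.get(ref[1:], '') if ref.startswith('$') else ref
            if iface in skipped:
                dead.append(n)
                break

    seen: Dict[str, int] = {}
    duplicates: List[Tuple[int, int]] = []   # (first occurrence, repeat)
    for n, line in rules:
        if line in seen:
            duplicates.append((seen[line], n))
        else:
            seen[line] = n
    return {'undefined': undefined, 'dead': dead, 'duplicates': duplicates}


# Constructed sample mirroring the shape of the posted pf.conf; interface names
# are placeholders and the addresses elided in the post are left out.
SAMPLE_PF_CONF = r"""ext_if = "bce0"
int_if = "bce1"
intnet = $int_if:network
set skip on lo
set skip on { bridge0 tap0 }
scrub in all
nat on $ext_if from $intnet to any -> ($ext_if)
nat on $bridge0 from $kali to any -> ($bridge0)
nat on $bridge0 from $kali to any -> ($bridge0)
rdr pass proto tcp from any to any port ftp -> $proxy port $proxyport
block return in log all
block out all
pass in quick on bridge0 all
pass quick on tap0 all
pass in inet proto tcp to $int_if port 22
table <bruteforce> persist
block quick from <bruteforce>
pass quick proto { tcp, udp } from any to any port ssh \
    flags S/SA keep state \
    (max-src-conn 15, max-src-conn-rate 5/3, \
    overload <bruteforce> flush global)
"""


def report(text: str) -> str:
    """Human-readable summary of lint() findings."""
    r = lint(text)
    lines = [f'undefined macro ${name} (first used on line {ln})' for name, ln in r['undefined']]
    lines += [f'rule on line {n} is dead: its interface is under "set skip"' for n in r['dead']]
    lines += [f'rule on line {d} duplicates line {f}' for f, d in r['duplicates']]
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_PF_CONF))
```

Run it against a real /etc/pf.conf by passing the file contents to `report()`; if the macro definitions really were present in the live file and only lost in the mail, the undefined-macro list will be empty, but the dead-rule findings for bridge0 and the tap interfaces will remain until either the `set skip` lines or the rules on those interfaces are removed.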