Discussion:
SPAMD stop passing mail from WHITE-list
Владимир Капустин
2007-02-02 19:35:11 UTC
Hi, all!

I have spamd configured like in
http://home.nuug.no/~peter/pf/en/spamd.html
with greylisting enabled

and I have run into some problems with it:

1. My 2 FreeBSD routers stopped passing mail from the WHITE-list. The first one when spamd grew to 500 Megabytes, the second at 350 Meg.
When I do:
cat /dev/null > /var/db/spamd
everything starts to work again.

I wrote a small script which clears spamdb, but I don't think that it is the best idea.

2. If I have some malware on my PC and use a mail-client program: if I send the same message several times, I automatically get into the WHITE-list and my malware can spam as much as it wants?
Peter N. M. Hansteen
2007-02-03 19:37:25 UTC
Vladimir Kapustin <***@mail.ru> writes:

> I have spamd configured like in
> http://home.nuug.no/~peter/pf/en/spamd.html
> with greylisting enabled
>
> and i meet some problems with it:

Well, you have my attention. I would be very interested in getting
to know about any inaccuracies in that document, and certainly any
that trip people up.

> 1. My 2 FreeBSD routers stopped to pass mail from WHITE-list. First
> one - when spamd grows to 500 Megabytes. Second - 350 Meg.

At the point where things stop working, what content does the
whitelist table have? ie, anything recognizable or (incredibly) zero
size? One possibility - a far fetched one, admittedly - is that
hosts in your whitelist got themselves greytrapped (if you did set
that up).

> When I do:
> cat /dev/null > /var/db/spamd
> all starts to work again

This sounds like somehow your initially whitelisted hosts got
themselves blacklisted, or the whitelist is somehow bypassed.

> 2. If i have some malware on my PC and use mail-client program. If I
> send the same message some times I automatically get into WHITE-list
> and my malware can spam as much as it must?

If your malware manages to behave RFC-correctly, that is, resend after
what the greylisting host considers a reasonable interval, it will
manage to send whatever it's trying to send.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Volker
2007-02-04 12:47:23 UTC
On 12/23/-58 20:59, Vladimir Kapustin wrote:
> 2. If i have some malware on my PC and use mail-client program. If I send the same message some times I automatically get into WHITE-list and my malware can spam as much as it must?

Not really related to your spamd problem, but probably useful...

If you need to limit an internal client system for sending out mail
through your system, IMO you may also use pf's limit functions.

Imagine something like:

pass in quick on $int_if proto tcp from any to $int_if port smtp keep state \
    (max-src-conn 1, max-src-conn-rate 2/60)

This should limit an internal client to one concurrent connection
and a maximum of 2 connections per 60 seconds and so mass mailing by
abusing your mail gateway should be impossible.

Combining this with a rule like 'block in quick on $int_if proto tcp from
any to ! $int_if port smtp' should efficiently block spam originating
from your internal net.

And for the malware issues, I would like to recommend not to install
and use malware! ;)

Greetings,

Volker
e***@encontacto.net
2007-02-08 17:17:55 UTC
Quoting Volker <***@vwsoft.com>:

> On 12/23/-58 20:59, Vladimir Kapustin wrote:
>> 2. If i have some malware on my PC and use mail-client program. If
>> I send the same message some times I automatically get into
>> WHITE-list and my malware can spam as much as it must?
>
> Not really related to your spamd problem, but probably useful...
>
> If you need to limit an internal client system for sending out mail
> through your system, IMO you may also use pf's limit functions.
>
> Imagine something like:
>
> pass in quick on $int_if from any to $int_if port smtp keep state
> (max-src-conn 1, max-src-conn-rate 2/60)
>
> This should limit an internal client to one concurrent connection
> and a maximum of 2 connections per 60 seconds and so mass mailing by
> abusing your mail gateway should be impossible.
>
> Combining this by a rule like 'block in quick on $int_if from any to
> ! $int_if port smtp' should efficiently block spam originating from
> your internal net.

Has anyone tried using a table and blocking smtp connections similar
to the ssh brute force solution that I've often seen on the list and
have been using happily for some time?

Something like:

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
    (max-src-conn 1, max-src-conn-rate 2/60, overload <smtp-excess> flush global)
block drop in quick on $ext_if from <smtp-excess>

Could it work and be controllable, or would it make a bad situation worse?

Thanks,

ed

>
> And for the malware issues, I would like to recommend not to install
> and use malware! ;)
>
> Greetings,
>
> Volker
Volker
2007-02-09 13:00:44 UTC
Ed,

On 12/23/-58 20:59, ***@encontacto.net wrote:
> Quoting Volker <***@vwsoft.com>:
>
>> On 12/23/-58 20:59, Vladimir Kapustin wrote:
>>> 2. If i have some malware on my PC and use mail-client program. If I
>>> send the same message some times I automatically get into WHITE-list
>>> and my malware can spam as much as it must?
>>
>> Not really related to your spamd problem, but probably useful...
>>
>> If you need to limit an internal client system for sending out mail
>> through your system, IMO you may also use pf's limit functions.
>>
>> Imagine something like:
>>
>> pass in quick on $int_if from any to $int_if port smtp keep state
>> (max-src-conn 1, max-src-conn-rate 2/60)
>>
>> This should limit an internal client to one concurrent connection
>> and a maximum of 2 connections per 60 seconds and so mass mailing by
>> abusing your mail gateway should be impossible.
>>
>> Combining this by a rule like 'block in quick on $int_if from any to
>> ! $int_if port smtp' should efficiently block spam originating from
>> your internal net.
>
> Has anyone tried using a table and blocking smtp connections similar to
> the ssh brute force solution that I've often seen on the list and have
> been using happily for some time?

Yes, I'm doing this on some mail hubs. You should make sure not to
block legitimate smtp clients by these rules, so take values high
enough to let backup MXes etc. deliver their mail.

For me, values of max-src-conn-rate 80/90 (maximum 80 connections in 90
seconds) work well. Using a max-src-conn-rate of 30/90 caused problems
when the machine had been offline for some reason and the backup MX
wanted to send all its buffered mail messages. Your mileage will vary! ;)

> Something like:
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep
> state
> (max-src-conn 1, max-src-conn-rate 2/60, overload <smtp-excess>
> flush global)
> block drop in quick on $ext_if from <smtp-excess>

Nope, that's the wrong way. You let pass smtp (by a quick rule) but
the block rule is after that. That is rendering your blocklist
useless as all traffic is passing by the first rule.

AFAIK the first connection causing an overload is being dropped but
subsequent connections are still passing (as long as they don't
overload).

It should look like:

block drop in quick on $ext_if from <blockhosts> to any

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
    ( max-src-conn [ANYVAL], max-src-conn-rate [ANYVAL]/[ANYTIME], overload <blockhosts> flush global )

Whenever any host is overloading ssh or smtp access, I'm loading
their IP address into the blockhosts table and so the machine will
never again talk to that IP address (forever!). You may want to do
it different (for example flushing the table once a week or at
midnight). One machine running this for months has already blocked
1400 IP addresses and as far as I've checked, all have been dynamic
zombies (no regular mail clients have been blocked by that).

I haven't found a way to use that mechanism to block such hosts for,
say 120 minutes (which would be a great feature).

> Could it work and be controllable, or would it make a bad situation worse?

You may use a blocking mechanism like that for any other host
service, too. If you're going to use that for UDP "connections" you
should be aware that they're connectionless and so options like
"max-src-conn..." don't match here.

HTH,

Volker
Peter N. M. Hansteen
2007-02-10 14:18:41 UTC
Volker <***@vwsoft.com> writes:

> I haven't found a way to use that mechanism to block such hosts for,
> say 120 minutes (which would be a great feature).

pfctl is in the process of growing an expire feature (in
OpenBSD-current now, in all likelihood part of the OpenBSD 4.1
release), but timed table expiry is already available with Henrik
Gustafsson's expiretable (in ports as /usr/ports/security/expiretable).

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
e***@encontacto.net
2007-02-11 14:54:03 UTC
Quoting Volker <***@vwsoft.com>:

> Ed,
>
<SNIP />

Hi Volker,

I just set up a machine using your suggestions, correctly I hope ;)

> Nope, that's the wrong way. You let pass smtp (by a quick rule) but
> the block rule is after that. That is rendering your blocklist
> useless as all traffic is passing by the first rule.
>
> AFAIK the first connection causing an overload is being dropped but
> subsequent connections are still passing (as long as they don't
> overload).
>
> It should look like:
>
> block drop in quick on $ext_if from <blockhosts> to any
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp
> keep state ( max-src-conn [ANYVAL], max-src-conn-rate
> [ANYVAL]/[ANYTIME], overload <blockhosts> flush global )

I have set it up as:

block drop in quick on $ext_if from <blocksmtp> to any

pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \
    ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush global )

I'm still not flushing the table with tableexpire as I do with my
bruteforce ssh table from crontab. I want to evaluate the entries for
a while first.

I chose max-src-conn 5 because that is the max number of connections
per IP in courier. I assume that should work and if I change it, I
would think that I should probably change the courier esmtpd
configuration also. Time will tell I guess.
> Whenever any host is overloading ssh or smtp access, I'm loading
> their IP address into the blockhosts table and so the machine will
> never again talk to that IP address (forever!). You may want to do
> it different (for example flushing the table once a week or at
> midnight). One machine running this for months has already blocked
> 1400 IP addresses and as far as I've checked, all have been dynamic
> zombies (no regular mail clients have been blocked by that).

> I haven't found a way to use that mechanism to block such hosts for,
> say 120 minutes (which would be a great feature).

For my ssh-bruteforce table I am using a crontab entry to expire the
entries every 30 minutes. Just in case I shoot myself in the foot,
the pain is reduced to half an hour. ;)

*/30 * * * * root /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

Thanks so much for sharing your configuration and advice.

ed
>
>> Could it work and be controllable, or would it make a bad situation worse?
>
> You may use a blocking mechanism like that for any other host
> service, too. If you're going to use that for UDP "connections" you
> should be aware that they're connectionless and so options like "
> max-src-connXXX" don't match here.
>
> HTH,
>
> Volker
>
Volker
2007-02-11 16:55:50 UTC
Ed,

On 02/11/07 15:54, ***@encontacto.net wrote:
> Quoting Volker <***@vwsoft.com>:
>
> I just set up a machine using your suggestions, correctly I hope ;)
> I have set it up as:
>
> block drop in quick on $ext_if from <blocksmtp> to any
>
> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep
> state \
> ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush
> global )
>
> I'm still not flushing the table with tableexpire as I do with my
> bruteforce ssh table from crontab. I want to evaluate the entries for a
> while first.
>
> I chose max-src-conn 5 because that is the max number of connections per
> IP in courier. I assume that should work and if I change it, I would
> think that I should probably change the courier esmtpd configuration
> also. Time will tell I guess.

Your rules are looking good so far. For the max-src-conn value you
have to check what value will be best for you. If you're using any
other server as a backup MX and you're the final destination, a value
of 5 may be bad, as postfix (for example) uses 5 as its destination
concurrency limit per default, which might easily blow your overload
rule, and your backup MX might get blocked. You should check that the
value really works for you so as not to have legitimate hosts being
blocked.

>> I haven't found a way to use that mechanism to block such hosts for,
>> say 120 minutes (which would be a great feature).
>
> For my ssh-bruteforce table I am using a crontab entry to expire the
> entries every 30 minutes. Just in case I shoot myself in the foot, the
> pain is reduced to half an hour. ;)
>
> */30 * * * * root /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1

It's ok if it fits your needs, but remember that if a host is being
blocked by your overload rules at 12:29 it's getting unblocked at
12:30. I haven't checked expiretable (I had really forgotten it), which
might be a better solution, as far as I remember expiretable right
from the ML discussion.

> Thanks so much for sharing your configuration and advice.

You're welcome!

I've just written a small periodic script to have newly blocked IP
addresses being visible in the daily security report.

If you'll want to use it, change the table name and copy the file to
/usr/local/etc/periodic/security/... and chmod it executable:


/usr/local/etc/periodic/security/710.blockedhosts:
#!/bin/sh
# show changes in IP addresses being blocked by pf

# If there is a global system configuration file, suck it in.
if [ -r /etc/defaults/periodic.conf ]
then
    . /etc/defaults/periodic.conf
    source_periodic_confs
fi

# provides check_diff, which keeps yesterday's copy and reports the difference
. /etc/periodic/security/security.functions

rc=0

blocktable=${blocktable-"blockhosts"}
cmd=${cmd-"pfctl -t ${blocktable} -Ts"}
# number of addresses currently in the table (tr strips wc's padding)
nc=`${cmd} | wc -l | tr -d ' '`

${cmd} | check_diff blockhosts - "${host} blocking host changes (total ${nc} IP):"
rc=$?

# periodic(8) expects the script's status as its exit code
exit $rc
#EOF

Greetings,

Volker
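A small model of the overload mechanism Volker and Ed work out above (the block-before-pass rule pair, max-src-conn, max-src-conn-rate, and expiretable's age threshold), added here as an illustration only: it is not pf's code and not either poster's configuration, it approximates pf's per-source tracking rather than reproducing it, and the addresses and timings are constructed.

```python
"""Model of pf's max-src-conn / max-src-conn-rate overload mechanism, with
expiretable-style ageing of the overload table.  Added for illustration only:
this is not pf's code and not Volker's or Ed's configuration, and the
connection events below are constructed."""
from collections import defaultdict, deque


class SmtpOverloadRule:
    """Approximates the rule pair discussed in the thread:

        block drop in quick on $ext_if from <blocksmtp> to any
        pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep state \\
            (max-src-conn N, max-src-conn-rate C/S, overload <blocksmtp> flush global)

    Only pf's per-source bookkeeping is modelled, not its full state machine."""

    def __init__(self, max_src_conn, rate_count, rate_seconds):
        self.max_src_conn = max_src_conn
        self.rate_count = rate_count
        self.rate_seconds = rate_seconds
        self.table = {}                      # src -> time it was added (what expiretable ages)
        self.open_conns = defaultdict(int)   # established connections per source
        self.recent = defaultdict(deque)     # timestamps of recent connections per source

    def _overload(self, t, src):
        self.table.setdefault(src, t)
        self.open_conns[src] = 0             # 'flush global': every state from src is killed
        self.recent[src].clear()

    def connect(self, t, src):
        """A new SMTP connection from src at time t (seconds). Returns 'pass' or 'block'."""
        if src in self.table:                # the block rule is first and 'quick'
            return "block"
        win = self.recent[src]
        while win and t - win[0] >= self.rate_seconds:
            win.popleft()                    # slide the max-src-conn-rate window
        win.append(t)
        if len(win) > self.rate_count or self.open_conns[src] >= self.max_src_conn:
            self._overload(t, src)           # the triggering connection itself is dropped
            return "block"
        self.open_conns[src] += 1
        return "pass"

    def close(self, src):
        """One of the source's open connections finished."""
        if self.open_conns[src] > 0:
            self.open_conns[src] -= 1

    def expire(self, now, max_age):
        """expiretable -t max_age: remove entries that are at least max_age seconds old."""
        stale = [s for s, added in self.table.items() if now - added >= max_age]
        for s in stale:
            del self.table[s]
        return stale


def backup_mx_drains_queue(rate_count, rate_seconds=90, messages=40):
    """A backup MX delivers `messages` queued mails after an outage, one new
    connection every 2 s and never more than two in parallel.  Returns how
    many of its attempts were blocked (Volker's 30/90 vs 80/90 observation)."""
    rule = SmtpOverloadRule(5, rate_count, rate_seconds)
    mx = "192.0.2.10"                        # constructed, RFC 5737 documentation range
    blocked = 0
    for i in range(messages):
        blocked += rule.connect(2 * i, mx) == "block"
        if i >= 1:
            rule.close(mx)                   # the previous delivery has finished
    return blocked


def parallel_delivery(parallel, max_src_conn=5):
    """One MTA opens `parallel` connections at once (postfix's default
    destination concurrency is 5).  True if the MTA ends up in the table."""
    rule = SmtpOverloadRule(max_src_conn, 80, 90)
    src = "192.0.2.20"                       # constructed
    for _ in range(parallel):
        rule.connect(0, src)
    return src in rule.table


def zombie_then_expire(max_age=3600):
    """A zombie hammers port 25, lands in the table, and is released by
    expiretable only once its entry is max_age old, not at the next cron run.
    Returns (still blocked at the 30-minute cron run, still blocked after 61 min)."""
    rule = SmtpOverloadRule(5, 80, 90)
    zombie = "198.51.100.7"                  # constructed
    for n in range(100):
        rule.connect(n // 10, zombie)        # 100 attempts in 10 seconds
    rule.expire(now=30 * 60, max_age=max_age)
    at_30_min = zombie in rule.table
    rule.expire(now=61 * 60 + 10, max_age=max_age)
    return at_30_min, zombie in rule.table


if __name__ == "__main__":
    print("backup MX blocked with 30/90:", backup_mx_drains_queue(30))
    print("backup MX blocked with 80/90:", backup_mx_drains_queue(80))
    print("5 parallel in table:", parallel_delivery(5), "| 6 parallel:", parallel_delivery(6))
    print("zombie blocked at 30 min / after 61 min:", zombie_then_expire())
```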
e***@encontacto.net
2007-02-12 10:09:24 UTC
Quoting Volker <***@vwsoft.com>:

> Ed,
>
> On 02/11/07 15:54, ***@encontacto.net wrote:
>> Quoting Volker <***@vwsoft.com>:
>>
>> I just set up a machine using your suggestions, correctly I hope ;)
>> I have set it up as:
>>
>> block drop in quick on $ext_if from <blocksmtp> to any
>>
>> pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp keep
>> state \
>> ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp> flush
>> global )
>>
>> I'm still not flushing the table with tableexpire as I do with my
>> bruteforce ssh table from crontab. I want to evaluate the entries for a
>> while first.
>>
>> I chose max-src-conn 5 because that is the max number of connections per
>> IP in courier. I assume that should work and if I change it, I would
>> think that I should probably change the courier esmtpd configuration
>> also. Time will tell I guess.
>
> Your rules are looking good so far. For the max-src-conn value you
> have to check what value will be best for you. If you're using any
> other server as a backup MX and you're final destination, a value of
> 5 may be bad as postfix (for example) is using 5 as a concurrency
> destination limit per default which might easily blow your overload
> rule and your backup MX might get blocked. You should check if that
> value really works for you so as to have not legitimate hosts being
> blocked.

Hi Volker,

I'm keeping my eye on that, thanks,

>>> I haven't found a way to use that mechanism to block such hosts for,
>>> say 120 minutes (which would be a great feature).
>>
>> For my ssh-bruteforce table I am using a crontab entry to expire the
>> entries every 30 minutes. Just in case I shoot myself in the foot, the
>> pain is reduced to half an hour. ;)
>>
>> */30 * * * * root /usr/local/sbin/expiretable -t 3600 ssh-bruteforce >/dev/null 2>&1
>
> It's ok if it does fit your needs but remember if a host is being
> blocked by your overload rules at 12:29 it's getting unblocked at
> 12:30. I haven't checked expiretable (really had it forgotten) which
> might be a better solution as far as I remember expiretable right
> from the ML discussion.

It was/is a bit confusing but according to the examples in the manual
and in my testing a few months ago for ssh bruteforce, it seems to
work as the

EXAMPLES
The following removes any entries in table int.users older than one hour:

# expiretable -v -t 3600 int.users

This example removes any entries in table int.users older than one and a
half hour:

# expiretable -v -t 1h30m int.users

I'm not using it yet for smtp but probably will eventually but with a
minimum of a few days,

>
>> Thanks so much for sharing your configuration and advice.
>
> You're welcome!
>
> I've just written a small periodic script to have newly blocked IP
> addresses being visible in the daily security report.
>
> If you'll want to use it, change the table name and copy the file to
> /usr/local/etc/periodic/security/... and chmod it executable:
>
>
> /usr/local/etc/periodic/security/710.blockedhosts:
> #!/bin/sh
> # show changes in IP addresses being blocked by pf
>
> # If there is a global system configuration file, suck it in.
> if [ -r /etc/defaults/periodic.conf ]
> then
> . /etc/defaults/periodic.conf
> source_periodic_confs
> fi
>
> . /etc/periodic/security/security.functions
>
> rc=0
>
> blocktable=${blocktable-"blockhosts"}
> cmd=${cmd-"pfctl -t ${blocktable} -Ts"}
> nc=`${cmd} | wc -l`
>
> ${cmd} | check_diff blockhosts - "${host} blocking host changes
> (total ${nc} IP):"
> #EOF
>
I was still missing the script and am going to install it now.

Thanks

ed

P.S. The smtp settings seem to be working as expected so far.
> Greetings,
>
> Volker
>
>
>
>
Vladimir Kapustin
2007-02-05 16:39:20 UTC
> > I have spamd configured like in
> > http://home.nuug.no/~peter/pf/en/spamd.html
> > with greylisting enabled
> >
> > and i meet some problems with it:
>
> Well, you have my attention. I am would be very interested in getting
> to know about any inaccuracies in that document, and certainly any
> that trip people up.
>
> > 1. My 2 FreeBSD routers stopped to pass mail from WHITE-list. First
> > one - when spamd grows to 500 Megabytes. Second - 350 Meg.
>
> At the point where things stop working, what content does the
> whitelist table have? ie, anything recognizable or (incredibly) zero
> size? One possibility - a far fetched one, admittedly - is that
> hosts in your whitelist got themselves greytrapped (if you did set
> that up).


Nothing unusual, except that the mail stops being forwarded from the whitelist,
i.e. the sender resends the mail and gets into the WHITE-list in spamd, but the mail
does not actually pass the router.
Many users started to complain and I forgot to look into

pfctl -t spamd-white -T show

but actually I have no BLACK list, and I still don't have a good idea
how to use TRAPs automatically... I tried to put some addresses in the TRAP-list
manually, but I can only catch myself for test purposes.


>
> > When I do:
> > cat /dev/null > /var/db/spamd
> > all starts to work again
>
> This sounds like somehow your initally whitelisted hosts got
> themselves blacklisted, or the whitelist is somehow bypassed.
>


As I wrote above, they could not get into the BLACK-list because I don't have
any. And it could not be bypassed anyhow, because I have these redirect rules:

pfctl -sn
rdr pass inet proto tcp from <spamd> to any port = smtp -> 127.0.0.1 port 8025
rdr pass inet proto tcp from ! <spamd-white> to any port = smtp -> 127.0.0.1 port 8025
....


> > 2. If i have some malware on my PC and use mail-client program. If I
> > send the same message some times I automatically get into WHITE-list
> > and my malware can spam as much as it must?
>
> If your malware manages to behave RFC-correctly, that is, resend after
> what the greylisting host considers a reasonable interval, it will
> manage to send whatever it's trying to send.


No... not malware... suppose that a user doesn't know about malware and uses Outlook to send
his mail. He'll get into THE WHITE-list and spamd can't stop HIS malware?


many thanks for taking an interest in my problem
Peter N. M. Hansteen
2007-02-07 15:06:03 UTC
Vladimir Kapustin <***@mail.ru> writes:

> Nothing unusual, but that the mail stops forwarding from the
> whitelist. i.e. the sender resends the mail, gets in WHITE-list in
> spamd, but the mail does not actually pass the router.

That and the sheer size of your spamdb is weird.

> pfctl -sn
> rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
> rdr pass inet proto tcp from ! <spamd-white> to any port smtp -> 127.0.0.1 port 8025

try making your rdr interface specific, ie rdr pass on $ext_if and see
if it makes a difference

> No...not malware...suppose that a user doesn't know about malware
> and uses Outlook to send his mail. He'll get into THE WHITE-list
> and spamd can't stop HIS malware?

Mail from a whitelisted IP address will pass.

Please contact me off-list (the address works, with greylisting ;)) if
you want me to see if I can reproduce the problem here, I'll probably
need larger chunks of your config than you would sensibly put on a
public list.

> many thanks for taking an interest in my problem

When you follow my recipe, I feel that the responsibility falls more on me
than it otherwise would [you said you followed my recipe of sorts, so I do
feel a certain responsibility]

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
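To make the whitelist point concrete (a retrying sender gets its whole IP address whitelisted, after which anything from that address passes, while a trapped address does not), here is a model of spamd-style greylisting added as an illustration; it is not spamd's code and not Peter's or Vladimir's configuration. The 25 min / 4 h / 36 day values are spamd's documented -G defaults; the 24 h trap expiry and the simplified expiry bookkeeping are assumptions, and all addresses and times are constructed.

```python
"""Model of spamd-style greylisting and the IP whitelist that it feeds, added
as an illustration of why a retrying sender gets its whole IP address
whitelisted.  Not spamd's code: the 25 min / 4 h / 36 day values are spamd's
documented -G defaults, the 24 h trap expiry and the simplified expiry
bookkeeping are assumptions, and all addresses and times are constructed."""

PASSTIME = 25 * 60            # a retry is honoured only after this much time
GREYEXP = 4 * 3600            # unanswered grey tuples are forgotten after this
WHITEEXP = 36 * 24 * 3600     # a whitelisted IP stays whitelisted this long
TRAPEXP = 24 * 3600           # assumption: how long a greytrapped IP stays trapped


class Greylister:
    def __init__(self, trap_addresses=()):
        self.grey = {}        # (ip, mail_from, rcpt_to) -> (first_seen, expire)
        self.white = {}       # ip -> expire; mirrors the <spamd-white> pf table
        self.trapped = {}     # ip -> expire
        self.traps = set(trap_addresses)

    def _gc(self, now):
        self.grey = {k: v for k, v in self.grey.items() if v[1] > now}
        self.white = {k: v for k, v in self.white.items() if v > now}
        self.trapped = {k: v for k, v in self.trapped.items() if v > now}

    def offer(self, now, ip, mail_from, rcpt_to):
        """One delivery attempt.  'pass' means the connection reaches the real
        MTA; 'tempfail' means spamd answered 451 and kept the sender waiting."""
        self._gc(now)
        if ip in self.white:
            return "pass"     # pf's 'rdr ... from ! <spamd-white>' never sends it to spamd
        if rcpt_to in self.traps:
            self.trapped[ip] = now + TRAPEXP   # greytrap: the whole IP is now suspect
            return "tempfail"
        if ip in self.trapped:
            return "tempfail"
        key = (ip, mail_from, rcpt_to)
        if key not in self.grey:
            self.grey[key] = (now, now + GREYEXP)
            return "tempfail"
        first_seen = self.grey[key][0]
        if now >= first_seen + PASSTIME:
            # A correct retry: the IP goes on the whitelist, but this attempt is
            # still answered 451; only the sender's next retry reaches the MTA.
            self.white[ip] = now + WHITEEXP
            self.grey = {k: v for k, v in self.grey.items() if k[0] != ip}
        return "tempfail"


def desktop_user_then_malware():
    """An Outlook user retries, the PC's IP gets whitelisted, and malware on the
    same PC then sends to anyone without being greylisted at all."""
    g = Greylister()
    pc = "192.0.2.50"
    user = ("user@example.org", "friend@example.net")
    return [
        g.offer(0, pc, *user),                          # first contact: 451
        g.offer(10 * 60, pc, *user),                    # retry before passtime: 451
        g.offer(30 * 60, pc, *user),                    # good retry: whitelisted, still 451
        g.offer(60 * 60, pc, *user),                    # next retry passes
        g.offer(61 * 60, pc, "joe@example.org", "victim@example.com"),  # malware passes too
    ]


def fire_and_forget_bot():
    """A bot that never retries creates grey tuples that age out after GREYEXP
    and never earns the whitelist.  Returns (results, tuples left, whitelisted)."""
    g = Greylister()
    bot = "198.51.100.9"
    results = [g.offer(i, bot, f"spam{i}@example.com", "victim@example.net") for i in range(3)]
    g.offer(GREYEXP + 60, "203.0.113.1", "a@example.com", "b@example.net")  # later traffic runs gc
    left = sum(1 for k in g.grey if k[0] == bot)
    return results, left, bot in g.white


def greytrap_catches_retrier():
    """A sender that once wrote to a trap address retries correctly but stays
    tempfailed; the trap outranks the passtime logic."""
    g = Greylister(trap_addresses={"nobody-here@example.net"})
    host = "198.51.100.23"
    results = [
        g.offer(0, host, "x@example.com", "nobody-here@example.net"),
        g.offer(30 * 60, host, "x@example.com", "real@example.net"),
        g.offer(60 * 60, host, "x@example.com", "real@example.net"),
    ]
    return results, host in g.white


if __name__ == "__main__":
    print(desktop_user_then_malware())
    print(fire_and_forget_bot())
    print(greytrap_catches_retrier())
```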
Vladimir Kapustin
2007-02-06 12:56:25 UTC
>> 2. If i have some malware on my PC and use mail-client program. If I send the same message some times I automatically get >into WHITE-list and my malware can spam as much as it must?
>
>Not really related to your spamd problem, but probably useful...
>
>If you need to limit an internal client system for sending out mail
>through your system, IMO you may also use pf's limit functions.
>
>Imagine something like:
>
>pass in quick on $int_if from any to $int_if port smtp keep state
>(max-src-conn 1, max-src-conn-rate 2/60)
>
>This should limit an internal client to one concurrent connection
>and a maximum of 2 connections per 60 seconds and so mass mailing by
>abusing your mail gateway should be impossible.
>
>Combining this by a rule like 'block in quick on $int_if from any to
>! $int_if port smtp' should efficiently block spam originating from
>your internal net.
>

Yes, it seems to be a good idea, if I can combine this method with the
spamd functionality. I have a similar iptables filter on my recent
Linux gateway, but as the network grew, its effectiveness began to
decrease.

>And for the malware issues, I would like to recommend not to install
>and use malware! ;)
>

Earlier, I caught some spammers and blocked their IPs in the LAN - it was a good
motivation to set up antivirus and other useful software.
I'm thinking about a combination (if this is possible) of these two methods,
and I'd like to add some more functionality to your method:

any IP that tries to send more than max-src-conn-rate will be put in
some table, and all IPs from these tables will be automatically blocked
on the smtp port and some others - to make it more obvious to the IP owners
that they have some malware.
Kevin K.
2007-02-06 13:35:55 UTC
I am using FreeBSD 6.2-release w/ PF. Everything seems to be okay, except
the fact that Windows Vista machines can't get through the network. I have
tried many things, including just using a skeleton PF configuration, and I'm
still having trouble.

Just curious if anyone has experienced issues with this? If so, any
suggestions or resolutions would be appreciated.

Below is what we thought would fix the vista issue, but to no avail :


### Office for Vista issue -- no state

pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any
pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.xxx/32 to any
pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.xxx/32 to any
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any
LI Xin
2007-02-06 13:42:11 UTC
Kevin K. wrote:
> I am using FreeBSD 6.2-release w/ PF. Everything seems to be okay, except
> the fact that Windows Vista machines cant get through the network. I have
> tried many things, including just using a skeleton PF configuration and I'm
> still having trouble.
>
> Just curious if anyone has experienced issues with this? If so, any
> suggestions or resolutions would be appreciated.
>
> Below is what we thought would fix the vista issue, but to no avail :
>
>
> ### Office for Vista issue -- no state
>
> pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any

Do you imply that you have other operating systems behind your FreeBSD
wall, but do not have this sort of issue? Is the problem Vista specific?

Cheers,
--
Xin LI <***@delphij.net> http://www.delphij.net/
FreeBSD - The Power to Serve!
Kevin K.
2007-02-06 13:48:58 UTC
> Do you imply that you have other operating systems behind your FreeBSD wall,
> but do not have this sort of issue? Is the problem Vista specific?


Only FreeBSD machines are behind the firewall. The issue lies with a Vista
machine accessing the network through the firewall. The connection attempt
(regardless of protocol) eventually times out.
Kevin K.
2007-02-06 15:37:32 UTC
> > Do you imply that you have other operating systems behind your FreeBSD wall,
> > but do not have this sort of issue? Is the problem Vista specific?
>
> Only FreeBSD machines are behind the firewall. The issue lies with a Vista
> machine accessing the network through the firewall. The connection attempt
> (regardless of protocol) eventually times out.
>

To clarify even further (sorry for the 2nd msg).

Most (if not all) other machines are able to access my network through the
PF firewall without any issues (xp/2000/nt , linux, bsd). As soon as a
Windows Vista machine tries to access my network, the connection attempt
times out (www, ftp, ssh).

I'd like to know if anyone else has experienced something similar with Vista
and their firewall. I realize it may be something with Vista, but this issue
seems to be related with PF firewalls and Vista.
Greg Hennessy
2007-02-07 08:20:15 UTC
> I'd like to know if anyone else has experienced something similar with
> Vista and their firewall. I realize it may be something with Vista, but
> this issue seems to be related with PF firewalls and Vista.
>

I have run (and am running) Vista with CTCP enabled and disabled through PF
just fine.

Silly question, are all your tcp keep state rules establishing state on
flags S/SA only ?

What's the default block log all rule telling you regarding the connection ?


Have you tcpdumped an incoming session from that system through both ingress
and egress interfaces to see what's happening ?

Greg
Kevin K.
2007-02-06 17:30:29 UTC
Dennis Berger wrote:
> We have a vista client and openbsd 3.9 pf box here. no problems at all.
> What you could try is something like this.
>
> pass in quick on $ext_if fastroute inet proto tcp from $somewhere to
> any
>


I'm going to try that, but I'm looking for a solution where I don't have to
add $somewhere for each vista machine trying to get in.
Volker
2007-02-07 12:42:54 UTC
On 12/23/-58 20:59, Kevin K. wrote:
> I am using FreeBSD 6.2-release w/ PF. Everything seems to be okay, except
> the fact that Windows Vista machines cant get through the network. I have
> tried many things, including just using a skeleton PF configuration and I'm
> still having trouble.
>
> Just curious if anyone has experienced issues with this? If so, any
> suggestions or resolutions would be appreciated.
>
> Below is what we thought would fix the vista issue, but to no avail :
>
>
> ### Office for Vista issue -- no state
>
> pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.xxx/32 to any
> pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.xxx/32 to any

Kevin,

helping you with just this snippet of rules is like fishing in the dark.

Your rules do the following: A connection coming from a single IP
address (/32) is passing the firewall on the external IF. As it does
not create state (no keep state option) the answer to that incoming
connection will probably never reach the originating IP address.

As you're logging but do not keep state, you're getting a whole
bunch of log entries which might render your logs unreadable (every
packet is being logged instead of every connection).

If your rules work properly for other hosts (again, your snippet of
rules is useless for supporting you) I'm wondering if your Vista
machine does IPv6 and does not try v4? I don't know Vista at all but
I guess v6 support is built in.

Greetings,

Volker
Kevin K.
2007-02-07 15:24:57 UTC
Permalink
Volker wrote:
>
> Kevin,
>
> helping you with just this snippet of rules is like fishing in the
> dark.
>
> Your rules do the following: A connection coming from a single IP
> address (/32) is passing the firewall on the external IF. As it does
> not create state (no keep state option) the answer to that incoming
> connection will probably never reach the originating IP address.
>
> As you're logging but do not keep state, you're getting a whole
> bunch of log entries which might render your logs unreadable (every
> packet is being logged instead of every connection).
>
> If your rules work properly for other hosts (again, your snippet of
> rules is useless for supporting you) I'm wondering if your Vista
> machine does IPv6 and does not try v4? I don't know Vista at all but
> I guess v6 support is built in.
>
> Greetings,
>
> Volker


I was hoping that the issue was simple and common, due to Vista's emphasis
on ipv6 among other networking issues. Either way, below is my entire pf
configuration. I hope it helps.




### Firewalls are Sun Netra X1 UltraSPARC IIe 400

ext_if="dc1"
int_if="dc0"
loop_if="lo0"
internal_addr="xxx.xxx.xxx.x
external_addr="xx.xxx.xxx.xxx
internal_net="xxx.xxx.xxx.x
external_net="xx.xxx.xxx.xxx

### Load carp interfaces

c1="carp1"
c130="carp130"
c131="carp131"
c132="carp132"
c133="carp133"
c134="carp134"
c135="carp135"
c136="carp136"
c137="carp137"
c138="carp138"
c139="carp139"
c140="carp140"
c141="carp141"
c142="carp142"
c143="carp143"
c144="carp144"
c145="carp145"
c146="carp146"
c147="carp147"
c148="carp148"
c149="carp149"
c150="carp150"
c151="carp151"
c152="carp152"
c153="carp153"
c154="carp154"
c155="carp155"
c156="carp156"
c157="carp157"
c158="carp158"
c159="carp159"
c160="carp160"
c161="carp161"
c162="carp162"
c163="carp163"
c164="carp164"
c165="carp165"
c166="carp166"
c167="carp167"
c168="carp168"
c169="carp169"
c170="carp170"
c171="carp171"
c172="carp172"
c173="carp173"
c174="carp174"
c175="carp175"
c176="carp176"
c177="carp177"
c178="carp178"
c179="carp179"
c180="carp180"
c181="carp181"
c182="carp182"
c183="carp183"
c184="carp184"
c185="carp185"
c186="carp186"
c187="carp187"
c188="carp188"

InServicesTCP = "{ http, https }"
InServicesUDP = "{ domain, ntp, rpc }"
OutServicesTCP = "{ http, https, whois }"
OutServicesUDP = "{ ntp, domain, rpc }"
ProtoBlocked = "{ tcp, udp }"

table <carpext> const file "/etc/firewall/carp_extaddr.tbl"
table <private> const file "/etc/firewall/ip_localblock.tbl"
table <caught> persist file "/etc/firewall/ip_caught.tbl" file "/etc/firewall/ip_exploit.tbl"
#table <excess_conns> file "/etc/firewall/excess_conns.tbl"
table <excess_conns_130> persist
table <excess_conns_131> persist
table <excess_conns_132> persist
table <excess_conns_133> persist
table <excess_conns_134> persist
table <excess_conns_135> persist
table <excess_conns_136> persist
table <excess_conns_137> persist
table <excess_conns_138> persist
table <excess_conns_139> persist
table <excess_conns_140> persist
table <excess_conns_141> persist
table <excess_conns_142> persist
table <excess_conns_143> persist
table <excess_conns_144> persist
table <excess_conns_145> persist
table <excess_conns_151> persist
table <excess_conns_ftp130> persist
table <excess_conns_ftp135> persist
table <excess_conns_ftp143> persist
table <webips> const file "/etc/firewall/web_server_ips.tbl"
#table <sshhacks> persist file "/etc/firewall/ssh_hackers.tbl"
table <sshhacks> persist
table <sendmail_hacks> persist file "/etc/firewall/sendmail_hacks.tbl"
table <blacklistproxies> persist file "/etc/firewall/blacklistproxies.tbl"
table <port_scans> persist file "/etc/firewall/port_scanners.tbl"

#### open for unabated users

table <unabated> { xx.xxx.xxx.xxx }

#### nfs table for hosts

#table <nfs> { xxx.xxx.xxx.x


##### Safe users

table <safeusers> { xxx.xxx.xxx.x }

# Options: tune the behavior of pf, default values are given.

set timeout { interval 30, frag 60, src.track 180 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set timeout { adaptive.start 0, adaptive.end 0 }
set limit { states 2000000, frags 1000000 }
set loginterface none
set optimization normal
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.

scrub in all


### rdr's

rdr on $ext_if proto tcp from any to ($c130) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c131) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c132) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c133) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c134) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c136) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c137) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c138) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c139) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c140) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c141) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c142) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c144) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c145) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c146) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c148) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c149) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c150) port 80 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 80 -> xxx.xxx.xxx.x

### Port 443 required mappings

rdr on $ext_if proto tcp from any to ($c131) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c132) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c133) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c134) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 443 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 443 -> xxx.xxx.xxx.x
#### Port 22 maps

rdr on $ext_if proto tcp from any to ($c130) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c147) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 22 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c169) port 22 -> xxx.xxx.xxx.x

##### Port 21 / FTP

rdr on $ext_if proto tcp from any to ($c130) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 21 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c130) port 2121 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 2121 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 2121 -> xxx.xxx.xxx.x

##### Port 20 / FTP data

rdr on $ext_if proto tcp from any to ($c130) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 20 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 20 -> xxx.xxx.xxx.x

##### Passiv3 mod3 FtP

rdr on $ext_if proto tcp from any to ($c130) port 50000:50050 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c135) port 50000:50050 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c143) port 50000:50050 -> xxx.xxx.xxx.x
rdr on $ext_if proto tcp from any to ($c151) port 50000:50050 -> xxx.xxx.xxx.x

##### Port 873 for rsync

rdr on $ext_if proto tcp from any to ($c143) port 873 -> xxx.xxx.xxx.x


####### Nat back out for connections initiated behind the firewall

nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x
nat on $ext_if inet from xxx.xxx.xxx.x

### Carp specific pass rules

pass quick on { dc0 } proto pfsync
pass quick on { dc0 dc1 } proto carp keep state

#### Before block in all is turned back on make sure you don't get locked out
#### allow safeusers

pass in quick on $ext_if inet proto tcp from <unabated> to any flags S/SA keep state
pass in quick on $ext_if inet proto udp from <unabated> to any keep state
pass in quick on $ext_if inet proto icmp from <unabated> to any keep state

### Office for Vista issue -- no state

pass in log quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto udp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto icmp from xxx.xxx.xxx.x/32 to any
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to any



# Filtering ---- first up is the default block

block in all
#block in on $ext_if

### block private addresses

block drop in quick on $ext_if from <private> to any
block drop out quick on $ext_if from any to <private>


### Allow NFS traffic

pass in quick on $int_if inet proto tcp from <nfs> to xxx.xxx.xxx.x
pass in quick on $int_if proto udp from <nfs> to xxx.xxx.xxx.x
pass out quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass out quick on $int_if inet proto udp from xxx.xxx.xxx.x

# Allow safehost access to web / FTP

pass in quick on $ext_if inet proto tcp from <safeusers> to <webips> port $InServicesTCP flags S/SA keep state
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from <safeusers> to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto icmp from <safeusers> to <webips> keep state


#### Block sendmail hacks & port scans

block drop quick from <sendmail_hacks>
block drop quick from <port_scans>

#### Block Excess connections - DoS - SSH hackers - but allow for them to receive the generic message

block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_130> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_131> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_132> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_133> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_134> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_135> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_136> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_137> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_138> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_139> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_140> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_141> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_142> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_143> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_144> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_145> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_151> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp130> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp135> to any
block drop quick on $ext_if proto $ProtoBlocked from <excess_conns_ftp143> to any




### catch ssh hacks

pass in quick on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state (max-src-conn 1, max-src-conn-rate 1/200, overload <sshhacks> flush global)
pass in quick on $int_if inet proto tcp from any port 22 to any flags SA/SAFR keep state

### block caught

pass out quick on $ext_if from any to xx.xxx.xxx.xxx
pass in quick on $ext_if from xx.xxx.xxx.xxx
pass out quick on $ext_if proto udp from $external_addr to any port 53 keep state
block drop in quick on $ext_if from <caught> to any
block drop in quick on $ext_if from <carpext> to any
block drop in quick on $ext_if from $ext_if to any
block drop out quick on $ext_if from any to <carpext>
block drop out quick on $ext_if from any to $ext_if

#### Explicit allow connections into the f/wall from the internal network

pass in quick on $int_if proto tcp from $internal_net to $internal_addr port 22 flags S/SA keep state
pass in quick on $int_if proto udp from $internal_net to $internal_addr port 53 keep state
pass in quick on $int_if proto icmp from $internal_net to $internal_addr keep state

##### Apply anti-spoof blocks

block drop in quick on $int_if from any to <private>
block drop in quick on $int_if from any to $internal_net

##### loopback interface

pass in quick on $loop_if all
pass out quick on $loop_if all



## block web access to this hosts BASE

block drop in quick on $ext_if proto tcp from any to $external_addr port 443




pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x

#### FtP SerViCeS --- 21 and PasSiVe

pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
###(max-src-conn 74, max-src-conn-rate 100/2, overload <excess_conns_ftp130> flush global)
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x


pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from any to xxx.xxx.xxx.x


###### allow mail rsync, etc

pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to xxx.xxx.xxx.x
pass in quick on $ext_if inet proto tcp from xxx.xxx.xxx.x/32 to xxx.xxx.xxx.x
pass in quick on $int_if inet proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if inet proto tcp from xxx.xxx.xxx.x


pass out quick on $ext_if inet proto tcp from any to any port 2620 flags S/SA keep state
pass out quick on $ext_if inet proto udp from any to any port 2620
pass in quick on $ext_if inet proto tcp from any to any port 2620 flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to any port 2620

pass out quick on $int_if inet proto tcp from any to any port 2620 flags S/SA keep state
pass out quick on $int_if inet proto udp from any to any port 2620



##### dns services have to be allowed

pass in quick on $ext_if inet proto udp from any to $external_addr port 53 keep state
pass in quick on $ext_if inet proto udp from any port 53 to $internal_net keep state
pass in quick on $ext_if inet proto udp from any port 53 to any keep state

#### temp. ftp outbound for port updates / src updates / etc

#pass in quick on $ext_if inet proto tcp from any to any port 21 keep state
#pass in quick on $int_if inet proto tcp from any to any port 21 keep state
#pass out quick on $ext_if inet proto tcp from any to any port 21 keep state
#pass out quick on $int_if inet proto tcp from any to any port 21 keep state



##### with the block in all allow ns-2 full acess

######## END OF INBOUND allows on the ExTeRnAL InterFac3 ########

### allow SA responses back to initial SYN inbounds

pass in quick on $int_if proto tcp from <webips> port 80 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 443 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 21 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 20 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> port 50000:50050 to any flags SA/SAFR keep state
pass in quick on $int_if proto tcp from <webips> to <unabated> flags SA/SAFR keep state
pass in quick on $int_if proto udp from <webips> to <unabated> keep state
pass in quick on $int_if proto icmp from <webips> to <unabated> keep state
pass in quick on $int_if proto tcp from <webips> to <safeusers> flags SA/SAFR keep state
pass in quick on $int_if proto udp from <webips> to <safeusers> keep state
pass in quick on $int_if proto icmp from <webips> to <safeusers> keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

### Vista rules

pass in log quick on $int_if proto tcp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto udp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto icmp from <webips> to xxx.xxx.xxx.x/32
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

############ Some outbound rules ###########

pass out quick on $ext_if proto udp from $external_addr to any port 123 keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 22 flags S/SA keep state
pass out quick on $ext_if proto udp from $external_addr to any port 53 keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 80 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 43 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 443 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to any port 5999 flags S/SA keep state
pass out quick on $ext_if proto tcp from $external_addr to xxx.xxx.xxx.x/32 port 25 flags S/SA keep state



#allow traceroute from fw -> host , this is really slow and doesn't work properly
#pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state
#pass out quick on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state


pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
block in quick on $int_if proto tcp from xxx.xxx.xxx.x
block in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto udp from $internal_net to any port 53 keep state
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

pass in quick on $int_if proto udp from $internal_net to any port 123 keep state
pass in quick on $int_if proto icmp from $internal_net to any keep state
pass in quick on $int_if proto tcp from $internal_net to any port 43 flags S/SA keep state

pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x

#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
#pass in quick on $int_if proto tcp from xxx.xxx.xxx.x
Daniel Hartmeier
2007-02-09 18:13:51 UTC
Permalink
On Wed, Feb 07, 2007 at 10:24:57AM -0500, Kevin K. wrote:

> I was hoping that the issue was simple and common, due to Vista's emphasis
> on ipv6 among other networking issues. Either way, below is my entire pf
> configuration. I hope it helps.

I'm afraid you'll have to do the usual debug routine:

1) enable debug logging (pfctl -xm, output in /var/log/messages)
2) run pfctl -si and store the output
3) pick one external host that reliably reproduces the problem
4) on the external interface, run
tcpdump -s 1600 -nvvvSpi $ext_if host $ip and tcp
5) reproduce the problem once, from initial SYN to the point where
the connection fails
6) run pfctl -vvss, and note any state entries related to the
failed connection
7) re-run pfctl -si and store the output (of interest are any counters
increasing besides the obvious ones)
8) check /var/log/messages for any output from pf (related to the
failed connection, or at least the host $ip)

If you provide the output of those steps, that could narrow it down.

In case the results are too large, put them on a web page somewhere
and post the URL instead.

Daniel
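The eight steps above, as an added script that is not part of Daniel's post or of pf itself. It runs the steps in order on the firewall and adds one thing the list leaves to the eye: a diff of the two `pfctl -si` dumps, so step 7 reports exactly which counters moved during the reproduction. Only `capture_repro` calls pfctl and tcpdump; `pf_counter_diff` is plain awk and runs anywhere. `EXT_IF` defaulting to `dc1` (the external interface in the posted pf.conf), the output directory, and the two sample `pfctl -si` dumps are assumptions and constructed data, not captures from the poster's firewall.

```shell
#!/bin/sh
# Added example, not code from the thread: Daniel's debug routine as one
# script, plus a counter diff so "any counters increasing" is computed
# rather than eyeballed. Only capture_repro touches pfctl/tcpdump.
# Assumptions: EXT_IF defaults to dc1 (external interface in the posted
# pf.conf), OUTDIR is scratch space, and the pfctl -si samples are constructed.

EXT_IF="${EXT_IF:-dc1}"
OUTDIR="${OUTDIR:-/var/tmp/pfdebug}"

# pf_counter_diff BEFORE AFTER
#   Print "name before after" for every pfctl -si counter whose value changed.
#   A counter line is "<name...> <integer> [<rate>/s]"; header lines never end
#   in a bare integer, so they fall out of the filter without special cases.
pf_counter_diff() {
    awk '
        {
            vi = ($NF ~ /\/s$/) ? NF - 1 : NF        # rate column is optional
            if (vi < 2 || $vi !~ /^[0-9]+$/) next     # not a counter line
            name = $1
            for (i = 2; i < vi; i++) name = name " " $i
            if (FILENAME == ARGV[1]) { before[name] = $vi; next }
            if ((name in before) && before[name] != $vi)
                printf "%s %s %s\n", name, before[name], $vi
        }
    ' "$1" "$2"
}

# capture_repro HOST
#   Steps 1-8 in order. Start it, reproduce the failure from HOST while it
#   waits, press Enter, then read $OUTDIR and the counter diff it prints.
capture_repro() {
    host="$1"
    mkdir -p "$OUTDIR"
    pfctl -xm                                        # 1) debug -> /var/log/messages
    pfctl -si > "$OUTDIR/si.before"                  # 2) counters before
    tcpdump -s 1600 -nvvvSpi "$EXT_IF" host "$host" and tcp \
        > "$OUTDIR/tcpdump.txt" 2>&1 &               # 4) external interface capture
    tdpid=$!
    printf 'Reproduce the failure from %s now, then press Enter: ' "$host"
    read _ack                                        # 5) reproduce once
    pfctl -vvss > "$OUTDIR/states.txt"               # 6) grep $host in here
    pfctl -si > "$OUTDIR/si.after"                   # 7) counters after
    kill "$tdpid"
    grep -F "$host" /var/log/messages > "$OUTDIR/messages.txt" || true  # 8) pf debug lines
    pf_counter_diff "$OUTDIR/si.before" "$OUTDIR/si.after"
}

# Constructed pfctl -si samples: same layout pf prints, invented values.
sample_before() {
    cat <<'EOF'
Status: Enabled for 0 days 00:10:00           Debug: Misc

State Table                             Total             Rate
  current entries                          12
  searches                               4021            6.7/s
  inserts                                 110            0.2/s
  removals                                 98            0.2/s
Counters
  match                                   207            0.3/s
  bad-offset                                0            0.0/s
  state-mismatch                            3            0.0/s
  state-insert                              0            0.0/s
EOF
}

sample_after() {
    cat <<'EOF'
Status: Enabled for 0 days 00:11:00           Debug: Misc

State Table                             Total             Rate
  current entries                          13
  searches                               4105            6.2/s
  inserts                                 111            0.2/s
  removals                                 98            0.1/s
Counters
  match                                   211            0.3/s
  bad-offset                                0            0.0/s
  state-mismatch                            9            0.0/s
  state-insert                              0            0.0/s
EOF
}

# demo_diff: run the diff over the constructed samples (no pf needed).
demo_diff() {
    b=$(mktemp) && a=$(mktemp) || return 1
    sample_before > "$b"
    sample_after > "$a"
    pf_counter_diff "$b" "$a"
    rm -f "$b" "$a"
}

case "${1:-demo}" in
    capture) capture_repro "${2:?usage: $0 capture HOST}" ;;
    *)       demo_diff ;;
esac
```

On the constructed samples the diff prints five lines; the one worth reading is `state-mismatch 3 9`, which is what a stateless or half-stateful rule set tends to produce when the reply to a passed SYN arrives without a matching state.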
Kevin K.
2007-02-08 03:00:30 UTC
Permalink
> David Nguyen wrote:
> > I've installed Vista recently and it detected the network drivers and
> > "seemed" to be working (default drivers with Vista). I thought it was
> > the network, but it was actually the network drivers that came with
> > vista (nForce). I would retrieve a DHCP, but would not communicate. no
> > ping, no dns
> >
> > I then installed the ones from nVidia site and everything worked. So
> > it may be the drivers are broken, have you tried installing the
> > manufacturers drivers. I hope this helps.
> >
> > Cheers
> > David
>
>


I think the issue is with Vista working fine with other networks /
firewalls (as far as I can tell) ,but with my freebsd PF firewall it is
not able to connect to anything behind it.
Vladimir Kapustin
2007-02-08 21:10:46 UTC
Permalink
>> Nothing unusual, but that the mail stops forwarding from the
>> whitelist. i.e. the sender resends the mail, gets in WHITE-list in
>> spamd, but the mail does not actually pass the router.
>
>That and the sheer size of your spamdb is weird.
>

I have about 1000 users behind each router, and many of them have malware on
their PCs.

>> pfctl -sn
>> rdr pass inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
>> rdr pass inet proto tcp from ! <spamd-white> to any port smtp -> 127.0.0.1 port 8025
>
>try making your rdr interface specific, ie rdr pass on $ext_if and see
>if it makes a difference
>

Now all is OK. Should I change rdr-rules only if the situation repeats to
see if it really helps?

Is there any way to combine the spamd functionality with max-src-conn-rate
limitation?
I am worried only about spam FROM my LOCAL NET. And the spamd itself doesn't save me from
getting into different spam-lists. If only I could limit the spam-rate on $int_if
by PF-rules and then use spamd on $ext_if, I think it would be a good help.

>> No...not malware...suppose that a user doesn't know about malware
>> and uses Outlook to send his mail. He'll get into THE WHITE-list
>> and spamd can't stop HIS malware?
>
>Mail from a whitelisted IP address will pass.
>
>Please contact me off-list (the address works, with greylisting ;)) if
>you want me to see if I can reproduce the problem here, I'll probably
>need larger chunks of your config than you would sensibly put on a
>public list.

I would gladly send you any pieces of my configs you want. Can you
specify what I should send?
Vladimir Kapustin
2007-02-14 11:38:18 UTC
Permalink
>I have set it up as:
>
>block drop in quick on $ext_if from <blocksmtp> to any
>
>pass in quick on $ext_if proto tcp from any to ($ext_if) port smtp
>keep state \
> ( max-src-conn 5, max-src-conn-rate 80/90, overload <blocksmtp>
>flush global )

Strange thing, these rules don't want to work on FreeBSD 6.0, but
work on 6.2
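The split Vladimir asks for two posts up (rate-limit outbound SMTP on $int_if with PF, keep spamd on $ext_if), using the same `max-src-conn-rate ... overload` construction his last post shows, as an added example that is not code from the thread or from spamd. The script writes the ruleset, checks the one ordering rule that matters (the `quick` block of the overload table must precede the `quick` pass that fills it), runs `pfctl -nf` when pfctl is present, and wraps the table maintenance commands. The spamd `rdr` rules are made interface-specific as Peter suggested: without `on $ext_if` they also match LAN clients' outgoing port-25 connections as those enter on $int_if and send them to the local spamd. `dc0`/`dc1`, `192.0.2.0/24`, the table name `<smtp_abusers>` and the limits are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: outbound SMTP from the LAN is
# rate-limited on $int_if with an overload table, spamd stays on $ext_if.
# Assumptions: dc0/dc1 and 192.0.2.0/24 stand in for the poster's interfaces
# and LAN, <smtp_abusers> is a hypothetical table name, limits are illustrative.

PFCONF="${PFCONF:-/tmp/pf-smtp-split.conf}"

# write_ruleset FILE: emit the pf.conf fragment.
write_ruleset() {
    cat > "$1" <<'EOF'
ext_if="dc1"
int_if="dc0"
int_net="192.0.2.0/24"

table <spamd> persist
table <spamd-white> persist
table <smtp_abusers> persist

# greylisting: inbound SMTP on the external interface only. Without
# "on $ext_if" these rdr rules also catch LAN clients' outbound port 25.
rdr pass on $ext_if inet proto tcp from <spamd> to any port smtp \
    -> 127.0.0.1 port 8025
rdr pass on $ext_if inet proto tcp from ! <spamd-white> to any port smtp \
    -> 127.0.0.1 port 8025

# LAN -> Internet SMTP. Both rules are quick, so the block must come first
# or an overloaded host keeps matching the pass rule.
block drop in quick on $int_if inet proto tcp from <smtp_abusers> \
    to any port smtp
# max-src-conn 5: at most 5 open SMTP connections per source
# max-src-conn-rate 20/60: more than 20 new ones in 60 s -> overload
# plain "flush" (not "flush global") kills only the states this rule made,
# so a flagged PC loses port 25 and nothing else
pass in quick on $int_if inet proto tcp from $int_net to any port smtp \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 20/60, overload <smtp_abusers> flush)
EOF
}

# check_order FILE: succeed only if the <smtp_abusers> block rule precedes
# the overload pass rule in FILE.
check_order() {
    blk=$(grep -n 'block.*<smtp_abusers>' "$1" | head -1 | cut -d: -f1)
    pas=$(grep -n 'overload <smtp_abusers>' "$1" | head -1 | cut -d: -f1)
    [ -n "$blk" ] && [ -n "$pas" ] && [ "$blk" -lt "$pas" ]
}

# check_ruleset FILE: parse-only load with pfctl when it exists.
check_ruleset() {
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$1"
    else
        echo "pfctl not found; ruleset written to $1 but not parsed"
    fi
}

# Table maintenance. A persist table keeps entries until something removes
# them; nothing here expires them, so schedule flush_abusers if you need that.
show_abusers()   { pfctl -t smtp_abusers -T show; }
release_abuser() { pfctl -t smtp_abusers -T delete "$1"; }   # one LAN host
flush_abusers()  { pfctl -t smtp_abusers -T flush; }

write_ruleset "$PFCONF"
check_order "$PFCONF" && echo "rule order ok in $PFCONF"
check_ruleset "$PFCONF"
```

The `overload` only fires for connections the pass rule created, so a PC that relays through a whitelisted mail server on the LAN is not caught by this; that traffic never crosses $int_if toward port 25 on the Internet.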