
PF rule+twig



Hi all,

I'm having some problems troubleshooting the pf rules below and twig. I'm 
running OpenBSD 3.1. Everything works great except whenever I try to 
access my twig webpage (port 9080), it takes about 3-4 minutes to log me 
in, and it takes the same amount of time for each other page to load.
Now if I rem the "Standard services we want to access in the 
world" rule, twig responds in less than 2 secs (normal) but I lose 
internet connectivity to the outside world, and if I unrem "pass 
out quick on $Ext all keep state" and keep the "Standard services we 
want to access in the world" rule remmed, I'm back to the same 3-4 minute 
problem.

Thank you.



# Definitions
Ext = "tun0"            # External interface
Int = "xl0"             # Internal interface
Loop = "lo0"            # Loopback interface
IntNet="10.0.3.0/24"    # Internal network

NoRoute = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,  \
              255.255.255.255/32 }"

InServicesTCP = "{ ssh, smtp, auth, http, https, pop3, imap, 993, \
                    9080, 10200, 9090, 3306}"
# InServicesUDP = "{ domain }"
OutServicesTCP = "{ http, https, smtp, pop3, imap, 993, whois,  \
                     domain, ssh, telnet, ftp, ftp-data, nntp, auth,   \
                     ntp, 10200, 2628, 9080, 9090, 3306 }"
OutServicesUDP = "{ ntp, domain, 10200 }"

XMMS = "{ 6000, 7500, 8000, 8004, 8044, 8034, 8052, 8038, 8010, 8400, \
           8014, 8026, 8048, 8002, 8024, 8028, 8080, 5190 }"

#-----------------------------------------------------------------------
# Defaults
# block and log everything
block             out log on $Ext           all
block             in  log on $Ext           all
block return-rst  out log on $Ext proto tcp all
block return-rst  in  log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in  log on $Ext proto udp all
#-----------------------------------------------------------------------
# loopback packets left unmolested
pass in quick on $Loop all
pass out quick on $Loop all
#-----------------------------------------------------------------------

#-----------------------------------------------------------------------
# Immediate blocks
# fuzz any 'nmap' attempt
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
# don't allow anyone to spoof non-routeable addresses
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute

# silently drop broadcasts (cable modem noise)
block in quick on $Ext from any to 255.255.255.255
#-----------------------------------------------------------------------

#-----------------------------------------------------------------------
# PASS rules

# ALL  -- we don't normally do that. For debugging only.
#pass out quick on $Ext all keep state


# Services we provide to the outside world
#pass in quick on $Ext inet proto udp from any to any port $InServicesUDP keep state
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP \
    flags S/SA keep state

# Standard services we want to access in the world
pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP \
    keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP \
    flags S/SA modulate state