
PF rule+twig



Hi all,

I'm having some problems troubleshooting the pf rules below and twig. I'm running OpenBSD 3.1. Everything works great except that whenever I try to access my twig web page (port 9080), it takes about 3-4 minutes to log me in, and it takes the same amount of time for every other page to load.
Now, if I comment out the "Standard services we want to access in the world" rule, twig responds in less than 2 seconds (normal), but I lose internet connectivity to the outside world. If I uncomment "pass out quick on $Ext all keep state" and keep the "Standard services we want to access in the world" rule commented out, I'm back to the same 3-4 minute problem.


Thank you.



# Definitions
Ext = "tun0"            # External interface
Int = "xl0"             # Internal interface
Loop = "lo0"            # Loopback interface
IntNet="10.0.3.0/24"    # Internal network

# Addresses that must never appear on the external interface. Written as
# network/prefix (127.0.0.0/8, not 127.0.0.1/8) so the mask is explicit;
# 0.0.0.0/8 and 169.254.0.0/16 are added as further non-routable ranges.
NoRoute = "{ 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 192.168.0.0/16, \
             172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"

InServicesTCP = "{ ssh, smtp, auth, http, https, pop3, imap, 993, \
                   9080, 10200, 9090, 3306}"
# InServicesUDP = "{ domain }"
OutServicesTCP = "{ http, https, smtp, pop3, imap, 993, whois,  \
                    domain, ssh, telnet, ftp, ftp-data, nntp, auth,   \
                    ntp, 10200, 2628, 9080, 9090, 3306 }"
OutServicesUDP = "{ ntp, domain, 10200 }"

XMMS = "{ 6000, 7500, 8000, 8004, 8044, 8034, 8052, 8038, 8010, 8400, \
          8014, 8026, 8048, 8002, 8024, 8028, 8080, 5190 }"

#-----------------------------------------------------------------------
# Defaults
# block and log everything
block             out log on $Ext           all
block             in  log on $Ext           all
block return-rst  out log on $Ext proto tcp all
block return-rst  in  log on $Ext proto tcp all
block return-icmp out log on $Ext proto udp all
block return-icmp in  log on $Ext proto udp all
#-----------------------------------------------------------------------
# loopback packets left unmolested
pass in quick on $Loop all
pass out quick on $Loop all
#-----------------------------------------------------------------------

#-----------------------------------------------------------------------
# Immediate blocks
# fuzz any 'nmap' attempt
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
# don't allow anyone to spoof non-routeable addresses
block in log quick on $Ext from $NoRoute to any
block out log quick on $Ext from any to $NoRoute

# silently drop broadcasts (cable modem noise)
block in quick on $Ext from any to 255.255.255.255
#-----------------------------------------------------------------------

#-----------------------------------------------------------------------
# PASS rules

# ALL  -- we don't normally do that. For debugging only.
#pass out quick on $Ext all keep state


# Services we provide to the outside world
#pass in quick on $Ext inet proto udp from any to any port $InServicesUDP keep state
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP \
flags S/SA keep state


# Standard services we want to access in the world
pass out quick on $Ext inet proto udp from any to any port $OutServicesUDP \
keep state
pass out quick on $Ext inet proto tcp from any to any port $OutServicesTCP \
flags S/SA modulate state
