Need help: How to activate Layer7 P2P Blocker?



  • Dear Freaks,

    I'm trying to block most P2P traffic with pfSense 2.0 beta 5.

    I already configured a list of Layer7 applications to be blocked:

    What else do I have to do to get this Blocker working?
    Do I have to start a wizard or design some queues?

    Please give me a hint :)
    Best wishes,
    Janosch111



  • Now add a floating rule, action "PASS", source "LAN", and at the bottom in "advanced features", select "block_p2p" in "Layer7".



  • Hello OyyoDams,

    many thanks for your quick answer :-)

    I just tried to configure everything you told me to do (please have a look at my new screenshot further down).

    But I'm still able to download Linux images via BitTorrent (this was my first test…).

    What's wrong?

    Why did you tell me to choose the action "PASS" instead of "BLOCK"???

    For your help, many thanks in advance,
    Janosch111



  • Try selecting TCP and UDP under protocol



  • Hi Kevin!

    Thanks for your hint… I reconfigured that rule as you told me.
    Now I'm monitoring that system for P2P Traffic...

    Best wishes,
    Janosch111



  • Setting the rule to "pass" means that (in your case any-to-any) packets will be sent through this rule. These packets will be inspected by your L7 rule to block out P2P traffic. When you set it to block, all traffic will be blocked and so not filtered by your L7 rule.



  • @janosch111:

    Thanks for your hint… I reconfigured that rule as you told me.
    Now I'm monitoring that system for P2P Traffic...

    Is it working?



  • Hi Community,

    just another update of my struggle against P2P:
    I'm sorry, but it's still the same. I'm able to put a torrent download job on my Synology NAS and it starts downloading. After a minute the upload starts as well.

    Has anyone some ideas what to try next?

    Best wishes,
    Janosch111



  • I'm experiencing the same issue, although all I would like to do is block outgoing P2P traffic.

    Has anyone got any further with this?



  • I'm assuming the following statement…

    If you don't turn off UPnP mapping in pfSense for your UPnP-sensitive devices such as Synology, then you're wasting your time with Layer 7 blocking and firewall rules?

    jits.



  • For a test I set up an L7 rule to block HTTP traffic and it didn't block any HTTP traffic. I'm thinking L7 is broken right now. Can anyone else confirm this by blocking other protocols?



  • Yes, just take a look at the ticket: http://redmine.pfsense.org/issues/636



  • Can you please retry testing layer7 after making the modification mentioned on the redmine ticket or updating to the latest snapshots from tomorrow?!



  • @ermal:

    Can you please retry testing layer7 after making the modification mentioned on the redmine ticket or updating to the latest snapshots from tomorrow?!

    I added the patch to my system but it didn't seem to help. But keep in mind that I'm running '2.0-RC1-IPv6 (i386) built on Mon Feb 28 17:13:01 EST 2011' with daily gitsync to smos's repository as updates/merges are done.

    Steps I took: I added the patch, rebooted, created the Layer 7 HTTP block and added it as the last rule on my floating tab. The rule is logging all the traffic, as I see it in the fw log. Rebooted the box to make sure… Still didn't work, but it was logging HTTP traffic. Moved the rule to the top of my floating rules... Same results, rebooted once again... Same results.

    I did notice in my logs that the HTTP rule was picking up all HTTP traffic (I didn't select an interface): traffic to my web server, my outbound traffic, and traffic when I access the router web interface (this is on a non-standard port too). To me it seems like the Layer7 signatures are working but the router isn't blocking them.

    I hope others had better results than I did.



  • What if you remove that max-packets 10 completely?

    
    diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
    index 8fd042f..41e3708 100644
    --- a/etc/inc/filter.inc
    +++ b/etc/inc/filter.inc
    @@ -1913,8 +1913,6 @@ function filter_generate_user_rule($rule) {
                                                    $aline['flags'] .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " ";
                                                    $aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot>flush global ";
                                            }
    -                                       if(!empty($aline['divert']))
    -                                               $aline['flags'] .= "max-packets 10 ";
    
                                            $aline['flags'] .= " ) ";
                                    }</virusprot> 
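    Review bot: dropping only the max-packets line leaves the `( ` that the Layer7 guard opens further up (the `|| $l7_present` condition visible in the later diff) with nothing between it and the `" ) "` in this hunk's context, so a rule whose only advanced setting is a Layer7 container renders as `keep state ( )`, which is exactly the pfctl syntax error reported in the next reply; either keep one state option inside the block or also remove `$l7_present` from both guards.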
    


  • I ended up with errors after removing the 2 lines.

    I removed:

    -                                       if(!empty($aline['divert']))
    -                                               $aline['flags'] .= "max-packets 10 ";
    

    system logs:

    
    Mar 17 21:26:37 	php: : New alert found: There were error(s) loading the rules: /tmp/rules.debug:365: syntax error pfctl: Syntax error in config file: pf rules not loaded The line in question reads [365]: pass log inet proto tcp from any to any divert 51790 flags S/SA keep state ( ) label "USER_RULE"
    Mar 17 21:26:37 	php: : The command '/sbin/pfctl -o basic -f /tmp/rules.debug' returned exit code '1', the output was '/tmp/rules.debug:365: syntax error pfctl: Syntax error in config file: pf rules not loaded'
    
    


  • Hmm, sorry, this should be the correct one

    
    diff --git a/etc/inc/filter.inc b/etc/inc/filter.inc
    index 36e7624..18f2d66 100644
    --- a/etc/inc/filter.inc
    +++ b/etc/inc/filter.inc
    @@ -1881,7 +1881,7 @@ function filter_generate_user_rule($rule) {
                    } else
                            $aline['flags'] .= "keep state ";
    
    -               if($noadvoptions == false || $l7_present)
    +               if($noadvoptions == false)
                            if( (isset($rule['source-track']) and $rule['source-track'] <> "") or
                                (isset($rule['max']) and $rule['max'] <> "") or
                                (isset($rule['max-src-nodes']) and $rule['max-src-nodes'] <> "") or
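    Review bot: with `$l7_present` removed from this guard, a rule whose only advanced setting is a Layer7 container no longer opens the `( ... )` state-option block, which is what prevents the empty `( )`; the inner condition a few lines down still lists `$l7_present` in its last `or` term, so confirm it is changed in the same commit (the hunk below does this), otherwise the outer guard and the inner test disagree about when Layer7 alone qualifies.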
    @@ -1890,7 +1890,7 @@ function filter_generate_user_rule($rule) {
                                (isset($rule['max-src-conn-rates']) and $rule['max-src-conn-rates'] <> "") or
                                (isset($rule['max-src-states']) and $rule['max-src-states'] <> "") or
                                (isset($rule['statetimeout']) and $rule['statetimeout'] <> "") or
    -                           isset($rule['sloppy']) or $l7_present) {
    +                           isset($rule['sloppy'])) {
                                            $aline['flags'] .= "( ";
                                            if (isset($rule['sloppy']))
                                                    $aline['flags'] .= "sloppy ";
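    Review bot: the last `or` term now ends at `isset($rule['sloppy'])) {`, so the parenthesisation still closes correctly; a one-line comment above this condition noting that a Layer7 container no longer forces the state-option block would help, since nothing in this long `if` otherwise records why `$l7_present` was dropped.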
    @@ -1913,8 +1913,6 @@ function filter_generate_user_rule($rule) {
                                                    $aline['flags'] .= "max-src-conn-rate " . $rule['max-src-conn-rate'] . " ";
                                                    $aline['flags'] .= "/" . $rule['max-src-conn-rates'] . ", overload <virusprot>flush global ";
                                            }
    -                                       if(!empty($aline['divert']))
    -                                               $aline['flags'] .= "max-packets 5 ";
    
                                            $aline['flags'] .= " ) ";
                                    }</virusprot> 
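    Review bot: this hunk removes `max-packets 5` whereas the first diff in the thread removed `max-packets 10` (index 8fd042f vs 36e7624), so the two patches were taken against different revisions of filter.inc; anyone applying it by hand should check which value their copy carries, and the rules.debug posted later (`keep state ( max-packets 5 )`) shows the 5 variant is what the tester's tree generated.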
    

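    The three code variants compared in this thread (stock filter.inc, the first patch that only removed the max-packets line, and the second patch that also dropped $l7_present from both guards), as an added example that is not pfSense's own code: a Python model of the state-option logic in filter_generate_user_rule() plus a pre-load check for the empty "( )" block that pfctl rejected above. The divert port 41786, the "testblocking" container and the max-packets value come from the thread; the subset of advanced options modelled (sloppy, max, statetimeout) is an assumption.

```python
"""Model of the state-option text that pfSense 2.0's filter_generate_user_rule()
emits for a floating pass rule carrying a Layer7 container, in the three variants
seen in this thread: stock code, the first patch (max-packets line removed) and the
second patch ($l7_present dropped from both guards as well). Added illustration,
not pfSense's own PHP; it covers only the options sloppy, max and statetimeout."""

import re

# Config fields whose presence makes filter.inc open the "( ... )" block
# (assumed subset of the keys tested in the long 'if' shown in the diff).
ADV_KEYS = ("source-track", "max", "max-src-nodes", "max-src-conn",
            "max-src-conn-rate", "max-src-conn-rates", "max-src-states",
            "statetimeout", "sloppy")


def state_options(rule, variant, max_packets=5):
    """Return the text emitted after 'keep state' for the given code variant.

    variant "original": Layer7 alone opens the block and adds "max-packets N".
    variant "patch1":   only the max-packets line removed; guards unchanged.
    variant "patch2":   $l7_present also removed from both guards.
    """
    l7_present = bool(rule.get("l7container"))
    adv_set = any(rule.get(k) not in (None, "", False) for k in ADV_KEYS)
    # In the stock code and in patch1 the guards read "adv option set OR l7_present".
    if not (adv_set or (l7_present and variant != "patch2")):
        return ""
    opts = []
    if rule.get("sloppy"):
        opts.append("sloppy")
    if rule.get("max"):
        opts.append("max %s" % rule["max"])
    if rule.get("statetimeout"):
        opts.append("statetimeout %s" % rule["statetimeout"])
    if l7_present and variant == "original":
        opts.append("max-packets %d" % max_packets)
    # The PHP concatenates "( ", each option, and " ) "; with no option the
    # result is the bare "( )" that pfctl refused in the thread.
    return "( %s )" % " ".join(opts) if opts else "( )"


def build_rule(rule, divert_port, variant):
    """Assemble the pf line the way rules.debug shows it for a Layer7 rule."""
    proto = rule.get("protocol", "tcp")
    parts = [rule.get("type", "pass"), rule.get("ipprotocol", "inet"),
             "proto", proto, "from any to any", "divert %d" % divert_port]
    if proto == "tcp":
        parts.append("flags S/SA")
    parts.append("keep state")
    opts = state_options(rule, variant)
    if opts:
        parts.append(opts)
    parts.append('label "USER_RULE"')
    return " ".join(parts)


EMPTY_BLOCK = re.compile(r"\(\s*\)")


def check_rule(line):
    """Pre-load sanity check for one generated rule line.

    Mirrors the two failure modes discussed in the thread: an empty state-option
    block "( )" (pfctl syntax error, whole ruleset refused) and a divert on a
    non-pass rule (the L7 daemon only ever sees packets a pass rule diverts).
    Returns a list of problems; an empty list means the line looks loadable.
    """
    problems = []
    if EMPTY_BLOCK.search(line):
        problems.append("empty state-option block '( )'")
    if " divert " in line and not line.startswith("pass"):
        problems.append("divert on a non-pass rule; only a pass rule hands packets to the L7 daemon")
    return problems


if __name__ == "__main__":
    # Constructed rule mirroring the config.xml posted in the thread.
    rule = {"type": "pass", "ipprotocol": "inet", "protocol": "tcp",
            "l7container": "testblocking"}
    for variant in ("original", "patch1", "patch2"):
        line = build_rule(rule, 41786, variant)
        print("%-8s %s" % (variant, line))
        for problem in check_rule(line):
            print("         -> %s" % problem)
```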

  • I tried it and it didn't work… Since it didn't work, and I noticed there were some updates for IPv6 (smos repos), I went ahead and did a gitsync, which erased the patch I added. The last merge with the mainline code happened on Wed, so this gitsync didn't include the patches you added yesterday. Now for the fun part!!

    After I gitsynced and rebooted, I noticed that the lcdproc process was timing out while trying to connect to LCDd. I'm like WTF..... To make a long story short, my test rule (Block: telnet, pop3, smtp) was blocking the connection. Once I disabled my test rule, lcdproc connected right away to LCDd.

    So the layer7 stuff is working, but for the loopback address it seems... I hope this bit of info helps... Maybe it's the way we create the rules? That another rule overrides the layer7 one?



  • Can you show me your ruleset?
    The one that you expect to work?



  • Sure… Let me know if you need anything else

    Here is the rule I created:

    
    from config.xml
    <rule>
      <id/>
      <type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <tag/>
      <tagged/>
      <direction>any</direction>
      <floating>yes</floating>
      <max/>
      <max-src-nodes/>
      <max-src-conn/>
      <max-src-states/>
      <statetimeout/>
      <statetype>keep state</statetype>
      <os/>
      <protocol>tcp</protocol>
      <source>
        <any/>
      </source>
      <destination>
        <any/>
      </destination>
      <descr/>
      <l7container>testblocking</l7container>
    </rule>
    from rules.debug
    pass inet proto tcp from any to any divert 41786 flags S/SA keep state ( max-packets 5 ) label "USER_RULE"
    
    

    Here is the whole rules.debug in case you need it

    
    #System aliases
    
    loopback = "{ lo0 }"
    WAN = "{ em3 }"
    LAN = "{ em2 }"
    OVPN_REMOTE = "{ ovpns1 }"
    OVPN_MATT = "{ ovpns2 }"
    WAN_IPV6 = "{ gif0 }"
    VERIZON3G = "{ ppp0 }"
    WLAN_GUEST = "{ em0_vlan5 }"
    IPsec = "{ enc0 }"
    OpenVPN = "{ openvpn }"
    
    #SSH Lockout Table
    table <sshlockout> persist
    table <webconfiguratorlockout> persist
    #pfSnortSam tables
    table <snort2c>
    table <pfsnortsamout>
    table <pfsnortsamin>
    table <virusprot>
    # User Aliases
    
    set limit table-entries 900000
    table <allow_icmp> { x.x.x.x }
    Allow_ICMP = "<allow_icmp>"
    table <easyruleblockhostsopt4> { 178.239.57.253/32 }
    EasyRuleBlockHostsOPT4 = "<easyruleblockhostsopt4>"
    table <easyruleblockhostswan> { 221.1.220.163/32 }
    EasyRuleBlockHostsWAN = "<easyruleblockhostswan>"
    table <game_consoles> { 192.168.0.60 192.168.0.61 192.168.0.62 }
    Game_Consoles = "<game_consoles>"
    table <ipsec_subnets> { 192.168.60.0/24 192.168.70.0/24 }
    IPSec_Subnets = "<ipsec_subnets>"
    ManagementPorts = "{ 22 222 445 443 }"
    table <managementsubnets> { 192.168.0.0/24 192.168.200.0/24 }
    ManagementSubnets = "<managementsubnets>"
    table <openvpn_subnets> { 192.168.200.0/24 192.168.201.0/24 192.168.50.0/24 }
    OpenVPN_Subnets = "<openvpn_subnets>"
    table <p2p_devices> { 192.168.0.20 }
    P2P_Devices = "<p2p_devices>"
    table <penaltybox> { 192.168.0.15 }
    PenaltyBox = "<penaltybox>"
    table <privatenetworks> { 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.1/8 fc00::/7 }
    PrivateNetworks = "<privatenetworks>"
    table <safesubnets> { 192.168.0.0/24 192.168.200.0/24 192.168.201.0/24 192.168.50.0/24 192.168.60.0/24 192.168.70.0/24 }
    SafeSubnets = "<safesubnets>"
    SMB_TCP = "{ 139 445 }"
    SMB_UDP = "{ 137 138 }"
    table <video_devices> { 192.168.0.50 192.168.0.51 192.168.0.52 }
    Video_Devices = "<video_devices>"
    table <voip_devices> { 192.168.0.8 }
    VoIP_Devices = "<voip_devices>"
    VoIP_Ports = "{ 10000:20000 4569 }"
    table <work_ips> { x.x.x.x/24 }
    Work_IPs = "<work_ips>"
    
    # Gateways
    GWWAN = " route-to ( em3 x.x.x.x ) "
    GWHE_Net = " route-to ( gif0 2001:470:x.x.x.x::1 ) "
    GWVERIZON3G = " route-to ( ppp0 x.x.x.x ) "
    GWWanFailoverTo3G = " route-to { ( em3 x.x.x.x ) } "
    
    set loginterface em2
    set optimization normal
    set limit states 299000
    set limit src-nodes 299000
    
    set skip on pfsync0
    
    scrub in on $WAN all fragment reassemble
    scrub in on $LAN all fragment reassemble
    scrub in on $OVPN_REMOTE all fragment reassemble
    scrub in on $OVPN_MATT all fragment reassemble
    scrub in on $WAN_IPV6 all fragment reassemble
    scrub in on $VERIZON3G all fragment reassemble
    scrub in on $WLAN_GUEST all fragment reassemble
    
    altq on em3 priq bandwidth 5Mb queue { qACK, qDefault, qP2P, qVoIP, qGames, qVPN, qOthersHigh, qOthersLow }
    queue qACK on em3 priority 9 priq ( ecn )
    queue qDefault on em3 priority 3 priq ( ecn , default )
    queue qP2P on em3 priority 1 priq ( ecn )
    queue qVoIP on em3 priority 10 priq ( ecn )
    queue qGames on em3 priority 8 priq ( ecn )
    queue qVPN on em3 priority 7 priq ( ecn )
    queue qOthersHigh on em3 priority 4 priq ( ecn )
    queue qOthersLow on em3 priority 2 priq ( ecn )
    
    altq on em2 priq bandwidth 1Gb queue { qACK, qDefault, qP2P, qVoIP, qGames, qVPN, qOthersHigh, qOthersLow }
    queue qACK on em2 priority 9 priq ( ecn )
    queue qDefault on em2 priority 3 priq ( ecn , default )
    queue qP2P on em2 priority 1 priq ( ecn )
    queue qVoIP on em2 priority 10 priq ( ecn )
    queue qGames on em2 priority 8 priq ( ecn )
    queue qVPN on em2 priority 7 priq ( ecn )
    queue qOthersHigh on em2 priority 4 priq ( ecn )
    queue qOthersLow on em2 priority 2 priq ( ecn )
    
    altq on ovpns1 priq bandwidth 5Mb queue { qACK, qDefault, qP2P, qVoIP, qGames, qVPN, qOthersHigh, qOthersLow }
    queue qACK on ovpns1 priority 9 priq ( ecn )
    queue qDefault on ovpns1 priority 3 priq ( ecn , default )
    queue qP2P on ovpns1 priority 1 priq ( ecn )
    queue qVoIP on ovpns1 priority 10 priq ( ecn )
    queue qGames on ovpns1 priority 8 priq ( ecn )
    queue qVPN on ovpns1 priority 7 priq ( ecn )
    queue qOthersHigh on ovpns1 priority 4 priq ( ecn )
    queue qOthersLow on ovpns1 priority 2 priq ( ecn )
    
    altq on ovpns2 priq bandwidth 5Mb queue { qACK, qDefault, qP2P, qVoIP, qGames, qVPN, qOthersHigh, qOthersLow }
    queue qACK on ovpns2 priority 9 priq ( ecn )
    queue qDefault on ovpns2 priority 3 priq ( ecn , default )
    queue qP2P on ovpns2 priority 1 priq ( ecn )
    queue qVoIP on ovpns2 priority 10 priq ( ecn )
    queue qGames on ovpns2 priority 8 priq ( ecn )
    queue qVPN on ovpns2 priority 7 priq ( ecn )
    queue qOthersHigh on ovpns2 priority 4 priq ( ecn )
    queue qOthersLow on ovpns2 priority 2 priq ( ecn )
    
    altq on ppp0 priq bandwidth 1Mb queue { qACK, qDefault, qP2P, qVoIP, qGames, qVPN, qOthersHigh, qOthersLow }
    queue qACK on ppp0 priority 9 priq ( ecn )
    queue qDefault on ppp0 priority 3 priq ( ecn , default )
    queue qP2P on ppp0 priority 1 priq ( ecn )
    queue qVoIP on ppp0 priority 10 priq ( ecn )
    queue qGames on ppp0 priority 8 priq ( ecn )
    queue qVPN on ppp0 priority 7 priq ( ecn )
    queue qOthersHigh on ppp0 priority 4 priq ( ecn )
    queue qOthersLow on ppp0 priority 2 priq ( ecn )
    
    nat-anchor "natearly/*"
    nat-anchor "natrules/*"
    
    # Outbound NAT rules
    
    # Subnets to NAT
    table <tonatsubnets> { 192.168.0.0/24 192.168.200.1/32 192.168.201.1/32 192.168.5.0/24 192.168.200.0/24 192.168.201.0/24 127.0.0.0/8 }
    nat on $WAN from <tonatsubnets> port 500 to any port 500 -> 67.250.121.14/32 port 500
    nat on $WAN from <tonatsubnets> to any -> x.x.x.x/32 port 1024:65535
    
    nat on $VERIZON3G from <tonatsubnets> port 500 to any port 500 -> 75.213.12.0/32 port 500
    nat on $VERIZON3G from <tonatsubnets> to any -> x.x.x.x/32 port 1024:65535
    
    # Load balancing anchor
    rdr-anchor "relayd/*"
    # TFTP proxy
    rdr-anchor "tftp-proxy/*"
    table <vpns> { 192.168.60.0/24 }
    table <direct_networks> { x.x.x.x/21 192.168.0.0/24 192.168.200.1/32 192.168.201.1/32 x.x.x.x/32 192.168.5.0/24 }
    # NAT Inbound Redirects
    rdr on em3 proto tcp from any to 67.250.121.14 port 80 -> 127.0.0.1 port 9080
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 80 tag PFREFLECT -> 127.0.0.1 port 19000
    
    rdr on em3 proto tcp from any to x.x.x.x port 443 -> 127.0.0.1 port 9443
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 443 tag PFREFLECT -> 127.0.0.1 port 19001
    
    rdr on em3 proto tcp from any to x.x.x.x port 3389 -> 192.168.0.10
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 3389 tag PFREFLECT -> 127.0.0.1 port 19002
    
    rdr on em3 proto tcp from any to x.x.x.x port 21 -> 192.168.0.10
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 21 tag PFREFLECT -> 127.0.0.1 port 19003
    
    rdr on em3 proto udp from any to x.x.x.x port 5198:5199 -> 192.168.0.10
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto udp from any to x.x.x.x port 5198:5199 tag PFREFLECT -> 127.0.0.1 port 19004:19005
    
    rdr on em3 proto tcp from any to x.x.x.x port 8100 -> 192.168.0.10 port 5198
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 8100 tag PFREFLECT -> 127.0.0.1 port 19006
    
    rdr on em3 proto tcp from any to x.x.x.x port 15000 -> 192.168.0.20
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 15000 tag PFREFLECT -> 127.0.0.1 port 19007
    
    rdr on em3 proto udp from any to x.x.x.x port 15004 -> 192.168.0.20
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto udp from any to x.x.x.x port 15004 tag PFREFLECT -> 127.0.0.1 port 19008
    
    rdr on em3 proto { tcp udp } from any to x.x.x.x port 8525 -> 192.168.0.20
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto { tcp udp } from any to x.x.x.x port 8525 tag PFREFLECT -> 127.0.0.1 port 19009
    
    rdr on em3 proto tcp from any to x.x.x.x port 554 -> 192.168.0.30
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto tcp from any to x.x.x.x port 554 tag PFREFLECT -> 127.0.0.1 port 19010
    
    rdr on em3 proto udp from any to x.x.x.x port 5000:5010 -> 192.168.0.30
    # Reflection redirects
    rdr on { em2 ovpns1 ovpns2 gif0 em0_vlan5 enc0 openvpn } proto udp from any to x.x.x.x port 5000:5010 tag PFREFLECT -> 127.0.0.1 port 19011:19021
    
    # UPnPd rdr anchor
    rdr-anchor "miniupnpd"
    
    anchor "relayd/*"
    #---------------------------------------------------------------------------
    # default deny rules
    #---------------------------------------------------------------------------
    block in log inet all label "Default deny rule IPv4"
    block out log inet all label "Default deny rule IPv4"
    block in log inet6 all label "Default deny rule IPv6"
    block out log inet6 all label "Default deny rule IPv6"
    
    # IPv6 ICMP is not auxilary, it is required for operation
    # See man icmp6(4)
    # 1 unreach Destination unreachable
    # 2 toobig Packet too big
    # 128 echoreq Echo service request
    # 129 echorep Echo service reply
    # 133 routersol Router solicitation
    # 134 routeradv Router advertisement
    # 135 neighbrsol Neighbor solicitation
    # 136 neighbradv Neighbor advertisement
    pass quick inet6 proto ipv6-icmp from any to any icmp6-type {1,2,135,136} keep state
    
    # Allow only bare essential icmpv6 packets (NS, NA, and RA, echoreq, echorep)
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {128,133,134,135,136} keep state
    pass out quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {128,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from ff02::/16 to fe80::/10 icmp6-type {129,133,134,135,136} keep state
    pass in quick inet6 proto ipv6-icmp from fe80::/10 to ff02::/16 icmp6-type {129,133,134,135,136} keep state
    
    # We use the mighty pf, we cannot be fooled.
    block quick inet proto { tcp, udp } from any port = 0 to any
    block quick inet proto { tcp, udp } from any to any port = 0
    block quick inet6 proto { tcp, udp } from any port = 0 to any
    block quick inet6 proto { tcp, udp } from any to any port = 0
    
    # pfSnortSam
    
    #countryblock
    table <countryblock> persist file '/usr/local/www/packages/countryblock/lists/countries.txt'
    table <countryblockw> persist file '/usr/local/www/packages/countryblock/countries-white.txt'
    pass quick from <countryblockw> to any label 'countryblock'
    pass quick from any to <countryblockw> label 'countryblock'
    block quick from <countryblock> to any label 'countryblock'
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"
    block quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
    block quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"
    
    # SSH lockout
    block in log quick proto tcp from <sshlockout> to any port 222 label "sshlockout"
    
    # webConfigurator lockout
    block in log quick proto tcp from <webconfiguratorlockout> to any port 445 label "webConfiguratorlockout"
    block in quick from <virusprot> to any label "virusprot overload table"
    table <bogons> persist file "/etc/bogons"
    table <bogonsv6> persist file "/etc/bogonsv6"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $WAN from <bogons> to any label "block bogon IPv4 networks from WAN"
    block in log quick on $WAN from <bogonsv6> to any label "block bogon IPv6 networks from WAN"
    antispoof for em3
    # allow our DHCP client out to the WAN
    pass in on $WAN proto udp from any port = 67 to any port = 68 label "allow dhcp client out WAN"
    pass out on $WAN proto udp from any port = 68 to any port = 67 label "allow dhcp client out WAN"
    # Not installing DHCP server firewall rules for WAN which is configured for DHCP.
    antispoof for em2
    
    # allow access to DHCP server on LAN
    pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $LAN proto udp from any port = 68 to 192.168.0.1 port = 67 label "allow access to DHCP server"
    pass out on $LAN proto udp from 192.168.0.1 port = 67 to any port = 68 label "allow access to DHCP server"
    
    # allow access to DHCPv6 server on LAN
    anchor "dhcpv6serverLAN"
    # We need inet6 icmp for stateless autoconfig and dhcpv6
    pass in on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 546 label "allow access to DHCPv6 server"
    pass in on $LAN inet6 proto udp from fe80::/10 to ff02::/16 port = 547 label "allow access to DHCPv6 server"
    pass in on $LAN inet6 proto udp from fe80::/10 to 2001:470:1f07:e7f::1 port = 546 label "allow access to DHCPv6 server"
    pass out on $LAN inet6 proto udp from 2001:470:1f07:e7f::1 port = 547 to fe80::/10 label "allow access to DHCPv6 server"
    table <bogonsv6> persist file "/etc/bogonsv6"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $OVPN_REMOTE from <bogons> to any label "block bogon IPv4 networks from OVPN_REMOTE"
    block in log quick on $OVPN_REMOTE from <bogonsv6> to any label "block bogon IPv6 networks from OVPN_REMOTE"
    antispoof for ovpns1
    table <bogonsv6> persist file "/etc/bogonsv6"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $OVPN_MATT from <bogons> to any label "block bogon IPv4 networks from OVPN_MATT"
    block in log quick on $OVPN_MATT from <bogonsv6> to any label "block bogon IPv6 networks from OVPN_MATT"
    antispoof for ovpns2
    table <bogonsv6> persist file "/etc/bogonsv6"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $WAN_IPV6 from <bogons> to any label "block bogon IPv4 networks from WAN_IPV6"
    block in log quick on $WAN_IPV6 from <bogonsv6> to any label "block bogon IPv6 networks from WAN_IPV6"
    table <bogonsv6> persist file "/etc/bogonsv6"
    # block bogon networks
    # http://www.cymru.com/Documents/bogon-bn-nonagg.txt
    # http://www.team-cymru.org/Services/Bogons/fullbogons-ipv6.txt
    block in log quick on $VERIZON3G from <bogons> to any label "block bogon IPv4 networks from VERIZON3G"
    block in log quick on $VERIZON3G from <bogonsv6> to any label "block bogon IPv6 networks from VERIZON3G"
    antispoof for ppp0
    # block anything from private networks on interfaces with the option set
    antispoof for $VERIZON3G
    block in log quick on $VERIZON3G from 10.0.0.0/8 to any label "Block private networks from VERIZON3G block 10/8"
    block in log quick on $VERIZON3G from 127.0.0.0/8 to any label "Block private networks from VERIZON3G block 127/8"
    block in log quick on $VERIZON3G from 172.16.0.0/12 to any label "Block private networks from VERIZON3G block 172.16/12"
    block in log quick on $VERIZON3G from 192.168.0.0/16 to any label "Block private networks from VERIZON3G block 192.168/16"
    block in log quick on $VERIZON3G from fc00::/7 to any label "Block ULA networks from VERIZON3G block fc00::/7"
    antispoof for em0_vlan5
    
    # allow access to DHCP server on WLAN_GUEST
    pass in on $WLAN_GUEST proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
    pass in on $WLAN_GUEST proto udp from any port = 68 to 192.168.5.1 port = 67 label "allow access to DHCP server"
    pass out on $WLAN_GUEST proto udp from 192.168.5.1 port = 67 to any port = 68 label "allow access to DHCP server"
    
    # loopback
    pass in on $loopback inet all label "pass IPv4 loopback"
    pass out on $loopback inet all label "pass IPv4 loopback"
    pass in on $loopback inet6 all label "pass IPv6 loopback"
    pass out on $loopback inet6 all label "pass IPv6 loopback"
    # let out anything from the firewall host itself and decrypted IPsec traffic
    pass out inet all keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to ( em3 67.250.120.1 ) from x.x.x.x to !67.250.120.0/21 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( ovpns1 192.168.200.1 ) from 192.168.200.1 to !192.168.200.1/32 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( ovpns2 192.168.201.1 ) from 192.168.201.1 to !192.168.201.1/32 keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to ( ppp0 66.174.121.1 ) from 75.213.12.0 to !75.213.12.0/32 keep state allow-opts label "let out anything from firewall host itself"
    pass out on $IPsec all keep state label "IPsec internal host to host"
    # NAT Reflection rules
    pass in inet tagged PFREFLECT keep state label "NAT REFLECT: Allow traffic to localhost"
    
    # User-defined rules follow
    match inet proto udp from $VoIP_Devices to any queue (qVoIP) label "USER_RULE: m_VoIP Devices"
    match proto tcp from any to any port 3389 queue (qOthersHigh,qACK) label "USER_RULE: m_Other MSRDP outbound"
    match proto tcp from any to any port 5899 >< 5931 queue (qOthersHigh,qACK) label "USER_RULE: m_Other VNC outbound"
    match inet proto tcp from any to any port $SMB_TCP queue (qOthersHigh,qACK) label "USER_RULE: m_Other SMB DEST_TCP"
    match inet proto udp from any to any port $SMB_UDP queue (qOthersHigh) label "USER_RULE: m_Other SMB DEST_UDP"
    match inet proto tcp from any port $SMB_TCP to any queue (qOthersHigh,qACK) label "USER_RULE: m_Other SMB SRC_TCP"
    match inet proto udp from any port $SMB_UDP to any queue (qOthersHigh) label "USER_RULE: m_Other SMB SRC_UDP"
    match inet proto udp from any to any port 500 queue (qVPN) label "USER_RULE: m_Other IPSEC outbound"
    match inet proto udp from any port 500 to any queue (qVPN) label "USER_RULE: m_Other IPSEC outbound"
    match inet proto ah from any to any queue (qVPN) label "USER_RULE: m_Other IPSEC outbound"
    match inet proto esp from any to any queue (qVPN) label "USER_RULE: m_Other IPSEC outbound"
    match proto tcp from any to any port 7999 >< 8101 queue (qOthersHigh,qACK) label "USER_RULE: m_Other STREAMINGMP3 outbound"
    match proto tcp from any to any port 554 queue (qOthersHigh,qACK) label "USER_RULE: m_Other RTSP1 outbound"
    match inet proto tcp from any to any port 80 queue (qDefault,qACK) label "USER_RULE: m_Other HTTP outbound"
    match inet proto tcp from any to any port 443 queue (qDefault,qACK) label "USER_RULE: m_Other HTTPS outbound"
    match inet proto tcp from $Video_Devices to any queue (qOthersHigh,qACK) label "USER_RULE: m_Other Video Playback Devices SRC_TCP"
    match inet proto udp from $Video_Devices to any queue (qOthersHigh) label "USER_RULE: m_Other Video Playback Devices SRC_UDP"
    match inet proto tcp from $Game_Consoles to any queue (qOthersHigh,qACK) label "USER_RULE: m_Other Game Consoles TCP"
    match inet proto udp from $Game_Consoles to any queue (qOthersHigh) label "USER_RULE: m_Other Game Consoles UDP"
    match proto udp from any to any port 88 queue (qGames) label "USER_RULE: m_Game xbox360-1 outbound"
    match proto udp from any to any port 3074 queue (qGames) label "USER_RULE: m_Game xbox360-2 outbound"
    match proto tcp from any to any port 3074 queue (qGames,qACK) label "USER_RULE: m_Game xbox360-3 outbound"
    match inet proto tcp from $P2P_Devices to any queue (qP2P,qACK) label "USER_RULE: m_P2P Devices SRC_TCP"
    match inet proto udp from $P2P_Devices to any queue (qP2P) label "USER_RULE: m_P2P Devices SRC_UDP"
    match inet proto tcp from any to $P2P_Devices queue (qP2P,qACK) label "USER_RULE: m_P2P Devices DEST_TCP"
    match inet proto udp from any to $P2P_Devices queue (qP2P) label "USER_RULE: m_P2P Devices DEST_UDP"
    match proto tcp from any to any port 25 queue (qOthersLow,qACK) label "USER_RULE: m_Other SMTP outbound"
    match proto tcp from any to any port 110 queue (qOthersLow,qACK) label "USER_RULE: m_Other POP3 outbound"
    match proto tcp from any to any port 143 queue (qOthersLow,qACK) label "USER_RULE: m_Other IMAP outbound"
    match proto tcp from any to any port 53 queue (qOthersHigh,qACK) label "USER_RULE: m_Other DNS1 outbound"
    match proto udp from any to any port 53 queue (qOthersHigh) label "USER_RULE: m_Other DNS2 outbound"
    match inet proto icmp from any to any queue (qOthersLow) label "USER_RULE: m_Other ICMP outbound"
    match inet proto tcp from $PenaltyBox to any queue (qOthersLow,qACK) label "USER_RULE: m_Others Penalty Box TCP"
    match inet proto udp from $PenaltyBox to any queue (qOthersLow) label "USER_RULE: m_Others Penalty Box UDP"
    pass inet proto tcp from any to any divert 41786 flags S/SA keep state ( max-packets 5 ) label "USER_RULE"
    block in quick on $WAN reply-to ( em3 67.250.120.1 ) inet from $EasyRuleBlockHostsWAN to any label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
    pass in log quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto udp from any to x.x.x.x port 1194 keep state queue (qVPN) label "USER_RULE: OpenVPN Road Warrior"
    pass in log quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto udp from any to x.x.x.x port 1195 keep state queue (qVPN) label "USER_RULE: OpenVPN Moms Site-to-Site VPN"
    pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 127.0.0.1 port 9080 flags S/SA keep state queue (qOthersHigh) label "USER_RULE: NAT HTTP pound redirect"
    pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 127.0.0.1 port 9443 flags S/SA keep state queue (qOthersHigh) label "USER_RULE: NAT HTTPS pound redirect"
    pass in log quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 192.168.0.10 port 3389 flags S/SA keep state queue (qOthersHigh) label "USER_RULE: NAT shitbox - rdp"
    pass in quick on $WAN reply-to ( em3 67.250.120.1 ) proto tcp from any to 192.168.0.10 port 21 label "USER_RULE: NAT shitbox - ftp"
    pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto udp from any to 192.168.0.10 port 5197 >< 5200 keep state queue (qOthersHigh) label "USER_RULE: NAT shitbox - EchoLink Proxy UDP"
    pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 192.168.0.10 port 5198 flags S/SA keep state queue (qOthersHigh) label "USER_RULE: NAT shitbox - EchoLink Proxy TCP"
    pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 192.168.0.20 port 15000 flags S/SA keep state queue (qP2P) label "USER_RULE: NAT nasbox - eDonkey Network"
    pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto udp from any to 192.168.0.20 port 15004 keep state queue (qP2P) label "USER_RULE: NAT nasbox - eDonkey Network"
    pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto { tcp udp } from any to 192.168.0.20 port 8525 keep state queue (qP2P) label "USER_RULE: NAT nasbox - eDonkey KAD Network"
    pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto tcp from any to 192.168.0.30 port 554 flags S/SA keep state queue (qOthersHigh) label "USER_RULE: NAT cambox - RTSP Port"
    pass in quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto udp from any to 192.168.0.30 port 4999 >< 5011 keep state queue (qOthersHigh) label "USER_RULE: NAT cambox - RTP Data Port"
    pass in log quick on $WAN reply-to ( em3 67.250.120.1 ) inet proto icmp from $Allow_ICMP to x.x.x.x keep state label "USER_RULE: Allow Ping from Allow_ICMP Alias"
    block in quick on $WAN reply-to ( em3 67.250.120.1 ) from $PrivateNetworks to any label "USER_RULE: Block Private Networks"
    pass in quick on $LAN inet proto tcp from $ManagementSubnets to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow management subnets to management ports"
    block return in log quick on $LAN inet proto tcp from any to 192.168.0.1 port $ManagementPorts flags S/SA label "USER_RULE: Reject other host to management ports"
    pass in quick on $LAN inet from any to $OpenVPN_Subnets keep state label "USER_RULE: Route OpenVPN Traffic to Default Routing Table"
    pass in quick on $LAN inet from any to $IPSec_Subnets keep state label "USER_RULE: Route IPSec Traffic to Default Routing Table"
    pass in quick on $LAN from 192.168.0.0/24 to <vpns> keep state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
    pass in quick on $LAN $GWWanFailoverTo3G from 192.168.0.0/24 to any keep state label "USER_RULE: WanFailoverTo3G"
    pass in quick on $LAN inet6 from fe80::/10 to ff02::/16 keep state label "USER_RULE: IPv6 - Allow Local-Link Addresses"
    pass in quick on $LAN inet6 from 2001:470:1f07:e7f:0:0:0:0/64 to any keep state label "USER_RULE: Default allow IPv6 LAN to any rule"
    pass in quick on $LAN inet from 192.168.0.0/24 to any keep state label "USER_RULE: Default allow IPv4 LAN to any rule"
    pass in log quick on $IPsec inet proto tcp from $ManagementSubnets to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow management subnets to management ports"
    block return in log quick on $IPsec inet proto tcp from any to 192.168.0.1 port $ManagementPorts flags S/SA label "USER_RULE: Reject other host to management ports"
    pass in quick on $IPsec inet from $IPSec_Subnets to any keep state label "USER_RULE: Default allow IPSec to any rule "
    pass in quick on $OVPN_REMOTE inet proto tcp from $ManagementSubnets to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow management subnets to management ports "
    block return in log quick on $OVPN_REMOTE inet proto tcp from any to 192.168.0.1 port $ManagementPorts flags S/SA label "USER_RULE: Reject other host to management ports"
    pass in quick on $OVPN_REMOTE inet from $OpenVPN_Subnets to any keep state label "USER_RULE: Default allow IPv4 OpenVPN to any rule"
    pass in quick on $OVPN_REMOTE inet6 from $OpenVPN_Subnets to any keep state label "USER_RULE: Default allow IPv6 OpenVPN to any rule"
    pass in quick on $OVPN_MATT inet proto tcp from $ManagementSubnets to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow management subnets to management ports"
    block return in log quick on $OVPN_MATT inet proto tcp from any to 192.168.0.1 port $ManagementPorts flags S/SA label "USER_RULE: Reject other host to management ports"
    pass in quick on $OVPN_MATT inet from $OpenVPN_Subnets to any keep state label "USER_RULE: Default allow IPv4 OpenVPN to any rule"
    pass in quick on $OVPN_MATT inet6 from $OpenVPN_Subnets to any keep state label "USER_RULE: Default allow IPv6 OpenVPN to any rule"
    pass in log quick on $WAN_IPV6 inet6 proto ipv6-icmp from any to 2001:470:1f06:e7f::2 keep state label "USER_RULE: Allow ICMP traffic to WANIPv6 Address"
    pass in log quick on $WAN_IPV6 inet6 proto ipv6-icmp from any to 2001:470:1f07:e7f::1 keep state label "USER_RULE: Allow ICMP traffic to LAN Address"
    block in quick on $VERIZON3G reply-to ( ppp0 66.174.121.1 ) from $EasyRuleBlockHostsOPT4 to any label "USER_RULE: Easy Rule: Blocked from Firewall Log View"
    pass in log quick on $WLAN_GUEST inet proto tcp from $ManagementSubnets to 192.168.0.1 port $ManagementPorts flags S/SA keep state label "USER_RULE: Allow management subnets to management ports"
    block in log quick on $WLAN_GUEST inet proto tcp from any to 192.168.0.1 port $ManagementPorts label "USER_RULE: Reject other host to management ports"
    pass in quick on $WLAN_GUEST $GWWAN inet from 192.168.5.1/24 to ! $SafeSubnets keep state dnpipe ( 1, 2) label "USER_RULE: Allow traffic only to the Internet and limit to 1MBs"
    block in log quick on $WLAN_GUEST inet from any to any label "USER_RULE: Block Everything Else"
    block in quick on $WLAN_GUEST inet6 from any to any label "USER_RULE: Block IPv6 Traffic"
    
    # VPN Rules
    pass out on $WAN route-to ( em3 67.250.120.1 ) proto udp from any to any port = 500 keep state label "IPsec: IPSec RoadWarrior - outbound isakmp"
    pass in on $WAN reply-to ( em3 67.250.120.1 ) proto udp from any to any port = 500 keep state label "IPsec: IPSec RoadWarrior - inbound isakmp"
    pass out on $WAN route-to ( em3 67.250.120.1 ) proto udp from any to any port = 4500 keep state label "IPsec: IPSec RoadWarrior - outbound nat-t"
    pass in on $WAN reply-to ( em3 67.250.120.1 ) proto udp from any to any port = 4500 keep state label "IPsec: IPSec RoadWarrior - inbound nat-t"
    pass out on $WAN route-to ( em3 67.250.120.1 ) proto esp from any to any keep state label "IPsec: IPSec RoadWarrior - outbound esp proto"
    pass in on $WAN reply-to ( em3 67.250.120.1 ) proto esp from any to any keep state label "IPsec: IPSec RoadWarrior - inbound esp proto"
    anchor "tftp-proxy/*"
    # uPnPd
    anchor "miniupnpd"
    


  • Nah, the rule does not match like that.
    You have to make it match so divert can continue.



  • What would be the best way to get it to match? I changed the rule to use LAN as the interface and dest port 110. I was still able to access it.

    
    pass  on {  em2  } inet proto tcp  from any to any port 110  divert 41786 flags S/SA keep state ( max-packets 5  )  label "USER_RULE"
    
    <rule>
        <id></id>
        <type>pass</type>
        <interface>lan</interface>
        <ipprotocol>inet</ipprotocol>
        <tag></tag>
        <tagged></tagged>
        <direction>any</direction>
        <floating>yes</floating>
        <max></max>
        <max-src-nodes></max-src-nodes>
        <max-src-conn></max-src-conn>
        <max-src-states></max-src-states>
        <statetimeout></statetimeout>
        <statetype>keep state</statetype>
        <os></os>
        <protocol>tcp</protocol>
        <source>
            <any></any>
        </source>
        <destination>
            <any></any>
            <port>110</port>
        </destination>
        <descr></descr>
        <l7container>testblocking</l7container>
    </rule>
    
    
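As an added illustration (not code from the thread or from pfSense), here is a simplified Python model of pf's rule evaluation: rules are checked top to bottom, the last matching rule wins, and a matching rule marked quick ends evaluation. Applied to rules shaped like the non-quick floating divert rule above and the interface's own "pass in quick on $LAN" default-allow rule from the dump, it shows one way a floating rule can match a packet yet not be the rule whose options (here the divert) take effect. The interface name em2, the port 41786 and the labels are taken from the pasted rules; the Rule and Packet types and the matching fields are assumptions of this model.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    label: str
    quick: bool = False
    iface: Optional[str] = None        # None: floating rule, any interface
    direction: str = "any"             # "in", "out" or "any"
    proto: Optional[str] = None        # None: any protocol
    dst_port: Optional[int] = None     # None: any destination port
    options: Dict[str, int] = field(default_factory=dict)  # e.g. divert port

@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    dst_port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return ((rule.iface is None or rule.iface == pkt.iface)
            and rule.direction in ("any", pkt.direction)
            and (rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))

def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: the last matching rule wins, unless a matching rule is
    marked quick, in which case evaluation stops at that rule."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner

# Constructed rules shaped like the thread's: a floating divert rule for
# TCP/110 on the LAN interface (em2), followed by the interface's own
# default-allow rule, which pfSense emits with quick set (as in the dump above).
DIVERT_RULE = Rule("floating divert", iface="em2", proto="tcp", dst_port=110,
                   options={"divert": 41786})
LAN_DEFAULT = Rule("Default allow LAN to any", quick=True, iface="em2",
                   direction="in")

def effective_rule(divert_quick: bool, dst_port: int) -> Tuple[str, Optional[int]]:
    """Label and divert port of the rule that applies to a LAN host's new TCP connection."""
    divert = replace(DIVERT_RULE, quick=divert_quick)
    pkt = Packet(iface="em2", direction="in", proto="tcp", dst_port=dst_port)
    winner = evaluate([divert, LAN_DEFAULT], pkt)
    return winner.label, winner.options.get("divert")
```

With the divert rule left non-quick, effective_rule(False, 110) reports the later quick default-allow rule as the winner and no divert port; with quick set on the divert rule, the divert rule wins for port 110 while port 80 still falls through to the default-allow rule.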


  • So, what's the conclusion?

    Does it work or not? I've only tried for like 10 mins to get it working but haven't thus far.



  • I do have good news about Layer 7 blocking: I was able to block all POP3 traffic from leaving my box. I still have to do more testing, but progress is being made :-) Thanks, Ermal!!!!



  • How did you fix it?



  • I didn't fix it. Ermal did… Update to the latest snapshot and give it a try.

