Outgoing rules?



  • Hi all,
    Quick question.
    I want to create rules:

    block out on EXT_IF from any to <iana_reserved>
    block out on EXT_IF from any to <private_networks>

    I don't want to send garbage into the public network.

    But pfSense is constructed to work on IN rules!
    There is NAT from LAN to the public network on that machine (so creating inbound rules on the LAN interface is no solution!).
    And what now?



  • Why can't you create a rule on the LAN interface saying:

    Block
    Source: LAN
    Destination: iana_reserved

    Block
    Source: LAN
    Destination: private_networks

    ?



  • LAN int:
    192.168.1.1

    Block on the LAN int traffic from any to 192.168.0.0/16? - I'll block myself.
    If I leave it, I will send garbage to these networks via the public int.



  • Local traffic never goes over the router/pfSense.
    The only "problem" I see is that you might block yourself from accessing services on the pfSense.

    What I'd do in your case:
    Create 2 aliases:
    One alias called "allowed_local_traffic":
    Put into this the IP of your pfSense interface and all local subnets you use.
    One alias called "blocked_local_stuff":
    Put into this one all RFC 1918 subnets and whatever you think shouldn't go to the internet.

    Now add the following firewall rules to your LAN interface:
    1 allow-rule: source: LAN, destination: "allowed_local_traffic"
    2 allow-rule: source: LAN, destination: NOT "blocked_local_stuff"

    This way you allow traffic to your selected local destinations, and you also allow traffic to all destinations except blocked_local_stuff.
    Everything else is blocked.



  • So ok, I can do rules like that:

    block in quick on int_if from any to <bogons>

    So I won't push garbage through the WAN int, because this traffic will be blocked on INT_IF before it reaches the WAN.

    But what about a situation like this:
    One machine (e.g. ALIX) with 3 LAN ints.

    LAN1------------LAN2-----------LAN3------------WAN
    10.0.0.0/8      172.16.0.0/12  192.168.0.0/16  x.x.x.x

    And what about traffic generated directly from the firewall (e.g. log in to the console, ssh to WAN_if and ping 10.0.0.1)?
    Without a "block out" rule, I will push the packet through the WAN int to the public network.



  • Local traffic never goes over the router/pfSense.

    Are you sure?
    'Cause my tcpdump says something different.
    On the WAN int I see an ICMP packet with the source IP of my public WAN and dst e.g. 10.0.0.1, and it goes to the operator's network!



  • allow-rule: source: LAN, destination: "allowed_local_traffic"

    This will pass traffic QUICK with state!, so the other rules won't be checked.

    So the packet will pass through the WAN int (if I use e.g. allowed_local_traffic = 10.0.0.0/8).



  • @pfsense_user_123:

    So ok, I can do rules like that:

    block in quick on int_if from any to <bogons>

    So I won't push garbage through the WAN int, because this traffic will be blocked on INT_IF before it reaches the WAN.

    But what about a situation like this:
    One machine (e.g. ALIX) with 3 LAN ints.

    LAN1------------LAN2-----------LAN3------------WAN
    10.0.0.0/8      172.16.0.0/12  192.168.0.0/16  x.x.x.x

    And what about traffic generated directly from the firewall (e.g. log in to the console, ssh to WAN_if and ping 10.0.0.1)?
    Without a "block out" rule, I will push the packet through the WAN int to the public network.

    With a setup like this you'd simply update your alias containing your local nets.

    No, traffic generated by the pfSense won't be blocked.
    But then, the pfSense shouldn't be generating traffic in the first place, should it?
    I've read that it is possible to block traffic from the pfSense itself with floating rules, but I never used this nor do I know how.

    @pfsense_user_123:

    Local traffic never goes over the router/pfSense.

    Are you sure?
    'Cause my tcpdump says something different.
    On the WAN int I see an ICMP packet with the source IP of my public WAN and dst e.g. 10.0.0.1, and it goes to the operator's network!

    Did you generate this ping on the pfSense itself?
    If yes, see above.
    Did you generate this on a computer behind the pfSense? If yes, then this packet was sent to the upstream gateway because it wasn't destined for a local net.
    Otherwise the routing table would have sent it to the correct local net and not to the next hop.

    @pfsense_user_123:

    allow-rule: source: LAN, destination: "allowed_local_traffic"

    This will pass traffic QUICK with state!, so the other rules won't be checked.

    So the packet will pass through the WAN int (if I use e.g. allowed_local_traffic = 10.0.0.0/8).

    See above:
    The frame will only be passed to the next hop if the net doesn't exist locally.
    Of course, if you say you have the whole 10/8 net locally in the firewall rule but you don't, this will go to the WAN.
    Your aliases and actually existing local nets have to match.



  • I've found a solution.
    Rule syntax with "out" is available in the "Floating" tab.
    So I create the rule:
    block quick out on EXT_IF from any to <bogons>
    :-)
    WORKS FINE.

    I've also tried the concept of blocking the packet "inbound" on the local interface (which could be a better solution, to block unwanted garbage very fast before it reaches the inside of the router).
    And it works halfway.

    It looks like only TCP traffic with flags S/SA is checked by this rule (which is obvious):
    pass in log quick on vr0 inet from 192.168.1.0/24 to ! <private_networks_out> flags S/SA keep state label "USER_RULE"
    pass in log quick on vr0 inet from 192.168.1.0/24 to ! <bogons_out> flags S/SA keep state label "USER_RULE"
    A packet with SYN flags matches the rule and it's blocked.
    But the rest of the traffic (ICMP) is not going to the default block rule! - and it escapes from the WAN int:

    00:00:00.000000 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 62842, seq 8458, length 40
    00:00:05.499144 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 62842, seq 8970, length 40
    00:00:05.499085 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 62842, seq 9482, length 40
    00:00:05.499103 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 62842, seq 9994, length 40
    00:00:05.499114 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 62842, seq 10506, length 40

    hmnnn, any idea?



  • The flags only apply to TCP traffic; that rule will match ICMP also. Any traffic initiated from the firewall itself will not hit the default deny rule.



  • I know that.

    But the ping was initiated from a machine in the NAT'ed network.

    Tcpdump runs on the WAN int (and the output you see is the NATed packet on the WAN int).



  • The ICMP is matching some other rule that's passing it then. If it's passed before it hits that 'block out', that won't apply.



  • That was the first thing I checked.

    There are no ICMP rules.

    #pfctl -s rules
    scrub in on pppoe0 all no-df random-id fragment reassemble
    scrub in on vr0 all no-df random-id fragment reassemble
    anchor "relayd/" all
    block drop in log all label "Default deny rule"
    block drop out log all label "Default deny rule"
    block drop in quick inet6 all
    block drop out quick inet6 all
    block drop quick proto tcp from any port = 0 to any
    block drop quick proto tcp from any to any port = 0
    block drop quick proto udp from any port = 0 to any
    block drop quick proto udp from any to any port = 0
    block drop quick from <snort2c> to any label "Block snort2c hosts"
    block drop quick from any to <snort2c> label "Block snort2c hosts"
    block drop quick from <pfsnortsamout> to any label "Block pfSnortSamOut hosts"
    block drop quick from any to <pfsnortsamin> label "Block pfSnortSamIn hosts"
    block drop in log quick proto tcp from <sshlockout> to any port = ssh label "sshlockout"
    block drop in log quick proto tcp from <webconfiguratorlockout> to any port = https label "webConfiguratorlockout"
    block drop in quick from <virusprot> to any label "virusprot overload table"
    block drop in log quick on pppoe0 from <bogons> to any label "block bogon networks from WAN"
    block drop in on ! pppoe0 inet from my.public.ip to any
    block drop in inet from my.public.ip to any
    block drop in on pppoe0 inet6 from fe80::20d:b9ff:fe21:a5cc to any
    block drop in log quick on pppoe0 inet from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
    block drop in log quick on pppoe0 inet from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
    block drop in log quick on pppoe0 inet from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
    block drop in log quick on pppoe0 inet from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
    block drop in on ! vr0 inet from 192.168.1.0/24 to any
    block drop in inet from 192.168.1.1 to any
    block drop in on vr0 inet6 from fe80::20d:b9ff:fe21:a5cc to any
    pass in on vr0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in on vr0 inet proto udp from any port = bootpc to 192.168.1.1 port = bootps keep state label "allow access to DHCP server"
    pass out on vr0 inet proto udp from 192.168.1.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in on lo0 all flags S/SA keep state label "pass loopback"
    pass out on lo0 all flags S/SA keep state label "pass loopback"
    pass out all flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (pppoe0 my.public.gateway) inet from my.public.ip to ! my.public.ip flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out on enc0 all flags S/SA keep state label "IPsec internal host to host"
    pass in quick on vr0 proto tcp from any to (vr0) port = http flags S/SA keep state label "anti-lockout rule"
    pass in quick on vr0 proto tcp from any to (vr0) port = https flags S/SA keep state label "anti-lockout rule"
    pass in quick on vr0 proto tcp from any to (vr0) port = ssh flags S/SA keep state label "anti-lockout rule"
    anchor "userrules/*" all
    pass in quick on pppoe0 inet from 83.238.181.5 to my.public.ip flags S/SA keep state label "USER_RULE: PASS ZRE" queue(qGames, qACK)
    pass in quick on pppoe0 inet proto tcp from any to my.public.ip port = https flags S/SA keep state label "USER_RULE"
    pass in quick on vr0 inet from 192.168.1.0/24 to 192.168.1.1 flags S/SA keep state label "USER_RULE"
    pass in log quick on vr0 inet from 192.168.1.0/24 to ! <bogons_out> flags S/SA keep state label "USER_RULE"
    pass in log quick on vr0 inet from 192.168.1.0/24 to ! <private_networks_out> flags S/SA keep state label "USER_RULE"
    pass in quick on enc0 all flags S/SA keep state label "USER_RULE"
    pass in quick on openvpn all flags S/SA keep state label "USER_RULE"
    pass out on pppoe0 route-to (pppoe0 my.public.gateway) inet proto udp from any to any port = isakmp keep state label "IPsec: any - outbound isakmp"
    pass in on pppoe0 reply-to (pppoe0 my.public.gateway) inet proto udp from any to any port = isakmp keep state label "IPsec: any - inbound isakmp"
    pass out on pppoe0 route-to (pppoe0 my.public.gateway) inet proto udp from any to any port = sae-urn keep state label "IPsec: any - outbound nat-t"
    pass in on pppoe0 reply-to (pppoe0 my.public.gateway) inet proto udp from any to any port = sae-urn keep state label "IPsec: any - inbound nat-t"
    pass out on pppoe0 route-to (pppoe0 my.public.gateway) inet proto esp all keep state label "IPsec: any - outbound esp proto"
    pass in on pppoe0 reply-to (pppoe0 my.public.gateway) inet proto esp all keep state label "IPsec: any - inbound esp proto"
    anchor "tftp-proxy/*" all

    #pfctl -s nat
    nat-anchor "natearly/" all
    nat-anchor "natrules/*" all
    nat on pppoe0 inet from 192.168.1.0/24 port = isakmp to any port = isakmp -> my.public.ip port 500
    nat on pppoe0 inet from 192.168.33.0/24 port = isakmp to any port = isakmp ->my.public.ip port 500
    nat on pppoe0 inet from 192.168.254.0/24 port = isakmp to any port = isakmp -> my.public.ip port 500
    nat on pppoe0 inet from 127.0.0.0/8 port = isakmp to any port = isakmp -> my.public.ip port 500
    nat on pppoe0 inet from 192.168.1.0/24 to any -> my.public.ip port 1024:65535
    nat on pppoe0 inet from 192.168.33.0/24 to any -> my.public.ip port 1024:65535
    nat on pppoe0 inet from 192.168.254.0/24 to any -> my.public.ip port 1024:65535
    nat on pppoe0 inet from 127.0.0.0/8 to any -> my.public.ip port 1024:65535
    nat on pppoe0 inet from 127.0.0.1 to any -> my.public.ip port 1024:65535
    rdr-anchor "relayd/" all
    rdr-anchor "tftp-proxy/*" all
    rdr pass on pppoe0 inet proto udp from any to my.public.ip port = tftp -> 127.0.0.1 port 69
    rdr-anchor "miniupnpd" all

    #ftp 10.1.1.1
    #tcpdump -n -e -ttt -i pflog0 host 10.1.1.1
    tcpdump: WARNING: pflog0: no IPv4 address assigned
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
    00:00:00.000000 rule 42/0(match): pass in on vr0: 192.168.1.2.3663 > 10.1.1.1.21:  tcp 28 [bad hdr length 0 - too short, < 20]

    #ping 10.1.1.1
    #tcpdump -n -e -ttt -i pppoe0 host 10.1.1.1
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on pppoe0, link-type NULL (BSD loopback), capture size 96 bytes
    00:00:00.000000 AF IPv4 (2), length 64: my.public.ip > 10.1.1.1: ICMP echo request, id 22837, seq 49676, length 40
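    The posts above turn on two pf evaluation details: "last matching rule wins unless a matching rule is quick", and "flags S/SA only constrains TCP, so ICMP is matched by the same rule without any flag check". The following is an added example, not pfSense code or anything from this thread: a small stateless model of pf rule matching in Python, run over a trimmed reconstruction of the LAN rules quoted in the pfctl output. Tables, packets and rule labels are constructed for the demo; it assumes (as in pfSense) that the bogons table does not contain RFC 1918 space, and it does not model state tables or NAT, only rule selection for the first packet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed tables. Assumption: the bogons table does NOT contain RFC 1918
# space; private networks live in a separate table, as pfSense keeps them.
TABLES = {
    "bogons_out": ["0.0.0.0/8", "100.64.0.0/10", "240.0.0.0/4"],
    "private_networks_out": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
}

@dataclass
class Packet:
    direction: str       # "in" or "out"
    iface: str           # interface the packet is seen on
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: str = ""  # e.g. "S", "SA", "A"; ignored for non-TCP

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    direction: Optional[str] = None
    iface: Optional[str] = None
    quick: bool = False
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR, or None for "any"
    dst: Optional[str] = None      # CIDR or "<table>", optional leading "!"
    flags: Optional[str] = None    # e.g. "S/SA"
    label: str = ""

def addr_matches(addr: str, spec: Optional[str]) -> bool:
    """Match an address against a CIDR or <table> spec, honouring a leading '!'."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    spec = spec.lstrip("! ")
    if spec.startswith("<"):
        hit = any(ip_address(addr) in ip_network(n) for n in TABLES[spec.strip("<>")])
    else:
        hit = ip_address(addr) in ip_network(spec)
    return hit != negate

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if not (addr_matches(pkt.src, rule.src) and addr_matches(pkt.dst, rule.dst)):
        return False
    # "flags S/SA" only constrains TCP: of the flags in the mask (SA), exactly S
    # must be set. For ICMP or UDP the clause is never consulted.
    if rule.flags and pkt.proto == "tcp":
        want, mask = rule.flags.split("/")
        if {f for f in pkt.tcp_flags if f in mask} != set(want):
            return False
    return True

def evaluate(rules: list, pkt: Packet) -> tuple:
    """pf semantics: the LAST matching rule wins, unless a matching rule is
    'quick', which stops evaluation there. Returns (action, label)."""
    winner: Optional[Rule] = None
    for rule in rules:
        if rule_matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return (winner.action, winner.label) if winner else ("pass", "no rule matched")

# Trimmed reconstruction of the LAN-relevant rules from the pfctl output above.
PAGE_RULES = [
    Rule("block", "in", label="Default deny rule"),
    Rule("block", "out", label="Default deny rule"),
    Rule("pass", "in", "vr0", quick=True, src="192.168.1.0/24", dst="192.168.1.1",
         flags="S/SA", label="USER_RULE to firewall"),
    Rule("pass", "in", "vr0", quick=True, src="192.168.1.0/24", dst="! <bogons_out>",
         flags="S/SA", label="USER_RULE ! bogons_out"),
    Rule("pass", "in", "vr0", quick=True, src="192.168.1.0/24", dst="! <private_networks_out>",
         flags="S/SA", label="USER_RULE ! private_networks_out"),
]

# Hardened variant: an explicit quick block for private destinations placed
# BEFORE the pass rules, so no negated pass rule can let them through first.
HARDENED_RULES = PAGE_RULES[:2] + [
    Rule("block", "in", "vr0", quick=True, src="192.168.1.0/24",
         dst="<private_networks_out>", label="block LAN to private nets"),
] + PAGE_RULES[2:]

def demo() -> dict:
    icmp = Packet("in", "vr0", "icmp", "192.168.1.2", "10.1.1.1")
    syn = Packet("in", "vr0", "tcp", "192.168.1.2", "10.1.1.1", tcp_flags="S")
    ack = Packet("in", "vr0", "tcp", "192.168.1.2", "10.1.1.1", tcp_flags="A")
    return {
        "icmp/page": evaluate(PAGE_RULES, icmp),
        "syn/page": evaluate(PAGE_RULES, syn),
        "ack/page": evaluate(PAGE_RULES, ack),
        "icmp/hardened": evaluate(HARDENED_RULES, icmp),
        "syn/hardened": evaluate(HARDENED_RULES, syn),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

    Under the stated assumption, both the ICMP echo and the TCP SYN to 10.1.1.1 are passed by the `! <bogons_out>` rule, because 10.1.1.1 is simply not a bogon and that quick pass rule sits before the `! <private_networks_out>` rule ever gets a look; this is consistent with the pflog line above showing `pass in on vr0` for the FTP SYN. A negated destination in a pass rule can only ever exempt the one table it names, so two such rules do not combine into "block both tables"; an explicit block rule ahead of them (or a single pass rule whose alias holds both tables) does.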



  • OK,
    where can I find this rule in the web GUI configurator?

    pass out route-to (pppoe0 my.public.gateway) inet from my.public.ip to ! my.public.ip flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    ???

