icmp block/pass rules in PF

icmp block/pass rules in PF

Joseph A Borg
am I being daft on this one?

pfctl passes a syntax check on a rule such as this:

        pass out on $DMZ_if \
                inet proto icmp \
                from 192.168.99.68

but not this:

        pass out on $DMZ_if \
                inet proto icmp icmp-type unreach \
                from 192.168.99.68

this is ok:

        pass out on $DMZ_if \
                inet proto icmp icmp-type $icmp-type_list

I'm resorting to having separate pass rules for localnet_if in and dmz_if out.

is this ok?
am I missing something?

regards

Re: icmp block/pass rules in PF

Joseph Borg
Tried that and a myriad of other configurations, including one-liners, as I want to understand the parser from a user perspective.

this doesn’t work:
        pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1
these work:
        pass out on $DMZ_if inet proto icmp from 192.168.2.1
        pass out on $DMZ_if inet proto icmp icmp-type echoreq

The system is amd64, 5.7 release on an Intel Bay Trail Celeron*. Maybe this is somehow breaking the parser?

I'm following The Book of PF and there is a similar example:

        pass inet proto icmp icmp-type $icmp_types from $localnet
        pass inet6 proto icmp6 icmp6-type $icmp6_types from $localnet
        pass inet proto icmp icmp-type $icmp_types to $ext_if
        pass inet6 proto icmp6 icmp6-type $icmp6_types to $ext_if

Excerpt From: Peter N.M. Hansteen. “The Book of PF: A No-Nonsense Guide to the OpenBSD Firewall.”

Curiously, the PF guide on openbsd.org doesn't include src/dst IP addresses. I'm assuming that I'm the only one having this problem and there's something stupid I'm not seeing…

Note: I break on action, interface, source, destination and options, as I'm a bit careless and easily miss something otherwise… My rulesets aren't that big anyway. When that happens I'll resort to includes.

The general, *highly simplified* syntax for filter rules is:

        action [direction] [log] [quick] \
                [on interface] [af] [proto protocol] \
                [from src_addr [port src_port]] \
                [to dst_addr [port dst_port]] \
                [flags tcp_flags] [state]

Suggestion: can we have a wiki where we can post user examples of configuration snippets of the various system services and discuss them? Or maybe an official list of recommended sources online? Unfortunately, I get to understand languages better through idiomatic use than through rules.

* head of dmesg:

OpenBSD 5.7 (GENERIC.MP) #881: Sun Mar  8 11:04:17 MDT 2015
[hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8463536128 (8071MB)
avail mem = 8234319872 (7852MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xebde0 (51 entries)
bios0: vendor American Megatrends Inc. version "F1" date 08/01/2014
bios0: Gigabyte Technology Co., Ltd. J1900M-D2P
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT MCFG LPIT HPET SSDT SSDT SSDT UEFI
acpi0: wakeup devices UAR5(S4) UAR8(S4) PS2K(S3) PS2M(S3) XHC1(S4) EHC1(S4) PXSX(S4) PXSX(S4) PXSX(S4) PXSX(S4) PWRB(S0) BRCM(S0) BRC3(S0)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Celeron(R) CPU J1900 @ 1.99GHz, 2000.47 MHz
cpu0: FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,SSE4.1,SSE4.2,MOVBE,POPCNT,DEADLINE,RDRAND,NXE,LONG,LAHF,3DNOWP,PERF,ITSC
cpu0: 1MB 64b/line 16-way L2 cache


> On 03 Sep 2015, at 23:05, ropers <[hidden email]> wrote:
>
> Amateurish guess here:
> Could it be that this hinges upon whether proto icmp is divided over two lines or not?
>
> On 3 September 2015 at 11:58, Joseph A Borg <[hidden email]> wrote:
> am I being daft on this one?
>
> pfctl passes a syntax check on a rule such as this:
>
> pass out on $DMZ_if \
>         inet proto icmp \
>         from 192.168.99.68
>
> but not this:
> pass out on $DMZ_if \
>         inet proto icmp icmp-type unreach \
>         from 192.168.99.68
>
> this is ok:
> pass out on $DMZ_if \
>         inet proto icmp icmp-type $icmp-type_list
>
> I'm resorting to having separate pass rules for localnet_if in and dmz_if out
>
> is this ok?
> am I missing something?
>
> regards

Re: icmp block/pass rules in PF

Christian Weisgerber
In reply to this post by Joseph Borg
On 2015-09-04, Joseph Borg <[hidden email]> wrote:

> this doesn’t work:
> pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1
> these work:
> pass out on $DMZ_if inet proto icmp from 192.168.2.1
> pass out on $DMZ_if inet proto icmp icmp-type echoreq

Simply searching for "icmp-type" in the pf.conf(5) man page turns up
these example lines

    pass out inet proto icmp all icmp-type echoreq

    pass on $ext_if inet proto icmp all icmp-type 8 code 0

In the grammar section, we find

     pf-rule        = action [ ( "in" | "out" ) ]
                      [ "log" [ "(" logopts ")"] ] [ "quick" ]
                      [ "on" ( ifspec | "rdomain" number ) ] [ af ]
                      [ protospec ] hosts [ filteropts ]

     filteropt      = user | group | flags | icmp-type | icmp6-type |
                      "tos" tos |
     [...]

which makes it clear that host addresses like "from 192.168.2.1"
must precede "icmp-type".

> Suggestion: can we have a wiki where we can post user examples
> of configuration snippets of the various system services and discuss
> them?

If you are already overwhelmed by the existing documentation, how
will adding even more text help?

--
Christian "naddy" Weisgerber                          [hidden email]
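Christian's point, as an added example that is not code from the thread or from OpenBSD: a small Python checker that walks one filter rule in the fixed order of the pf.conf(5) grammar he quotes (action, direction, log, quick, on, af, proto, hosts, then filteropts) and names the offending token when `from` or `to` turns up after an option such as `icmp-type`. It covers only that slice of the grammar; the macro values (`DMZ_if` as em1, `icmp_types` as a brace list) and the 192.168.2.0/24 address are constructed for the example. `pfctl -nf /etc/pf.conf` remains the authoritative check; this is for seeing why it objects, and for confirming that splitting a rule over backslash-continued lines, as in the first post, is not what breaks it.

```python
"""Order checker for one pf.conf filter rule; added example, not OpenBSD code.
Covers only the pf.conf(5) grammar slice quoted in the thread: action [in|out]
[log] [quick] [on ifspec] [af] [protospec] hosts [filteropts]. pfctl -nf is the
authoritative check; this shows why it rejects icmp-type placed before from/to."""
import re

ACTIONS = {"pass", "block", "match"}
DIRECTIONS = {"in", "out"}
AFS = {"inet", "inet6"}
# filteropt keywords this checker knows; each takes exactly one value here
FILTEROPTS = {"icmp-type", "icmp6-type", "code", "user", "group", "flags", "tos",
              "keep", "modulate", "synproxy", "label", "tag", "tagged", "queue"}
# Constructed macro values standing in for the thread's $DMZ_if and $icmp_types.
SAMPLE_MACROS = {"DMZ_if": "em1", "icmp_types": "{ echoreq, unreach }"}


def expand_macros(rule, macros):
    """Substitute $name with its definition, as pfctl does before parsing."""
    return re.sub(r"\$([A-Za-z][A-Za-z0-9_]*)", lambda m: macros[m.group(1)], rule)


def tokenize(rule):
    """Join backslash-continued lines; a { } list stays one token, the rest splits on whitespace."""
    return re.findall(r"\{[^}]*\}|\S+", rule.replace("\\\n", " "))


def parse_rule(rule, macros=SAMPLE_MACROS):
    """Return the rule's parts as a dict, or raise ValueError naming the bad token."""
    toks = tokenize(expand_macros(rule, macros))
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take(expected="token"):
        nonlocal pos
        if pos >= len(toks):
            raise ValueError(f"unexpected end of rule, expected {expected}")
        pos += 1
        return toks[pos - 1]

    parsed = {"action": take("action")}
    if parsed["action"] not in ACTIONS:
        raise ValueError(f"unknown action '{parsed['action']}'")
    for key, words in (("direction", DIRECTIONS), ("log", {"log"}), ("quick", {"quick"})):
        if peek() in words:
            parsed[key] = take()
    if peek() == "on":
        take()
        parsed["on"] = take("interface")
    if peek() in AFS:
        parsed["af"] = take()
    if peek() == "proto":
        take()
        parsed["proto"] = take("protocol")
    # hosts: "all" or [from host] [to host]; nothing here means all
    if peek() == "all":
        parsed["hosts"] = take()
    else:
        for key in ("from", "to"):
            if peek() == key:
                take()
                parsed[key] = take(f"{key} address")
    # filteropts: everything after hosts, so from/to are no longer allowed
    opts = {}
    while peek() is not None:
        tok = take()
        if tok in ("from", "to"):
            raise ValueError(f"'{tok}' after a filter option: host addresses "
                             "must precede options such as icmp-type")
        if tok not in FILTEROPTS:
            raise ValueError(f"syntax error at '{tok}'")
        opts[tok] = take(f"value for {tok}")
    parsed["filteropts"] = opts
    return parsed


def check(rule, macros=SAMPLE_MACROS):
    """(True, parsed) when the rule parses, else (False, reason)."""
    try:
        return True, parse_rule(rule, macros)
    except (ValueError, KeyError) as err:
        return False, str(err)


# Rules from the thread, the failing one with hosts moved first, and a pf.conf(5) example.
THREAD_RULES = [
    "pass out on $DMZ_if inet proto icmp icmp-type echoreq from 192.168.2.1",  # rejected
    "pass out on $DMZ_if inet proto icmp from 192.168.2.1",                    # ok
    "pass out on $DMZ_if inet proto icmp icmp-type echoreq",                   # ok
    "pass out on $DMZ_if inet proto icmp from 192.168.2.1 icmp-type echoreq",  # hosts first: ok
    "pass on $DMZ_if inet proto icmp all icmp-type 8 code 0",                  # pf.conf(5) example
    # first post's rule with its backslash continuations, hosts moved before icmp-type
    "pass out on $DMZ_if \\\n\tinet proto icmp \\\n\tfrom 192.168.99.68 icmp-type unreach",
]

if __name__ == "__main__":
    for rule in THREAD_RULES:
        ok, info = check(rule)
        print(("ok   " if ok else "FAIL ") + " ".join(rule.split()) + ("" if ok else f" -> {info}"))
```

Run as a script it classifies the rules above; the only FAIL is the first one, with the message naming `from` as the token that arrived after a filter option. The Book of PF line quoted earlier, `pass inet proto icmp icmp-type $icmp_types from $localnet`, has the same ordering and gets the same verdict from this grammar slice.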