pf to read protocol information from /etc/services ?


pf to read protocol information from /etc/services ?

Harald Dunkel-3
Hi folks,

/etc/services provides protocol information as well, so I wonder
if a pf line like

        pass in from any to (self) port telnet

could be read as

        pass in proto tcp from any to (self) port 23

?

Currently (5.6 stable) there is an error message, e.g.

        /etc/pf_gate5.conf:351: port only applies to tcp/udp
        /etc/pf_gate5.conf:351: skipping rule due to errors
        /etc/pf_gate5.conf:351: rule expands to no valid combination

I cannot follow the "no valid combination".


Just a suggestion, of course. Keep on your good work

Harri


Re: pf to read protocol information from /etc/services ?

Loïc Blot-2
Hello,
in the first example you don't specify proto tcp.


Regards,

Loïc Blot,
UNIX Systems, Network and Security Engineer
http://www.unix-experience.fr

On 27 February 2015 09:50, "Harald Dunkel" <[hidden email]> wrote:

> Hi folks,
>
> /etc/services provides protocol information as well, so I wonder
> if a pf line like
>
> pass in from any to (self) port telnet
>
> could be read as
>
> pass in proto tcp from any to (self) port 23
>
> ?
>
> Currently (5.6 stable) there is an error message, e.g.
>
> /etc/pf_gate5.conf:351: port only applies to tcp/udp
> /etc/pf_gate5.conf:351: skipping rule due to errors
> /etc/pf_gate5.conf:351: rule expands to no valid combination
>
> I cannot follow the "no valid combination".
>
> Just a suggestion, of course. Keep on your good work
>
> Harri


Re: pf to read protocol information from /etc/services ?

Harald Dunkel-3
On Fri, 27 Feb 2015 09:22:21 +0000
"Loïc Blot" <[hidden email]> wrote:

> Hello,
> in the first example you don't specify proto tcp.
>

That's the point. /etc/services says

        telnet 23/tcp

so pf could figure this out on its own.


Regards
Harri


Re: pf to read protocol information from /etc/services ?

Hugo Osvaldo Barrera-2
On 2015-02-27 10:30, Harald Dunkel wrote:

> On Fri, 27 Feb 2015 09:22:21 +0000
> "Loïc Blot" <[hidden email]> wrote:
>
> > Hello,
> > in the first example you don't specify proto tcp.
> >
>
> Thats the point. /etc/services says
>
> telnet 23/tcp
>
> so pf could figure this out on its own.
>

The syntax for this sort of thing (if it ever gets any interest and is
implemented) would probably make more sense as "service telnet" instead of
"port telnet", since you're talking about proto+port and not just port.

--
Hugo Osvaldo Barrera
A: Because we read from top to bottom, left to right.
Q: Why should I start my reply below the quoted text?



Re: pf to read protocol information from /etc/services ?

Craig Skinner-3
In reply to this post by Harald Dunkel-3
On 2015-02-27 Fri 10:30 AM |, Harald Dunkel wrote:

> On Fri, 27 Feb 2015 09:22:21 +0000
> "Loïc Blot" <[hidden email]> wrote:
>
> > in the first example you don't specify proto tcp.
> >
>
> Thats the point. /etc/services says
>
> telnet 23/tcp
>
> so pf could figure this out on its own.
>

$ awk '/^domain/ { print $2 }' /etc/services
53/tcp
53/udp

Now what? Both? Either? First? Last? Random?

--
Nothing is better than Sex.
Masturbation is better than nothing.
Therefore, Masturbation is better than Sex.


Re: pf to read protocol information from /etc/services ?

Harald Dunkel-3
On Fri, 27 Feb 2015 12:46:19 +0000
[hidden email] (Craig Skinner) wrote:

>
> $ awk '/^domain/ { print $2 }' /etc/services
> 53/tcp
> 53/udp
>
> Now what? Both? Either? First? Last? Random?
>

Both.



Re: pf to read protocol information from /etc/services ?

Research
On Feb 27, 2015, at 8:05 AM, Harald Dunkel <[hidden email]> wrote:

> On Fri, 27 Feb 2015 12:46:19 +0000
> [hidden email] (Craig Skinner) wrote:
>
>>
>> $ awk '/^domain/ { print $2 }' /etc/services
>> 53/tcp
>> 53/udp
>>
>> Now what? Both? Either? First? Last? Random?
>>
>
> Both.
>
> [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
>

Both for DNS per-RFC.  But service naming means that both TCP and UDP are implied, so HTTP in a pf rule would apply to TCP and UDP and UDP is meaningless in the context of HTTP.

Would it not be better to use service names instead of protocol (i.e.: a rule with "http" instead of "80"), but not infer protocol, as pf does now?


Re: pf to read protocol information from /etc/services ?

Maxim Khitrov
On Fri, Feb 27, 2015 at 3:40 PM, Research <[hidden email]> wrote:
> UDP is meaningless in the context of HTTP.

Well, actually... https://en.wikipedia.org/wiki/QUIC

Not really standard, but still. I now allow UDP on ports 80 and 443 to
make Google Chrome happy.


Re: pf to read protocol information from /etc/services ?

Research
On Feb 27, 2015, at 7:08 PM, Maxim Khitrov <[hidden email]> wrote:

> On Fri, Feb 27, 2015 at 3:40 PM, Research <[hidden email]> wrote:
>> UDP is meaningless in the context of HTTP.
>
> Well, actually... https://en.wikipedia.org/wiki/QUIC
>
> Not really standard, but still. I now allow UDP on ports 80 and 443 to
> make Google Chrome happy.
>

Thank you for posting that!  I see in the Wikipedia article that this was implemented in 2013, so I am a little behind the curve.  Good to learn new things.


Re: pf to read protocol information from /etc/services ?

Stuart Henderson
In reply to this post by Harald Dunkel-3
On 2015-02-27, Harald Dunkel <[hidden email]> wrote:

> Hi folks,
>
> /etc/services provides protocol information as well, so I wonder
> if a pf line like
>
> pass in from any to (self) port telnet
>
> could be read as
>
> pass in proto tcp from any to (self) port 23
>
> ?

It would be *possible* to modify pfctl's parser to handle this. The
question is whether it's worth the time to implement it and extra
complexity. Note that it would need to handle splitting the rule (cases
like "pass to service {http domain}" shouldn't allow udp to port
80). I don't think it should use the word "port" because that gives
expectations of it *only* looking at the port number.


Re: pf to read protocol information from /etc/services ?

Harald Dunkel-5

On 03/01/15 10:48, Stuart Henderson wrote:
>
> It would be *possible* to modify pfctl's parser to handle this. The question is whether it's worth the time to implement it and extra complexity. Note that it would need to handle splitting the rule (cases like "pass to service {http domain}" shouldn't allow udp to port 80). I don't think it
> should use the word "port" because that gives expectations of it *only* looking at the port number.
>

Point is that the port number is meaningless without protocol
specification. So

        pass in from any to (self) port {http telnet}

should actually be read as

        pass in from any to (self) port { 80/tcp 80/udp 23/tcp }

(I broke pf.conf syntax here just to show.)


Regards
Harri
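The thread makes two concrete points that are easier to see in code: Craig's awk lookup shows that one service name (domain) can map to several port/proto pairs, and Stuart's note that a hypothetical `service {http domain}` rule would have to be split per protocol so that the udp entry for domain does not widen the tcp-only http entry into udp/80 (the expansion Harri sketches above, written out). The following is an added example, not part of this thread and not pfctl's own parser: the `service` keyword, the function names and the rule layout are assumptions, and the /etc/services excerpt is a constructed sample rather than the real file.

```python
import re

# Constructed sample of /etc/services lines (assumption: a short excerpt in
# services(5) layout, not the real OpenBSD file).
# Format: name  port/proto  [aliases...]  [# comment]
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample)
telnet      23/tcp
domain      53/tcp
domain      53/udp
www         80/tcp    http        # World Wide Web HTTP
ntp         123/udp
"""


def parse_services(text):
    """Parse services(5)-style text into {name: [(port, proto), ...]}.

    Aliases (extra fields after port/proto) are registered under their own
    name, so 'http' resolves to the same entries as 'www'.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        m = re.fullmatch(r'(\d+)/(tcp|udp)', fields[1])
        if not m:
            continue                             # pf ports only apply to tcp/udp
        entry = (int(m.group(1)), m.group(2))
        for name in [fields[0]] + fields[2:]:
            entries = table.setdefault(name, [])
            if entry not in entries:
                entries.append(entry)
    return table


def resolve_service(table, name):
    """All (port, proto) pairs a service name maps to; KeyError if unknown
    (the equivalent of Craig's awk '/^domain/ { print $2 }' lookup)."""
    if name not in table:
        raise KeyError("unknown service: %s" % name)
    return list(table[name])


def cross_product_expansion(table, names):
    """What a naive 'port {http domain}' with an inferred 'proto {tcp udp}'
    would allow: every protocol crossed with every port, as a set of
    (proto, port) pairs. ('udp', 80) shows up here, which is the problem."""
    protos, ports = set(), set()
    for name in names:
        for port, proto in resolve_service(table, name):
            protos.add(proto)
            ports.add(port)
    return {(proto, port) for proto in protos for port in ports}


def split_expansion(table, names):
    """Per-protocol expansion: each name contributes only the (proto, port)
    pairs /etc/services actually lists for it, so udp/80 never appears."""
    return {(proto, port) for name in names
            for port, proto in resolve_service(table, name)}


def expand_service_rule(table, action, src, dst, names):
    """Turn the hypothetical 'ACTION from SRC to DST service {NAMES}' into one
    real pf.conf rule per protocol, protocols in order of first appearance."""
    by_proto, order = {}, []
    for name in names:
        for port, proto in resolve_service(table, name):
            if proto not in by_proto:
                by_proto[proto] = []
                order.append(proto)
            if port not in by_proto[proto]:
                by_proto[proto].append(port)
    rules = []
    for proto in order:
        ports = by_proto[proto]
        port_txt = (str(ports[0]) if len(ports) == 1
                    else '{ %s }' % ' '.join(str(p) for p in ports))
        rules.append("%s proto %s from %s to %s port %s"
                     % (action, proto, src, dst, port_txt))
    return rules


if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    for rule in expand_service_rule(table, "pass in", "any", "(self)",
                                    ["http", "domain"]):
        print(rule)
```

Run stand-alone it prints two rules, `pass in proto tcp from any to (self) port { 80 53 }` and `pass in proto udp from any to (self) port 53`; the cross-product variant is kept only to show the set of combinations a single inferred `proto {tcp udp}` would open, which is why the splitting step is not optional.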