# pf https



## jemate18 (Feb 3, 2010)

I have been successful now in making a transparent proxy server.

All my clients can now browse.

I have also configured and enabled ftp-proxy

The problem is that clients can't browse https sites.

How can I enable or let 443 / https out directly?

Here is my pf.conf

```
i="em1" #LAN
x="em0" #PUBLIC
lan="192.168.2.0/24"

tcp_services="{ssh,smtp, domain, www, https, ntp, imap, 3128}"

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

set skip on lo0

rdr on $i inet proto tcp from $lan to any port www -> $gw port 3128

rdr on $i inet proto tcp from $lan to any port ftp -> $gw port 8021

pass in log on $i inet proto tcp from $lan to $gw port $tcp_services keep state

pass out log on $x inet proto tcp from any to any port $tcp_services keep state
```

Regards


----------



## dennylin93 (Feb 3, 2010)

Did you define $gw?

HTTPS should be the same as other protocols.

```
pass from any to any port https
```


----------



## jemate18 (Feb 3, 2010)

dennylin93 said:

> Did you define $gw?
> 
> HTTPS should be the same as other protocols.
> 
> ...




I have `gw="127.0.0.1"`.

Then I appended `pass from any to any port https` to pf.conf.

I got an error on `pfctl -f /etc/pf.conf`:


```
skipping rule due to errors
rule expands to no valid combination
```


----------



## dennylin93 (Feb 3, 2010)

Sorry, I accidentally left out the "proto" part.

This should fix it:

```
pass proto tcp from any to any port https
```


----------



## jemate18 (Feb 3, 2010)

dennylin93 said:

> Sorry, I accidentally left out the "proto" part.
> 
> This should fix it:
> 
> ...




Added that one at the end of my pf.conf

Still the same, not working..


----------



## jemate18 (Feb 4, 2010)

Still no luck on the https thing.

I have appended this to pf.conf:
```
pass in log on $i inet proto tcp from any to any port 443 keep state

pass out log on $x inet proto tcp from any to any port 443 keep state
```

What else could have been missing?


----------



## graudeejs (Feb 4, 2010)

AFAIK you need to pass both tcp and udp.
Am I wrong?


----------



## jemate18 (Feb 4, 2010)

killasmurf86 said:

> AFAIK you need to pass both tcp and udp.
> Am I wrong?



Thanks for your reply. I added your suggestion:

```
pass in log on $i inet proto tcp from any to any port 443 keep state
pass in log on $i inet proto udp from any to any port 443 keep state
pass out log on $x inet proto tcp from any to any port 443 keep state
pass out log on $x inet proto udp from any to any port 443 keep state
```

Still not working though...


Here is `tcpdump -i em1`.

Entries repeating until it stops:

```
IP 192.168.2.10.45105 > sin01s01-in-f104.1e100.net.https: Flags [S], seq 774092576, win 5840, options [mss 1460,sackOK,TS val 125871 ecr 0,nop,wscale 6], length 0
```

I think https was allowed outside, but it can't get a reply or can't get back inside... Or I'm getting its interpretation all wrong.

Regards


----------



## jemate18 (Feb 4, 2010)

Here is my complete PF

```
# Declaration of variables
i="em1"
x="em0"

lan="192.168.2.0/24"
gw="127.0.0.1"
tcp_services="{ ssh, smtp, domain, www, ntp, imap, 3128, \
                ftp-proxy, 3128 }"
udp_services="{ domain, ntp }"
icmp_types="{ echoreq, unreach }"
www="{ 80:83, 1080, 8080:8081, 8088, 11523 }"

set block-policy return
set loginterface $x
set skip on lo

scrub in all

# required for ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#-----Network Address Translation------#

# Perform NAT for the entire LAN
nat on $x from $i to any -> ($x)

#-----Redirection------#

# Redirect requests from LAN:80 to 127.0.0.1:3128 (squid)
# This allows clients to access the web using the proxy
rdr on $i inet proto tcp from $lan to any port $www -> $gw port 3128

# Redirect ftp traffic from LAN:21 to 127.0.0.1:8021 (ftp-proxy)
# This allows clients to access FTP sites
rdr on $i inet proto tcp from $lan to any port ftp -> $gw port ftp-proxy

# Redirect ssh traffic from INTERNET:22 to 127.0.0.1 (ssh)
# This allows ssh access from the INTERNET
rdr on $x inet proto tcp from any to any port ssh -> $x

# Redirect attempts from the INTERNET to connect to TCP:80 on the
# firewall. Legitimate attempts to access this port will be from users
# trying to access the network's web server. These connection attempts
# need to be redirected to WEBPC. Change the ip address that corresponds
# to your web server
# rdr on $x inet proto tcp from any to any port $www -> 192.168.2.23

#-----Filter Rules------#

# Default deny all
block in

anchor "ftp-proxy/*"

# Protection from spoofed address
antispoof quick for { lo $i }

# Allow incoming requests from the INTERNET destined to the firewall
# itself. Uncomment this to open ports from $tcp_services and
# $udp_services to be available for the INTERNET
# pass in on $x inet proto tcp from any to ($x) port $tcp_services flags S/SA keep state
# pass in on $x inet proto udp from any to ($x) port $udp_services flags S/SA keep state

# Having an rdr rule which passes the web server traffic to
# 192.168.2.23, we MUST also pass this traffic through the firewall
# Uncomment this when you have enabled the web server to be available
# on the INTERNET
# pass in on $x inet proto tcp from any to 192.168.2.23 port 80 flags S/SA synproxy state

# For an added bit of security, we'll make use of TCP SYN Proxy to protect
# the web server. ICMP traffic needs to be passed:
# This rule applies to all interfaces. Change it if you want to
# apply the rule to a particular interface
pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow incoming tcp_services from LAN to ANY
pass in log on $i inet proto tcp from $lan to any port $tcp_services keep state

# Allow incoming udp_services from LAN to ANY
pass in log on $i inet proto udp from $lan to any port $udp_services keep state

# Allow outgoing tcp_services from LAN to INTERNET
pass out log on $x inet proto tcp from any to any port $tcp_services keep state

# Allow outgoing udp_services from LAN to INTERNET
pass out log on $x inet proto udp from any to any port $udp_services keep state

# TCP, UDP, and ICMP traffic is permitted to exit the firewall towards
# the INTERNET. State information is kept so that the returning
# packets will be passed back in through the firewall. This passes ALL
# pass out keep state
```

What else do I need to do?

Regards,


----------



## jemate18 (Feb 4, 2010)

I'm running out of resources...

Help...


----------



## SirDice (Feb 4, 2010)

You cannot transparently proxy https.

It would basically mean you'll be performing a man-in-the-middle attack.


----------



## jemate18 (Feb 4, 2010)

SirDice said:

> You cannot transparently proxy https.
> 
> It would basically mean you'll be performing a man-in-the-middle attack.



Thanks,

So what do I need to do to make it work, so that clients are able to access https sites?


----------



## SirDice (Feb 4, 2010)

Either allow them direct access to the https sites or set up squid non-transparent.


----------



## jemate18 (Feb 4, 2010)

So how do I give them direct access in my kind of setup? Non-transparent is not an option for me. I've been working on this for 5 days; it's the https thing that is left.
Do I need to modify the pf.conf to allow access directly? Or do I have to do something else?
Regards once again


----------



## dennylin93 (Feb 4, 2010)

You can't proxy HTTPS traffic, so just allow it through. As far as I know, HTTPS only uses TCP port 443, so allowing it in /etc/pf.conf should be enough.

If you're still unable to allow HTTPS through, there might be problems with your PF settings or network or browsers.


----------



## DutchDaemon (Feb 4, 2010)

jemate18, do you actually have IP forwarding turned on? 

From your first post I gather you're only redirecting 'port www' (80), and 'port ftp' (21), so you're probably not transparently proxying https (which is only possible with local termination of SSL, let's not go there..), which is OK. 

But allowing traffic straight through means you will have to allow the incoming packets out without local interception/redirection.  If http and ftp work, but https does not, the cause is most likely that you're intercepting and redirecting http and ftp (making the firewall itself the origin of the requests), but not https (making the original requester's IP the origin of the request). 

That means turning IP forwarding on.


----------



## jemate18 (Feb 5, 2010)

Hi Dutch,

I have edited /etc/sysctl.conf:

```
net.inet.ip.forwarding=1
net.inet.ip.fw.default_to_accept="1"
```

then ran `/etc/rc.d/sysctl restart`.

still the same, not working ....

I also added that to /boot/loader.conf


----------



## DutchDaemon (Feb 5, 2010)

Ok, remove all of that and just put GATEWAY_ENABLE="yes" in /etc/rc.conf. It certainly does not belong in /boot/loader.conf.

pf.conf:


```
pass in quick on $i inet proto tcp from $lan to any port 443 keep state
pass out quick on $x inet proto tcp from $lan to any port 443 keep state
```

or add https to your existing tcp_services macro, I guess. No need for udp here.


----------



## jemate18 (Feb 5, 2010)

Ok... this is my complete rc.conf

```
# -- sysinstall generated deltas -- # Wed Feb  3 19:01:31 2010
# Created: Wed Feb  3 19:01:31 2010
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

gateway_enable="YES"
hostname="farahcat.upou.edu.ph"
ifconfig_em0="inet xxx.xxx.xxx.xxx  netmask 255.255.255.240"
defaultrouter="xxx.xxx.xxx.xxx"
ifconfig_em1="inet 192.168.2.2 netmask 255.255.255.0"
keymap="us.iso"

#Services
sshd_enable="YES"
squid_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
ftpproxy_enable="YES"
dnsmasq_enable="YES"
dhcpd_enable="YES"
dhcpd_ifaces="em1"
```

And this is my complete pf.conf

```
# Declaration of variables
i="em1"
x="em0"

lan="192.168.2.0/24"
gw="127.0.0.1"
tcp_services="{ https, ssh, smtp, domain, www, ntp, imap, 3128, ftp-proxy, 3128 }"
udp_services="{ domain, ntp }"
icmp_types="{ echoreq, unreach }"
www="{ 80:83, 1080, 8080:8081, 8088, 11523 }"

set block-policy return
set loginterface $x
set skip on lo
scrub in all

# required for ftp-proxy
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#-----Network Address Translation------#

# Perform NAT for the entire LAN
nat on $x from $i to any -> ($x)

#-----Redirection----------------------#

# Redirect requests from LAN:80 to 127.0.0.1:3128 (squid)
# This allows clients to access the web using the proxy
rdr on $i inet proto tcp from $lan to any port $www -> $gw port 3128

# Redirect ftp traffic from LAN:21 to 127.0.0.1:8021 (ftp-proxy)
# This allows clients to access FTP sites
rdr on $i inet proto tcp from $lan to any port ftp -> $gw port ftp-proxy

# Redirect attempts from the INTERNET to connect to TCP:80 on the
# firewall. Legitimate attempts to access this port will be from users
# trying to access the network's web server. These connection attempts
# need to be redirected to WEBPC. Change the ip address that corresponds
# to your web server
# rdr on $x inet proto tcp from any to any port $www -> 192.168.2.23

#-----Filter Rules------#

# Default deny all
block in

anchor "ftp-proxy/*"

# Protection from spoofed address
antispoof quick for { lo $i }

# Allow incoming requests from the INTERNET destined to the firewall
# itself. Uncomment this to open ports from $tcp_services and
# $udp_services to be available for the INTERNET
# pass in on $x inet proto tcp from any to ($x) port $tcp_services flags S/SA keep state
# pass in on $x inet proto udp from any to ($x) port $udp_services flags S/SA keep state

# Having an rdr rule which passes the web server traffic to
# 192.168.2.23, we MUST also pass this traffic through the firewall
# Uncomment this when you have enabled the web server to be available
# on the INTERNET
# pass in log on $x inet proto tcp from any to 192.168.2.23 port 80 flags S/SA synproxy state

# For an added bit of security, we'll make use of TCP SYN Proxy to protect
# the web server. ICMP traffic needs to be passed:
# This rule applies to all interfaces. Change it if you want to
# apply the rule to a particular interface
pass in inet proto icmp all icmp-type $icmp_types keep state

# Allow incoming ssh request from INTERNET:22 to Firewall
pass in log on $x inet proto tcp from any to $x port ssh keep state

# Allow incoming tcp_services from LAN to ANY
pass in log on $i inet proto tcp from $lan to any port $tcp_services keep state

# Allow incoming udp_services from LAN to ANY
pass in log on $i inet proto udp from $lan to any port $udp_services keep state

# Allow outgoing tcp_services from Firewall to INTERNET
# For some reason, if I change "from any" to "from $x" the connection works
# but is very slow
pass out log on $x inet proto tcp from $x to any port $tcp_services keep state

# Allow outgoing udp_services from Firewall to INTERNET
pass out log on $x inet proto udp from $x to any port $udp_services keep state

# TCP, UDP, and ICMP traffic is permitted to exit the firewall towards
# the INTERNET. State information is kept so that the returning
# packets will be passed back in through the firewall. This passes ALL
# pass out keep state

pass in quick on $i inet proto tcp from $lan to any port 443 keep state
pass out quick on $x inet proto tcp from $lan to any port 443 keep state
```

I have also this in my sysctl.conf

```
net.inet.tcp.blackhole=2
net.inet.udp.blackhole=1
net.inet.ip.fw.default_to_accept="1"
net.inet.ip.forwarding=1
```


What could be missing
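The thread keeps coming back to whether the box forwards packets at all, and to settings that were put in the wrong file (ipfw knobs in sysctl.conf, a runtime sysctl in loader.conf). The following is an added example, not tooling from any of the posters: it reads rc.conf, sysctl.conf and loader.conf as text and reports those mistakes. It relies on two facts: `gateway_enable` in rc.conf is the setting the rc scripts use to turn on `net.inet.ip.forwarding` at boot, and every `net.inet.ip.fw.*` knob belongs to ipfw, not pf. The sample inputs are constructed to mirror what was posted here, with the public address masked as in the thread; the list of "known" sysctls is deliberately tiny and only an assumption of this checker.

```python
"""Audit whether a FreeBSD gateway is really set up to forward packets.
Added example for this thread, not any poster's tooling.  It reads rc.conf,
sysctl.conf and loader.conf as text and reports the mistakes the thread ran
into: gateway_enable in rc.conf is the setting the rc scripts use to turn on
net.inet.ip.forwarding at boot; net.inet.ip.fw.* knobs belong to ipfw and do
nothing for pf; net.inet.ip.forwarding is a runtime sysctl, not a loader
tunable."""
import re

ASSIGN_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_.]*)\s*=\s*(.*)$")

# sysctls this checker knows (an assumption); anything else is reported for manual checking
KNOWN_SYSCTLS = {"net.inet.ip.forwarding", "net.inet.tcp.blackhole", "net.inet.udp.blackhole"}

def parse_assignments(text):
    """name=value lines as in rc.conf/sysctl.conf/loader.conf; comments dropped, quotes stripped."""
    out = {}
    for raw in text.splitlines():
        m = ASSIGN_RE.match(raw.split("#", 1)[0].strip())
        if m:
            out[m[1]] = m[2].strip().strip("\"'")
    return out

def checkyesno(value):
    """The truth test rc.subr's checkyesno applies to rc.conf values."""
    return value.strip().lower() in ("yes", "true", "on", "1")

def audit_forwarding(rc_conf, sysctl_conf, loader_conf):
    """Return a list of findings; empty means forwarding is configured the rc.conf way."""
    findings = []
    rc = parse_assignments(rc_conf)
    if not checkyesno(rc.get("gateway_enable", "NO")):
        findings.append("rc.conf: gateway_enable is not YES; the host will not forward LAN traffic")
    for name in parse_assignments(sysctl_conf):
        if name.startswith("net.inet.ip.fw."):
            findings.append(f"sysctl.conf: {name} is an ipfw setting and has no effect on pf")
        elif name not in KNOWN_SYSCTLS:
            findings.append(f"sysctl.conf: {name} is unknown to this checker; verify it with sysctl -a")
    if "net.inet.ip.forwarding" in parse_assignments(loader_conf):
        findings.append("loader.conf: net.inet.ip.forwarding is a runtime sysctl, not a loader tunable; "
                        "use gateway_enable in rc.conf")
    return findings

# Constructed inputs modelled on what the thread posted (public address masked as in the thread).
RC_CONF = '''
gateway_enable="YES"
ifconfig_em0="inet xxx.xxx.xxx.xxx netmask 255.255.255.240"
ifconfig_em1="inet 192.168.2.2 netmask 255.255.255.0"
pf_enable="YES"
'''
SYSCTL_CONF = '''
net.inet.tcp.blackhole=2
net.inet.tcp.udp.blackhole=1        # misspelt: the real name is net.inet.udp.blackhole
net.inet.ip.fw.default_to_accept="1"
net.inet.ip.forwarding=1
'''
LOADER_CONF = '''
net.inet.ip.forwarding=1
net.inet.ip.fw.default_to_accept="1"
'''

if __name__ == "__main__":
    for finding in audit_forwarding(RC_CONF, SYSCTL_CONF, LOADER_CONF):
        print(finding)
```

On the posted inputs the rc.conf side is clean and the three findings all come from sysctl.conf and loader.conf, which matches the advice in the thread: keep `gateway_enable="YES"` in rc.conf and drop the rest.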


----------



## DutchDaemon (Feb 5, 2010)

Remove 'log' from all of the 'pass' rules and add it to the 'block' rule. Then run a tcpdump on pflog0 and see what still gets blocked. Try moving those two rules at the end to the top as well. And add 'quick' to the 'pass' rules if you want those rules to take immediate effect (instead of sending each packet through the entire ruleset). You should only omit 'quick' when you want to make an exception later in the ruleset. The same goes for 'block' rules, except for the generic one at the top, of course ...

You can always run `pfctl -sr` to see all of your rules in full detail and in order.
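To make the 'quick' and last-match behaviour described above concrete, here is an added toy model in Python; it is not pf's code and not from anyone in the thread. It parses the subset of `pfctl -sr` output seen here and applies only the evaluation order: rules are read top to bottom, the last matching rule decides, a matching rule with 'quick' stops evaluation, and a packet matching no rule passes. Keep-state lookups, NAT/rdr rewriting, destination addresses, anchors and 'set skip' are deliberately not modelled. The ruleset is constructed from the thread's own rules plus one invented `block` rule for 203.0.113.0/24 (a documentation range) so that last-match-wins is visible without 'quick'.

```python
"""Toy model of pf rule evaluation (added illustration, not pf's own code).
Rules are read top to bottom; the LAST matching rule decides, except that a
matching rule marked 'quick' ends evaluation at once; a packet that matches
no rule passes.  Not modelled: keep-state lookups, NAT/rdr rewriting,
destination addresses, anchors and 'set skip'."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Service names as pfctl -sr prints them, for the ports used in this thread.
PORT_NAMES = {"https": 443, "http": 80, "www": 80, "ssh": 22, "ftp": 21, "domain": 53}

@dataclass
class Rule:
    action: str                                  # "pass" or "block"
    direction: str = "any"                       # "in", "out" or "any"
    iface: Optional[str] = None                  # None: any interface
    proto: Optional[str] = None                  # None: any protocol
    src: Optional[ipaddress.IPv4Network] = None  # None: any source
    dport: Optional[int] = None                  # None: any destination port
    quick: bool = False
    text: str = ""

@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: ipaddress.IPv4Address
    dport: int

def parse_rule(line):
    """Parse the subset of pfctl -sr output this thread uses."""
    toks = line.split()
    rule = Rule(action=toks[0], text=line)
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok == "quick":
            rule.quick = True
        elif tok == "on":
            i += 1
            rule.iface = toks[i]
        elif tok == "proto":
            i += 1
            rule.proto = toks[i]
        elif tok == "from":
            i += 1
            if toks[i] != "any":
                rule.src = ipaddress.ip_network(toks[i], strict=False)
        elif tok == "port":
            i += 1
            if toks[i] == "=":          # pfctl -sr prints "port = https"
                i += 1
            rule.dport = PORT_NAMES.get(toks[i]) or int(toks[i])
        # inet, to any, all, log, return, flags S/SA, keep state: nothing this model needs
        i += 1
    return rule

def matches(rule, pkt):
    return (rule.direction in ("any", pkt.direction)
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and (rule.src is None or pkt.src in rule.src)
            and rule.dport in (None, pkt.dport))

def evaluate(rules, pkt):
    """Return (verdict, text of the deciding rule, or None when the default applied)."""
    verdict, decider = "pass", None            # pf passes what no rule matches
    for rule in rules:
        if matches(rule, pkt):
            verdict, decider = rule.action, rule.text
            if rule.quick:
                break                          # 'quick': rules below are not consulted
    return verdict, decider

# Constructed ruleset in pfctl -sr form, modelled on the thread's output; the
# 203.0.113.0/24 block rule is invented to show last-match-wins without 'quick'.
RULESET = [parse_rule(line) for line in """
block return in all
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = https flags S/SA keep state
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = 3128 flags S/SA keep state
pass in on em0 inet proto tcp from any to any port = ssh flags S/SA keep state
block in on em0 inet proto tcp from 203.0.113.0/24 to any port = ssh
""".strip().splitlines()]

def check(direction, iface, proto, src, dport):
    return evaluate(RULESET, Packet(direction, iface, proto, ipaddress.ip_address(src), dport))

if __name__ == "__main__":
    for args in [("in", "em1", "tcp", "192.168.2.10", 443),   # 'quick' https rule decides
                 ("in", "em1", "tcp", "192.168.2.10", 8443),  # only 'block in all' matches
                 ("in", "em0", "tcp", "198.51.100.7", 22),    # last match: the ssh pass rule
                 ("in", "em0", "tcp", "203.0.113.5", 22),     # last match: the later block
                 ("out", "em0", "tcp", "192.168.2.10", 443)]: # no 'out' rule: default pass
        print(args, "->", check(*args))
```

The last case is worth noticing: with only `block in` at the top (as in the `pfctl -sr` output posted in this thread), outbound packets that match no rule are passed by pf's default, so an outbound SYN leaving em0 is not what such a ruleset blocks.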


----------



## jemate18 (Feb 5, 2010)

Ok, so I have moved the last 2 lines to the beginning of the filter rules:

```
block in

anchor "ftp-proxy/*"

antispoof quick for {lo $i}

pass in quick on $i inet proto tcp from $lan to any port 443 keep state
pass out quick on $x inet proto tcp from $lan to any port 443 keep state
```

Here is the result of `pfctl -sr`:

```
scrub in all fragment reassemble
block return in all
anchor "ftp-proxy/*" all
block drop in quick on ! lo inet6 from ::1 to any
block drop in quick on ! lo inet from 127.0.0.0/8 to any
block drop in quick on lo0 inet6 from fe80::1 to any
block drop in quick inet6 from ::1 to any
block drop in quick inet from 127.0.0.1 to any
block drop in quick on ! em1 inet from 192.168.2.0/24 to any
block drop in quick inet from 192.168.2.2 to any
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = https flags S/SA keep state
pass out quick on em0 inet proto tcp from 192.168.2.0/24 to any port = https flags S/SA keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in inet proto icmp all icmp-type unreach keep state
pass in on em0 inet proto tcp from any to xxx.xxx.xxx.xxx port = ssh flags S/SA keep state
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = ssh flags S/SA keep state
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = smtp flags S/SA keep state
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = domain flags S/SA keep state
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = http flags S/SA keep state
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = ntp flags S/SA keep state
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = imap flags S/SA keep state
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = 3128 flags S/SA keep state
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = ftp-proxy flags S/SA keep state
pass in quick on em1 inet proto tcp from 192.168.2.0/24 to any port = 3128 flags S/SA keep state
pass in quick on em1 inet proto udp from 192.168.2.0/24 to any port = domain keep state
pass in quick on em1 inet proto udp from 192.168.2.0/24 to any port = ntp keep state
pass out quick on em0 inet proto tcp from xxx.xxx.xxx.xxx to any port = ssh flags S/SA keep state
pass out quick on em0 inet proto tcp from xxx.xxx.xxx.xxx to any port = smtp flags S/SA keep state
pass out quick on em0 inet proto tcp from xxx.xxx.xxx.xxx to any port = domain flags S/SA keep state
pass out quick on em0 inet proto tcp from xxx.xxx.xxx.xxx to any port = http flags S/SA keep state
pass out quick on em0 inet proto tcp from xxx.xxx.xxx.xxx to any port = ntp flags S/SA keep state
pass out quick on em0 inet proto tcp from xxx.xxx.xxx.xxx to any port = imap flags S/SA keep state
pass out quick on em0 inet proto tcp from xxx.xxx.xxx.xxx to any port = 3128 flags S/SA keep state
pass out quick on em0 inet proto tcp from xxx.xxx.xxx.xxx to any port = ftp-proxy flags S/SA keep state
pass out quick on em0 inet proto tcp from xxx.xxx.xxx.xxx to any port = 3128 flags S/SA keep state
pass out quick on em0 inet proto udp from xxx.xxx.xxx.xxx to any port = domain keep state
pass out quick on em0 inet proto udp from xxx.xxx.xxx.xxx to any port = ntp keep state
```

Then I restarted the services:

```
squid -k reconfigure
pfctl -f /etc/pf.conf
```

Still the same....


----------



## DutchDaemon (Feb 5, 2010)

Have you looked at pflog yet? Add log to that first block rule!


----------



## DutchDaemon (Feb 5, 2010)

If all else fails, start with a small pf.conf and build it one step at a time, so you can see which rule fails. This ruleset will allow everything from the LAN and from the firewall to the Internet. It allows nothing in from the Internet (for now).


```
# Declaration of variables
i="em1"
x="em0"
lan="192.168.2.0/24"

set block-policy return
set skip on lo0

scrub in all fragment reassemble

nat on $x from $i to any -> $x

antispoof log quick for $x
antispoof log quick for $i

## deny/log everything
block log all

## no matching 'pass out' needed here
pass in quick on $i inet proto tcp from $lan to any keep state flags S/SA
pass in quick on $i inet proto { udp icmp } from $lan to any keep state

## outbound traffic from the host itself
pass out quick on $x inet proto tcp from $x to any modulate state flags S/SA
pass out quick on $x inet proto { udp icmp } from $x to any keep state
```

Start with that and slowly add or adjust pieces (like more macros, redirects, inbound traffic from the Internet in case you need to run services), and _test every addition_ before you move on to the next.


----------



## jemate18 (Feb 5, 2010)

I issued the command

```
tcpdump -n -e -ttt -i pflog0
```

Then on the client browser tried to access https site

Nothing was displayed in the tcpdump


----------



## DutchDaemon (Feb 5, 2010)

See my post before yours. Work with that and try not to add more complications as you go. Start with a simple ruleset, and make sure *everything* works before you add new rules, esp. the IP forwarding should work with the simple ruleset I posted. Good luck.

edit: removed the pfctl -d suggestion because NAT is needed.


----------



## jemate18 (Feb 5, 2010)

Oh my.... I used the pf.conf you suggested..

```
i="em1"
x="em0"
lan="192.168.2.0/24"
set block-policy return
set skip on lo0

scrub in all fragment reassemble

nat on $x from $i to any -> $x

rdr on $i inet proto tcp from $lan to any port www -> 127.0.0.1 port 3128


antispoof log quick for $x
antispoof log quick for $i



block log all

pass in quick on $i inet proto tcp from $lan to any keep state flags S/SA
pass in quick on $i inet proto { udp icmp } from $lan to any keep state

pass out quick on $x inet proto tcp from $x to any modulate state flags S/SA
pass out quick on $x inet proto {udp icmp } from $x to any keep state
```


I know.... a lot of efforts... and still not working...


----------



## jemate18 (Feb 5, 2010)

This still doesn't work. Maybe there's something wrong in my settings other than the pf.conf.


----------



## jemate18 (Feb 5, 2010)

Here is another one, trying to access Google mail from the client machine.

The result of `tcpdump -i em1`:

```
19:11:37.769179 IP 192.168.2.13.56782 > sin01s01-in-f104.1e100.net.https: Flags [S], seq 3429709285, win 5860, options [mss 1460,sackOK,TS val 3373311 ecr 0,nop,wscale 6], length 0
*** the above message appears 5 consecutive times, then this is next
19:12:03.764227 ARP, Request who-has 192.168.2.2 tell 192.168.2.13, length 46
19:13:03.764235 ARP, Reply 192.168.2.2 is-at 00:xxxxxxxxx (oui Unknown), length 28
*** then this again***
19:11:37.769179 IP 192.168.2.13.56782 > sin01s01-in-f104.1e100.net.https: Flags [S], seq 3429709285, win 5860, options [mss 1460,sackOK,TS val 3373311 ecr 0,nop,wscale 6], length 0
**** displays for 3 times ****
```

After about 1 to 2 minutes, Network Timeout is displayed in the Browser of the client PC

Any ideas?
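The capture above shows the diagnostic pattern the whole thread turns on: the client's SYN is seen on the LAN interface again and again, and a SYN-ACK never comes back. The following is an added example, not from any poster in this thread, that automates exactly that reading of `tcpdump -n` output: it counts SYNs and SYN-ACKs per client flow and reports flows that retried the SYN several times without ever being answered. The capture lines are constructed to mirror the posted ones, with 198.51.100.104 (a documentation address) standing in for the real server and a constructed MAC address in the ARP reply.

```python
"""Spot TCP handshakes that never complete in tcpdump output.

Added example for this thread, not the poster's own tooling.  Feed it the
lines of 'tcpdump -n -i em1' (numeric addresses): it counts, per client
flow, the SYNs sent and the SYN-ACKs that came back.  A flow with several
SYNs and no SYN-ACK is the pattern the thread shows: the packet leaves the
LAN side but no reply ever returns, which points at forwarding, NAT or the
return path rather than at the client."""
import re
from collections import defaultdict

# Matches the "IP a.b.c.d.port > e.f.g.h.port: Flags [..]" prefix tcpdump -n prints
# for TCP; ARP lines and anything else simply do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def handshake_stats(lines):
    """Map (client, server, server_port) -> {'syn': n, 'synack': m}."""
    stats = defaultdict(lambda: {"syn": 0, "synack": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["flags"] == "S":                       # client -> server SYN
            stats[(m["sip"], m["dip"], int(m["dport"]))]["syn"] += 1
        elif m["flags"] == "S.":                    # server -> client SYN-ACK
            stats[(m["dip"], m["sip"], int(m["sport"]))]["synack"] += 1
    return dict(stats)

def stalled_flows(lines, min_syns=3):
    """Flows that retried the SYN at least min_syns times and saw no SYN-ACK."""
    return sorted(
        (client, server, port, counts["syn"])
        for (client, server, port), counts in handshake_stats(lines).items()
        if counts["syn"] >= min_syns and counts["synack"] == 0
    )

# Constructed capture in 'tcpdump -n' form, modelled on the thread's output
# (198.51.100.104 is a documentation address standing in for the real server).
SAMPLE = """\
19:11:37.769179 IP 192.168.2.13.56782 > 198.51.100.104.443: Flags [S], seq 3429709285, win 5860, options [mss 1460,sackOK,TS val 3373311 ecr 0,nop,wscale 6], length 0
19:11:38.768901 IP 192.168.2.13.56782 > 198.51.100.104.443: Flags [S], seq 3429709285, win 5860, options [mss 1460,sackOK,TS val 3373561 ecr 0,nop,wscale 6], length 0
19:11:40.768902 IP 192.168.2.13.56782 > 198.51.100.104.443: Flags [S], seq 3429709285, win 5860, options [mss 1460,sackOK,TS val 3374061 ecr 0,nop,wscale 6], length 0
19:11:44.768903 IP 192.168.2.13.56782 > 198.51.100.104.443: Flags [S], seq 3429709285, win 5860, options [mss 1460,sackOK,TS val 3375061 ecr 0,nop,wscale 6], length 0
19:11:52.768904 IP 192.168.2.13.56782 > 198.51.100.104.443: Flags [S], seq 3429709285, win 5860, options [mss 1460,sackOK,TS val 3377061 ecr 0,nop,wscale 6], length 0
19:11:53.100000 IP 192.168.2.13.56790 > 198.51.100.104.80: Flags [S], seq 1234, win 5840, options [mss 1460], length 0
19:11:53.100400 IP 198.51.100.104.80 > 192.168.2.13.56790: Flags [S.], seq 9876, ack 1235, win 14600, options [mss 1460], length 0
19:12:03.764227 ARP, Request who-has 192.168.2.2 tell 192.168.2.13, length 46
19:12:03.764235 ARP, Reply 192.168.2.2 is-at 00:11:22:33:44:55 (oui Unknown), length 28
""".splitlines()

def report(lines):
    for client, server, port, syns in stalled_flows(lines):
        print(f"{client} -> {server}:{port}: {syns} SYNs, no SYN-ACK; "
              "outbound side is open, check forwarding/NAT/return path")
    for (client, server, port), c in handshake_stats(lines).items():
        if c["synack"]:
            print(f"{client} -> {server}:{port}: handshake answered")

if __name__ == "__main__":
    report(SAMPLE)
```

In the sample the port-80 flow is answered (that is the transparently proxied path, where the SYN-ACK comes back from the redirected connection) while the port-443 flow shows five unanswered SYNs, which is the situation described in the post above. Run the same check on a capture from em0 as well: if the SYN never appears there, forwarding or the ruleset is dropping it; if it does appear there but nothing returns, the problem is on the NAT or upstream side.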


----------



## jemate18 (Feb 5, 2010)

Are we having the same problem?

http://forums.freebsd.org/showthread.php?t=10874


----------



## DutchDaemon (Feb 5, 2010)

Perhaps. Anyway, you have all the troubleshooting tools explained to you, so start experimenting. Don't work on proxies and redirections until you have your basic networking and routing in place. With a single NAT rule and 'set skip' on all interfaces you must be able to access the Internet from your LAN. That's the basis of everything else. Start from there and build up.


----------



## dennylin93 (Feb 5, 2010)

I'd suggest actually reading some documentation first. Then you should be able to do all the debugging and experimentation.

For starters:

PF FAQ
pf.conf()
pfctl()

The links listed above provide a complete description of PF and should be more than enough to get you going. It should only take 3 or 4 days at the most to read.


----------



## jemate18 (Feb 5, 2010)

Thanks guys, I'll read more about pf. It's the weekend today and I can experiment next week; I'll have more time to read.

Thanks once again


----------

