# One last PF question...



## osx-addict (Oct 22, 2009)

Ok.. I thought I had all of my ports working as I expected, but found this evening that my telnet connections are being ignored, forcing me to jump on the console to temporarily disable PF.. Any ideas on what I missed?


```
# external interfaces
ext_if                  = "bge0"

# internal jailed servers for services
jail_smtp_server        = "10.0.1.4"
jail_mys_webserver  = "10.0.1.7"

local_users             = "10.0.0.0/26"

NoRouteIPs = "{ 192.168.0.0/16, 172.16.0.0/12 }"

# 590x = VNC, 783 = spamd/spamc chatter
localsvcs               = "{ domain telnet 5900 5901 5902 5903 783 }"
webports                = "{ http https }"
smtpports               = "{ smtp imaps sieve }"
sambaports              = "{ netbios-ns netbios-dgm netbios-ssn microsoft-ds loc-srv }"
icmp_types              = "echoreq"
domain_ports            = "domain"

# the tcp_services below should encompass all services above except icmp..
tcp_services            = "{ domain telnet 5900 5901 5902 5903 783 http https smtp imaps sieve netbios-ns netbios-dgm netbios-ssn microsoft-ds loc-srv }"
udp_services            = "{ domain netbios-ns netbios-dgm netbios-ssn microsoft-ds loc-srv }" 

set loginterface $ext_if
set skip on lo0

scrub in all

rdr on $ext_if proto tcp from any to any port     $webports  -> $jail_mys_webserver
rdr on $ext_if proto tcp from 127.0.0.1 to $ext_if port 783  -> $jail_smtp_server
rdr on $ext_if proto tcp from any to $ext_if port $smtpports -> $jail_smtp_server

block all
pass out proto tcp to any port $tcp_services 
pass     proto udp to any port $udp_services 

block in  quick on $ext_if from $NoRouteIPs to any
block out quick on $ext_if from any to $NoRouteIPs

# icmp Requests
pass in inet proto icmp all icmp-type $icmp_types keep state

# pass all traffic to and from the local network
pass in quick log on $ext_if proto tcp from $local_users to $ext_if                  port $localsvcs keep state
pass in quick log on $ext_if proto tcp from any          to $jail_mys_webserver  port $webports keep state
pass in quick log on $ext_if proto tcp from any          to $jail_smtp_server        port $smtpports keep state
```


----------



## graudeejs (Oct 22, 2009)

**Don't use telnet, use OpenSSH!!!**


----------



## osx-addict (Oct 22, 2009)

It's all behind a firewall..


----------



## DutchDaemon (Oct 22, 2009)

Are you actually _running_ telnet (inetd) and is it bound to $ext_if? Oh, and even though you are behind a firewall, I'd still advise using ssh. Things break, rules may fail. Telnet = OpenAccess.


----------



## dennylin93 (Oct 22, 2009)

It depends on what you're using telnet for (BBS requires telnet).


----------



## vivek (Oct 22, 2009)

A BBS only needs a telnet client, not a telnet server. OpenSSH is installed by default, and there is no need to configure telnet or use the r* commands.


----------



## osx-addict (Oct 22, 2009)

Ok.. Suppose I decide to go with SSH.. I'm going to have the same problem regardless, i.e. no access due to the above rules.. No? Whether the port is telnet (23) or ssh (22), and I change the rules above from 'telnet' to 'ssh', unless I missed something...?


----------



## DutchDaemon (Oct 22, 2009)

You missed 'are you actually running telnet'. Is something actually listening on port 23? (`sockstat -l4p23`)

Otherwise: add 'log' to all of your block rules and tcpdump pflog0.


----------



## osx-addict (Oct 23, 2009)

Yes.. Telnet works fine when pf is disabled.. Here's the output as you wished:


```
srv1# sockstat -l4p23
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
root     inetd      1152  6  tcp4   10.0.1.1:23           *:*
```


----------



## DutchDaemon (Oct 23, 2009)

Ok, then take the 'log' statements out of your pass rules and put them in all of the block rules. Then run tcpdump on pflog0 and see what happens to connections to port 23.


----------



## osx-addict (Oct 24, 2009)

Ok.. Here are a few things I tried; not sure what this means, though..


```
srv1# tcpdump -n -e -ttt -r /var/log/pflog port 23
reading from file /var/log/pflog, link-type PFLOG (OpenBSD pflog file)
tcpdump: unknown data link type 117

srv1# tcpdump -n -e -ttt -i pflog0 port 23
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: unknown data link type 117

srv1# tcpdump --version
tcpdump version 3.9.8
libpcap version 0.9.8
Usage: tcpdump [-aAdDeflLnNOpqRStuUvxX] [-c count] [ -C file_size ]
		[ -E algo:secret ] [ -F file ] [ -i interface ] [ -M secret ]
		[ -r file ] [ -s snaplen ] [ -T type ] [ -w file ]
		[ -W filecount ] [ -y datalinktype ] [ -Z user ]
		[ expression ]
```

The 2nd one with the warning, I'm assuming, is because I ran it when PF was disabled.. However, the unknown data link type seems odd.. I also tried the newer version of tcpdump (4.0) with the same sort of results.. Any ideas?


----------



## DutchDaemon (Oct 24, 2009)

Can you just run `tcpdump -e -s 0 -pnli pflog0 port 23` when connecting with telnet from the outside?


----------



## osx-addict (Oct 25, 2009)

Here's the output when trying to connect from another machine on the local home network after re-enabling pf:


```
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: unknown data link type 117
```

Here's the output from `pfctl -s all` if that helps.. This is strange.. I'll do some more reading in the various PF books! I think the thing that's messing with my logging is the unknown data link message; I just updated my libpcap, which I gather is what's having the problem, and that didn't change anything.. Ugg!


```
No ALTQ support in kernel
ALTQ related functions disabled
TRANSLATION RULES:
rdr on bge0 inet proto tcp from any to any port = http -> 10.0.1.7
rdr on bge0 inet proto tcp from any to any port = https -> 10.0.1.7
rdr on bge0 inet proto tcp from 127.0.0.1 to 10.0.1.1 port = 783 -> 10.0.1.4
rdr on bge0 inet proto tcp from 127.0.0.1 to 10.0.1.6 port = 783 -> 10.0.1.4
rdr on bge0 inet proto tcp from 127.0.0.1 to 10.0.1.7 port = 783 -> 10.0.1.4
rdr on bge0 inet proto tcp from 127.0.0.1 to 10.0.1.4 port = 783 -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.1 port = smtp -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.1 port = imaps -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.1 port = callbook -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.6 port = smtp -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.6 port = imaps -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.6 port = callbook -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.7 port = smtp -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.7 port = imaps -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.7 port = callbook -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.4 port = smtp -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.4 port = imaps -> 10.0.1.4
rdr on bge0 inet proto tcp from any to 10.0.1.4 port = callbook -> 10.0.1.4

FILTER RULES:
scrub in all fragment reassemble
block drop log all
pass out proto tcp from any to any port = domain flags S/SA keep state
pass out proto tcp from any to any port = telnet flags S/SA keep state
pass out proto tcp from any to any port = 5900 flags S/SA keep state
pass out proto tcp from any to any port = 5901 flags S/SA keep state
pass out proto tcp from any to any port = 5902 flags S/SA keep state
pass out proto tcp from any to any port = 5903 flags S/SA keep state
pass out proto tcp from any to any port = 783 flags S/SA keep state
pass out proto tcp from any to any port = http flags S/SA keep state
pass out proto tcp from any to any port = https flags S/SA keep state
pass out proto tcp from any to any port = smtp flags S/SA keep state
pass out proto tcp from any to any port = imaps flags S/SA keep state
pass out proto tcp from any to any port = callbook flags S/SA keep state
pass out proto tcp from any to any port = netbios-ns flags S/SA keep state
pass out proto tcp from any to any port = netbios-dgm flags S/SA keep state
pass out proto tcp from any to any port = netbios-ssn flags S/SA keep state
pass out proto tcp from any to any port = microsoft-ds flags S/SA keep state
pass out proto tcp from any to any port = loc-srv flags S/SA keep state
pass proto udp from any to any port = domain keep state
pass proto udp from any to any port = netbios-ns keep state
pass proto udp from any to any port = netbios-dgm keep state
pass proto udp from any to any port = netbios-ssn keep state
pass proto udp from any to any port = microsoft-ds keep state
pass proto udp from any to any port = loc-srv keep state
block drop in log quick on bge0 inet from 192.168.0.0/16 to any
block drop in log quick on bge0 inet from 172.16.0.0/12 to any
block drop out log quick on bge0 inet from any to 192.168.0.0/16
block drop out log quick on bge0 inet from any to 172.16.0.0/12
pass in inet proto icmp all icmp-type echoreq keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.1 port = domain flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.1 port = telnet flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.1 port = 5900 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.1 port = 5901 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.1 port = 5902 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.1 port = 5903 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.1 port = 783 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.6 port = domain flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.6 port = telnet flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.6 port = 5900 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.6 port = 5901 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.6 port = 5902 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.6 port = 5903 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.6 port = 783 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.7 port = domain flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.7 port = telnet flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.7 port = 5900 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.7 port = 5901 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.7 port = 5902 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.7 port = 5903 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.7 port = 783 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.4 port = domain flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.4 port = telnet flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.4 port = 5900 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.4 port = 5901 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.4 port = 5902 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.4 port = 5903 flags S/SA keep state
pass in quick on bge0 inet proto tcp from 10.0.0.0/26 to 10.0.1.4 port = 783 flags S/SA keep state
pass in quick on bge0 inet proto tcp from any to 10.0.1.7 port = http flags S/SA keep state
pass in quick on bge0 inet proto tcp from any to 10.0.1.7 port = https flags S/SA keep state
pass in quick on bge0 inet proto tcp from any to 10.0.1.4 port = smtp flags S/SA keep state
pass in quick on bge0 inet proto tcp from any to 10.0.1.4 port = imaps flags S/SA keep state
pass in quick on bge0 inet proto tcp from any to 10.0.1.4 port = callbook flags S/SA keep state

INFO:
Status: Enabled for 0 days 00:01:19           Debug: Urgent

Interface Stats for bge0              IPv4             IPv6
  Bytes In                        94931608                0
  Bytes Out                       31542075                0
  Packets In
    Passed                          206549                0
    Blocked                          24056                0
  Packets Out
    Passed                          151594                0
    Blocked                           2044                0

State Table                          Total             Rate
  current entries                        0               
  searches                          410154         5191.8/s
  inserts                            20768          262.9/s
  removals                           20768          262.9/s
Counters
  match                              58580          741.5/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         9            0.1/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s

LIMITS:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000

TABLES:
spamd
spamd-mywhite
spamd-white

OS FINGERPRINTS:
696 fingerprints loaded
```


----------
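The listing above is long enough that it is easy to lose track of which rule actually decides a given packet. The script below is an added example, not code from the thread or from pf itself: it re-implements pf's matching order (rules are tried top to bottom, the last match wins, a matching `quick` rule ends evaluation) for four rules copied from the `pfctl -s all` output, and runs a few constructed packets through them, among them a telnet SYN from a client that is not inside `10.0.0.0/26`. The `Packet` and `Rule` classes, the 1-based rule numbering and the sample addresses are the example's own; state tracking, `flags S/SA`, scrub and rdr are left out on purpose.

```python
"""pf rule evaluation, walked through by hand.

Added example, not code from the thread: it emulates how pf picks the deciding
rule for a packet, using four rules copied from the pfctl -s all listing.
pf walks the ruleset top to bottom; the LAST matching rule wins, unless a
matching rule is marked 'quick', which ends the walk on the spot. State
tracking, 'flags S/SA', scrub and rdr are deliberately left out.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", as seen by the interface
    iface: str
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None matches both directions
    iface: Optional[str] = None       # None matches any interface
    proto: Optional[str] = None
    src: Optional[str] = None         # CIDR; None means 'any'
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.iface is None or self.iface == p.iface)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
                and (self.dport is None or self.dport == p.dport))


# Four rules from the listing, numbered 1..4 here for readability only.
RULES = [
    Rule("block", log=True),                                   # block drop log all
    Rule("pass", "out", proto="tcp", dport=23),                # pass out ... port = telnet
    Rule("block", "in", "bge0", src="192.168.0.0/16", quick=True, log=True),
    Rule("pass", "in", "bge0", "tcp", "10.0.0.0/26", "10.0.1.1/32", 23, quick=True),
]


def evaluate(rules, p):
    """Return (verdict, rule number) the way pf would decide this packet.

    Walk the ruleset in order, remember the last match, stop at the first
    matching 'quick' rule. A packet that matches nothing is passed (pf's
    implicit default); that is why 'block all' comes first in the pf.conf.
    """
    winner = ("pass", 0)
    for number, rule in enumerate(rules, 1):
        if rule.matches(p):
            winner = (rule.action, number)
            if rule.quick:
                break
    return winner


def would_be_logged(rules, p):
    """True if the deciding rule carries 'log', i.e. the packet shows up on pflog0."""
    _, number = evaluate(rules, p)
    return number > 0 and rules[number - 1].log


if __name__ == "__main__":
    # Constructed packets: a telnet SYN from inside 10.0.0.0/26, one from a client
    # just outside that block, one from a range the ruleset refuses outright,
    # and the server's own outbound telnet connection.
    samples = [
        Packet("in", "bge0", "tcp", "10.0.0.10", "10.0.1.1", 23),
        Packet("in", "bge0", "tcp", "10.0.1.50", "10.0.1.1", 23),
        Packet("in", "bge0", "tcp", "192.168.1.5", "10.0.1.1", 23),
        Packet("out", "bge0", "tcp", "10.0.1.1", "10.0.0.10", 23),
    ]
    for p in samples:
        verdict, number = evaluate(RULES, p)
        print(f"{p.direction:3} {p.src:>12} -> {p.dst}:{p.dport}  "
              f"{verdict} by rule {number}, logged={would_be_logged(RULES, p)}")
```

What the walk makes visible is that the `pass in quick ... from 10.0.0.0/26` rules only cover clients with addresses 10.0.0.0 through 10.0.0.63; a telnet SYN from any other source falls all the way through to `block drop log all`, and because that rule is logged it would be the one that shows up on `pflog0` once tcpdump can read the interface. That is the check the thread's advice (log the block rules, then watch pflog0) is designed to give you.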



## DutchDaemon (Oct 25, 2009)

osx-addict said:

> ```
> tcpdump: WARNING: pflog0: no IPv4 address assigned
> tcpdump: unknown data link type 117
> ```

"Interesting". This error seems to hail back to a time when FreeBSD *5* had pf in ports and when tcpdump couldn't read pflog directly; one needed a port named pftcpdump for that. Your version of tcpdump/libpcap is normal for FreeBSD 7 though. Not sure what's going on here ....


----------



## osx-addict (Oct 25, 2009)

Ok.. In poking around within the libpcap source I see the following data type maps to #117:


```
./pcap/bpf.h:#define DLT_PFLOG	117
```

Now, I just need to find out why this is not supported from the get-go.. Any ideas?  I'm still looking!


----------
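To make concrete what link type 117 carries, here is an added example, not code from the thread, from libpcap or from pf: it builds a one-record pcap image in memory with link type `DLT_PFLOG` and decodes it with `struct`, the way a tcpdump that understands the link type would. Every record on `pflog0` (and in `/var/log/pflog`) is a `struct pfloghdr` followed by the raw IP packet; the field layout used here (64 bytes, `length` field 61, rule numbers in network byte order) follows `net/if_pflog.h` of the pf of that era and is an assumption to check against your own headers. The addresses, ports and rule number are constructed for the example; a decoder like this is also a way to read a pflog file offline when the installed tcpdump refuses the link type.

```python
"""Decoding a pflog record by hand.

Added example, not code from the thread. Link type 117 is DLT_PFLOG: each
record tcpdump reads from pflog0 or /var/log/pflog is a struct pfloghdr
followed by the raw IP packet. The header layout follows net/if_pflog.h of
the pf of that era (64 bytes, 'length' field 61); addresses, ports and the
rule number below are constructed for the example.
"""
import struct
from ipaddress import IPv4Address

DLT_PFLOG = 117
PFLOG_REAL_HDRLEN = 61                   # what pf writes into pfloghdr.length
AF_INET = 2                              # BSD value
PF_ACTIONS = {0: "pass", 1: "block"}     # PF_PASS, PF_DROP
PF_DIRS = {1: "in", 2: "out"}            # PF_IN, PF_OUT
# reason codes, in the order of the 'Counters' block of pfctl -s info
PF_REASONS = ["match", "bad-offset", "fragment", "short", "normalize", "memory",
              "bad-timestamp", "congestion", "ip-option", "proto-cksum",
              "state-mismatch", "state-insert", "state-limit", "src-limit", "synproxy"]


def build_pfloghdr(action, reason, ifname, rulenr, direction):
    """Pack struct pfloghdr: length, af, action, reason, ifname[16], ruleset[16],
    rulenr, subrulenr, uid, pid, rule_uid, rule_pid (network order), dir, pad[3]."""
    return struct.pack("!BBBB16s16sIIIIIIB3x", PFLOG_REAL_HDRLEN, AF_INET, action,
                       reason, ifname.encode(), b"", rulenr, 0xFFFFFFFF,
                       0xFFFFFFFF, 0, 0xFFFFFFFF, 0, direction)


def build_tcp_syn(src, dst, sport, dport):
    """Minimal IPv4 + TCP SYN; checksums are zero, the decoder never checks them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, 64, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return ip + tcp


def build_pflog_pcap(frames):
    """Wrap pfloghdr+packet frames in a little-endian pcap file with link type 117."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_PFLOG)]
    for ts, frame in enumerate(frames, 1):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_flags(byte):
    names = [(0x01, "F"), (0x02, "S"), (0x04, "R"), (0x08, "P"), (0x10, "."), (0x20, "U")]
    return "".join(n for bit, n in names if byte & bit) or "none"


def decode_frame(frame):
    """Turn one pflog frame into a dict of the fields tcpdump -e prints."""
    length, af, action, reason, ifname, _ruleset, rulenr, _sub = \
        struct.unpack_from("!BBBB16s16sII", frame, 0)
    hdrlen = (length + 3) & ~3            # BPF_WORDALIGN(61) == 64, as tcpdump does
    rec = {"iface": ifname.rstrip(b"\0").decode(), "dir": PF_DIRS.get(frame[60], "?"),
           "action": PF_ACTIONS.get(action, str(action)), "rule": rulenr,
           "reason": PF_REASONS[reason] if reason < len(PF_REASONS) else str(reason)}
    if af != AF_INET:
        return rec
    ip = frame[hdrlen:]
    ihl = (ip[0] & 0x0F) * 4
    rec.update(src=str(IPv4Address(ip[12:16])), dst=str(IPv4Address(ip[16:20])))
    if ip[9] in (6, 17):                  # TCP/UDP: ports first; TCP flags at offset 13
        sport, dport = struct.unpack_from("!HH", ip, ihl)
        rec.update(proto="tcp" if ip[9] == 6 else "udp", sport=sport, dport=dport)
        if ip[9] == 6:
            rec["flags"] = tcp_flags(ip[ihl + 13])
    else:
        rec["proto"] = str(ip[9])
    return rec


def parse_pflog_pcap(data):
    """Read a pcap image, insist on DLT_PFLOG, decode every record."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != DLT_PFLOG:
        raise ValueError(f"link type {linktype}, expected DLT_PFLOG ({DLT_PFLOG})")
    off, records = 24, []
    while off < len(data):
        _sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append(decode_frame(data[off:off + incl_len]))
        off += incl_len
    return records


def sample_capture():
    """Constructed: a telnet SYN from 10.0.1.50 (outside 10.0.0.0/26), dropped by
    the first filter rule, which pf numbers 0 ('block drop log all' once logged)."""
    hdr = build_pfloghdr(action=1, reason=0, ifname="bge0", rulenr=0, direction=1)
    return build_pflog_pcap([hdr + build_tcp_syn("10.0.1.50", "10.0.1.1", 51234, 23)])


if __name__ == "__main__":
    for r in parse_pflog_pcap(sample_capture()):
        print(f"rule {r['rule']}/0({r['reason']}): {r['action']} {r['dir']} on {r['iface']}: "
              f"{r.get('src')}.{r.get('sport')} > {r.get('dst')}.{r.get('dport')}: "
              f"{r.get('proto')} {r.get('flags', '')}")
```

The `-e` in the suggested `tcpdump -e -s 0 -pnli pflog0` is what makes tcpdump print the pfloghdr part of each record (rule number, reason, action, direction and interface) in front of the packet summary; the `rule`, `reason`, `action` and `dir` keys above are those same fields, which is why a logged block rule is the quickest way to see which rule is dropping the telnet SYN.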

