# My first pf rules



## locutus (Oct 12, 2009)

Hi!

I have used pf for the first time on a server where I have only SSH login ... and I have got locked out of the system. Can you tell me where my mistake is in the rules?


```
# Macros
int_if = "em0"
trusted_ssh_hosts = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
trusted_dns_hosts = "{ xxx.xxx.xxx.xxx, xxx.xxx.xxx.xxx }"
trusted_smtp_hosts = "xxx.xxx.xxx.xxx"
trusted_ftp_hosts = "xxx.xxx.xxx.xxx"
trusted_https_hosts = "xxx.xxx.xxx.xxx"
trusted_hosts = "{ xxx.xxx.xxx.xxx/24, xxx.xxx.xxx.xxx/24 }"
icmp_types="echoreq"


# a few settings
set loginterface $int_if
set state-policy if-bound
set block-policy return
set optimization aggressive
pass out keep state

# Normalization
#scrub in all

# everything unwanted is blocked immediately
block all

set skip on lo0

# Antispoofing
antispoof quick for { lo0, $int_if }

#********** Incoming traffic ******************#

# Loopback
pass in quick on lo0

# icmp requests
pass in inet proto icmp all icmp-type $icmp_types keep state

# SSH connections to xxx
pass in quick log on $int_if proto tcp from $trusted_ssh_hosts port ssh flags S/SA keep state

# HTTPS to the website
pass in quick log on $int_if proto tcp from $trusted_https_hosts port https flags S/SA keep state

#********* Outgoing traffic *******************#

# Loopback
pass out quick on lo0
# outgoing SMTP for the alerts
pass out quick on $int_if proto tcp to $trusted_smtp_hosts port smtp flags S/SA keep state

# outgoing FTP
pass out quick on $int_if proto tcp to $trusted_ftp_hosts port ftp flags S/SA keep state

# traffic to xxx systems
pass out quick on $int_if proto tcp to $trusted_hosts port { ssh, http, https } flags S/SA keep state

# DNS to internal systems
pass out quick on $int_if proto { tcp, udp } to $trusted_dns_hosts port domain
```

Thx

Alex


----------



## DutchDaemon (Oct 12, 2009)

```
pass in quick log on $int_if proto tcp from $trusted_ssh_hosts port ssh flags S/SA keep state
```

You're accepting connections *from* port 22, not *to* port 22.

Try something like


```
pass in quick log on $int_if proto tcp from $trusted_ssh_hosts to $int_if port ssh flags S/SA keep state
```

There are similar problems in your other rules (no clear distinction between from/to).

Furthermore, I would advise you to either use set skip on lo0, or to put pass quick on lo0 (which covers in and out) near the top of the ruleset. A *lot* of things break horribly when lo0 is not 'open in time'.


----------



## locutus (Oct 12, 2009)

Oh, I thought the term:

```
pass in ... on <interface> from ...
```

was enough. Isn't that double, "on <interface>" and "to <interface>"?

For me it seems more logical to say something like this:

```
pass in on $int_if proto tcp port ssh from $trusted_ssh_hosts flags S/SA keep state
```

But ok, thx for that.


----------



## DutchDaemon (Oct 12, 2009)

A connection starts somewhere ($trusted_ssh_hosts), goes to/through something ($int_if), and terminates somewhere ($int_if:22). It may look a bit contrived, but you'll be thankful for this syntax when your system is a bridge or a router with multiple NICs and IPs.


----------



## locutus (Oct 13, 2009)

One last question (for the moment). It's a FreeBSD 6.4 where I use pf. I can't get the normalization working. Even a simple "scrub in all" is not working. The syntax check tells me that the order of options etc. is not ok, but it's the same as in the manpage. What's wrong there?


----------



## SirDice (Oct 13, 2009)

Remove the pass out above scrub. IIRC scrub and similar commands need to go before any rules.


----------
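Putting the two replies together (from/to direction in the SSH rule, and options and scrub ahead of any pass/block rule), here is a corrected version of the ruleset as an added example. It is not from any post in this thread; the addresses are constructed placeholders and the FTP and `$trusted_hosts` rules are left out for brevity.

```pf
# Corrected pf.conf (added example, not from the thread). Addresses are
# constructed placeholders; replace them with your own.
# pf.conf section order: macros, options, normalization, filter rules.

# --- Macros ---
int_if = "em0"
trusted_ssh_hosts   = "{ 192.0.2.10, 192.0.2.11 }"   # constructed
trusted_https_hosts = "192.0.2.20"                   # constructed
trusted_smtp_hosts  = "192.0.2.25"                   # constructed
trusted_dns_hosts   = "{ 192.0.2.53, 192.0.2.54 }"   # constructed
icmp_types = "echoreq"

# --- Options: all "set" lines before scrub and before any pass/block ---
set loginterface $int_if
set state-policy if-bound
set block-policy return
set skip on lo0          # loopback is never filtered, so local services work

# --- Normalization: after options, before filter rules ---
scrub in all

# --- Filter rules: default deny, then explicit exceptions ---
block all
antispoof quick for $int_if

# ICMP echo requests addressed to this host
pass in on $int_if inet proto icmp to $int_if icmp-type $icmp_types keep state

# Inbound SSH: "from" names the client; "to $int_if port ssh" names the
# listener on this host. Filtering on the *source* port locks you out.
pass in quick log on $int_if proto tcp from $trusted_ssh_hosts to $int_if port ssh flags S/SA keep state

# Inbound HTTPS, same from/to shape
pass in quick log on $int_if proto tcp from $trusted_https_hosts to $int_if port https flags S/SA keep state

# Outbound: the remote service port belongs after "to"
pass out quick on $int_if proto tcp to $trusted_smtp_hosts port smtp flags S/SA keep state
pass out quick on $int_if proto { tcp, udp } to $trusted_dns_hosts port domain keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; the parser rejects a misplaced `set` or `scrub` line before anything reaches the live ruleset.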



## locutus (Oct 13, 2009)

OK, thx.


----------

