FreeBSD Bugzilla – Attachment 229523 Details for
Bug 259864
PF periodically drops packets that belong to established session, thus stalling the session
PF config from the 91.206.242.1
pf.gw0 (text/plain), 18.00 KB, created by
emz
on 2021-11-15 19:21:08 UTC
# pf.conf of the border router 91.206.242.1 (attachment to FreeBSD bug 259864).
#
# Layout follows the classic pf.conf ordering: macros and tables, options
# ("set ..."), scrub, translation ("no rdr" / "rdr" / "nat"), then filter rules.
# How to read the rest of the file:
#   - translation rules are first-match and are applied before the filter
#     rules see the packet, so filter rules for redirected services must name
#     the post-rdr destination (e.g. $mssql port 112, 192.168.0.240 port 1433);
#   - filter rules are last-match: the LAST matching rule decides, unless a
#     rule carries "quick", which ends evaluation at that rule;
#   - "no state" rules never create state entries, so the reverse direction
#     of that traffic must be passed by a rule of its own.

# --- per-uplink macros: interface, our address on it, next-hop gateway -----
# $*gw is the gateway used by the reply-to/route-to rules further down, so
# that replies leave through the uplink the request arrived on.
myasip = "91.206.242.1"
asif = "vlan2"
asif2 = "vlan5"
qw1ip = "91.206.242.9"

myertkip = "188.234.141.201"
ertkgw = "188.234.141.202"
ertkif = "vlan11"

mypicip = "89.250.215.118"
picgw = "89.250.215.117"
picif = "vlan4"

myppicip = "77.43.142.201"
ppicgw = "77.43.142.202"
ppicif = "vlan434"

# $mysynip / $syngw are not referenced by any rule below; only $synif is used.
mysynip = "86.109.196.74"
syngw = "86.109.196.73"
synif = "vlan8"

myvpnip = "172.20.142.250"
myvpnif = "vlan6"

voiceif="vlan12"
voicenet="192.168.50.0/24"

jailip = "91.206.242.8"

mycctvif = "vlan13"
mycctvip = "192.168.99.10"
mycctvnet = "192.168.99.0/24"

asterisk = "91.206.242.10"

# Internal hosts that the port-112/113/1433 redirections below point at.
mssql = "192.168.0.240"
mssql2 = "192.168.250.224"

table <vpnnet> { 192.168.1.0/25, 192.168.11.0/25 }

exposedip = "91.206.242.11"

monitoring = "62.109.28.82"
nsdi = "77.95.132.140"

# --- address tables ---------------------------------------------------------
# <myoips>: every address this router answers on itself; most "pass in ...
# to <myoips>" service rules key off this table.
table <myoips> { 91.206.242.1, 91.206.242.5, 91.206.242.8, 91.206.242.9, 10.64.0.250, 10.64.0.252, 89.250.210.6, 195.222.153.176, 172.20.142.250, 172.16.240.2, 86.109.196.74, 46.146.246.246, 188.234.141.201, 77.43.142.201, 91.206.242.12, 91.206.243.1, 91.206.243.2, 91.206.243.3 }
table <neighborertkips> { 188.234.153.254 }
# <internalips> is defined but not referenced by any rule in this file.
table <internalips> { 192.168.0.0/16, 91.206.242.5, 91.206.242.3 }
table <bannedips> { 193.232.158.145 }
# <emz>: administrator source networks (used for the rspamd web UI rule).
table <emz> { 128.127.144.0/27, 83.222.71.216/29, 188.43.17.170/32, 91.237.76.0/24, 188.17.155.29, 40.115.34.131 }
table <ilo> { 91.206.242.7 }
# The "!" entries carve the router's own addresses out of the /23.
table <myasnet> { 91.206.242.0/23, !91.206.242.1, !91.206.243.1, !91.206.243.2, !91.206.243.3 }
table <bgppeers> { 195.222.153.161, 89.250.210.5, 188.234.141.200, 185.224.228.193 }
table <allowedservers> { 192.168.0.99, 192.168.0.250, 192.168.0.220, 192.168.0.227, 192.168.0.240, 192.168.0.247, 192.168.0.229 }
table <alloweddestinations> { 144.76.14.230, 194.85.126.117 }
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <pbxes> { 95.167.163.148, 62.148.237.145, 62.148.237.138, 178.47.132.212, 62.148.237.194, 62.148.237.195 }
table <sberthankyou> { 194.85.126.117, 194.186.207.162 }
table <sberhasp> { 194.54.14.136, 194.186.207.124, 195.8.62.176 }
table <sber> { 194.54.14.162, 194.54.14.89, 194.54.14.24 }
# Declared empty: the "allowed mssql from known hosts" pass rule matches
# nothing until this table is populated at runtime (presumably via pfctl -t).
table <trustedmssql> {}
table <disguisedmachines> { 192.168.0.251, 192.168.0.252, 192.168.0.253 }
table <vlan101allowed> { 192.168.101.250, 192.168.101.251, 192.168.101.252, 192.168.101.253, 192.168.101.1, 192.168.101.2, 192.168.101.3 }
table <iips> { 192.168.0.248, 192.168.0.247, 192.168.0.246 }
table <imap-mail-ru> { 94.100.180.90, 217.69.139.90 }
table <smtp-mail-ru> { 94.100.180.160, 217.69.139.160 }
table <mdlp> { 82.202.178.12, 78.142.221.73 }
# 94.143.161.41 is listed twice; harmless, but worth deduplicating.
table <ofd> { 92.53.73.60, 94.143.161.41, 46.148.200.215, 94.143.161.41, 31.44.83.184 }
# NOTE(review): <scanners> and <blocked> are referenced by "block ... quick"
# rules below but are not declared in this file; they are presumably created
# and fed by an external tool (pfctl -t ... add) — confirm they exist on the
# running system, otherwise those two block rules protect nothing.

pubwifinet = "192.168.3.0/24"
# Interface lists: $iifs are the internal (LAN) interfaces, $ispifs the
# ISP-facing ones that are excluded from pf entirely by "set skip" below.
iifs = "{" igb1 vlan1 vlan9 vlan250 "}"
ispifs = "{" vlan251 vlan252 "}"

# --- options ----------------------------------------------------------------
# NOTE(review): when the state table reaches this limit pf fails to create NEW
# states; packets of already-established states still match. A full table
# therefore does not by itself explain drops inside an established session,
# but "pfctl -si" (state/limit counters) is the first thing to check.
set limit states 150000
set limit frags 50000
# Blocked TCP gets a RST and blocked UDP an ICMP unreachable instead of a
# silent drop; this makes "block" behaviour visible to the peer.
set block-policy return
set skip on enc0
set skip on lo0
set skip on $ispifs
# pf does not inspect packets on $asif/$asif2 at all; the "as/net" and
# "pbr block" filter rules below that name these interfaces never see traffic.
# NOTE(review): "set skip" is believed to bypass translation on the interface
# as well, which would also make "nat on $asif ..." inert — confirm.
set skip on $asif
set skip on $asif2

scrub out on $ppicif from $myasip to 212.33.247.106 max-mss 1452

# this fixes the VoIP calls / SIP packets larger than 1500 bytes
scrub on $picif from any to any fragment reassemble

# commented out - to test whether this will improve the SIP session reachability
#scrub on vlan11 from any to any fragment reassemble

# --- translation ------------------------------------------------------------
# Translation is first-match, so these "no rdr" exemptions must stay above
# the rdr rules they override.
no rdr on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto tcp from <bannedips> to port 112
no rdr on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto tcp from any to $exposedip port 3389

# External port 112 -> $mssql:112, external 113 -> $mssql2:112.
# Plain "rdr" on $picif/$ppicif still subjects the translated packet to the
# filter rules (see "# mssql" below); "rdr pass" on the other uplinks passes
# the packet WITHOUT consulting the filter rules, so no later block rule
# (including the <blocked>/<bannedips> ones) can stop that traffic — the
# "no rdr" lines above are the only exclusion for it.
rdr on $picif proto tcp to port 112 -> $mssql port 112
rdr on $ppicif proto tcp to port 112 -> $mssql port 112
rdr pass on { $myvpnif, $synif, $ertkif } proto tcp to port 112 -> $mssql port 112

rdr on $picif proto tcp to port 113 -> $mssql2 port 112
rdr on $ppicif proto tcp to port 113 -> $mssql2 port 112
rdr pass on { $myvpnif, $synif, $ertkif } proto tcp to port 113 -> $mssql2 port 112

# No "pass" here: inbound 1433 is decided by the filter rules (blocked for
# everyone in "# blocking stuff", allowed again only from <trustedmssql>).
rdr on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto tcp to port 1433 -> 192.168.0.240 port 1433
rdr pass on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto tcp from 46.146.70.22 to port 3389 -> 192.168.0.213 port 3389
rdr pass on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto tcp to port 1537 -> 192.168.0.240 port 1537
rdr pass on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto tcp to port 65345 -> 192.168.101.45 port 3389
# External 2222 -> internal ssh; because of "rdr pass" the "port 2222" entry
# in "# blocking stuff" below cannot affect this traffic.
rdr pass on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto tcp to port 2222 -> 192.168.0.60 port 22

# ISP-bound interfaces
nat on $ertkif proto { icmp, tcp, udp, gre } from 192.168.251.0/24 to any -> $myertkip
nat on $ppicif proto { icmp, tcp, udp, gre } from 192.168.252.0/24 to any -> $myppicip
#nat on $picif proto { icmp, tcp, udp, gre } from 192.168.101.0/24 to any -> $mypicip
nat on $picif inet from 192.168.101.0/24 to any -> $mypicip

nat on $picif from <rfc1918> to !$mypicip -> $mypicip
nat on $mycctvif from <rfc1918> to $mycctvnet -> $mycctvip

nat on $asif proto { icmp, tcp, udp, esp } from <rfc1918> to any -> $myasip
nat on vlan9 proto { icmp, tcp, udp, esp } from <rfc1918> to !<rfc1918> -> $myasip

# PPTP (tcp/1723 + GRE) to two fixed peers leaves via the pic uplink.
nat on $picif proto tcp from <rfc1918> to 195.222.153.142 port 1723 -> $mypicip
nat on $picif proto gre from <rfc1918> to 195.222.153.142 -> $mypicip
nat on $picif proto tcp from <rfc1918> to 62.16.55.13 port 1723 -> $mypicip
nat on $picif proto gre from <rfc1918> to 62.16.55.13 -> $mypicip

# Note the source address: ppic/syn/ertk egress is NATed to $myasip (the AS
# address), not to the uplink's own address, so return traffic depends on
# $myasip being routed back to this box over that uplink.
nat on $ppicif proto { icmp, tcp, udp, gre, esp } from <rfc1918> to !<rfc1918> -> $myasip
nat on $myvpnif proto { icmp, tcp, udp, gre, esp } from <rfc1918> to any -> $myvpnip
nat on $synif proto { icmp, tcp, udp, gre, esp } from <rfc1918> to !<rfc1918> -> $myasip
nat on $ertkif proto { icmp, tcp, udp, gre, esp } from <rfc1918> to !<rfc1918> -> $myasip

# mail
nat on $picif proto tcp from $mypicip to any port 25 -> $myasip
nat on $ppicif proto tcp from $myppicip to any port 25 -> $myasip
nat on $ertkif proto tcp from $myertkip to any port 25 -> $myasip

# --- filter rules -----------------------------------------------------------
# Cluster traffic is accepted first and with "quick" so nothing below can
# interfere with failover.
pass quick proto pfsync
pass quick proto carp

# Default deny; every "pass" below is an exception to this.
block log all

# weird passage, counter-state-lookup DoS
pass quick on igb1 proto tcp from 192.168.0.248 to 192.168.0.225 port 8080 no state
pass quick on igb1 proto tcp from 192.168.0.225 port 8080 to 192.168.0.248 no state
pass quick on igb1 proto tcp from 192.168.0.248 to 192.168.0.231 port 8080 no state
pass quick on igb1 proto tcp from 192.168.0.231 port 8080 to 192.168.0.248 no state

# workaround for infected VPN machines
block in log quick on vpn proto tcp from <rfc1918> to !<rfc1918> port 445
# Stateless catch-all pass on the VPN, LAN and voice interfaces. Being
# non-quick, any later non-quick "block ... on $iifs" still wins over these
# for the traffic it matches (last match), which is how the egress
# restrictions below are layered on top.
pass on vpn all no state
pass on $iifs no state
pass on $voiceif no state

# restrict vlan101 to itself and internet. and vlan12. and who knows what else.
block log on vlan101 proto { icmp, tcp, udp } from 192.168.101.0/24 to <rfc1918>
pass on vlan101 proto { icmp, tcp, udp } from 192.168.101.0/24 to 192.168.101.0/24
pass on vlan101 proto { icmp, tcp, udp } from 192.168.101.0/24 to 192.168.50.0/24
pass on vlan101 proto { icmp, tcp, udp } from 192.168.50.0/24 to 192.168.101.0/24
pass on vlan101 proto tcp from 192.168.101.0/24 to any port { 3389, 3340 }
pass on vlan101 proto { icmp, tcp, udp } from 192.168.101.0/24 to <vpnnet>
pass on vlan101 proto { icmp, tcp, udp } from 192.168.101.0/24 to 192.168.254.0/24
block log on vlan101 proto tcp from <rfc1918> to !<rfc1918> port { 80, 443, 8080 }
pass on vlan101 proto tcp from <rfc1918> to <sberhasp> port 443

# icmp
pass proto icmp from any to any
pass in on $picif reply-to ($picif $picgw) proto icmp from any to $mypicip
pass in on $ppicif reply-to ($ppicif $ppicgw) proto icmp from any to $myppicip
pass in on $ertkif reply-to ($ertkif $ertkgw) proto icmp from any to $myertkip

# block proxy access to disguised machines
block log on $iifs proto tcp from <disguisedmachines> to <iips> port 3128

# cctv interface - allow only outgoing sessions
pass out on $mycctvif proto { tcp, udp, icmp } from any to any keep state

# blocking internet access for HTTP/HTTPS not going through proxy
block log on $iifs proto tcp from <rfc1918> to !<rfc1918> port { 80, 443, 8080 }
block log on $voiceif proto tcp from <rfc1918> to !<rfc1918> port { 80, 443, 8080 }
pass on $iifs proto tcp from <rfc1918> to <sberhasp> port 443
pass on $iifs proto tcp from <rfc1918> to <sber> port { 650, 666, 668, 670}
pass in proto { icmp, tcp, udp } from any to <vlan101allowed>
pass on vlan101 proto { icmp, tcp, udp } from any to !<rfc1918>

# blocking pptp outside
block log on $iifs proto tcp from <rfc1918> to !<rfc1918> port 1723
block log on $iifs proto gre from <rfc1918> to !<rfc1918>

# blocking just anything
# Egress default-deny for LAN/voice clients; the per-destination "pass"
# rules that follow are the allow-list on top of it.
block log on $iifs proto { tcp, udp } from <rfc1918> to !<rfc1918>
block log on $voiceif proto { tcp, udp } from <rfc1918> to !<rfc1918>

# allowing mdlp
pass on $iifs proto tcp from <rfc1918> to <mdlp> port { 80, 443 }

# allowing viber
pass on $iifs proto tcp from <rfc1918> to any port { 5242, 4244 }
pass on $iifs proto udp from <rfc1918> to any port { 5243, 9785 }

# firstVDS ssh
pass on $iifs proto tcp from <rfc1918> to 62.109.28.82 port 22

# some sicko service
pass on $iifs proto tcp from <rfc1918> to 92.53.73.60 port 7777

# some data to end-clients
pass on $iifs proto tcp from <rfc1918> to 212.33.247.106

# sberbank thank you
pass on $iifs proto tcp from <rfc1918> to <sberthankyou> port { 668, 10443 }

# sberbank
# (duplicate of the <sber> rule in the HTTP/HTTPS section above)
pass on $iifs proto tcp from <rfc1918> to <sber> port { 650, 666, 668, 670 }

# ofd
pass on $iifs proto tcp from <rfc1918> to <ofd> port { 4001, 7001, 7788, 26101, 33101 }

# mail.ru
pass on $iifs proto tcp from <rfc1918> to <imap-mail-ru> port { 143, 993 }
pass on $iifs proto tcp from <rfc1918> to <smtp-mail-ru> port { 25, 465 }

# svn
pass on $iifs proto tcp from <rfc1918> to 213.138.116.72 port 3690

# some RDP
pass on $iifs proto tcp from <rfc1918> to any port 33891

# some self-invented shit
pass in on $iifs proto tcp from any to !<rfc1918> port 1539

# allowing everything from allowed servers list
pass on $iifs proto { tcp, udp } from <allowedservers> to any

# allowing PPTP VPN to disguised machines
pass on $voiceif proto tcp from any to any port 1723
pass on $voiceif proto gre from any to any

pass on $iifs proto tcp from <disguisedmachines> to any port 1723
pass on $iifs proto gre from <disguisedmachines> to any
pass on $iifs proto udp from <disguisedmachines> to any port 500
pass on $iifs proto udp from <disguisedmachines> to any port 1701
pass on $iifs proto { ah, esp } from <disguisedmachines> to any

# allowing everything to allowed servers list
pass on $iifs proto tcp from <rfc1918> to <alloweddestinations>

# allowing everything to ilos
pass in proto tcp from any to <ilo>

# passing rdp
pass in on $iifs proto tcp from <rfc1918> to any port { 3389, 3340 }

# passing rdp
pass in on $iifs proto tcp from <rfc1918> to any port 1433

# mssql
# Filter side of the plain "rdr" port-112/113 rules on the pic/ppic uplinks;
# the destination is the post-translation internal address.
pass in on $picif reply-to ($picif $picgw) proto tcp from any to $mssql port 112
pass in on $ppicif reply-to ($ppicif $ppicgw) proto tcp from any to $mssql port 112
pass in on $picif reply-to ($picif $picgw) proto tcp from any to $mssql2 port 112
pass in on $ppicif reply-to ($ppicif $ppicgw) proto tcp from any to $mssql2 port 112

# emz only
# Administrator source addresses get unrestricted inbound TCP on every
# interface; this trust rests solely on the source IP.
pass in proto tcp from 94.50.161.126 to any
pass in proto tcp from 46.146.33.16 to any

# passing sip
pass in on $iifs proto udp from <rfc1918> to <pbxes> port { 5060, 8766:35000 }
pass in proto udp from <pbxes> to <myoips> port 1025:65535 no state
pass out proto udp from <myoips> to <pbxes> port 1025:65535 no state

# as/net
#pass on $asif no state
#pass on $asif2 no state
#pass from <myasnet> to any
#pass from any to <myasnet> no state
#pass from any to <myasnet>
# The two "on $asif"/"on $asif2" rules are dead: both interfaces are in
# "set skip" above. The interface-less <myasnet> rules do take effect on the
# other interfaces.
pass on $asif no state
pass on $asif2 no state
pass from <myasnet> to any no state
pass from any to <myasnet> no state
#pass from any to <myasnet>

# an ugly tweak to fix some weird behavior on asymmetric routing
# Outbound packets from our addresses with ACK, RST or FIN set are passed
# statelessly, so replies can leave even when no state matches them (e.g.
# the inbound leg arrived via another uplink).
# NOTE(review): if the dropped packets in the bug are on the return path of
# a stateful session, pflog would show which rule/state they failed against
# — these stateless rules only cover "out", not the inbound leg.
pass out from <myoips> to any flags A/A no state
pass out from <myoips> to any flags R/R no state
pass out from <myoips> to any flags F/F no state

# pbr block
#pass in reply-to ($ppicif $ppicgw) from any to 91.206.243.0/24
pass from 91.206.243.0/24 to 91.206.243.0/24
pass from <rfc1918> to 91.206.243.0/24

# passing all out
# Catch-all stateful egress; the route-to variants pin traffic sourced from
# an uplink address to that uplink's gateway.
pass out proto { icmp, tcp, udp, gre } from any to any
pass out route-to ($picif $picgw) proto { icmp, tcp, udp, gre } from $mypicip to any
pass out route-to ($ppicif $ppicgw) proto { icmp, tcp, udp, gre } from $myppicip to any
pass out route-to ($ertkif $ertkgw) proto { icmp, tcp, udp, gre } from $myertkip to any

# blocking scanners
# <scanners> is not declared in this file (see the table section).
block in log quick proto tcp from <scanners> to <myoips> port 22

# ssh
pass in proto tcp from any to <myoips> port 22
pass in on $picif reply-to ($picif $picgw) proto tcp from any to $mypicip port 22
pass in on $ppicif reply-to ($ppicif $ppicgw) proto tcp from any to $myppicip port 22
pass in on $ertkif reply-to ($ertkif $ertkgw) proto tcp from any to $myertkip port 22

# web
#
# These are known to add HUGE regression on pps performance
#
pass in proto tcp from any to <myoips> port { 80, 443, 8080 } no state
pass in on $picif reply-to ($picif $picgw) proto tcp from any to $mypicip port { 80, 443, 8080 }
pass in on $ppicif reply-to ($ppicif $ppicgw) proto tcp from any to $myppicip port { 80, 443, 8080 }
pass in on $ertkif reply-to ($ertkif $ertkgw) proto tcp from any to $myertkip port { 80, 443, 8080 }

pass in on $iifs proto tcp from any to <myoips> port { 80, 443, 8080 }

# pop3/imap4
# to harsh
pass in proto tcp from any to <myoips> port { 110, 143, 993 }
pass in on $picif reply-to ($picif $picgw) proto tcp from any to $mypicip port { 110, 143, 993 }
pass in on $ppicif reply-to ($ppicif $ppicgw) proto tcp from any to $myppicip port { 110, 143, 993 }
pass in on $ertkif reply-to ($ertkif $ertkgw) proto tcp from any to $myertkip port { 110, 143, 993 }
pass in on $iifs proto tcp from any to <myoips> port { 110, 143, 993 }

# gre
pass proto gre no state

# dns
pass in proto { tcp, udp } from any to <myoips> port 53
pass in on $picif reply-to ($picif $picgw) proto { tcp, udp } from any to $mypicip port 53
pass in on $ppicif reply-to ($ppicif $ppicgw) proto { tcp, udp } from any to $myppicip port 53
pass in on $ertkif reply-to ($ertkif $ertkgw) proto { tcp, udp } from any to $myertkip port 53

# ftp
## control
pass in proto tcp from any to <myoips> port 21
pass in on $picif reply-to ($picif $picgw) proto tcp from any to $mypicip port 21
pass in on $ppicif reply-to ($ppicif $ppicgw) proto tcp from any to $myppicip port 21
pass in on $ertkif reply-to ($ertkif $ertkgw) proto tcp from any to $myertkip port 21

## data-passive
# Opens the whole 49152-65535 range on <myoips> inbound, not just the FTP
# server's configured passive window.
pass in proto tcp from any to <myoips> port 49152:65535
pass in on $picif reply-to ($picif $picgw) proto tcp from any to $mypicip port 49152:65535
pass in on $ppicif reply-to ($ppicif $ppicgw) proto tcp from any to $myppicip port 49152:65535
pass in on $ertkif reply-to ($ertkif $ertkgw) proto tcp from any to $myertkip port 49152:65535

# smtp
# SMTP to/from our addresses is passed statelessly in both directions.
pass proto tcp from <myoips> to any port 25 no state
pass proto tcp from any to <myoips> port 25 no state
pass proto tcp from <myoips> port 25 to any no state
pass proto tcp from any to <neighborertkips> port 25 no state
pass in on $picif reply-to ($picif $picgw) proto tcp from any to $mypicip port 25
pass in on $ppicif reply-to ($ppicif $ppicgw) proto tcp from any to $myppicip port 25
pass in on $ertkif reply-to ($ertkif $ertkgw) proto tcp from any to $myertkip port 25

# rspamd web
pass in proto tcp from <emz> to <myoips> port 11334

# mpd
pass in proto tcp from any to <myoips> port 1723
pass in on $picif reply-to ($picif $picgw) proto tcp from any to $mypicip port 1723
pass in on $ppicif reply-to ($ppicif $ppicgw) proto tcp from any to $myppicip port 1723
pass in on $ertkif reply-to ($ertkif $ertkgw) proto tcp from any to $myertkip port 1723

pass out route-to ($picif $picgw) proto gre from $mypicip to any
pass out route-to ($ppicif $ppicgw) proto gre from $myppicip to any
pass out route-to ($ertkif $ertkgw) proto gre from $myertkip to any

# bgp
pass in proto tcp from <bgppeers> to <myoips> port 179
pass in on $picif reply-to ($picif $picgw) proto tcp from $picgw to $mypicip port 179
pass in on $ppicif reply-to ($ppicif $ppicgw) proto tcp from $ppicgw to $myppicip port 179
pass in on $ertkif reply-to ($ertkif $ertkgw) proto tcp from $ertkgw to $myertkip port 179

# Runtime block list (<blocked> is not declared in this file). Being "quick"
# it overrides every non-quick pass above it, but not the quick passes
# (pfsync/carp, the igb1 8080 rules) nor traffic already passed by "rdr pass".
block in log quick from <blocked> to any

# public wifi
# Serge's dacha router
pass in quick on vlan10 from $pubwifinet to 192.168.1.129
pass in quick on vlan10 from $pubwifinet to $pubwifinet
# The quick block stops guest traffic towards private space before the
# catch-all "pass in on vlan10" can accept it.
block in log quick on vlan10 from $pubwifinet to <rfc1918>
pass in on vlan10

# vlan250 - free internet access
pass in on vlan250 from <rfc1918> to !<rfc1918>

pass on vpn no state

# emz office
# Unrestricted inbound (all protocols) from one administrator address.
pass in from 94.50.161.126 to any

# pbr block
# Dead rule: $asif is in "set skip".
pass quick on $asif inet from 91.206.242.0/29 to 91.206.242.0/29

block log on vlan1 proto tcp from any to 192.168.0.248 port 21

# blocking vlan9
block in log on vlan9 from 192.168.2.0/24 to 192.168.0.0/24
block out log on vlan9 from 192.168.0.0/24 to 192.168.2.0/24

# blocking stuff
# Placed after the generic service passes so that, by last-match, these
# ports are closed on the uplinks even where an earlier rule passed them.
block in log on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto tcp from any to any port { 199, 587, 2049, 2121, 2222, 1433, 2601, 2605, 3306, 5900 }

# banned ips
block in log on { $picif, $ppicif, $myvpnif, $synif } proto tcp from <bannedips> to any port { 20, 21, 112, 1433, 8080 }

# allowed mssql from known hosts
# Re-opens 1433 (redirected to 192.168.0.240 above) for <trustedmssql> only;
# the table is empty as shipped.
pass in on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto tcp from <trustedmssql> to any port 1433

# vbox vnc
block in log proto tcp from any to any port 5900
pass in proto tcp from 46.146.194.196 to $myasip port 5900
pass in proto tcp from 46.146.194.196 to 91.206.242.0/23 port 5900

# mssql translated via haproxy
pass in on { $picif, $ppicif, $myvpnif, $synif } proto tcp from any to 91.206.242.6 port 112

# blocking DNS flood to the old router
block in log on { $picif, $ppicif, $myvpnif, $synif } proto udp from any to 91.206.242.5 port 53

# svn to freebsd
pass on $iifs proto tcp from any to 213.138.116.72 port 3690

# external monitoring
# SNMP is only accepted from the two named monitoring sources.
pass in on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto udp from $monitoring to <myoips> port 161
# NSDI
pass in on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto udp from $nsdi to <myoips> port 161

# 3proxy outside
# Proxy port 3131 is reachable from any source on all uplinks.
pass in on { $picif, $ppicif, $myvpnif, $synif, $ertkif } proto tcp from any to <myoips> port 3131

# IKE/l2tp
pass in proto udp from any to $myasip port 500
pass in proto udp from any to $myasip port 4500
# ESP
pass proto esp from $myasip to any
pass proto esp from any to $myasip

# asterisk block
pass in proto udp from <pbxes> to $asterisk
pass out proto udp from $asterisk to <pbxes>