Port 22 blocked in out

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Port 22 blocked in out

Post by redskate » Sat Apr 09, 2016 2:03 pm

Hello

Sorry for this dumb question of mine.

I configured PF with
- inbound-per-service-block-rule (in prefs)
- outbound-per-service-block-rule (in prefs)
- skip loopback interface (in prefs)

Then I configured, in the inbound services, for instance SSH to be open for the 10-net.

I am having some problems running SVN (uses 22) while PF is running.

I guess the out-bound-per-service-block-rule blocks everything, so I added a rule to open up "port 22 inet"

Still not working ... I was thinking that with a restrictive outbound policy, a custom rule like
pass out log on en0 init proto {tcp, udp} from {any} to {any} port 22
would make it possible to get through.

Furthermore the same custom rule is not visible in PF even after Murus test+play using
pfctl -sr
and not visible in the rule browser.

What is my mistake?
How can I use in both directions port 22 ?

Thanks

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Port 22 blocked in out

Post by redskate » Sat Apr 09, 2016 2:23 pm

I even unchecked both inbound- and outbound preserve blocks - still SVN service on port 22 seems to be blocked.

Turning off Murus permits the SVN connection

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Port 22 blocked in out

Post by redskate » Sat Apr 09, 2016 3:01 pm

I had a look at the rule content of /etc/murus/murus.inbound and of course I discovered that its content differs much from the actually loaded pf rules.
For instance, this is my current test configuration (only the file murus.inbound):
table <bruteforce> { } persist
block in quick from <bruteforce> to any
block in log proto {tcp, udp} from any to any port {1:65535}
pass in log proto {tcp, udp} from <10-net> to any port {1:65535} flags S/SA keep state
block in proto tcp from any to any port {22}
pass in log proto tcp from <10-net> to any port {22} flags S/SA keep state
block in proto tcp from any to any port {80 443}
pass in log proto tcp from <10-net> to any port {80 443} flags S/SA keep state
block in log proto {tcp, udp} from any to any port {1:1023}
pass in log proto {tcp, udp} from <10-net> to any port {1:1023} flags S/SA keep state
block in proto {tcp, udp} from any to any port {49152:65535}
pass in proto {tcp, udp} from <10-net> to any port {49152:65535} flags S/SA keep state
block in log proto tcp from any to any port {548 88 10548}
pass in log proto tcp from <192.168-net> to any port {548 88 10548} flags S/SA keep state
pass in log proto tcp from <10-net> to any port {548 88 10548} flags S/SA keep state
pass in log proto tcp from <172.16-net> to any port {548 88 10548} flags S/SA keep state
pass in log proto tcp from <IPv6-net> to any port {548 88 10548} flags S/SA keep state
block in log proto {tcp, udp} from any to any port {137 138 139 445}
pass in log proto {tcp, udp} from <192.168-net> to any port {137 138 139 445} flags S/SA keep state
pass in log proto {tcp, udp} from <10-net> to any port {137 138 139 445} flags S/SA keep state
pass in log proto {tcp, udp} from <172.16-net> to any port {137 138 139 445} flags S/SA keep state
pass in log proto {tcp, udp} from <IPv6-net> to any port {137 138 139 445} flags S/SA keep state
block in log proto {tcp, udp} from any to any port {631 515 9100}
pass in log proto {tcp, udp} from <192.168-net> to any port {631 515 9100} flags S/SA keep state
pass in log proto {tcp, udp} from <10-net> to any port {631 515 9100} flags S/SA keep state
pass in log proto {tcp, udp} from <172.16-net> to any port {631 515 9100} flags S/SA keep state
pass in log proto {tcp, udp} from <IPv6-net> to any port {631 515 9100} flags S/SA keep state
block in log proto {tcp, udp} from any to any port {3283 5988 5900}
pass in log proto {tcp, udp} from <192.168-net> to any port {3283 5988 5900} flags S/SA keep state
pass in log proto {tcp, udp} from <10-net> to any port {3283 5988 5900} flags S/SA keep state
pass in log proto {tcp, udp} from <172.16-net> to any port {3283 5988 5900} flags S/SA keep state
pass in log proto {tcp, udp} from <IPv6-net> to any port {3283 5988 5900} flags S/SA keep state
pass in log proto tcp from any to any port {5900 88} flags S/SA keep state
block in log proto {tcp, udp} from any to any port {3128 8080}
pass in log proto {tcp, udp} from <192.168-net> to any port {3128 8080} flags S/SA keep state
pass in log proto {tcp, udp} from <10-net> to any port {3128 8080} flags S/SA keep state
pass in log proto {tcp, udp} from <172.16-net> to any port {3128 8080} flags S/SA keep state
pass in log proto {tcp, udp} from <IPv6-net> to any port {3128 8080} flags S/SA keep state
block in proto {tcp, udp} from any to any port {1110}
block in proto {tcp, udp} from any to any port {3307}
block in proto {tcp, udp} from any to any port {4000}
block in proto {tcp, udp} from any to any port {4070}
block in proto {tcp, udp} from any to any port {53 67 68 123 389 636 5353 5354}
pass in proto {tcp, udp} from <10-net> to any port {53 67 68 123 389 636 5353 5354} flags S/SA keep state
block in proto {tcp, udp} from any to any port {8010}
block in proto {tcp, udp} from any to any port {8087}
block in proto {tcp, udp} from any to any port {8444}
block in proto {tcp, udp} from any to any port {8524}
block in proto {tcp, udp} from any to any port {9292}
block in proto {tcp, udp} from any to any port {10000}
block in proto {tcp, udp} from any to any port {8888}
pass in proto {tcp, udp} from <192.168-net> to any port {8888} flags S/SA keep state
pass in proto {tcp, udp} from <10-net> to any port {8888} flags S/SA keep state
pass in proto {tcp, udp} from <172.16-net> to any port {8888} flags S/SA keep state
pass in proto {tcp, udp} from <IPv6-net> to any port {8888} flags S/SA keep state
pass in proto {tcp, udp} from any to any port {16403:16472 16393:16402 16384:16403 3261 5190 5222 5269 5297 5298 5678 7777} flags S/SA keep state
The config containing this murus.inbound passes and after I inserted the Murus rules into PF, the command
pfctl -sr
gives me:
pass quick on awdl0 all no state
pass quick on p2p0 all no state
pass on utun0 all no state
pass on utun1 all no state
block drop in quick from <_blacklist> to any label "BlackList_IN"
block drop out quick from any to <_blacklist> label "BlackList_OUT"
block return in log quick from <_adservers> to any label "adservers_IN"
block return out log quick from any to <_adservers> label "adservers_OUT"
block drop in quick from <sshguard> to any label "SSHGuard"
block drop in log quick from <_threats> to any label "Threats_IN"
block drop out log quick from any to <_threats> label "Threats_OUT"
block drop in quick from no-route to any
block drop in quick from urpf-failed to any
block drop log inet all label "Block_V4"
block drop log inet6 all label "Block_V6"
pass proto icmp all keep state
pass in quick proto udp from any port = 5353 to any port = 5353 keep state allow-opts
pass out quick proto udp from any port = 5353 to any port = 5353 keep state allow-opts
pass out quick proto tcp from any port = 68 to any port = 67 flags S/SA keep state
pass out quick proto udp from any port = 68 to any port = 67 keep state
pass in quick proto tcp from any port = 67 to any port = 68 flags S/SA keep state
pass in quick proto udp from any port = 67 to any port = 68 keep state
pass quick inet6 proto udp from any to any port = 546 keep state
pass inet6 proto ipv6-icmp all icmp6-type echoreq keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type groupqry keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type grouprep keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type groupterm keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type routersol keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type routeradv keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type neighbradv keep state allow-opts
pass inet6 proto ipv6-icmp all icmp6-type 143 keep state allow-opts
pass proto igmp all keep state allow-opts
pass quick inet from any to 224.0.0.0/4 flags S/SA keep state allow-opts
pass quick inet6 from any to ff00::/8 flags S/SA keep state allow-opts
anchor "murus.inbound" all label "Inbound"
anchor "murus.outbound" all label "Outbound"
anchor "murus.inspector" all label "Inspector"
anchor "murus.custom" all label "Custom_Rules"
I noted that no SVN (port 22) and no browsing (ports 80 and 443) are permitted by this configuration ...

Why?

hany
Posts: 482
Joined: Wed Dec 10, 2014 5:20 pm

Re: Port 22 blocked in out

Post by hany » Sat Apr 09, 2016 5:28 pm

I really advise you to read the Murus manual and see documentation and tutorials because you are missing some very basic Murus and PF concepts :)
> I had a look at the rule content of /etc/murus/murus.inbound and of course I discovered that its content differs much from the actually loaded pf rules.
PF runtime rules are kept in a tree-like structure, like files and folders. What you see with the "pfctl -sr" command is only the root of the PF configuration. Much of the PF configuration lives in anchors. Everything is explained in the Murus manual and the PF manual.
Another thing you must consider is that PF expands rules. So runtime rules are always different from the rules stored in files. Please see the documentation for more information :)
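An added shell illustration of the two points in the reply above (this is not code from the thread or from Murus): a plain `pfctl -sr` lists only the root of the tree, so a rule that lives in an anchor such as murus.custom is found only by walking the anchors the root references, and inside an anchor pf shows the expanded form of each rule. The rule texts below are constructed samples standing in for pfctl output: the root is trimmed from the thread's own listing, while the anchor contents (including the expansion of `port 22` into `port = 22` and one runtime rule per protocol) are assumed for the sake of the example. The `rules_in` function is a stand-in for `sudo pfctl -a PATH -sr` so the script runs offline.

```shell
#!/bin/sh
# Added illustration (not Murus code): why a rule inside an anchor is invisible
# to a plain `pfctl -sr`, and how to walk the anchor tree to find it.
# All rule text here is CONSTRUCTED sample output standing in for pfctl; on a
# real machine replace rules_in with `sudo pfctl -a "$path" -sr`.

# Root ruleset as `pfctl -sr` prints it (trimmed copy of the thread's output).
ROOT_RULES='block drop log inet all label "Block_V4"
block drop log inet6 all label "Block_V6"
pass proto icmp all keep state
anchor "murus.inbound" all label "Inbound"
anchor "murus.outbound" all label "Outbound"
anchor "murus.custom" all label "Custom_Rules"'

# Assumed contents of two anchors as pf would show them after expansion: the
# braces in the source file become one runtime rule per member and `port 22`
# becomes `port = 22`. Constructed, not dumped from a real machine.
INBOUND_RULES='block drop in proto tcp from any to any port = 22
pass in log proto tcp from <10-net> to any port = 22 flags S/SA keep state'
CUSTOM_RULES='pass out log on en0 inet proto tcp from any to any port = 22 flags S/SA keep state
pass out log on en0 inet proto udp from any to any port = 22 keep state'

# rules_in PATH: stand-in for `sudo pfctl -a PATH -sr` ("/" is the root).
rules_in() {
    case "$1" in
        /)              printf '%s\n' "$ROOT_RULES" ;;
        murus.inbound)  printf '%s\n' "$INBOUND_RULES" ;;
        murus.custom)   printf '%s\n' "$CUSTOM_RULES" ;;
        *)              : ;;   # empty anchor (murus.outbound in this sample)
    esac
}

# list_anchors: read a ruleset on stdin, print the anchor names it references.
list_anchors() {
    sed -n 's/^anchor "\([^"]*\)".*/\1/p'
}

# find_port_rules PORT: print "PATH: rule" for every rule that names PORT,
# searching the root first and then every anchor the root references.
find_port_rules() {
    port=$1
    for path in / $(rules_in / | list_anchors); do
        rules_in "$path" | grep -E "port = ${port}( |$)" | sed "s|^|${path}: |"
    done
}

# count_port_rules PORT: how many rules mention PORT anywhere in the tree.
count_port_rules() {
    find_port_rules "$1" | grep -c .
}

# Demonstration: none of the port-22 rules shows up at the root, all of them
# sit inside anchors.
find_port_rules 22
```

Run as-is to see the four port-22 rules with the anchor each one lives in; the root contributes none, which is exactly what a bare `pfctl -sr` shows. On a real Mac, point `rules_in` at `sudo pfctl -a "$1" -sr` and the same walk reports where a custom rule actually landed.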

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Port 22 blocked in out

Post by redskate » Sat Apr 09, 2016 7:49 pm

Hi, thank you for your suggestion. I did read the manual, but of course my knowledge is not as firm as yours. Indeed I am hoping to continue developing my things in Java, but I am still stuck in PF ...

Yes, I read the manual - but I think I will not pass the exam yet. I am aware of the fact that there is a logical rule tree structure where Murus interprets rules and that pf is just the (final) operating engine. So all that tree is kind of "hidden" to me ... on the one hand it is the intelligence of Murus, but it forces me to reverse engineer it????

I was hoping to get more help anyway ...

I have not (yet) reverse engineered the nice anchor system; I thought I could avoid it, to tell the truth :( but it seems I have no other choice than to reverse engineer it and look up every detail ... Will I be finished by June?

AND: After a machine reboot the problem in this thread disappeared by itself ... anyway I do not think it is a good thing to reboot a machine to get things running ... is it ...

Thanks
Regards

hany
Posts: 482
Joined: Wed Dec 10, 2014 5:20 pm

Re: Port 22 blocked in out

Post by hany » Sat Apr 09, 2016 9:27 pm

Probably I misunderstood your needs.
I really did not understand what you are trying to do; it's really hard to help you. I'm trying.
However please believe me, you don't have to reverse engineer anything. There is absolutely nothing hidden.
Look, it's really easy...
PF rules are structured in anchors (= folders) and rules. Murus creates a complex ruleset made of rules and anchors. This ruleset is made of a bunch of files in /etc/murus and is read by the 'pfctl' command. This command reads the files and loads the rules at runtime. That's it.
Using Murus you have the runtime pf browser. Please use it instead of the terminal. You don't need the terminal; Murus displays all the information you need. By default the pf browser shows you the rules in the pf root. In the default view it tells you the current pf path in the toolbar. You change path by double clicking an anchor or clicking the arrows, to display its content. The PF browser also allows you to choose the tree view, so you see all rules in the same view; just click the corresponding button in the toolbar. You don't need any specific knowledge to use this thing :)
From the shell, you just have to look at the pfctl syntax. Again, there are examples in the Murus manual and the PF manual.
For example, to display the rules in the /murus.inbound anchor you type

sudo pfctl -a /murus.inbound -sr
> AND: After a machine reboot the problem in this thread disappeared by itself ... anyway I do not think it is a good thing to reboot a machine to get things running ... is it ...
You *never* need to reboot your machine when using Murus and changing pf rules. You just have to read the documentation about stateful firewalls, pf states, their persistence, the effect of their persistence, and how to kill them.
> I have not (yet) reverse engineered the nice anchor system; I thought I could avoid it
Please understand that Murus is a front end; there is absolutely *nothing* hidden, and nothing to be reverse engineered :) The purpose of Murus is to create plain text configuration files for the OS X built-in pfctl shell command. You find them in /etc/murus and you can see all runtime rules using the pfctl command (and its many options).
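An added shell illustration of the "states persist" point in the reply above (not code from the thread or from Murus): pf is stateful, so a connection that was established before a rule change keeps matching its existing state entry until that state expires or is killed, which is why a reboot appeared to "fix" things. The `STATES` text below is constructed sample output in the shape `pfctl -ss` prints (interface, protocol, endpoints, direction arrow, state); the functions pick out the states that involve a given port and print the `pfctl -k src -k dst` commands from pfctl(8) that would remove them, so the ruleset is re-evaluated for the next connection without rebooting. Only IPv4 endpoints are assumed, and the kill commands are printed rather than executed.

```shell
#!/bin/sh
# Added illustration (not Murus code): finding the pf state entries that keep
# an old decision alive for a port, and the pfctl commands that clear them.
# STATES is CONSTRUCTED sample `pfctl -ss` output; on a real machine pipe
# `sudo pfctl -ss` into these functions instead.

STATES='ALL tcp 10.0.1.23:51234 -> 10.0.1.10:22       ESTABLISHED:ESTABLISHED
ALL tcp 10.0.1.23:51240 -> 93.184.216.34:443   ESTABLISHED:ESTABLISHED
ALL tcp 10.0.1.10:22 <- 10.0.1.44:60012       ESTABLISHED:ESTABLISHED
ALL udp 10.0.1.23:5353 -> 224.0.0.251:5353     MULTIPLE:MULTIPLE'

# states_on_port PORT: print every state (read on stdin) where either endpoint
# uses PORT. Endpoints are "host:port"; IPv4 only is assumed here, since an
# IPv6 address contains colons and would need a smarter split.
states_on_port() {
    awk -v port="$1" '
        $3 ~ /:/ && $5 ~ /:/ {
            na = split($3, a, ":"); nb = split($5, b, ":")
            if (a[na] == port || b[nb] == port) print
        }'
}

# kill_cmds PORT: for each matching state print the pfctl invocation that
# removes the states between that host pair ("-k src -k dst" kills states
# from the first host to the second). With "<-" pf lists the state from the
# receiving side, so source and destination are swapped for that form.
# Commands are printed, not run, so they can be reviewed first.
kill_cmds() {
    states_on_port "$1" | awk '{
        na = split($3, a, ":"); nb = split($5, b, ":")
        src = a[1]; dst = b[1]
        if ($4 == "<-") { src = b[1]; dst = a[1] }
        printf "sudo pfctl -k %s -k %s\n", src, dst
    }'
}

# Demonstration on the constructed sample: two port-22 states survive, one in
# each direction, and two kill commands are produced for them.
printf '%s\n' "$STATES" | states_on_port 22
printf '%s\n' "$STATES" | kill_cmds 22
```

After clearing the states, the next SVN-over-SSH connection is matched against the current rules, which is the check to make before concluding that a rule is wrong rather than simply not yet in effect.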

redskate
Posts: 30
Joined: Tue Apr 05, 2016 8:08 pm

Re: Port 22 blocked in out

Post by redskate » Sun Apr 10, 2016 8:56 am

Excellent, hany.

Thank you for the hint on the Murus PF browser navigation feature. VERY NICE!
Thank you for the hints on the documentation; I will go straight to them.

Regards
