multiple publicIPs

Thu, 04 May 2006 09:32:40 -0700 

Hello everyone,

                                                            INTERNET
                                                                  ^
                                                                  |
                                          x - - - - - [SWITCH] - - - -
- - - - - - - - - x
                            [PF central firewall]  [Several public IPs
for different services]

I am running a network with several public IP addresses that are used
for different services and I used PF with a dedicated box (see
illustrated) to control incoming and outgoing packets onto and from
these public IPs. I have not been able to notice until such time that
they were exposed to a different types of probes such as ping, use of
port scanner, etc from the Internet. Below are the rules I used to
supposedly block incoming packets to my public IPs.

Just for your info, I used the gateway address provided by my ISP not
the IP on my PF box.

----------------------------
# M A C R O S
ext_if="sis0"
int_if="xl0"
serversPUB="{ my.pub.lic.1, my.pub.lic.2, my.pub.lic.3, etc... }"
www_virt="my.pub.lic.1"

# O P T I O N S
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo0

# N O R M A L I Z A T I O N
scrub in all

# N A T  /  R D R
#xlation gateway

# F I L T E R
#protect public and local address [ incoming, outgoing ]
block all
pass quick on lo0 all
antispoof log quick for { $ext_if, $int_if } inet

block drop in on $ext_if inet from any to $serversPUB
pass in on $ext_if proto tcp from any to $www_virt port { www, https }
flags S/SA \
                 synproxy state
--------------------------------------

As you can see only a few rules are put here above just to give you an
idea how I did the blocking. The other rules with my services so far
are continuously going well. I just don't want to permit incoming
packets directly to my publicIPs that is why I have the PF as my
firewall to centrally manage incoming and outgoing.

On the above BLOCK rule, i supposed it blocks all incoming packets on
$ext_if through $serversPUB. Unfortunately it doesn't. I have bought
openbsd books including the Building firewall with OpenBSD pf by Jacek
and read lots of articles about rules in pf but haven't find one that
is similar to my setup, everything uses NAT / RDR to access services
(e.g. webserver, etc). Here, I didn't use rdr because it uses a public
IP as stated in MACROS.

I appreciate your help so much. 

Thanks,
-Sparc

Reply via email to