----- Original Message -----
| ----- Original Message -----
| | Hi All,
| |
| | I've been battling this issue for a couple of days now and I'm hoping
| | someone might have a possible fix for it. Any help is greatly appreciated.
| |
| | I have a workstation which is on a network routed through a VPN client
| | device. The clients are on VLAN 304 with an address range of
| | 192.168.18.0 - 192.168.18.128 (192.168.18.0/25).
| | This VPN client device is connected to a VPN concentrator.
| | The VPN concentrator is on VLAN 300 with the IP address 192.168.1.141.
| | The upper 128 IP addresses are also in VLAN 304 but have a default
| | route of 192.168.18.254.
| | I have an OpenBSD bridge / firewall with several VLANs on it. It
| | bridges VLANs provided by Network Services, who have recently taken
| | over our routing, and our VLANs.
| | The bridge VLANs in question are as follows:
| |
| | Network Services    Our VLAN
| | 310                 300 = bridge300
| | 314                 304 = bridge304
| |
| |
| | The problem is that traffic from a host on the 192.168.18.0/25
| | (192.168.18.90) seems to be getting blocked by my rules. For example
| | if I ping a host on VLAN 300 (192.168.1.59) from VLAN 304
| | (192.168.18.90) the packet is dropped as it is found to match my
| | default block rule for traffic passing to the public side of the
| | bridge.
| |
| | If I add a default route on the 192.168.1.59 host for 192.168.18.0/25
| | to 192.168.1.254, traffic passes. It also passes if I remove the
| | default block rule.
| | It also looks like every packet is passing through the firewall twice,
| | in and out, but the second packet is the one being blocked.
| |
| | Block logs: Attempt to connect to a web server
| | ----------------------------------------------
| | Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310: 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]
| |
| |
| | Pass Logs: Pinging 192.168.18.90 host from 192.168.1.251 host
| | ---------------------------------------------------------------
| | Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310:
| | 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| | Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310:
| | 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| |
| |
| | PF Rules
| | =========
| | NS_LAN1="vlan310"
| | NS_LAN2="vlan314"
| | LAN1="vlan300"
| | LAN2="vlan304"
| |
| | <snip>
| | # don't do any filtering on these devices
| | # only "public" side is filtered since you only
| | # need to filter on one side of the bridge
| | set skip on { lo $NS_LAN2 $LAN2 $LAN1 }
| |
| | # scrub incoming packets
| | match in all scrub (no-df)
| |
| | # block any host deemed for whatever reason to be bad
| | # be meaner and just drop them which will use resources
| | # of the attacker slightly longer
| | block drop from <bad_hosts>
| | block drop from <blacklist_hosts>
| |
| | # By default, do not permit remote connections to X11
| | # all X11 traffic should be tunnelled through SSH
| | block in quick on ! lo0 proto tcp to port 6000:6010
| |
| | # Allow ping and traceroute through
| | pass quick log (to pflog1) inet proto icmp from any to any icmp-type echoreq keep state
| |
| | # traffic from these hosts should never be blocked
| | pass quick from <whitelist_hosts>
| | pass to <whitelist_hosts>
| |
| | ### LAN1 RULES ###
| | ###
| | # Block access to FASNET
| | block in log on $NS_LAN1 all
| |
| | # use modulate state to generate stronger ISNs on outgoing packets
| | # for OSs that don't already generate them
| | pass out quick log (to pflog1) on $NS_LAN1
|
| I should also mention that I tried adding a pass quick on $NS_LAN1
| from 192.168.18.0/25 rule and this did not solve the problem either.
Problem solved. No worries. Move along, nothing to see here.
--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : [email protected]
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
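Added example, not part of the thread above: a small Python parser for the tcpdump-on-pflog lines quoted in the original message, with two checks a firewall admin would run on them while troubleshooting a bridge like this one. It tallies blocked packets per (rule, direction, interface), and it lists flows that were logged both "in" and "out" on the same interface, which is the "every packet passes through the firewall twice" pattern the poster noticed on the bridge member. The sample log embeds the three lines from the thread plus one constructed block line; the protocol guess (icmp / udp / otherwise tcp) is an assumption based on how tcpdump prints these records, not a pflog feature.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Line shape as quoted in the thread (tcpdump reading pflog):
#   Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310: \
#       192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+) > (?P<dst>[^:\s]+): (?P<rest>.*)$"
)

# Three lines from the thread plus one constructed RST/SYN line (marked).
SAMPLE_LOG = """\
Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310: 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]
Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310: 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310: 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
Jul 07 19:52:01.000000 rule 10/(match) block in on vlan310: 192.168.18.90.2264 > 192.168.1.167.80: S 100:100(0) win 65535 (DF)
"""  # last line is constructed for the example, not from the thread


@dataclass(frozen=True)
class PfLogEntry:
    ts: str
    rule: int
    action: str       # pass | block
    direction: str    # in | out
    ifname: str
    proto: str        # icmp | udp | tcp (assumed from tcpdump's output style)
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    detail: str       # everything after the endpoints (flags, icmp type, ...)

    @property
    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def _split_endpoint(endpoint, proto):
    # tcpdump prints TCP/UDP endpoints as host.port; ICMP endpoints have no port.
    if proto == "icmp":
        return endpoint, None
    host, _, port = endpoint.rpartition(".")
    return host, int(port)


def parse_line(line):
    """Parse one pflog line; return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("icmp"):
        proto = "icmp"
    elif rest.startswith("udp"):
        proto = "udp"
    else:
        proto = "tcp"  # tcpdump shows TCP as flags + seq, e.g. "R 1:1(0) ack 1"
    src, sport = _split_endpoint(m.group("src"), proto)
    dst, dport = _split_endpoint(m.group("dst"), proto)
    return PfLogEntry(m.group("ts"), int(m.group("rule")), m.group("action"),
                      m.group("dir"), m.group("ifname"), proto,
                      src, sport, dst, dport, rest)


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def blocks_by_rule(entries):
    """Blocked packets per (rule number, direction, interface)."""
    return Counter((e.rule, e.direction, e.ifname)
                   for e in entries if e.action == "block")


def flows_seen_both_ways(entries):
    """Flows logged both 'in' and 'out' on the same interface: the
    'packet passes the firewall twice' signature on a bridge member."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e.ifname, e.flow)].add(e.direction)
    return sorted((k for k, d in seen.items() if d == {"in", "out"}), key=str)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for key, n in blocks_by_rule(entries).items():
        print("blocked by rule %d %s on %s: %d packet(s)" % (key + (n,)))
    for ifname, flow in flows_seen_both_ways(entries):
        print("seen in and out on %s: %s" % (ifname, flow))
```

Run it against `tcpdump -n -e -ttt -r /var/log/pflog` output (or `tcpdump -n -e -ttt -i pflog1` for the `log (to pflog1)` rules in the ruleset) to see which rule and direction is dropping a flow you expected to pass; with `set skip` on the inside interfaces, anything that shows up blocked will be on the public-side VLAN, as in the quoted logs.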