* Jimmy Scott <[EMAIL PROTECTED]> [051113 12:35]:
> Hi misc@,
>
> I finally had some time to rearrange my network, and split it into 3
> parts: LAN, DMZ, WAN.
>
> Basically, the LAN (172.20) may not access the DMZ (172.16), but host
> 172.20.1.10 can. The DMZ may not access the LAN, and both can go to the
> WAN.
>
> But for some reason, when I create state from 172.20.1.10 to 172.16.x.x,
> the packet coming back gets blocked, which should not happen because the
> state would be checked first, and the state really is created?!
>
> I tried setting 'set state-policy floating' explicitly, but no advance.
> Does someone know what the problem is here? I had a ruleset with a bunch
> of 'quick' rules before instead of this, but had the same problem.
>
> tcpdump on pflog:
> 18:12:16.483526 rule 12/(match) pass in on sis2: 172.20.1.10.57132 >
> 172.16.0.5.ssh: [|tcp]
> 18:12:16.483960 rule 21/(match) block in on sis1: 172.16.0.5.ssh >
> 172.20.1.10.57132: [|tcp]
>
> grep on state:
> # pfctl -s state|grep 172.16.0.5
> all tcp 172.16.0.5:22 <- 172.20.1.10:57132       CLOSED:SYN_SENT
>
> kernel:
> OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
> [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
>
> rules:
> scrub in all no-df fragment reassemble
> scrub out all no-df random-id fragment reassemble
> block drop in log all
> block drop log inet6 all
> block drop in log quick on sis0 from any to (sis0:broadcast)
> block drop in log quick on sis0 from <intruders> to any
> pass log quick on lo0 inet from 127.0.0.0/8 to any
> pass log quick on lo0 inet6 from ::1 to any
> pass in log on sis2 inet proto tcp from 172.20.0.0/16 to any modulate state
> pass in log on sis2 inet proto udp from 172.20.0.0/16 to any keep state
> pass in log on sis2 inet proto icmp from 172.20.0.0/16 to any keep state
> block drop in log on sis2 inet proto tcp from any to 172.16.0.0/16
> block drop in log on sis2 inet proto udp from any to 172.16.0.0/16
> block drop in log on sis2 inet proto icmp from any to 172.16.0.0/16
> pass in log on sis2 inet proto tcp from 172.20.1.10 to 172.16.0.0/16 keep state
> pass in log on sis2 inet proto udp from 172.20.1.10 to 172.16.0.0/16 keep state
> pass in log on sis2 inet proto icmp from 172.20.1.10 to 172.16.0.0/16 keep state
> pass out log on sis2 inet proto tcp from 172.20.0.1 to 172.20.0.0/16 keep state
> pass out log on sis2 inet proto udp from 172.20.0.1 to 172.20.0.0/16 keep state
> pass out log on sis2 inet proto icmp from 172.20.0.1 to 172.20.0.0/16 keep state
> pass in log on sis1 inet proto tcp from 172.16.0.0/16 to any modulate state
> pass in log on sis1 inet proto udp from 172.16.0.0/16 to any keep state
> pass in log on sis1 inet proto icmp from 172.16.0.0/16 to any keep state
> block drop in log on sis1 inet proto tcp from any to 172.20.0.0/16
> block drop in log on sis1 inet proto udp from any to 172.20.0.0/16
> block drop in log on sis1 inet proto icmp from any to 172.20.0.0/16
> pass out log on sis1 inet proto tcp from 172.16.0.1 to 172.16.0.0/16 keep state
> pass out log on sis1 inet proto udp from 172.16.0.1 to 172.16.0.0/16 keep state
> pass out log on sis1 inet proto icmp from 172.16.0.1 to 172.16.0.0/16 keep state
> [sis0 rules snipped]
>
> Kind regards,
> Jimmy Scott
>
> --
> The Four Horsemen of the Apocalypse: Death, Famine, War, and SNMP
I think you might have the concept of "in" and "out" rules confused.
Visualize yourself sitting in the computer between the three interfaces.
From that perspective, "in" rules mean a packet coming from a remote host
to you through one of those interfaces. Conversely, "out" rules mean a
packet leaving from the local machine to some remote host.

Give something like this a whirl for starters. Caution, I have not tested
these! You also likely need to allow packets from the Internet into your
DMZ.

# pf.conf
scrub in all no-df fragment reassemble
scrub out all no-df random-id fragment reassemble
block drop in log all
block drop log inet6 all
block drop in log quick on sis0 from any to (sis0:broadcast)
block drop in log quick on sis0 from <intruders> to any
pass log quick on lo0 inet from 127.0.0.0/8 to any
pass log quick on lo0 inet6 from ::1 to any

# LAN interface
pass in on sis2 inet proto tcp \
        from 172.20.0.0/16 to !172.16.0.0/16 modulate state
pass in on sis2 inet proto udp \
        from 172.20.0.0/16 to !172.16.0.0/16 keep state
pass in on sis2 inet proto icmp \
        from 172.20.0.0/16 to !172.16.0.0/16 keep state
pass in on sis2 inet proto tcp \
        from 172.20.1.10 to any modulate state
pass in on sis2 inet proto udp \
        from 172.20.1.10 to any keep state
pass in on sis2 inet proto icmp \
        from 172.20.1.10 to any keep state
block out on sis2 all  # nothing gets out unless state or rule allows it
# not sure why you want these rules here, what's the firewall doing?
pass out on sis2 inet proto tcp \
        from 172.20.0.1 to 172.20.0.0/16 keep state
pass out on sis2 inet proto udp \
        from 172.20.0.1 to 172.20.0.0/16 keep state
pass out on sis2 inet proto icmp \
        from 172.20.0.1 to 172.20.0.0/16 keep state

# DMZ interface
pass in on sis1 inet proto tcp \
        from 172.16.0.0/16 to !172.20.0.0/16 modulate state
pass in on sis1 inet proto udp \
        from 172.16.0.0/16 to !172.20.0.0/16 keep state
pass in log on sis1 inet proto icmp \
        from 172.16.0.0/16 to !172.20.0.0/16 keep state
block out on sis1 all  # nothing gets out unless state or rule allows it
# not sure why you want these rules here, what's the firewall doing?
pass out on sis1 inet proto tcp \
        from 172.16.0.1 to 172.16.0.0/16 keep state
pass out on sis1 inet proto udp \
        from 172.16.0.1 to 172.16.0.0/16 keep state
pass out on sis1 inet proto icmp \
        from 172.16.0.1 to 172.16.0.0/16 keep state

# WAN interface
[sis0 rules snipped]

HTH,
Jim
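A toy simulation of the evaluation order the reply leans on (state table consulted first, then last matching rule wins unless 'quick', with "in"/"out" taken relative to the firewall), run over the packets from Jimmy's pflog. This is an added example written for this page, not pf's code and not from either poster; OP_RULES and JIM_RULES are constructed subsets of the two rulesets (tcp rules on sis1/sis2 only; lo0, sis0, udp and icmp omitted), and the model deliberately ignores scrub, logging, NAT and TCP sequence tracking, so it shows what the rules are meant to do rather than reproducing whatever pf 3.8 did on Jimmy's box.

```python
# Toy model of pf's evaluation order, run over the packets in this thread.
# Added example, not pf's source and not from either poster. It models only:
# the state table is checked before the ruleset; rules are read top to bottom
# and the LAST match wins unless 'quick'; 'keep state'/'modulate state' on a
# pass rule inserts a 5-tuple state the reply matches on any interface
# (floating state). scrub, log, NAT, ICMP and TCP sequence tracking are ignored.
from collections import namedtuple
from ipaddress import ip_address, ip_network

# "in": arriving from a remote host on iface; "out": leaving the firewall via
# iface. Both are relative to the firewall itself, which is Jim's point.
Packet = namedtuple("Packet", "iface direction proto src sport dst dport")

def addr_match(spec, addr):
    """'any', or a CIDR that may be negated with a leading '!'."""
    if spec == "any":
        return True
    inside = ip_address(addr) in ip_network(spec.lstrip("!"), strict=False)
    return inside != spec.startswith("!")

class Rule:
    # One rule, parsed from the subset of pf.conf syntax used in the thread.
    KEYWORDS = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}

    def __init__(self, text):
        tok = text.split()
        self.action = tok[0]                       # "pass" or "block"
        self.direction = self.iface = self.proto = None
        self.src = self.dst = "any"
        self.quick = self.keep_state = False
        i = 1
        while i < len(tok):
            t = tok[i]
            if t in ("in", "out"):
                self.direction = t
            elif t == "quick":
                self.quick = True
            elif t in self.KEYWORDS:
                i += 1
                setattr(self, self.KEYWORDS[t], tok[i])
            elif t in ("keep", "modulate"):
                self.keep_state = True             # followed by "state"
            i += 1   # "drop", "log", "inet", "all", "state" carry nothing here

    def matches(self, p):
        return (self.direction in (None, p.direction)
                and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and addr_match(self.src, p.src) and addr_match(self.dst, p.dst))

class Firewall:
    def __init__(self, ruleset):
        self.rules = [Rule(l) for l in ruleset.splitlines() if l.strip()]
        self.states = set()

    def evaluate(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:    # 1. state table first
            return "pass (state)"
        winner = None                                   # 2. last match wins
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return "pass (no rule matched)"             # pf's implicit default
        if winner.action == "pass" and winner.keep_state:
            self.states.add(fwd)
        return winner.action

# Constructed subset of Jimmy's tcp rules on sis1/sis2 (lo0 and sis0 omitted).
OP_RULES = """
block drop in log all
pass in log on sis2 inet proto tcp from 172.20.0.0/16 to any modulate state
block drop in log on sis2 inet proto tcp from any to 172.16.0.0/16
pass in log on sis2 inet proto tcp from 172.20.1.10 to 172.16.0.0/16 keep state
pass in log on sis1 inet proto tcp from 172.16.0.0/16 to any modulate state
block drop in log on sis1 inet proto tcp from any to 172.20.0.0/16
"""
# Constructed subset of Jim's proposal, including his "block out ... all" rules.
JIM_RULES = """
block drop in log all
pass in on sis2 inet proto tcp from 172.20.0.0/16 to !172.16.0.0/16 modulate state
pass in on sis2 inet proto tcp from 172.20.1.10 to any modulate state
block out on sis2 all
pass in on sis1 inet proto tcp from 172.16.0.0/16 to !172.20.0.0/16 modulate state
block out on sis1 all
"""
SYN = Packet("sis2", "in", "tcp", "172.20.1.10", 57132, "172.16.0.5", 22)
SYN_OUT = Packet("sis1", "out", "tcp", "172.20.1.10", 57132, "172.16.0.5", 22)
SYNACK = Packet("sis1", "in", "tcp", "172.16.0.5", 22, "172.20.1.10", 57132)
LAN_SYN = Packet("sis2", "in", "tcp", "172.20.1.50", 40000, "172.16.0.5", 22)

def trace_handshake(ruleset):  # SYN in on sis2, SYN out on sis1, SYN-ACK in on sis1
    fw = Firewall(ruleset)
    return fw.evaluate(SYN), fw.evaluate(SYN_OUT), fw.evaluate(SYNACK)
def reply_without_state(ruleset):  # the SYN-ACK with no prior state entry
    return Firewall(ruleset).evaluate(SYNACK)
def other_lan_host(ruleset):  # a LAN host other than 172.20.1.10 heading to the DMZ
    return Firewall(ruleset).evaluate(LAN_SYN)
```

trace_handshake(OP_RULES) returns ('pass', 'pass (state)', 'pass (state)'): the SYN is passed by the last matching rule (the 172.20.1.10 pass rule, which sits after the sis2 block rule), that rule creates state, and the SYN-ACK arriving in on sis1 is answered from the state table before the sis1 block rule is ever consulted, which is the behaviour Jimmy expected. reply_without_state() returns 'block' under both rulesets, showing which rule takes over for that packet once no state entry matches. other_lan_host() also returns 'block' under both: with Jimmy's rules because the later block rule outranks the earlier pass, with Jim's because the !172.16.0.0/16 negation leaves only the default block matching.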