I am building an OpenBSD 5.7 +pf +pfsync +stp bridging firewall. It's 90% working great, but I have a mistake in my pf.conf, and I've been staring at it for days, and have not spotted my error.
Would anyone be willing to review my rules and point out my mistake?

-----------    ix0  -------------  ix1 ----------
|  world  |---------| pf bridge |------| switch |
-----------         -------------      ----------
                               \        /
                                \ ____ /
                                $man_if
ix0 connects from the WAN and is filtered and bridged to ix1, which is connected to the LAN switch
bond0 = $man_if (bnx0 + bnx1) is connected from the management interface on the bridge to the switch


My problem: ssh connections from the world to the management interface of the bridge are being blocked. ssh connections from the world to the switch are not, implying that my mistake is in my management interface rule block.

cat /etc/pf.conf

##JN general rules that apply to all interfaces and this specific server
set skip on lo          #ignore local interface
man_if="bond0"          #our Management vNIC is bond0 (bond: bnx0, bnx1)
br="ix0"                #This is a bridge, so only filter on one bridge interface
int_if="ix1"            #internal interface of bridge

#set block-policy drop          #drop packets rather than send rejections.
set block-policy return         #means we refuse packets, sending back a response
match in all scrub (no-df)      #means we reassemble all incoming packets to fix any overflows, etc.
block in log on $br all         #Default deny all in, exceptions must be listed below
pass out on $br all             #We trust ourselves, don't block outgoing
pass in quick on $int_if all    #don't filter on internal interface, only external
pass out quick on $int_if all   #don't filter on internal interface, only external
pass quick on pfsync0 proto pfsync keep state   #Allow pfsync to sync firewall states

#ICMP: allow ping from any network -JN
pass in on $br inet proto icmp from any icmp-type echoreq

#SSH: ssh ports protected from brute force by fail2ban, allow ssh into DMZ by default
pass in on any proto tcp from any to any port 22 keep state
pass out on any proto tcp from any to any port 22 keep state

##JN Rules for Firewalls
table <fw> { 140.142.217.141, 140.142.217.140 }  #JN Lister and Rimmer
pass out quick on $man_if all keep state        #We trust ourselves
##SSH: allow in from world, should be redundant, but SSH is being blocked -JN
pass in on $man_if proto tcp from any to <fw> port 22 keep state
##Block brute force attacks
table <bruteforce> persist
block quick log from <bruteforce>
pass log on $man_if inet proto tcp from any to any port ssh flags S/SA keep state (max-src-conn 100, \
        max-src-conn-rate 15/5, overload <bruteforce> flush global)


##JN Rules for Switch 140.142.217.135, the DMZ switch
table <sw135> { 140.142.217.135 }
#pass out on $br proto { tcp, udp, icmp } from <sw135>  to any keep state
##SSH: allow in from world, already allowed by default -JN
#pass  in  on $br proto tcp from any to <sw135> port 22 keep state


##Hacker IP Addresses [LEAVE THIS RULE LAST]
table <bad> { 202.131.227.252, 220.231.54.232, 200.118.119.48 } #addresses of known hackers
block drop in log quick on $br from <bad> to any


If anyone could point out why I can ssh into the LAN, but get blocked by sshing to the management interface of the firewall, you have my gratitude.


--
Thanks,
John Nyhuis
IT Manager, Stam Lab
2211 Elliott Avenue
6th Floor, 6S139
Seattle, WA 98121
O: (206)-267-1097 ext 220
F: (206)-441-3033
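To see which rule actually decides each path, here is an added Python model of pf's last-matching-rule-wins evaluation (with `quick` cutting evaluation short) over the inbound rules of the pf.conf above. It is not code from the post; it deliberately ignores state tracking, scrub and the fact that a bridged packet is seen by pf on more than one interface, the source address 198.51.100.7 is constructed, and the <bruteforce> table starts empty.

```python
# Simplified model of pf evaluation: rules are checked top to bottom and the LAST
# matching rule decides, unless a matching rule says "quick". Inbound rules only.
from dataclasses import dataclass
from typing import Optional

FW = {"140.142.217.141", "140.142.217.140"}                    # table <fw>
BRUTEFORCE: set = set()                                        # table <bruteforce>, empty at start
BAD = {"202.131.227.252", "220.231.54.232", "200.118.119.48"}  # table <bad>

@dataclass
class Rule:
    name: str
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out" or None for both
    iface: Optional[str] = None      # None means "on any"
    proto: Optional[str] = None      # None means any protocol
    src: Optional[set] = None        # None means "from any"
    dst: Optional[set] = None        # None means "to any"
    dport: Optional[int] = None
    quick: bool = False

RULES = [  # same order as the inbound rules in the posted pf.conf
    Rule("block in log on $br all", "block", "in", "ix0"),
    Rule("pass in quick on $int_if all", "pass", "in", "ix1", quick=True),
    Rule("pass in on any proto tcp to any port 22", "pass", "in", None, "tcp", dport=22),
    Rule("pass in on $man_if tcp to <fw> port 22", "pass", "in", "bond0", "tcp", dst=FW, dport=22),
    Rule("block quick log from <bruteforce>", "block", None, None, src=BRUTEFORCE, quick=True),
    Rule("pass log on $man_if tcp port ssh (overload)", "pass", None, "bond0", "tcp", dport=22),
    Rule("block drop in log quick on $br from <bad>", "block", "in", "ix0", src=BAD, quick=True),
]

def matches(r: Rule, pkt: dict) -> bool:
    return ((r.direction is None or r.direction == pkt["dir"])
            and (r.iface is None or r.iface == pkt["iface"])
            and (r.proto is None or r.proto == pkt["proto"])
            and (r.src is None or pkt["src"] in r.src)
            and (r.dst is None or pkt["dst"] in r.dst)
            and (r.dport is None or r.dport == pkt.get("dport")))

def evaluate(pkt: dict) -> tuple:
    """Return (action, deciding rule name). With no match at all pf passes."""
    decision = ("pass", "default (no rule matched)")
    for r in RULES:
        if matches(r, pkt):
            decision = (r.action, r.name)
            if r.quick:          # quick: stop here, this rule is final
                break
    return decision

def ssh_in(iface: str, src: str, dst: str) -> dict:
    """Constructed inbound SSH SYN as pf would see it on one interface."""
    return {"dir": "in", "iface": iface, "proto": "tcp", "src": src, "dst": dst, "dport": 22}
```

Run this way, the static rules pass SSH arriving on bond0 for an address in <fw>, so the runtime tables are the next thing to inspect, for example whether the client address has been overloaded into <bruteforce> (`pfctl -t bruteforce -T show`), since that block is `quick` and sits before the final SSH pass rule.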