Abraham Al-Saleh wrote:
>On 1/10/06, Jonas Lindskog <[EMAIL PROTECTED]> wrote:
>
>>Hello,
>>
>>We are using OpenBSD 3.8 as a firewall/router. We have two internal
>>nets; one with workstations (NAT) and one DMZ with a single server. And
>>thus we have three network interfaces installed in the router: one for
>>the NAT, one for the DMZ and one for the external net.
>>
>>Our ISP has given us a range of IP addresses (the ones below are
>>obfuscated ;)), which we can't change:
>>
>>Segment: 38.87.5.112 /28
>>net address: 38.87.5.112
>>gateway address: 38.87.5.113
>>firewall: 38.87.5.114
>>free static IPs: 38.87.5.115-126
>>broadcast address: 38.87.5.127
>>netmask: 255.255.255.240
>>
>>I have set up the DMZ with
>>net address 38.87.5.120
>>Gateway: 38.87.5.121
>>Server: 38.87.5.122
>>
>>netmask: 255.255.255.252
>>
>>To ensure that routing worked properly I just entered pass (and nat of
>>course) in the /etc/pf.conf file.
>>
>>I have no trouble connecting to the server at 38.87.5.122 from the
>>internal net where NAT addresses are used, but for some reason I can't
>>connect to the server from the outside. I thought it was a routing
>>problem, but when I entered a port redirect from the gateway
>>(38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached
>>the server. I haven't got a clue what's wrong. Can anybody help to
>>explain this or have an idea of a workaround (I don't want the port
>>redirect)? Thanks in advance.
>>
>>/Jonas
>>
>
>It would help if you attached your pf.conf and relevant configuration
>files (hostname.if, for example).
>
OK, finally :) this is how my pf.conf and interfaces look.
# 1. macros
if_ext="fxp0"
if_int="bce0"
if_dmz="re0"
if_lo="lo0"
icmp_types = "echoreq"
dmz_servers = "{ 38.87.5.122 }"
services = "{ 22, 8080, 8081 }"
internal_services = "{ 2401 }"
# Networks that should never appear as a source on the external interface
reserved = "{ 0.0.0.0/8, 10.0.0.0/8, 20.0.0.0/24, 127.0.0.0/8, \
             169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
             224.0.0.0/3, 255.255.255.255 }"
# 2. Tables
# No tables are defined
# 3. Options
# What should we do with blocked traffic? drop or return.
set block-policy return
# we can only gather statistics on one interface at a time
set loginterface $if_ext
# 4. Packet normalization
scrub in all
# 5. Queueing is not done
# 6. Address translation
# The internal network uses NAT addresses
nat on $if_ext from $if_int:network to any -> ($if_ext)
# Redirecting ports
# Port redirect to make ftp possible. See manual for OpenBSD
rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# temporary redirects
rdr on $if_ext proto tcp from any to any port 8080 -> 38.87.5.122 port 8080
rdr on $if_ext proto tcp from any to any port 8081 -> 38.87.5.122 port 8081
#rdr on $if_ext proto tcp from any to any port 22 -> 38.87.5.122 port 22
# 7. Filtering
# Block everything
block all
# allow loopback
pass quick on $if_lo all
# Antispoof
antispoof for { $if_lo, $if_ext, $if_int }
# Allow traffic in on our ssh daemon
pass in log quick on $if_ext proto tcp from any to any port 22 flags S/SA keep state
# Allow traffic to and from the internal interface
# are the lines below the same as
# pass quick on $if_int all
pass in on $if_int from $if_int:network to any keep state
pass out on $if_int from any to $if_int:network keep state
# block all traffic from reserved nets to external interface
block in quick on $if_ext from $reserved to any
#allow pinging
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
# Open ports 8080 and ssh to trusted machines on the dmz
pass in on $if_ext proto tcp from any to any port 8081 keep state
pass in on $if_ext proto tcp from any to any port 8080 keep state
#Allow active ftp
pass in on $if_ext inet proto tcp from port 20 to ($if_ext) \
user proxy flags S/SA keep state
# Users on the internal network are allowed to initiate external contact
pass out on $if_ext proto tcp all modulate state flags S/SA
pass out on $if_ext proto {udp, icmp} all keep state
# DMZ rules. As default we stop all traffic in to the dmz.
# To open up a service we use port forwarding in the external if
# to the specific server in the dmz
block in on $if_dmz all
pass out on $if_dmz proto tcp from any to any port $services flags S/SA keep state
pass out on $if_dmz proto tcp from any to any port $internal_services flags S/SA keep state
pass in quick on $if_dmz proto tcp from $if_int to $dmz_servers port $internal_services keep state
#pf.conf ends here
### interfaces ####
# hostname.fxp0 - external interface
inet 38.87.5.114 255.255.255.240 NONE
# hostname.bce0 - internal interface
inet 192.168.97.254 255.255.255.0 NONE
# hostname.re0 - dmz
inet 38.87.5.121 255.255.255.252 NONE
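An added check, not part of the thread, that uses Python's ipaddress module on the addresses posted above to test whether the DMZ /30 on re0 is a sub-block of the ISP's /28 on fxp0, and what that implies for a router that holds the /28 only as a connected route. It assumes the ISP gateway has no more specific route for the /30; the remedies named in the comments are general practice, not something the poster reported.

```python
import ipaddress

# Constructed from the addresses posted above (already obfuscated by the poster).
EXTERNAL_NET = "38.87.5.112/28"   # ISP segment on fxp0
ISP_GATEWAY = "38.87.5.113"
FIREWALL_EXT = "38.87.5.114"      # hostname.fxp0
DMZ_NET = "38.87.5.120/30"        # network that hostname.re0 puts on the DMZ wire
DMZ_SERVER = "38.87.5.122"


def dmz_carved_from_external(dmz=DMZ_NET, external=EXTERNAL_NET):
    """True when the DMZ block is a sub-block of the ISP-facing segment."""
    return ipaddress.ip_network(dmz).subnet_of(ipaddress.ip_network(external))


def onlink_from_isp_view(dmz=DMZ_NET, external=EXTERNAL_NET):
    """DMZ addresses that a router holding `external` as a connected route treats
    as directly attached to the external wire, so it resolves them with ARP there
    instead of forwarding them to the firewall (assumes no more specific route)."""
    ext = ipaddress.ip_network(external)
    return [str(a) for a in ipaddress.ip_network(dmz) if a in ext]


def reachability(server=DMZ_SERVER, dmz=DMZ_NET, external=EXTERNAL_NET):
    """Summarise the asymmetry described in the thread: the firewall owns the /30
    on re0, so hosts it routes for (the NAT net) reach the server; a client on the
    outside depends on how the ISP gateway reaches the same address."""
    srv = ipaddress.ip_address(server)
    dmz_net = ipaddress.ip_network(dmz)
    ext_net = ipaddress.ip_network(external)
    via_firewall = srv in dmz_net                      # connected route on re0
    isp_sees_onlink = srv in ext_net and dmz_net.subnet_of(ext_net)
    return {
        "server": str(srv),
        "isp_gateway": ISP_GATEWAY,
        "firewall_has_route": via_firewall,
        "isp_gateway_arps_for_server": isp_sees_onlink,
        # General remedies for a carved-out block (not from the thread): the ISP
        # routes the /30 to FIREWALL_EXT, or the firewall answers ARP for the DMZ
        # addresses on fxp0 (proxy ARP). Either makes the rdr workaround unnecessary.
        "route_target_if_isp_routes_the_block": FIREWALL_EXT,
    }


if __name__ == "__main__":
    print("DMZ carved from external /28:", dmz_carved_from_external())
    print("Addresses the ISP gateway treats as on-link:", onlink_from_isp_view())
    print(reachability())
```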