Abraham Al-Saleh wrote:

>On 1/10/06, Jonas Lindskog <[EMAIL PROTECTED]> wrote:
>
>>Hello,
>>
>>We are using OpenBSD 3.8 as a firewall/router. We have two internal
>>nets; one with workstations (NAT) and one DMZ with a single server.
>>And thus we have three network interfaces installed in the router: one
>>for the NAT, one for the DMZ and one for the external net.
>>
>>Our ISP has given us a range of IP addresses (the ones below are
>>obfuscated ;)), which we can't change:
>>
>>Segment:              38.87.5.112/28
>>net address:          38.87.5.112
>>gateway address:      38.87.5.113
>>firewall:             38.87.5.114
>>free static IPs:      38.87.5.115-126
>>broadcast address:    38.87.5.127
>>netmask:              255.255.255.240
>>
>>I have set up the DMZ with
>>net address 38.87.5.120
>>Gateway: 38.87.5.121
>>Server: 38.87.5.122
>>
>>netmask:              255.255.255.252
>>
>>To ensure that routing worked properly I just entered pass (and nat of
>>course) in the /etc/pf.conf file.
>>
>>I have no trouble connecting to the server at 38.87.5.122 from the
>>internal net where NAT addresses are used, but for some reason
>>I can't connect to the server from the outside. I thought it was a
>>routing problem, but when I entered a port redirect from the gateway
>>(38.87.5.113) to the server at 38.87.5.122 for the ssh port I reached
>>the server. I haven't got a clue what's wrong. Can anybody help to
>>explain this or have an idea of a workaround (I don't want the port
>>redirect)? Thanks in advance.
>>
>>/Jonas
>>
>
>It would help if you attached your pf.conf, and relevant configuration
>files (hostname.if, for example)
>
OK, finally :) this is how my pf.conf and interfaces look.

# 1. macros
if_ext="fxp0"
if_int="bce0"
if_dmz="re0"
if_lo="lo0"

icmp_types = "echoreq"
dmz_servers = "{38.87.5.122}"
services = "{22, 8080, 8081}"
internal_services ="{2401}"
reserved= "{ 0.0.0.0/8, 10.0.0.0/8, 20.0.0.0/24, 127.0.0.0/8, \
             169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
             224.0.0.0/3, 255.255.255.255}"

# 2. Tables
# No tables are defined

# 3. Options
# What should we do with blocked traffic? drop or return.
set block-policy return
# we can only gather statistics on one interface at a time
set loginterface $if_ext

# 4. Packet normalization
scrub in all

# 5. Queueing is not done

# 6. Address translation
# The internal network has NAT addresses
nat on $if_ext from $if_int:network to any -> ($if_ext)

# Redirecting ports
# Port redirect to make ftp possible. See manual for OpenBSD
rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# temporary redirects
rdr on $if_ext proto tcp from any to any port 8080 -> 38.87.5.122 port 8080
rdr on $if_ext proto tcp from any to any port 8081 -> 38.87.5.122 port 8081
#rdr on $if_ext proto tcp from any to any port 22 -> 38.87.5.122 port 22

# 7. Filtering
# Block everything
block all

# allow loopback (macro reference needs the $)
pass quick on $if_lo all

# Antispoof
antispoof for { $if_lo, $if_ext, $if_int }

# Allow traffic in to our ssh daemon
pass in log quick on $if_ext proto tcp from any to any port 22 flags S/SA keep state

# Allow traffic to and from the internal interface
# are the lines below the same as
# pass quick on $if_int all
pass in  on $if_int from $if_int:network to any keep state
pass out on $if_int from any to $if_int:network keep state

# block all traffic from reserved nets to external interface
block in quick on $if_ext from $reserved to any

#allow pinging
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state

# Open ports 8080 and ssh to trusted machines on the dmz
pass in on $if_ext proto tcp from any to any port 8081 keep state
pass in on $if_ext proto tcp from any to any port 8080 keep state

#Allow active ftp
pass in on $if_ext inet proto tcp from port 20 to ($if_ext) \
     user proxy flags S/SA keep state

# Users on the internal network are allowed to initiate external contact
pass out on $if_ext proto tcp all modulate state flags S/SA
pass out on $if_ext proto {udp, icmp} all keep state

# DMZ rules. As default we stop all traffic in to the dmz.
# To open up a service we use port forwarding in the external if
# to the specific server in the dmz
block in on $if_dmz all
pass out on $if_dmz proto tcp from any to any port $services flags S/SA keep state
pass out on $if_dmz proto tcp from any to any port $internal_services flags S/SA keep state
# source is the internal network, not the address of the internal interface
pass in quick on $if_dmz proto tcp from $if_int:network to $dmz_servers port $internal_services keep state

#pf.conf ends here

### interfaces ####
# more hostname.fxp0
#external interface
inet 38.87.5.114 255.255.255.240 NONE


# more hostname.bce0
#internal interface
inet 192.168.97.254 255.255.255.0 NONE

# more hostname.re0
# dmz
inet 38.87.5.121 255.255.255.252 NONE
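Added example, not part of the thread: the DMZ 38.87.5.120/30 is carved out of the 38.87.5.112/28 that the ISP gateway (38.87.5.113) treats as directly connected, so the gateway ARPs for 38.87.5.122 on the external segment instead of forwarding to the firewall's 38.87.5.114, while the firewall itself does route .122 correctly via re0. This Python script (standard-library ipaddress only) models both hops with the addresses posted above and lists the DMZ addresses the firewall would have to answer ARP for on fxp0 (or have the ISP route to 38.87.5.114); the MAC address argument is a placeholder.

```python
import ipaddress

# Addresses copied from the message above (the author says they are obfuscated).
ISP_BLOCK = ipaddress.ip_network("38.87.5.112/28")      # on-link for the ISP gateway .113
EXT_IF = ipaddress.ip_interface("38.87.5.114/28")       # fxp0, external
INT_IF = ipaddress.ip_interface("192.168.97.254/24")    # bce0, internal (NAT)
DMZ_IF = ipaddress.ip_interface("38.87.5.121/30")       # re0, DMZ
DMZ_SERVER = "38.87.5.122"

FIREWALL_IFACES = {"fxp0": EXT_IF, "bce0": INT_IF, "re0": DMZ_IF}


def egress_interface(dst, ifaces=FIREWALL_IFACES):
    """Longest-prefix match over the firewall's connected networks.
    Returns the interface name, or None when only the default route applies."""
    dst = ipaddress.ip_address(dst)
    best = None
    for name, iface in ifaces.items():
        if dst in iface.network and (best is None or iface.network.prefixlen > best[1]):
            best = (name, iface.network.prefixlen)
    return best[0] if best else None


def upstream_arps_directly(dst, upstream_onlink=ISP_BLOCK):
    """True when the ISP gateway considers dst on-link and will ARP for it on
    the external segment instead of forwarding the packet to the firewall."""
    return ipaddress.ip_address(dst) in upstream_onlink


def dmz_addresses_needing_proxy_arp(dmz_if=DMZ_IF, upstream_onlink=ISP_BLOCK):
    """DMZ host addresses inside the upstream on-link prefix, excluding the
    firewall's own DMZ address. Nothing answers ARP for these on the external
    segment, so from outside they are unreachable unless the firewall answers
    for them (proxy ARP) or the ISP routes the DMZ prefix to the firewall."""
    return [str(h) for h in dmz_if.network.hosts()
            if h in upstream_onlink and h != dmz_if.ip]


def proxy_arp_commands(addrs, ext_mac):
    """OpenBSD arp(8) published entries, one per address; ext_mac is the MAC
    of fxp0 (placeholder here, read it from 'ifconfig fxp0' on the box)."""
    return [f"arp -s {a} {ext_mac} pub" for a in addrs]


if __name__ == "__main__":
    print("firewall itself sends to .122 via:", egress_interface(DMZ_SERVER))   # re0
    print("ISP gateway ARPs for .122 directly:", upstream_arps_directly(DMZ_SERVER))
    for cmd in proxy_arp_commands(dmz_addresses_needing_proxy_arp(), "<mac-of-fxp0>"):
        print(cmd)
```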
