My NATting firewall/router is working fine: the problem is I don't
understand why.  Specifically, I can't see how packets are getting out
the rl0 interface when there's no explicit rule to pass them out.

Notes:
1) This is on an old OpenBSD 3.9 system. Sorry, that's what I have to
work with for now. I know it would be easier to answer on a newer OS
version, but I'd appreciate help with this for the moment.
2) Only the relevant pf.conf rules are below - there are lots more
"pass in" and "block in" rules in the working pf.conf that shouldn't
matter to my question, I think.
3) The basic setup is an external interface (xl0 = $ext_if), a trusted
good internal/wired network (xl1 = $good_if) and an untrusted wireless
network (rl0 = $wls_if). Only specific static IPs can connect on the
wireless interface.
4) Note the lines which do allow "pass out on $wls_if" below, but
they're restricted to packets from the good/trusted network, nowhere
else.

So my question is, again, how regular packets from the Net pass out to
the wireless network over rl0. Is this somehow a function of the NAT
rules that I don't understand? Or something to do with established TCP
connections being already green-lit? I would think without an explicit
rule they'd be blocked (default block at the very end).

So obviously, again, I don't understand something here... and I'm a
little worried my non-understanding covers up a huge security hole in
my ruleset.

Thanks for any help and advice.
BP

# /etc/pf.conf
ext_if = "xl0"
good_if = "xl1"
wls_if = "rl0"

good_net = "192.168.0.128/26"
wls_net = "192.168.1.128/26"
ext_ip = "123.45.67.89"

good_gw = "192.168.0.4"
wls_gw = "192.168.1.4"

table <firewall_ips> const { $good_gw, $wls_gw, $ext_ip }
table <unroutable_ips> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !$good_net, !$wls_net, 169.254.0.0/16, 127.0.0.0/8, 0.0.0.0/32, 255.255.255.255/32 }

# policies / runtime options
set loginterface $ext_if
set state-policy if-bound

# NAT outgoing connections
nat pass on $ext_if proto {tcp udp icmp} from $good_net to ! <unroutable_ips> -> ($ext_if)
nat pass on $ext_if proto {tcp udp icmp} from $wls_net to ! <unroutable_ips> -> ($ext_if)

# get in trusted / loopback packets
pass quick on $good_if all
pass quick on lo0 all

# get in "untrusted" wireless packets
pass in quick on $wls_if inet from 192.168.1.140 to any flags S/SA keep state
pass in quick on $wls_if inet from 192.168.1.136 to any flags S/SA keep state

# Provide for outgoing traffic from the firewall itself to the Net at large
pass out quick on $ext_if proto tcp all keep state flags S/SA
pass out quick on $ext_if proto { udp icmp } all keep state

# Provide for outgoing traffic from the trusted network to the wireless network
pass out quick on $wls_if proto tcp from $good_net to $wls_net keep state flags S/SA
pass out quick on $wls_if proto { udp icmp } from $good_net to $wls_net keep state

# Block out everything else!
block out log quick inet all label "block out (default)"
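The following is an added illustration, not part of the original post and not pf's own code: a small Python model of the pf evaluation order that the ruleset above relies on (state table first, then rules; "keep state" and "nat pass" record a state that matches the connection in both directions; with "set state-policy if-bound" a state matches only on the interface it was created on). It replays the post's TCP rules and addresses for one connection from the whitelisted wireless host 192.168.1.140 to a constructed web server address (203.0.113.10). Only TCP is modelled, "flags S/SA" is reduced to "is a SYN", the "to ! <unroutable_ips>" qualifier on the nat rules is dropped, and packets matching no rule are assumed blocked, since the post omits the rest of pf.conf.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Toy model of pf stateful filtering (added illustration, not pf's own code).
# Modelled: the state table is checked before the rule list; a winning pass
# rule with "keep state" (or "nat pass") records a state that matches that
# connection's packets in BOTH directions; "if-bound" states match only on
# the interface they were created on; "quick" ends evaluation, otherwise the
# last match wins; anything unmatched is blocked (assumption: rest of pf.conf
# is not in the post). TCP only; "flags S/SA" reduced to "is a SYN".

Addr = Tuple[str, int]  # (ip, port)
ANY: Callable[[str], bool] = lambda ip: True

def net(cidr: str) -> Callable[[str], bool]:
    n = ipaddress.ip_network(cidr)
    return lambda ip: ipaddress.ip_address(ip) in n

@dataclass(frozen=True)
class Packet:
    src: Addr
    dst: Addr
    syn: bool = False  # first packet of a connection

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", None for both
    iface: Optional[str] = None       # None matches any interface
    src: Callable[[str], bool] = ANY
    dst: Callable[[str], bool] = ANY
    quick: bool = False
    keep_state: bool = False
    syn_only: bool = False            # "flags S/SA"
    label: str = ""

    def matches(self, p: Packet, iface: str, direction: str) -> bool:
        return (self.direction in (None, direction) and self.iface in (None, iface)
                and self.src(p.src[0]) and self.dst(p.dst[0])
                and (p.syn or not self.syn_only))

class Firewall:
    def __init__(self, nat: List[Tuple[str, Callable[[str], bool], str]],
                 rules: List[Rule]) -> None:
        self.nat, self.rules = nat, rules
        self.states: Set[Tuple[str, Addr, Addr]] = set()       # (bound iface, src, dst)
        self.nat_map: Dict[Tuple[str, Addr, Addr], Addr] = {}  # reverse translation

    def process(self, p: Packet, iface: str, direction: str) -> Tuple[str, str, Packet]:
        """Return (verdict, reason, packet as it leaves this step)."""
        # Translation runs before filtering; "nat pass" skips the rules and
        # keeps state on the NAT interface (xl0 here).
        if direction == "out":
            for nat_if, src_ok, ext_ip in self.nat:
                if iface == nat_if and src_ok(p.src[0]):
                    t = Packet((ext_ip, p.src[1]), p.dst, p.syn)
                    self.states.add((iface, t.src, t.dst))
                    self.nat_map[(iface, t.dst, t.src)] = p.src
                    return "pass", "nat pass", t
        # State table first, in either direction, on this interface only.
        if (iface, p.src, p.dst) in self.states or (iface, p.dst, p.src) in self.states:
            verdict, reason, winner = "pass", "state", None
        else:
            verdict, reason, winner = "block", "block (default)", None
            for r in self.rules:
                if r.matches(p, iface, direction):
                    verdict, reason, winner = r.action, r.label, r
                    if r.quick:
                        break
        if winner is not None and winner.action == "pass" and winner.keep_state:
            self.states.add((iface, p.src, p.dst))
        if direction == "in" and verdict == "pass":  # untranslate NATed replies
            orig = self.nat_map.get((iface, p.src, p.dst))
            if orig is not None:
                p = Packet(p.src, orig, p.syn)
        return verdict, reason, p

def build_firewall() -> Firewall:
    """The post's TCP rules, in order, with its addresses."""
    good_net, wls_net = net("192.168.0.128/26"), net("192.168.1.128/26")
    ext_ip = "123.45.67.89"
    return Firewall(
        nat=[("xl0", good_net, ext_ip), ("xl0", wls_net, ext_ip)],
        rules=[
            Rule("pass", None, "xl1", quick=True, label="pass quick on $good_if all"),
            Rule("pass", "in", "rl0", src=net("192.168.1.140/32"), quick=True,
                 keep_state=True, syn_only=True, label="pass in quick on $wls_if from .140"),
            Rule("pass", "in", "rl0", src=net("192.168.1.136/32"), quick=True,
                 keep_state=True, syn_only=True, label="pass in quick on $wls_if from .136"),
            Rule("pass", "out", "xl0", quick=True, keep_state=True, syn_only=True,
                 label="pass out quick on $ext_if proto tcp"),
            Rule("pass", "out", "rl0", src=good_net, dst=wls_net, quick=True, keep_state=True,
                 syn_only=True, label="pass out quick on $wls_if from $good_net"),
            Rule("block", "out", quick=True, label="block out (default)"),
        ])

def trace_wireless_client() -> List[Tuple[str, str, str]]:
    """One connection from the whitelisted wireless host to a constructed web server."""
    fw = build_firewall()
    client, server = ("192.168.1.140", 40000), ("203.0.113.10", 80)
    steps = []
    v, why, p = fw.process(Packet(client, server, syn=True), "rl0", "in")
    steps.append(("SYN in on rl0", v, why))
    v, why, p = fw.process(p, "xl0", "out")
    steps.append(("SYN out on xl0", v, why))
    v, why, p = fw.process(Packet(server, p.src), "xl0", "in")  # reply to the NAT address
    steps.append(("SYN/ACK in on xl0", v, why))
    v, why, p = fw.process(p, "rl0", "out")
    steps.append(("SYN/ACK out on rl0", v, why))
    return steps

def trace_unsolicited_out() -> Tuple[str, str]:
    """A packet the firewall itself sends to the wireless host with no prior state."""
    fw = build_firewall()
    v, why, _ = fw.process(Packet(("192.168.1.4", 5000), ("192.168.1.140", 22), syn=True),
                           "rl0", "out")
    return v, why

if __name__ == "__main__":
    for step in trace_wireless_client():
        print("%-20s %-5s via %s" % step)
    print("unsolicited out on rl0:", trace_unsolicited_out())
```

The trace shows the SYN/ACK leaving rl0 with reason "state" rather than any "pass out" rule: the state recorded by "pass in quick on $wls_if ... keep state" is bound to rl0 and matches the reply in the opposite direction, while the "nat pass" state bound to xl0 carries the same connection across the external interface. The contrasting packet with no prior state is stopped by the final "block out" rule, which is what the state table does not cover.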
