Hi list,

I have an issue with an OpenBSD machine running 3.1-stable.  I have
this unit running NAT for our help-desk center.

                          ----------
2600 - pix -----> $if_ext | My Box | $if_int1 <----- help desk network
                          ----------

I have a machine that is inside the $if_int network that I want to have
access to the OpenBSD box for testing when I am working on stuff inside
their network.  I want no other machine to have access to the OpenBSD box
from the tech network.

I have this rule to allow the workstation [192.168.1.42] (rl1 = $if_int):

@24 pass in log quick on rl1 inet proto tcp from 192.168.1.42/32 to 
192.168.1.182/32 port = ssh flags S/FSRA 

In order to stop the rest of the tech network from accessing 22, I have:

@9 block in log on rl1 inet proto tcp from 192.168.1.0/24 to 
192.168.1.182/32 port = ssh 

----------------------------------------------------------------------------
*My understanding*

For each packet processed by the packet filter, the filter rules are
evaluated in sequential order, from first to last.  Each rule either
matches the packet or doesn't.  The last matching rule decides what action
is taken, unless *quick* is used: if a packet matches a rule which has
the `quick' option set, this rule is considered the last matching rule,
and evaluation of subsequent rules is skipped.


I have applied a *quick* statement to the rule to pass in session on
protocol 22 to allow ssh from 192.168.1.42/32, and just a block with no
quick on the other statement denying the 192.168.1.0/24 network.  With
this understanding, all packets coming from 192.168.1.42/32 should be
allowed to the int_if of 192.168.1.182 (OpenBSD IP address on the help-desk
network) and all other machines should be blocked.

It's not working like that, and from the logs I don't know why.  Looking at
my logs I show that the rule without the quick is being read first and it
is not reading the *quick* rule.

Aug 27 10:22:51.793061 rule 9/0(match): block in on rl1: 
192.168.1.42.58327 > 192.168.1.182.22: . ack 2336820352 win 33304 
<nop,nop,timestamp 23931 1154134843> (DF)
Aug 27 10:22:53.291169 rule 9/0(match): block in on rl1: 
192.168.1.42.58327 > 192.168.1.182.22: . ack 1 win 33304 
<nop,nop,timestamp 23934 1154134846> (DF)
Aug 27 10:22:55.291100 rule 9/0(match): block in on rl1: 
192.168.1.42.58327 > 192.168.1.182.22: . ack 1 win 33304 
<nop,nop,timestamp 23938 1154134850> (DF)
Aug 27 10:22:56.553263 rule 9/0(match): block in on rl1: 
192.168.1.42.58327 > 192.168.1.182.22: F 0:0(0) ack 1 win 33304 
<nop,nop,timestamp 23940 1154134850> (DF)
Aug 27 10:22:57.683212 rule 9/0(match): block in on rl1: 
192.168.1.42.58327 > 192.168.1.182.22: F 0:0(0) ack 1 win 33304 
<nop,nop,timestamp 23942 1154134850> (DF)


I have pasted my whole pf.conf below; any help with what I am missing
would be appreciated.

Thanks in advance!!

tech# pfctl -s rules
@0 scrub in on rl0 all 
@1 block out on rl0 all 
@2 block in on rl0 all 
@3 block return-rst out on rl0 proto tcp all 
@4 block return-rst in on rl0 proto tcp all 
@5 block return-icmp out on rl0 proto udp all 
@6 block return-icmp in on rl0 proto udp all 
@7 block in from no-route to any 
@8 block in log on rl1 inet proto tcp from 192.168.1.0/24 to 
216.255.50.30/32 port = ssh 
@9 block in log on rl1 inet proto tcp from 192.168.1.0/24 to 
192.168.1.182/32 port = ssh 
@10 block in quick on rl1 inet proto udp from 192.168.1.0/24 to 
192.168.1.182/32 port = daytime 
@11 block in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
192.168.1.182/32 port = daytime 
@12 block in quick on rl1 inet proto udp from 192.168.1.0/24 to 
192.168.1.182/32 port = time 
@13 block in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
192.168.1.182/32 port = time 
@14 block in quick on rl1 inet proto udp from 192.168.1.0/24 to 
192.168.1.182/32 port = sunrpc 
@15 block in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
192.168.1.182/32 port = sunrpc 
@16 block in quick on rl1 inet proto udp from 192.168.1.0/24 to 
192.168.1.182/32 port = 113 
@17 block in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
192.168.1.182/32 port = auth 
@18 block in log quick on rl1 inet proto udp from 192.168.1.0/24 to 
209.143.0.24/32 port = 21 
@19 block in log quick on rl1 inet proto tcp from 192.168.1.0/24 to 
209.143.0.24/32 port = ftp 
@20 block in log-all quick on rl1 inet proto udp from any to any port = 
kazza 
@21 block in log-all quick on rl1 inet proto tcp from any to any port = 
kazza 
@22 block in quick on rl1 inet proto udp from 192.168.1.41/32 to 
10.0.1.1/32 
@23 block in quick on rl1 inet proto tcp from 192.168.1.41/32 to 
10.0.1.1/32 
@24 pass in log quick on rl1 inet proto tcp from 192.168.1.42/32 to 
192.168.1.182/32 port = ssh flags S/FSRA 
@25 pass in log quick on rl1 inet proto tcp from 192.168.1.42/32 to 
216.255.50.30/32 port = ssh flags S/FSRA 
@26 pass in log quick on rl0 inet proto udp from any to any port = www 
flags S/SA 
@27 pass in log quick on rl0 inet proto tcp from any to any port = www 
flags S/SA 
@28 pass in log quick on rl0 inet proto udp from any to any port = 3306 
flags S/SA 
@29 pass in log quick on rl0 inet proto tcp from any to any port = mysql 
flags S/SA 
@30 pass in log quick on rl0 inet proto udp from any to any port = 2022 
flags S/SA 
@31 pass in log quick on rl0 inet proto tcp from any to any port = 2022 
flags S/SA 
@32 pass in log quick on rl0 inet proto udp from any to any port = 21 
flags S/SA 
@33 pass in log quick on rl0 inet proto tcp from any to any port = ftp 
flags S/SA 
@34 pass in log quick on rl0 inet proto udp from 216.255.50.16/32 to any 
port = www flags S/SA 
@35 pass in log quick on rl0 inet proto tcp from 216.255.50.16/32 to any 
port = www flags S/SA 
@36 pass in log quick on rl0 inet proto udp from 216.255.50.16/32 to any 
port = ssh flags S/SA 
@37 pass in log quick on rl0 inet proto tcp from 216.255.50.16/32 to any 
port = ssh flags S/SA 
@38 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
216.255.50.23/32 port = www 
@39 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
216.255.50.23/32 port = www 
@40 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
216.255.50.23/32 port = pop3 
@41 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
216.255.50.23/32 port = pop3 
@42 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
209.143.0.15/32 port = www 
@43 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
209.143.0.15/32 port = www 
@44 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
209.143.0.18/32 port = www 
@45 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
209.143.0.18/32 port = www 
@46 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
209.143.0.5/32 port = pop3 
@47 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
209.143.0.5/32 port = pop3 
@48 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
216.201.8.130/32 port = pop3 
@49 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
216.201.8.130/32 port = pop3 
@50 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
216.255.50.6/32 port = www 
@51 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
216.255.50.6/32 port = www 
@52 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
209.143.0.10/32 port = domain 
@53 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
209.143.0.10/32 port = domain 
@54 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
216.255.50.23/32 port = domain 
@55 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
216.255.50.23/32 port = domain 
@56 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
216.255.50.6/32 port = www 
@57 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
216.255.50.6/32 port = www 
@58 pass in quick on rl1 inet proto udp from 192.168.1.0/24 to 
209.143.0.20/32 port = 443 
@59 pass in quick on rl1 inet proto tcp from 192.168.1.0/24 to 
209.143.0.20/32 port = https 
@60 pass in log on rl0 inet proto tcp from 216.255.50.23/32 to 
216.255.50.30/32 port = ssh 
@61 pass in log on rl0 inet proto tcp from 216.255.50.20/32 to 
216.255.50.30/32 port = ssh 
@62 pass in log on rl0 inet proto tcp from 216.255.50.35/32 to 
216.255.50.30/32 port = ssh 
@63 pass in log on rl0 inet proto tcp from 24.210.153.224/32 to 
216.255.50.30/32 port = ssh 
@64 block out quick on rl0 inet from ! 216.255.50.30/32 to any 
@65 block in quick on rl0 inet from any to 255.255.255.255/32 
@66 pass in log-all quick on rl1 inet proto udp from any port = bootpc to 
255.255.255.255/32 port = bootps 
@67 pass in log-all quick on rl1 inet proto tcp from any port = bootpc to 
255.255.255.255/32 port = bootps 
@68 block in quick on rl1 inet proto udp from any port 1 >< 66 to 
255.255.255.255/32 port 1 >< 66 
@69 block in quick on rl1 inet proto tcp from any port 1 >< 66 to 
255.255.255.255/32 port 1 >< 66 
@70 block in quick on rl1 inet proto udp from any port 69 >< 65000 to 
255.255.255.255/32 port 69 >< 65000 
@71 block in quick on rl1 inet proto tcp from any port 69 >< 65000 to 
255.255.255.255/32 port 69 >< 65000 
@72 block in quick on rl0 inet from 255.255.255.255/32 to any 
@73 block in quick on rl0 inet from 192.168.0.0/16 to any 
@74 block in quick on rl0 inet from 172.16.0.0/12 to any 
@75 block in quick on rl0 inet from 10.0.0.0/8 to any 
@76 pass out on rl0 inet proto icmp all icmp-type echoreq code 0 keep 
state 
@77 block in log on rl0 inet proto icmp all icmp-type echoreq code 0 keep 
state 
@78 pass out on rl0 proto udp all flags S/A keep state 
@79 pass out on rl0 proto tcp all modulate state 
@80 block in quick on rl1 inet proto udp from any port = netbios-dgm to 
any port = netbios-dgm 
@81 block in quick on rl1 inet proto tcp from any port = netbios-dgm to 
any port = netbios-dgm 
@82 block in quick on rl1 inet proto udp from any port = netbios-ns to any 
port = netbios-ns 
@83 block in quick on rl1 inet proto tcp from any port = netbios-ns to any 
port = netbios-ns 
@84 pass in log on rl1 inet proto tcp from 192.168.1.0/24 to any flags 
S/SA keep state 
@85 pass in log on rl1 inet proto udp from 192.168.1.0/24 to any 
tech# 
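The `quick` and last-match semantics the post asks about, traced in code. This is an added example, not part of the original mail and not pf's own code: a small Python model of pf's stateless rule evaluation (first to last, last match wins, a `quick` match ends the walk, `flags X/Y` compares only the bits named in Y) run over the rules from the `pfctl -s rules` listing above that can match tcp/22 traffic arriving on rl1 for 192.168.1.182, with constructed packets corresponding to the logged ones. The `Rule`, `Packet`, `evaluate` and `decisions` names are this example's own. Run this way, rule @24 matches only a SYN, because `flags S/FSRA` requires S alone among F, S, R and A, and the rule keeps no state, so the pure ACK and FIN/ACK segments in the log are re-evaluated and fall back to rule @9 as the last match, which is what the log shows. The model also shows that, because @9 is not `quick`, the later `pass in log on rl1 ... flags S/SA keep state` rule @84 becomes the last match for a SYN from any other host on 192.168.1.0/24.

```python
# Added example (not from the original post): a small model of how pf
# evaluates a stateless ruleset, run over the rules quoted in the post.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Rule:
    num: int                      # the @N number shown by `pfctl -s rules`
    action: str                   # "pass" or "block"
    iface: str
    proto: str                    # "tcp", "udp" or "any"
    src: str                      # CIDR; "0.0.0.0/0" stands for "any"
    dst: str
    dport: Optional[int] = None
    flags: Optional[str] = None   # pf "flags X/Y" spec, e.g. "S/FSRA"
    quick: bool = False


@dataclass
class Packet:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int
    tcp_flags: str = ""           # letters among F, S, R, P, A, U that are set


def flags_match(spec: str, pkt_flags: str) -> bool:
    """pf 'flags X/Y': of the flags named in Y, exactly those in X must be set."""
    want, mask = spec.split("/")
    return {f for f in pkt_flags if f in mask} == set(want)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface != pkt.iface or rule.proto not in ("any", pkt.proto):
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.flags is not None and not flags_match(rule.flags, pkt.tcp_flags):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the rules first to last; the last match decides, and a quick match
    ends the walk.  Returns (action, rule number), or ("pass", None) when no
    rule matched, since pf passes by default."""
    last = None
    for r in rules:
        if rule_matches(r, pkt):
            last = r
            if r.quick:
                break
    return (last.action, last.num) if last else ("pass", None)


# The rules from the post that can match tcp/22 traffic arriving on rl1 for
# 192.168.1.182; the other rules in the listing never match such a packet.
POST_RULES = [
    Rule(9, "block", "rl1", "tcp", "192.168.1.0/24", "192.168.1.182/32", 22),
    Rule(24, "pass", "rl1", "tcp", "192.168.1.42/32", "192.168.1.182/32", 22,
         flags="S/FSRA", quick=True),
    Rule(84, "pass", "rl1", "tcp", "192.168.1.0/24", "0.0.0.0/0", flags="S/SA"),
    Rule(85, "pass", "rl1", "udp", "192.168.1.0/24", "0.0.0.0/0"),
]


def packet(src: str, tcp_flags: str) -> Packet:
    # Constructed packets to 192.168.1.182:22 on rl1, shaped like the log lines.
    return Packet("rl1", "tcp", src, "192.168.1.182", 22, tcp_flags)


def decisions() -> dict:
    """Decision for each constructed packet, keyed by a short label."""
    return {
        # the SYN from the allowed workstation: rule 24 matches and is quick
        "42_syn": evaluate(POST_RULES, packet("192.168.1.42", "S")),
        # the pure ACK from the same host, as in the log: flags S/FSRA no
        # longer matches, so rule 9 remains the last match
        "42_ack": evaluate(POST_RULES, packet("192.168.1.42", "A")),
        # the FIN/ACK from the log
        "42_fin": evaluate(POST_RULES, packet("192.168.1.42", "FA")),
        # a constructed SYN from another host on the subnet: rule 9 matches
        # but is not quick, and the later rule 84 becomes the last match
        "other_syn": evaluate(POST_RULES, packet("192.168.1.50", "S")),
    }


if __name__ == "__main__":
    for label, (action, num) in decisions().items():
        print(f"{label:10s} -> {action} by rule @{num}")
```

The two standard fixes follow directly from the model: `keep state` on the pass rule, so that the later segments of an accepted session match the state entry instead of being re-evaluated against the ruleset, and `quick` on the block rule (or placing the block after the subnet-wide pass), so that a later pass rule cannot become the last match for hosts the block was meant to stop.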

