Afternoon,
After a couple of months of ruleset tweaking and general procrastination
I've finally got my pf-based firewall up and running with minimal problems
changing from the old system.
However, one rule isn't working and I can't quite see where I've gone wrong.
Background first: the firewall is sitting between my network (with ~600
machines, mostly students) and the rest of the university network. The
router and WAN are on the external interface, everything else on the
internal. It is configured to be a transparent firewall by using a bridge
rather than using NAT or being set as the default gateway for everything on
the inside (they still use the router as the gateway). That all works fine.
What I would like to do is have banned students redirected to a webpage
telling them they've been disconnected. I already do that via a linux box
for our self registration system allowing students to register for an IP
address, so I know it is theoretically possible, I just haven't done it
with pf before...
The relevant bits of my pf.conf are here:
$INTERNAL, $EXTERNAL are the internal and external interfaces.
$web is the webserver, <blocked> is a table of blocked addresses, read from
a file.
--snip
rdr on $INTERNAL proto tcp from <blocked> to any port 80 -> $web port 80
#Default: block incoming traffic, allow outgoing traffic
block in on $EXTERNAL
pass out on $EXTERNAL proto tcp flags S/SA keep state
pass out on $EXTERNAL proto udp keep state
pass in proto icmp keep state
pass out proto icmp keep state
# Allow DNS
pass out quick proto { tcp, udp } to port 53 keep state
# Block (reset) connections to ident port to prevent timeouts
block return in quick on $EXTERNAL proto tcp to port 113
# Block banned machines and ports
pass in quick on $INTERNAL proto tcp from <blocked> to port 80 flags S/SA
keep state
block in quick on $INTERNAL from <blocked>
block in quick on $EXTERNAL to <blocked>
--snip
All works fine until I add an address to the blocked table, at which point
it gets blocked, but no redirection happens. Since I use quick, it
shouldn't fall through to later rules.
So, is there something I've forgotten or missed? Or does rdr not work in a
non-NAT environment?
I was wondering about (and will shortly test) having a 'pass out on
$INTERNAL to port 80' since the connection isn't coming in on the external
interface.
Thanks in advance for any comments..
Steve.
