I have a 3-legged OpenBSD bridge to protect my servers from outside. 2 NICs are bridged, the 3rd has a private IP and is for the admin stuff.
<wan router>----<sis0 bridge ne3>----<switch>----<server1>
                       ep1
                        |
                        |
               <internal network>

What I found is that every dropped or rejected packet from sis0 comes out to ep1, but reverse. My question is: what do I do wrong in this setup?
Here is my pf.conf:
as_uzul = "{ 80 }"
as_shani = "{ 25 }"
# allowed icmp-types
icmp = "{ 0, 3, 8 }"
# bad ports
blocked = "{ 111, 136><140, 161, 162, 513, 514, 631, 2049, 5999><6064 }"
# interfaces
ext_if = "sis0"
int_if = "ne3"
adm_if = "ep1"
# networks
off_nw = "xxx.xxx.xx.96/29"
adm_nw = "192.168.1.0/24"
# hosts
ns = "xxx.xxx.xx.1/32"
seraph = "192.168.1.254/32"
uzul = "xxx.xxx.xx.98/32"
shani = "xxx.xxx.xx.99/32"
stilgar = "xxx.xxx.xx.100/32"
alia = "xxx.xxx.xx.101/32"
thufir = "xxx.xxx.xx.102/32"
# non-routable bogon addresses
table <bogons> persist file "/etc/bogons"
# beloved enemies ;-)
table <blocked_ip> persist file "/etc/blocked_ip"
# dmz addresses
table <dmz> const { $uzul, $shani, $stilgar, $alia, $thufir }
# Options: tune the behavior of pf, default values are given.
set timeout { interval 30, frag 10 }
set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set timeout { icmp.first 20, icmp.error 10 }
set timeout { other.first 60, other.single 30, other.multiple 60 }
set limit { states 10000, frags 5000 }
set loginterface $ext_if
set optimization normal
set block-policy return
###############################################################################
################ Protection ###################################################
###############################################################################
# scrub all
scrub all fragment reassemble random-id
# default block
block log on $ext_if all
block log on $adm_if all
# default pass
pass on $int_if all
###############################################################################
################ Localhost ####################################################
###############################################################################
pass in quick on lo0 all
pass out quick on lo0 all
###############################################################################
################ Admin Interface ##############################################
###############################################################################
pass in quick on $adm_if proto tcp from $adm_nw to $seraph port ssh keep state
pass in quick on $adm_if proto icmp from $adm_nw to $seraph icmp-type $icmp keep state
###############################################################################
################ Incoming connections #########################################
###############################################################################
# UZUL
pass in quick on $ext_if proto { tcp, udp } from any to $uzul port $as_uzul flags S/SA keep state
pass in quick on $ext_if proto icmp from any to $uzul icmp-type $icmp keep state
# SHANI
pass in quick on $ext_if proto { tcp, udp } from any to $shani port $as_shani flags S/SA keep state
pass in quick on $ext_if proto icmp from any to $shani icmp-type $icmp keep state
###############################################################################
################ Outgoing connections #########################################
###############################################################################
# UZUL
pass out quick on $ext_if from $uzul to any keep state
# SHANI
pass out quick on $ext_if from $shani to any keep state
# ALIA
pass out quick on $ext_if from $alia to any keep state
# THUFIR
pass out quick on $ext_if from $thufir to any keep state
Thanks for help,
Uwe
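A ruleset that has been pasted into a mail client often arrives with rules run onto the comment line above them, and pf silently treats everything after `#` as a comment, so those rules never load. The checker below is an added example (not Uwe's code, and not part of pf or OpenBSD): it expands macros the way pf does, flags comment lines that carry rule keywords, and counts the pass/block rules that actually bind to each interface. The sample ruleset and the 203.0.113.0/24 addresses in it are constructed placeholders shaped like the post's configuration.

```python
# Added example: a small pf.conf sanity checker (not from the original post).
import re

# Constructed sample shaped like the post's ruleset; addresses are placeholders.
SAMPLE_PF_CONF = """\
ext_if = "sis0"
int_if = "ne3"
adm_if = "ep1"
as_uzul = "{ 80 }"
uzul = "203.0.113.98/32"
set block-policy return
# scrub all scrub all fragment reassemble random-id
# default block block log on $ext_if all block log on $adm_if all
# default pass pass on $int_if all
pass in quick on $ext_if proto { tcp, udp } from any to $uzul port $as_uzul flags S/SA keep state
# UZUL pass out quick on $ext_if from $uzul to any keep state
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# A rule keyword followed by a token that typically starts a rule body.
FUSED_RULE_RE = re.compile(r'\b(pass|block|scrub|match)\s+(in|out|on|log|quick|all)\b')


def parse_macros(text):
    """Collect `name = "value"` macro definitions, in file order."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(line, macros, max_rounds=10):
    """Substitute $macro references; a macro may refer to an earlier macro."""
    for _ in range(max_rounds):
        new = re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)
        if new == line:
            break
        line = new
    return line


def find_fused_rules(text):
    """(lineno, line) for comment lines that look like they swallowed a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#") and FUSED_RULE_RE.search(stripped):
            hits.append((n, stripped))
    return hits


def live_rules(text, macros):
    """The lines pf would actually load: comments and macro definitions removed."""
    rules = []
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip()  # pf drops everything after '#'
        if not body or MACRO_RE.match(line):
            continue
        rules.append(expand(body, macros))
    return rules


def rules_per_interface(rules, macros):
    """Count pass/block rules bound to each interface via 'on <ifname>'."""
    counts = {}
    # Every interface named by a *_if macro shows up, even with zero rules.
    for name, value in macros.items():
        if name.endswith("_if"):
            counts[value] = {"pass": 0, "block": 0}
    for rule in rules:
        m = re.match(r'(pass|block)\b.*?\bon\s+(\w+)', rule)
        if m:
            action, ifname = m.groups()
            counts.setdefault(ifname, {"pass": 0, "block": 0})[action] += 1
    return counts


def check(text):
    """Run all checks and return a report dict."""
    macros = parse_macros(text)
    rules = live_rules(text, macros)
    return {
        "fused": find_fused_rules(text),
        "rules": rules,
        "per_if": rules_per_interface(rules, macros),
    }


if __name__ == "__main__":
    report = check(SAMPLE_PF_CONF)
    for n, line in report["fused"]:
        print(f"line {n}: rule fused onto a comment, never loaded: {line}")
    for ifname, c in report["per_if"].items():
        print(f"{ifname}: pass={c['pass']} block={c['block']}")
```

Run against the constructed sample, the report shows four comment lines carrying rules and, as a consequence, no block rule on sis0 at all and no rules on ne3 or ep1; run against the real file before `pfctl -nf`, it tells you whether the `block log on $ext_if all` default is actually in effect.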
