Ahh...growing pains...

PF is almost doing what I want.

The last piece of this puzzle is configuring the rules to relay mail to my internal mail server.
When I turn on these rules, postfix is unable to send email to my internal host.
When I shut off the rules, postfix is able to relay the mail correctly.


Incoming for port 25 works great.
Now I need to figure out how to set up the rules to allow postfix to relay to the private network, on port 25...


If anyone has any thoughts, I'm all ears.

Thanks.

Jason
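An added example (not code from this thread) for checking which destinations the <NoRouteIPs> table in the ruleset quoted below actually covers, since the "block out ... quick on $ext_if from any to <NoRouteIPs>" rule relies on it: PF decides a table lookup by the most specific entry, and a negated entry only exempts its own prefix. The 192.168.1.0/24 variant is an assumption about what the "!" entry was meant to exempt.

```python
import ipaddress

# Table as posted in the quoted ruleset, entries as (prefix, negated):
# table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, !192.168.0.0/24 }
NOROUTE_TABLE = [
    ("127.0.0.1/8", False),
    ("172.16.0.0/12", False),
    ("10.0.0.0/8", False),
    ("192.168.0.0/16", False),
    ("192.168.0.0/24", True),   # the "!" entry
]

# Assumption: the intent was to exempt int_net (192.168.1.0/24), so this
# constructed variant negates that prefix instead of 192.168.0.0/24.
EXEMPT_INT_NET_TABLE = NOROUTE_TABLE[:-1] + [("192.168.1.0/24", True)]


def table_matches(table, addr):
    """PF table lookup: the most specific (longest-prefix) entry containing
    addr decides, and a negated entry means the address does NOT match."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, negated in table:
        # strict=False so 127.0.0.1/8 is read as 127.0.0.0/8, as pf does
        net = ipaddress.ip_network(prefix, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


def relay_blocked(dst, table=NOROUTE_TABLE):
    """Would 'block out log quick on $ext_if from any to <NoRouteIPs>'
    drop an outbound SMTP connection from the gateway to dst?"""
    return table_matches(table, dst)


if __name__ == "__main__":
    for dst in ("192.168.1.25", "192.168.0.25", "10.0.1.100", "203.0.113.5"):
        print(f"{dst:15} posted table: {relay_blocked(dst)!s:5} "
              f"with !192.168.1.0/24: {relay_blocked(dst, EXEMPT_INT_NET_TABLE)}")
```

Run it to see that a mail server in 192.168.1.0/24 still matches the posted table (only 192.168.0.0/24 is carved out), while the variant exempts it; the same check can be done live with `pfctl -t NoRouteIPs -T test <address>` on the box.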

At 04:00 PM 9/30/2003 -0700, you wrote:
Figured it out! Woot!
Feels good when you put your nose to the grind and hammer it out.

Did some mixing around, but this is the end result:

# Define useful variables
ext_if="fxp0"              # External Interface
int_if="fxp1"
int_net="192.168.1.0/24"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

#Tables
table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, !192.168.0.0/24 }
table <trusted> persist file "/etc/tables/trusted"


# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block in log on $ext_if all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state


# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port 22 keep state


# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

pfctl -s rules output:

scrub in all fragment reassemble
block drop in log on fxp0 all
pass in quick on lo0 all
block drop in log quick on fxp0 from <NoRouteIPs> to any
block drop out log quick on fxp0 from any to <NoRouteIPs>
pass in on fxp0 inet proto tcp from any to (fxp0) port = smtp flags S/FSRA keep state
pass in log quick on fxp1 inet proto tcp from <trusted> to 10.0.1.100 port = ssh keep state
pass out on fxp1 inet from any to 10.0.1.0/24 keep state
pass out on fxp0 proto tcp all flags S/FSRA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state


I can telnet to port 25 on it and it works. Denied on all other ports so far.
I can SSH from my intranet...

I'm happy. :)

Anyone care to make any comments or suggestions?

Thanks.

Jason


At 03:22 PM 9/30/2003 -0700, you wrote:
I keep locking myself out of the box. heheheh

Here is what I have: I have an OpenBSD mail gateway on my DMZ. I want to only allow SMTP connections coming from my firewall, but allow SSH connections coming from my intranet.

My subnets:

DMZ = 10.0.1.1/24
Private = 192.168.1.0/24

RULES:

# Define useful variables
ext_if="fxp0"              # External Interface
int_if="fxp1"
tcp_services = "{ 25 }"
tcp_int_services = "{ 22 }"

table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block log all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state


#Passing in SSH from intranet
pass in on $int_if inet proto tcp from $int_if:network port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state


# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

I'm reading over the PF FAQ right now, trying to see where I've gone wrong.

I'm wondering if I need to add something like this:


pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

Like I said, I want to be able to SSH to the box on the DMZ.

Any recommendations?

Thanks.

jason