What am I missing? (4-leg setup)

RZR Sat, 03 Jul 2004 00:36:40 -0700

Following the directions from http://openbsd.sfobug.org/faq/pf/tagging.html, plus a little tweaking to include access for ipsec laptops on $wi_if (isakmpd on firewall), I came up with this. However, ALL access becomes blocked; namely -access from the firewall out -access to the firewall from the ipsec laptops -access to DMZ boxes from the ipsec laptops.

I know I'm missing something (hopefully small).

Any help would be much appreciated.
-RZR

pf.conf ->
# macros
int_if = "fxp0"
wi_if = "fxp1"
dmz_if = "sk0"
sec_if = "enc0"
ext_if = "tun0"
int_net = "192.168.1.0/24"
wi_net = "192.168.2.0/24"
dmz_net = "172.16.1.0/24"
www_server = "172.16.1.2"
mail_server = "172.16.1.3"

table <spamd> persist file "/etc/spammers"
set loginterface $ext_if

### AltQueue
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)

##################################################################
# classification -- classify packets based on the defined firewall
# policy.
#rdr on $ext_if proto tcp from <spamd> to port smtp \
#       tag SPAMD -> 127.0.0.1 port 8025
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $sec_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $DMZ_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to $ext_if port 22 \
        -> $mail_server port 22
rdr on $ext_if proto tcp from any to $ext_if port 25 \
        -> $mail_server port 25
rdr on $ext_if proto tcp from any to $ext_if port 80 \
        -> $www_server port 80
rdr on $ext_if proto tcp from any to $ext_if port 443 \
        -> $www_server port 443
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

block all
pass in on $int_if from $int_net tag LAN_INET keep state
pass in on $wi_if from $wi_net tag WI_INET keep state
pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
pass in on $wi_if from $wi_net to $dmz_net tag WI_DMZ keep state
pass in on $ext_if proto tcp to $www_server port {www, https} \
        tag INET_DMZ keep state
pass in on $ext_if proto tcp to $mail_server port {ssh, smtp} \
        tag INET_DMZ keep state

######################################################################## # policy enforcement -- pass/block based on the defined firewall policy. pass in quick on $ext_if tagged SPAMD keep state pass out quick on $ext_if tagged LAN_INET keep state queue(q_def, q_pri) pass out quick on $ext_if tagged WI_INET keep state queue(q_def, q_pri) pass out quick on $dmz_if tagged LAN_DMZ keep state pass out quick on $dmz_if tagged WI_DMZ keep state pass out quick on $dmz_if tagged INET_DMZ synproxy state queue(q_def, q_pri) label "$dstaddr:$dstport" queue(q_def, q_pri) ############################################################################

What am I missing? (4-leg setup)

Reply via email to