Greetings list,

I am a newbie at PF but have used IPFilter for many years. I am in the
process of installing a new OpenBSD box with PF. I have read and re-read
the man page (pf.conf(5)), and also read and re-read the PF manual on the
OpenBSD website. However, I am at a loss as to why my traffic is always
blocked. I understand the default policy is pass all unless I specify block
all. I have continually restructured the rules below using various words,
but for whatever reason the rdr ports are always "filtered" and don't allow
any traffic through. The only way I could get the various ports (plus other
unwanted ports) to show up in my nmap scans was to remove all general
"block" type statements (such as block all) from the pf.conf file.

Here are my rules (somewhat sanitized to keep IPs out of the equation).
The em0 interface is the external, internet-facing one. The em1 interface is
the one facing into my DMZ. I filter traffic in both directions on my
existing firewall and want to do the same with this one. Also, with
IPFilter, the "keep state" term would allow me to not have to open up things
on other interfaces for the same traffic, and I'm not sure if that is the
same here with PF. Maybe someone can look at my rules and tell me why it is
always "filtered". I keep running an nmap (version 3.75) scan against the
outside interface to see what shows up, and it usually only shows port 113 as
available since it has returned a reset. The rest of the "open" ports
should be shown as "open", as the rdr command should just push the data
through to the inside servers. Anyway, maybe someone can help explain why
these rules always block everything except port 113.

Thanks in advance!
# Macros
#
tcp_ports = "{ 22, 80, 443, 995, 1022 }"
out_staff = "{ 21, 22, 53, 80, 110, 123, 443 }"
out_servers = "{ 25, 53, 80, 123, 443 }"
out_proxies = "{ 2048, 5050, 8001, 8080, 8765, 9090, 32888 }"
postoffice = "10.10.10.20"
insidebsd = "10.10.10.12"
#
# Tables
table <private> const { 10/8, 172.16/12, 192.168/16, 127/8 }
#
# Options (for running pf)
set loginterface em0
set state-policy if-bound
#
# Traffic Normalization (cleaning up questionable traffic)
scrub on em0 fragment reassemble
#
# Queueing (bandwidth management)
# none defined
#
# Translation (nat/rdr)
nat on em0 from em1:network to any -> (em0)
rdr on em0 inet proto tcp from any to any port 22 -> 10.10.10.14 port 22
rdr on em0 inet proto tcp from any to any port 25 -> 10.10.10.20 port 25
rdr on em0 inet proto tcp from any to any port 80 -> 10.10.10.30 port 80
rdr on em0 inet proto tcp from any to any port 443 -> 10.10.10.20 port 443
rdr on em0 inet proto tcp from any to any port 995 -> 10.10.10.20 port 995
rdr on em0 inet proto tcp from any to any port 1022 -> 10.10.10.20 port 1022
#
# Packet Filter
#
# Default Block Policy
block all
#
# Pass in and out localhost traffic so this doesn't break
pass quick on lo0 all
#
# Block the crap to and from private networks, etc.
block drop in quick on em0 inet proto { udp, icmp } all
block drop in quick on em0 inet from <private> to any
block drop out quick on em0 inet from any to <private>
block return in quick on em0 inet proto tcp to port 113
#
# Rules for internet interface (em0) defining inbound from internet traffic
#
# Only allow internet email in from Postini server network
pass in quick on em0 inet proto tcp from XXXXXXXXX/20 to any port 25 flags S/SA keep state
pass out quick on em1 inet proto tcp from any to any port 25 flags S/SA keep state
#
# The public services offered by AXYS to internet
pass in quick on em0 inet proto tcp from any to any port $tcp_ports flags S/SA keep state
pass out quick on em1 inet proto tcp from any to any port $tcp_ports flags S/SA keep state
#
# Rules for dmz interface (em1) defining outbound to internet traffic
#
# Allowed traffic from inside firewall/dmz out to the internet
pass in quick on em1 inet proto icmp icmp-type 8 code 0 keep state
pass out quick on em0 inet proto icmp icmp-type 8 code 0 keep state
pass in quick on em1 inet proto udp from any to any port 53 keep state
pass out quick on em0 inet proto udp from any to any port 53 keep state
pass in quick on em1 inet proto tcp from $postoffice to any port $out_servers flags S/SA keep state
pass out quick on em0 inet proto tcp from any to any port $out_servers flags S/SA keep state
pass in quick on em1 inet proto tcp from $insidebsd to any port $out_staff flags S/SA keep state
pass out quick on em0 inet proto tcp from any to any port $out_staff flags S/SA keep state
pass in quick on em1 inet proto tcp from $insidebsd to any port $out_proxies flags S/SA keep state
pass out quick on em0 inet proto tcp from any to any port $out_proxies flags S/SA keep state
#
# END OF FILE
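The check a reader of this post would want before touching the box is to see which filter rule a given probe actually lands on under pf's ordering (last matching rule wins, unless a matching rule is marked quick, which ends evaluation on the spot). The script below is an added example, written for this page and not part of the original post or of pf itself: a small evaluator for just the subset of pf.conf filter grammar the posted rules use. It loads a subset of the posted filter section (the staff and proxy rule pairs are dropped for brevity, and the Postini rule is dropped because its source network is sanitized as XXXXXXXXX/20 in the post), expands the $macros and the <private> table the way pfctl does textually, and reports the winning rule for a few constructed probes. It does not model nat/rdr translation, the state table or state-policy, so a "pass" verdict here only says the rule text itself would pass the packet. The scanner address 198.51.100.7, the em0 address 192.0.2.1 and the private source 192.168.1.5 are constructed documentation-range values, not anything from the post.

```python
"""Added example (not pf, not from the original post): first-match evaluator
for the subset of pf.conf filter syntax the posted rule set uses.  Modelled:
'last matching rule wins unless a matching rule is quick'.  Not modelled:
nat/rdr translation, state tables, state-policy."""
import ipaddress
import re

MACROS = {  # macros from the post that the rule subset below refers to
    "tcp_ports": "{ 22, 80, 443, 995, 1022 }",
    "out_servers": "{ 25, 53, 80, 123, 443 }",
    "postoffice": "10.10.10.20",
}
# table <private> from the post, with pf's short CIDR notation spelled out
TABLES = {"private": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]}

# Filter rules from the post (staff/proxy pairs omitted for brevity; the
# Postini rule omitted because its source network is sanitized in the post).
RULESET = """
block all
pass quick on lo0 all
block drop in quick on em0 inet proto { udp, icmp } all
block drop in quick on em0 inet from <private> to any
block drop out quick on em0 inet from any to <private>
block return in quick on em0 inet proto tcp to port 113
pass out quick on em1 inet proto tcp from any to any port 25 flags S/SA keep state
pass in quick on em0 inet proto tcp from any to any port $tcp_ports flags S/SA keep state
pass out quick on em1 inet proto tcp from any to any port $tcp_ports flags S/SA keep state
pass in quick on em1 inet proto tcp from $postoffice to any port $out_servers flags S/SA keep state
pass out quick on em0 inet proto tcp from any to any port $out_servers flags S/SA keep state
"""

NOOP = {"drop", "return", "inet", "all", "keep", "state"}  # no effect on matching here
NOOP_ARG = {"flags", "icmp-type", "code"}                    # keyword plus one argument


def _items(tok):  # '{ 22, 80 }' -> ['22', '80']; a bare value -> [value]
    return [x.strip() for x in tok.strip("{}").split(",") if x.strip()]


def parse_rule(line):
    """Parse one rule into a dict; $macros are substituted textually, as pfctl does."""
    text = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], line)
    toks = re.findall(r"\{[^}]*\}|\S+", text)
    r = {"action": toks[0], "dir": None, "quick": False, "on": None,
         "proto": None, "src": "any", "dst": "any", "port": None}
    if toks[0] == "block":  # plain 'block' drops under pf's default block-policy
        r["action"] = "block return" if toks[1:2] == ["return"] else "block drop"
    i = 1
    while i < len(toks):
        t = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if t in NOOP:
            i += 1
        elif t in NOOP_ARG:
            i += 2
        elif t in ("in", "out"):
            r["dir"], i = t, i + 1
        elif t == "quick":
            r["quick"], i = True, i + 1
        elif t == "on":
            r["on"], i = arg, i + 2
        elif t == "proto":
            r["proto"], i = _items(arg), i + 2
        elif t in ("from", "to"):
            if arg == "port":  # 'to port 113': the host part stays any
                i += 1
            else:
                r["src" if t == "from" else "dst"], i = arg, i + 2
        elif t == "port":
            r["port"], i = [int(p) for p in _items(arg)], i + 2
        else:
            raise ValueError("unsupported keyword %r in: %s" % (t, line))
    return r


def _addr_ok(spec, ip):
    if spec == "any":
        return True
    nets = TABLES[spec[1:-1]] if spec.startswith("<") else [spec]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)


def _matches(r, p):
    return ((r["dir"] is None or r["dir"] == p["dir"])
            and (r["on"] is None or r["on"] == p["if"])
            and (r["proto"] is None or p["proto"] in r["proto"])
            and _addr_ok(r["src"], p["src"]) and _addr_ok(r["dst"], p["dst"])
            and (r["port"] is None or p["dport"] in r["port"]))


def evaluate(rules, pkt):
    """Walk rules in order; return (action, rule text) of the winning rule."""
    winner = ("pass", "(no rule matched: pf's default is pass)")
    for text, r in rules:
        if _matches(r, pkt):
            winner = (r["action"], text)
            if r["quick"]:  # quick ends evaluation at this rule
                break
    return winner


RULES = [(ln, parse_rule(ln)) for ln in RULESET.splitlines() if ln.strip()]


def verdict(iface, direction, proto, src, dst, dport=None):
    return evaluate(RULES, {"if": iface, "dir": direction, "proto": proto,
                            "src": src, "dst": dst, "dport": dport})


if __name__ == "__main__":
    # Constructed probes: 198.51.100.7 plays the scanner, 192.0.2.1 the em0 address.
    for probe in [("em0", "in", "tcp", "198.51.100.7", "192.0.2.1", 22),
                  ("em0", "in", "tcp", "198.51.100.7", "192.0.2.1", 113),
                  ("em0", "in", "tcp", "192.168.1.5", "192.0.2.1", 113),
                  ("em1", "out", "tcp", "198.51.100.7", "10.10.10.30", 8080)]:
        print(probe, "->", verdict(*probe))
```

Two things the evaluator makes visible: a probe to port 113 from a source inside <private> is dropped by the `from <private>` rule, which sits before the `block return ... port 113` rule, so it never gets a reset; and a public-source SYN to one of $tcp_ports reaches the `pass in quick on em0` rule on rule text alone. On the real box, compare with `pfctl -vvsr` (rule numbers plus per-rule Evaluations/Packets counters) and `pfctl -ss` (the state table), remembering that rdr is applied before the filter rules, so the `in` rule on em0 sees the translated 10.10.10.x destination, and that with `set state-policy if-bound` a state created on em0 is not consulted on em1.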