Hi all,

I have a very simple setup: one Soekris that is acting as firewall and router between two private networks. The rules are quite simple, and are supposed to only let the traffic for a few ports pass from the DMZ to the App Zones and vice versa.

I don't understand what I am doing wrong, but it looks like PF is either not creating a state or skipping matching the state table and using the rules instead; anyhow, I have not been able to get it working, even by setting state-policy to if-bound.

The unit is running OpenBSD 3.6. Attached are the rules and the tcpdump traces.
# Description: "RACFW-A1 Firewall Configuration"
# Created: 2005-Jun-21/17:15:00
# Author: [EMAIL PROTECTED]

# Interfaces and the networks behind them
dmz_if = sis0
app_if = sis1
adm_if = sis2
dmz_net = "192.168.0.0/24"
app_net = "192.168.100.0/24"

# Ports allowed DMZ -> App, and App -> DMZ (NetBIOS/CIFS)
app_services = "{ 2920, 51011 }"
dmz_tcp_services = "{ 137, 138, 139, 445 }"
dmz_udp_services = "{ 137, 138, 139 }"

set block-policy return
set limit { states 8192, frags 4096 }
set optimization conservative
# Floating (the default) is required here: a state created by "pass in" on
# $dmz_if must also match the same connection when it leaves on $app_if and
# when the SYN-ACK comes back in on $app_if. With if-bound that state is only
# consulted on $dmz_if, so the reply on $app_if falls through to the rules.
set state-policy floating

scrub in log all
scrub out log all
scrub log reassemble tcp

# Default deny inbound; logged so rule matches show up on pflog0
block in log all
# OpenBSD 3.6 does not add "keep state" implicitly. Without it this rule
# passes the packet but creates no state for the replies.
pass out log all keep state

# Management traffic
pass in quick on $adm_if inet proto tcp from any \
to ($adm_if) port ssh keep state
pass in quick on $adm_if inet6 proto tcp from any \
to ($adm_if) port ssh keep state
pass in quick on $adm_if inet proto icmp from any to any keep state
pass in quick on $adm_if inet6 proto icmp6 from any to any keep state

# Application traffic
# modulate state rewrites the client's initial sequence number, so the ISN
# logged on $app_if differs from the one that arrived on $dmz_if; the peer's
# SYN-ACK must ack the rewritten number, which only the creating state knows.
pass in log on $dmz_if inet proto tcp from $dmz_net \
to $app_net port $app_services modulate state flags S/SA
pass in log on $app_if inet proto tcp from $app_net \
to $dmz_net port $dmz_tcp_services modulate state flags S/SA
pass in log on $app_if inet proto udp from $app_net \
to $dmz_net port $dmz_udp_services keep state
[EMAIL PROTECTED] root]# tcpdump -eni pflog0 port 51011
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
02:08:14.250229 rule 7/0(match): pass in on sis0: 192.168.0.2.56848 > 192.168.100.52.51011: S 1252659490:1252659490(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:14.250477 rule 1/0(match): pass out on sis1: 192.168.0.2.56848 > 192.168.100.52.51011: S 2049456173:2049456173(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:14.260021 rule 0/0(match): block in on sis1: 192.168.100.52.51011 > 192.168.0.2.56848: S 3766929988:3766929988(0) ack 2049456174 win 17520 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:16.910348 rule 1/0(match): pass out on sis1: 192.168.0.2.56848 > 192.168.100.52.51011: S 2049456173:2049456173(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:16.910646 rule 0/0(match): block in on sis1: 192.168.100.52.51011 > 192.168.0.2.56848: S 3768285184:3768285184(0) ack 2049456174 win 17520 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:19.920346 rule 1/0(match): pass out on sis1: 192.168.0.2.56848 > 192.168.100.52.51011: S 2049456173:2049456173(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:19.920647 rule 0/0(match): block in on sis1: 192.168.100.52.51011 > 192.168.0.2.56848: S 3769846984:3769846984(0) ack 2049456174 win 17520 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:22.930352 rule 1/0(match): pass out on sis1: 192.168.0.2.56848 > 192.168.100.52.51011: S 2049456173:2049456173(0) win 65535 <mss 1460> (DF)
02:08:22.930652 rule 0/0(match): block in on sis1: 192.168.100.52.51011 > 192.168.0.2.56848: S 3771413144:3771413144(0) ack 2049456174 win 17520 <mss 1460> (DF)
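The trace above can be read mechanically. pflog records a packet only when a rule matched it; a packet matched by an existing state is not logged (unless the rule said log-all). So a SYN that appears once as "pass in" on sis0 and again as "pass out" on sis1, with each retransmit hitting rule 1 again, was evaluated against the rules both times: the state created by rule 7 on sis0 was never consulted on sis1, and the SYN-ACK entering sis1 consequently met the default block. The following script is an added example, not code from the original post: it parses the de-wrapped tcpdump lines from the post (embedded as a constructed sample), groups them per flow, and reports the state-creating rule, the repeated outbound rule matches, the ISN rewrite done by modulate state, and the rule that dropped the reply. The parser, function names and report fields are mine; the pflog line format is the OpenBSD 3.x tcpdump rendering shown in the post.

```python
"""Diagnose a failed stateful TCP handshake from a pflog trace.

Added example, not part of the original post. Reads de-wrapped
"tcpdump -eni pflog0" lines, groups them per flow and reports whether the
state created on the ingress interface was honoured on the egress one.
"""
import re
from collections import defaultdict

# Constructed sample: the first five pflog lines of the post, de-wrapped,
# plus tcpdump's own chatter, which the parser must ignore.
SAMPLE_PFLOG = """\
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: listening on pflog0
02:08:14.250229 rule 7/0(match): pass in on sis0: 192.168.0.2.56848 > 192.168.100.52.51011: S 1252659490:1252659490(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:14.250477 rule 1/0(match): pass out on sis1: 192.168.0.2.56848 > 192.168.100.52.51011: S 2049456173:2049456173(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:14.260021 rule 0/0(match): block in on sis1: 192.168.100.52.51011 > 192.168.0.2.56848: S 3766929988:3766929988(0) ack 2049456174 win 17520 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:16.910348 rule 1/0(match): pass out on sis1: 192.168.0.2.56848 > 192.168.100.52.51011: S 2049456173:2049456173(0) win 65535 <mss 1460,nop,wscale 0,[|tcp]> (DF)
02:08:16.910646 rule 0/0(match): block in on sis1: 192.168.100.52.51011 > 192.168.0.2.56848: S 3768285184:3768285184(0) ack 2049456174 win 17520 <mss 1460,nop,wscale 0,[|tcp]> (DF)
"""

# Matches the OpenBSD 3.x tcpdump rendering of a TCP packet on pflog0.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\d+\(match\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) (?P<seq>\d+):\d+\(\d+\)(?: ack (?P<ack>\d+))?"
)


def parse_pflog(text):
    """Return one dict per TCP pflog line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("rule", "sport", "dport", "seq", "ack"):
            if ev[key] is not None:
                ev[key] = int(ev[key])
        events.append(ev)
    return events


def flow_key(ev):
    """Direction-independent 4-tuple so a SYN and its SYN-ACK share a flow."""
    return tuple(sorted([(ev["src"], ev["sport"]), (ev["dst"], ev["dport"])]))


def diagnose(events):
    """Map each flow to a report on where its state was (not) honoured."""
    flows = defaultdict(list)
    for ev in events:
        flows[flow_key(ev)].append(ev)
    reports = {}
    for key, evs in flows.items():
        syns = [e for e in evs if e["flags"] == "S" and e["ack"] is None]
        synacks = [e for e in evs if e["flags"] == "S" and e["ack"] is not None]
        creator = next((e for e in syns if e["action"] == "pass" and e["dir"] == "in"), None)
        if creator is None:
            continue  # no state-creating SYN seen; nothing to say about this flow
        # Each "pass out" of the same SYN on another interface was a fresh rule
        # match, so the state made by `creator` was not found on that interface.
        rematched = [e for e in syns if e["action"] == "pass" and e["dir"] == "out"
                     and e["ifname"] != creator["ifname"]]
        egress = rematched[0] if rematched else None
        # modulate state rewrites the client ISN; the SYN-ACK must ack the rewritten one.
        isn_modulated = egress is not None and egress["seq"] != creator["seq"]
        expected_ack = (egress["seq"] if egress else creator["seq"]) + 1
        dropped = [e for e in synacks if e["action"] == "block" and e["ack"] == expected_ack]
        report = {
            "state_rule": creator["rule"],
            "state_if": creator["ifname"],
            "egress_if": egress["ifname"] if egress else None,
            "out_rule_matches": len(rematched),
            "isn_modulated": isn_modulated,
            "reply_blocked_rule": dropped[0]["rule"] if dropped else None,
            "reply_blocks": len(dropped),
        }
        if egress and dropped:
            report["verdict"] = (
                "state from rule %d on %s is not consulted on %s: the SYN was "
                "rule-matched %d time(s) on the way out (rule %d) and its SYN-ACK "
                "was dropped by rule %d %d time(s). Check set state-policy "
                "(floating lets one state match on every interface) and give "
                "the pass out rule keep state."
                % (creator["rule"], creator["ifname"], egress["ifname"],
                   len(rematched), egress["rule"], dropped[0]["rule"], len(dropped)))
        elif dropped:
            report["verdict"] = "SYN-ACK dropped by rule %d on %s" % (
                dropped[0]["rule"], dropped[0]["ifname"])
        else:
            report["verdict"] = "handshake passed"
        reports[key] = report
    return reports


if __name__ == "__main__":
    for key, rep in diagnose(parse_pflog(SAMPLE_PFLOG)).items():
        print("%s:%d <-> %s:%d" % (key[0] + key[1]))
        for k, v in rep.items():
            print("  %s: %s" % (k, v))
```

Feed it the full trace instead of the sample and the out_rule_matches and reply_blocks counters rise with every SYN retransmit, which is the tell-tale of a state that exists on the ingress interface only: once the pass out rule keeps state, or the policy is floating, the retransmits and the SYN-ACK match state and stop appearing on pflog0 at all.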