On Tue, Jun 21, 2005 at 09:16:16PM -0400, Jaime Vargas wrote:
> Hi all,
>
> I have a very simple setup. One soekris that is acting as firewall
> and router between two private networks. The rules are quite simple,
> and are supposed to only let the traffic for a few ports pass from
> the DMZ to the App Zones and vice-versa.
>
> I don't understand what I am doing wrong but it looks like PF is
> either not creating a state, or skipping matching the state table and
> using the rules instead; anyhow I have not been able to get it
> working. Even by setting state-policy to if-bound.
>
> The unit is running OpenBSD 3.6. Attached are the rules and the tcpdump
> traces.
I could've sworn we fixed this last night... Is this email just a bit
late?
Simply setting your state-policy to if-bound won't fix things. The
problem is the second rule in your pf.conf "block out log all". Take
a look at the output of tcpdump. The initial SYN comes in on $dmz_if
fine by way of your first "Application Traffic" rule. It then goes out
on $app_if by way of rule 1/0, which is that pesky "block out log all".
Since it does not create state, the inbound SYN-ACK reply on $app_if is
blocked.
There are two solutions that I can think of.
First would be to combine those first two default rules into one default
block in and out. Next, ensure that the firewall can pass out traffic on all
necessary interfaces while keeping state. This is not my preferred way
of doing things, but it will ensure that the firewall can talk freely to
whomever it wants and that the outbound SYN on $app_if will create
state.
The second solution would be to use state-policy if-bound. IMO this
makes for tighter rulesets as it removes any ambiguity about where
packets are allowed to go. As with my first suggestion, get a "block drop
log all" as your first rule. Next, create a rule that allows all your
application traffic statefully out on $app_if. Something like:
pass out log on $app_if inet proto tcp from $dmz_net
to $app_net port $app_services modulate state flags S/SA
Assuming this all works, remove all those log statements so you don't
fill up pflog too quickly :)
-jon
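Below is an added pf.conf sketch illustrating the diagnosis and the second fix from the reply above; it is not the ruleset attached to the original mail. The macro names ($dmz_if, $app_if, $dmz_net, $app_net, $app_services) are taken from the thread, while their values are constructed placeholders, and the "failing" block is a reconstruction of the pattern the reply describes (a stateful pass in on $dmz_if followed by a catch-all block out), not Jaime's actual file.

```pf
# Added example, not the ruleset from the original thread.
# Macro values below are constructed placeholders.
dmz_if       = "sis1"
app_if       = "sis2"
dmz_net      = "10.0.1.0/24"
app_net      = "10.0.2.0/24"
app_services = "{ 80, 443 }"

# --- Pattern that fails (reconstructed from the reply's diagnosis) ---
# block in log all
# block out log all
# pass in log on $dmz_if inet proto tcp from $dmz_net to $app_net \
#     port $app_services keep state
#
# The SYN is passed inbound on $dmz_if and a state is created there, but
# pf evaluates the outbound direction on $app_if separately. Nothing
# passes it out statefully, so "block out log all" matches, no state
# exists on $app_if, and the returning SYN-ACK inbound on $app_if is
# blocked.

# --- Corrected ruleset (the reply's second suggestion) ---
# With if-bound states, each interface needs its own stateful pass rule,
# so every hop the packet takes creates a state that the reply matches.
set state-policy if-bound

block drop log all

# DMZ -> App: accept the application traffic inbound on the DMZ side and
# create state there.
pass in log on $dmz_if inet proto tcp from $dmz_net to $app_net \
    port $app_services modulate state flags S/SA

# DMZ -> App: pass the same traffic outbound on the app side, so the
# outbound SYN on $app_if creates its own state and the SYN-ACK coming
# back in on $app_if is matched by it.
pass out log on $app_if inet proto tcp from $dmz_net to $app_net \
    port $app_services modulate state flags S/SA

# App -> DMZ ("vice-versa" in the original mail) needs the mirror pair:
# a stateful pass in on $app_if and a stateful pass out on $dmz_if.
```

Once the traffic flows, the `log` keywords can be dropped from the pass rules as the reply suggests, leaving only the default block logged; `pfctl -s state -vv` then shows whether each connection has the expected pair of if-bound entries, one per interface.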