Before more description, here's the layout:

         [Cisco Router]
                |
            [iPrism] (configured as a transparent bridge)
        64.xxx.xxx.58/28
                |
        64.xxx.xxx.63 (carp4)
        64.xxx.xxx.61 (fxp4)
         [OpenBSD router]
           192.168.0.1 (fxp0)
                |
           192.168.0.2
         [NT domain controller]

Note that, for the connections in question, I'm not doing NAT at the
OpenBSD box, so the iPrism talks directly to the private IP addresses.

Now here's the problem. When I try to connect from the iPrism to our
NT domain controller (which we use for authentication), I can see
using tcpdump that the packets reach fxp4 on the OpenBSD firewall.
However, doing a simultaneous dump on fxp0 shows nothing.

To see which pf rule is blocking the packets, I do a dump on pflog0.
That shows nothing. So, I examined pf.conf for any block rules that
are not logged, and there are none. I got rid of scrub and anti-spoof,
and still the results were the same.

It seems that the packets are not being blocked by pf, but that
they're simply not being routed. Perhaps this is not even a pf issue,
but, not knowing, I thought I would start with this list.

Is there some other way to trace what is happening to these
connections? I'm at a loss as to what could cause this.

Thanks for taking time to read this far. Here's the pf.conf in case
it's of interest:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - - - - - -
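# pf.conf as posted to the list.  The mail client wrapped several rules in
# the posted copy: rules split across two lines without a trailing
# backslash have been re-joined (the $offices_if web rules, the $guest2_if
# <privileged_boxes> rule and the $kingrich port list), and the stray
# trailing backslashes that glued the three smtp pass rules into a single
# line have been dropped.  Verify the result against the live file with
# `pfctl -nf /etc/pf.conf` (parse only, no load).
#
# States are bound to the interface they were created on (if-bound): a state
# created by a `pass in` rule on $ext_if does not carry the flow out through
# $offices_if; the outbound leg is matched by the global `pass out keep state`
# rule in the filter section.  See pf.conf(5).
set state-policy if-bound


# Interfaces
ext_if="fxp4"
offices_if="fxp0"
dmz_if="fxp1"
guest2_if="fxp2"
guest_if="fxp3"
sync_if="fxp5"
all_ifs="{" $ext_if $offices_if $dmz_if $guest2_if $guest_if "}"

# Public addresses (xxx as in the post)
outside_ip1="64.xxx.xxx.50"
outlaw_pub="64.xxx.xxx.51"
outside_ip2="64.xxx.xxx.52"
outside_ip3="64.xxx.xxx.53"
cfbserver_pub="64.xxx.xxx.54"
kingrich_pub="64.xxx.xxx.55"
mail_cf_com="64.xxx.xxx.56"
incoming_ctim_com=$mail_cf_com
outgoing_pub="64.xxx.xxx.57"

# Internal hosts.  $cfbserver (192.168.0.2) is the NT domain controller
# from the post; $iprism is the transparent proxy on the outside segment.
ssh_pub=$outside_ip2
outlaw="192.168.1.2"
kingrich="192.168.0.3"
postman="192.168.0.8"
outgoing="192.168.0.4"
cfbserver="192.168.0.2"
iprism="64.xxx.xxx.58"
jonathans_box="192.168.0.12"
tonis_box="192.168.0.16"
netstream_tech1=$outside_ip2
netstream_tech2=$outside_ip3

ftp_ports="{20,21,1028:1031}"
ftp_servers="{" $outlaw $kingrich "}"
web_ports="www https"
wins_ports="{135 137}"
allowed_ports="{domain pop3 pop3s ntp 569}"

# Adjacent strings concatenate in a macro definition, so $not_smtp_servers
# expands to two negated hosts.
smtp_servers=$outgoing $postman
not_smtp_servers="!"$outgoing "!"$postman
table <blacklist> { }
# <smtp_destinations> and <smtp_servers> hold the same hosts; the first is
# used by a filter rule, the second only by a nat rule.
table <smtp_destinations> { $smtp_servers }
table <smtp_servers> { $smtp_servers }

# NOTE(review): <standard_nat> is defined here but no nat or filter rule
# below references it.
table <standard_nat> {192.168.0.0/16, !192.168.0.2/32, $not_smtp_servers, \
        !$kingrich/32}
table <privileged_boxes> {192.168.0.2/32, $kingrich/32,
192.168.0.4/32, 192.168.0.8/32 \
        192.168.0.11/32, 192.168.0.13/32, 192.168.0.14/32, 192.168.0.15/32,
192.168.0.250 \
        192.168.1.0/24, 192.168.3.0/24}

table <smtp_sources> {$offices_if:0 $smtp_servers \
        $jonathans_box $guest_if:network $iprism}
iblp="198.92.206.0/24"
clink="207.27.152.0/24"
apple_updates="208.51.120.0/24"
apple_updates2="17.250.248.0/24"
ups="153.2.0.0/16"
# Hostnames in a table are resolved to addresses when the ruleset is loaded,
# not per packet; a later DNS change for any of these names is not picked up
# until the table is reloaded.
table <outgoing_whitelist> {ftp.whcc.com ftp.maclamedia.com, \
        ftp.camenisch.net, ftp.cf.com, ftp2.freebsd.org, \
        charactercities.org, cf.networkstreaming.com, \
        paycomonline.net, public.iblp.net, tk.alaythia.com \
        $iblp $clink $apple_updates $apple_updates2 $ups }


scrub in all


#####################################
# NAT Settings                     #
#####################################

# Outbound NAT on the external interface only; 192.168.0/24 is not listed
# here, which matches the post's intent of no NAT for the iPrism traffic.
nat on $ext_if from 192.168.2/24 -> $outside_ip2
nat on $ext_if from 192.168.3/24 -> $outside_ip3
nat on $ext_if from 192.168.6/24 -> $outside_ip1
nat on $ext_if from <smtp_servers> -> $outgoing_pub
#nat on $ext_if from $cfbserver -> $cfbserver_pub
nat on $ext_if from $kingrich -> $kingrich_pub

###### TEMPORARY - T1 migration, 3/06 ######
nat on $dmz_if from 192.168.0/24 -> 192.168.1.253
###### TEMPORARY - T1 migration, 3/06 ######

# ssh servers
rdr on $ext_if proto tcp to $ssh_pub port ssh \
        -> 127.0.0.1 port ssh
rdr on $ext_if proto tcp to $ssh_pub port 22012 \
        -> $jonathans_box port ssh

# Web servers
rdr on $all_ifs proto tcp to $outlaw_pub port {$web_ports} \
        -> $outlaw
rdr on $ext_if proto tcp to $kingrich_pub \
        port {631 $web_ports 2200 8008 8009} \
        -> $kingrich

rdr on $ext_if proto tcp to $cfbserver_pub port 8080 \
        -> $cfbserver
rdr on $ext_if proto tcp to $ext_if:0 port 90 \
        -> 127.0.0.1 port 80


# Mail
rdr on {$ext_if $dmz_if} proto tcp to $incoming_ctim_com port smtp \
        -> $postman
rdr on {$ext_if $dmz_if $guest2_if $guest_if} proto tcp to \
        $outgoing_pub port smtp -> $outgoing
rdr on {$ext_if $dmz_if $guest2_if $guest_if} proto tcp to \
        { $mail_cf_com $outgoing_pub } port 2525 -> \
        $postman port smtp
rdr on {$ext_if $dmz_if $guest2_if $guest_if} proto tcp to \
        $mail_cf_com port {pop3 imap $web_ports} -> $postman

# Network streaming stations
rdr on $ext_if proto tcp to $netstream_tech1 port 443 \
        -> $jonathans_box
rdr on $ext_if proto tcp to $netstream_tech2 port 443 \
        -> $tonis_box

#####################################
# Filter Rules                      #
#####################################

antispoof quick log for $all_ifs

# Default deny for inbound traffic, logged.  Nearly every pass rule below is
# `quick`, so rule order decides the outcome.
block in log
block quick log from <blacklist>
block quick log to <blacklist>
pass out keep state
pass quick proto carp
pass quick on $sync_if proto pfsync

# smtp - keep before certain other rules that would override this
pass in quick proto tcp from <smtp_sources> to any port smtp keep state
pass in quick proto tcp to <smtp_destinations> port smtp keep state
pass in quick proto tcp to 127.0.0.1 port smtp keep state
# NOTE(review): this is the one block rule in the file without `log`, so
# traffic it drops never reaches pflog0.  It only matches port smtp, and
# $iprism is in <smtp_sources>, so it does not account for the dropped
# iPrism -> domain controller traffic described in the post.
block in quick proto tcp to any port smtp

########### In on $offices_if #############
pass in quick on $offices_if proto tcp to <outgoing_whitelist> keep state
pass in quick on $offices_if from <privileged_boxes> keep state
pass in quick on $offices_if proto tcp to !192.168.0.0/16 port \
        {$web_ports} keep state
pass in quick on $offices_if proto tcp to 192.168.1.0/24 port \
        {$web_ports} keep state
pass in quick on $offices_if proto tcp to \
        {proxy.characterlink.net} port 8080 keep state
block in log quick on $offices_if proto tcp to port 8080
pass in quick on $offices_if proto tcp to $offices_if:0 \
        port www keep state
pass in quick on $offices_if proto { tcp udp } to any \
        port $allowed_ports keep state
pass in quick on $offices_if proto {tcp udp} to any port > 1024 keep state

########### In on $dmz_if #############
# NOTE(review): unlike the other sections these four rules have no
# `keep state`, so they pass packets statelessly; replies rely on the
# global `pass out keep state` above.  Confirm this is intended.
pass in quick on $dmz_if proto {tcp udp} to port domain
pass in quick on $dmz_if proto {tcp udp} from port 20
pass in quick on $dmz_if proto tcp to !10.0/16 port {$web_ports}
pass in quick on $dmz_if proto tcp to 10.0/16 port {smtp 2953}

########### In on $guest2_if #############
pass in quick on $guest2_if proto tcp to \
        proxy.characterlink.net port 8080
block in log quick on $guest2_if proto tcp to port 8080
pass in quick on $guest2_if proto tcp to !192.168.0.0/16 port \
        {$web_ports} keep state
pass in quick on $guest2_if proto tcp to 192.168.1.0/24 port \
        {$web_ports} keep state
pass in quick on $guest2_if proto { tcp udp } to any \
        port $allowed_ports keep state
pass in quick on $guest2_if proto {tcp udp} to $cfbserver \
        port $wins_ports keep state
pass in quick on $guest2_if proto {tcp udp} to any port > 1024 keep state
pass in quick on $guest2_if proto tcp to <outgoing_whitelist> keep state
pass in quick on $guest2_if from <privileged_boxes> to !192.168.0.0/16 \
        keep state

########## In on $guest_if ############
pass in quick on $guest_if proto {tcp udp} to !10.0/16 keep state
pass in quick on $guest_if proto {tcp udp} to 192.168.1.2 port domain keep state
pass in quick on $guest_if proto {tcp udp} to 192.168.0.18 port 3389 keep state

########### In on $ext_if #############
# NOTE(review): the next two rules carry no `on $ext_if` and no port list,
# so they match TCP to those public addresses arriving on any interface,
# not just the external one as the section header suggests.
pass in quick proto tcp to $kingrich_pub keep state
pass in quick proto tcp to $outlaw_pub keep state
# Everything from the iPrism, any protocol, any destination.  This is the
# rule that should match iPrism -> 192.168.0.2 packets arriving on fxp4;
# nothing evaluated before it drops that traffic without logging.  If
# pflog0 stays empty with this rule in place, pf presumably passed the
# packets and the loss is after filtering (kernel route for 192.168.0.0/24,
# IP forwarding) - outside this file.  Note also that if the iPrism routes
# via the carp address (.63), only the carp master accepts the packets,
# while tcpdump on fxp4 still shows them on a backup.
pass in quick on $ext_if from $iprism keep state
pass in quick on $ext_if proto tcp to $outlaw port {$web_ports} \
        keep state
pass in quick on $ext_if proto tcp to { $jonathans_box $tonis_box } \
        keep state
pass in quick on $ext_if proto tcp to $cfbserver port 8080 \
        keep state
# NOTE(review): ssh to any address from any source on the external
# interface; the same rule is repeated without an interface below.
pass in quick on $ext_if proto tcp to any port ssh keep state

########### Miscellanious (all ifs) ############
pass in quick proto tcp to $cfbserver port 8080 keep state
pass in log quick proto tcp to $outlaw port {$web_ports} keep state
# NOTE(review): port 59000 is opened to every address from every interface
# and nothing in the file says what listens there - worth a comment or a
# destination restriction.
pass in quick proto tcp to any port 59000 keep state
pass in quick proto tcp to any port ssh keep state

pass in quick proto tcp to $postman port {smtp pop3 imap $web_ports} keep state
# NOTE(review): any protocol, any interface, to the loopback address; the
# rdr rules above send ssh and port 90 here, but this is wider than that.
pass in quick to 127.0.0.1 keep state
pass in quick proto tcp to $kingrich port {631 $web_ports ntp 2200 \
        8008 8009} keep state
pass in quick proto udp to $kingrich port ntp keep state
pass in quick proto tcp to $jonathans_box port {59000 443} keep state
pass in quick proto tcp to $ftp_servers port $ftp_ports keep state

# Allow basic icmp (rely on NAT to restrict poking around from outside)
# NOTE(review): no interface and no `keep state`; the reliance on NAT does
# not hold for segments that are not NATed (192.168.0/24 via $ext_if).
pass in quick inet proto icmp icmp-type {echoreq echorep trace}

# Fallback for $offices_if: not `quick`, so it only applies when none of
# the quick rules above matched; `return` answers with RST/ICMP instead of
# dropping silently.
block return in log on $offices_if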
