Good Afternoon,
I've got a problem that I've been chewing on for a while now, and I have
a feeling that it is a conceptual problem that I just can't get over.
The scenario is that I have a FreeBSD router with 9 VLANs terminated and
loop back. To start with I sure don't believe that firewalls are the be
all and end all of security, but I do like to specifically allow types
of connections through.
The way I have taken to deciding the ruleset for this machine is looking
at each subnet and seeing what connections machines in it should be able
to make out, and what connections should be allowed from outside the
subnet back in.
After figuring out that packets when flowing through the router came in
from one interface and out of another, I made the following type of
arrangement (snipped for just two interfaces and tcp only)
# Check rules for traffic coming in from subnets.
pass in quick on $if_mgmt proto tcp from $if_mgmt:network to any port $mgmt_tcp_in keep state
pass in quick on $if_netdev0 proto tcp from $if_netdev0:network to any port $netdev0_tcp_in keep state
# Check rules for traffic going out to subnets.
pass out quick on $if_mgmt proto tcp from any to $if_mgmt:network port $mgmt_tcp_out keep state
pass out quick on $if_netdev0 proto tcp from any to $if_netdev0:network port $netdev0_tcp_out keep state
Now this works fine, and life is wonderful, free, happy and all that.
The problem then came when I attempted to protect the router itself,
i.e., SSH, webproxy, etc.
I wanted the router to specifically have one IP address that could be
reached from each subnet, so I bound an additional IP to lo0. I found
that packets came in from the source interface, but they never went out
via lo0. So the pf rules were never applied to protect the internal
services.
My problem is figuring out how to protect the router's IP address. The
only ways I see I can do it is to add another copy of it for the local
IP address and filter there.
I'm also not too happy about using quick in the way that I am, but this
is my first large scale pf configuration.
My full config is at:
http://narwar.net/~peter/pf.conf
Note that traffic to lo0 is currently just passed as I couldn't figure
out what to do with it.
Am I thinking about this the wrong way, should I basically have a pass
in set from each subnet to every other subnet? Is that a "better way"
(tm)? I understand if I did that, I would get the control of lo0 back.
I will also be providing transparent web proxy and smtp proxy using pf,
if that affects the end choice at all. Although I'm thinking rdr
shouldn't be affected.
I apologise for the long description, but if it helps to figure out that
I'm doing it the wrong way all the better. :) Suffice to say though, I'm
loving pf over ipfw, being able to use pfflowd is a huge advantage for me.
Any advice would be greatly appreciated, thanks folks,
Pete.
--
Peter Wood :: <[EMAIL PROTECTED]>
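Constructed pf.conf fragment added here for illustration (not Pete's config from the URL above): it shows one way to filter the router's own services on the VLAN the packet arrives on, which is the only place pf sees a locally destined packet. Interface names, the lo0 address and the port lists are assumptions.

```pf
# Constructed example, not the poster's pf.conf. Interface names,
# the router's service address and all port lists are assumptions.
if_mgmt    = "vlan10"
if_netdev0 = "vlan20"
router_ip  = "10.255.255.1"            # extra address bound to lo0
mgmt_tcp_in     = "{ 80, 443 }"        # what mgmt hosts may open beyond their subnet
netdev0_tcp_in  = "{ 443 }"
mgmt_tcp_out    = "{ 22 }"             # what may reach into the mgmt subnet
router_svc_mgmt = "{ 22, 3128 }"       # SSH and the web proxy, only from mgmt

set skip on lo0        # locally destined traffic never goes "out" on lo0,
                       # so filtering there protects nothing

block log all

# Router's own services. These rules must come BEFORE the forwarding
# rules: "to any" in the forwarding rules also matches $router_ip, and
# "quick" stops at the first match. A packet addressed to $router_ip
# is only ever evaluated "in" on the VLAN it arrived on.
pass in quick on $if_mgmt proto tcp from $if_mgmt:network \
    to $router_ip port $router_svc_mgmt keep state
block in log quick on { $if_mgmt $if_netdev0 } proto tcp \
    from any to $router_ip

# Forwarded traffic: what each subnet may open outwards ...
pass in quick on $if_mgmt proto tcp from $if_mgmt:network \
    to any port $mgmt_tcp_in keep state
pass in quick on $if_netdev0 proto tcp from $if_netdev0:network \
    to any port $netdev0_tcp_in keep state
# ... and what may reach into it from elsewhere.
pass out quick on $if_mgmt proto tcp from any \
    to $if_mgmt:network port $mgmt_tcp_out keep state

# Traffic the router originates itself (its own DNS lookups, package
# fetches, etc.) would need its own "pass out" rules; omitted here.
```

If the router's interface addresses should be covered too, pf's `self` keyword (every address on every interface) can replace `$router_ip` in the block rule.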