I am having an issue with some form of loop when packets are being
routed outbound through a soekris net4511. A traceroute below shows
that the wireless gateway (10.90.1.1) is showing up twice. I recently
purchased a book on pf and tried to model my ruleset as shown, which
left me a bit confused as to why this is happening. I would like to
solve this for performance-related issues that may come up in the
future - for now it seems to be working fine.
Thanks in advance
William
My network setup is as follows:
2 "trusted" areas - 10.80.1.1-128 (ethernet), and 10.90.1.1-128 (wireless)
2 "untrusted" areas - 10.80.1.130-254 (ethernet), and 10.90.1.130-254 (wireless)
I know this isn't very secure, but VLANs are out of the question.
[EMAIL PROTECTED]:~$ tracepath google.com
1: swilly-laptop.local (10.90.1.50) 0.263ms pmtu 1500
1: skrs (10.90.1.1) 7.043ms
2: skrs (10.90.1.1) 16.487ms
3: 172.22.33.45 (172.22.33.45) 48.011ms
4: atl-edge-18.inet.qwest.net (216.206.221.149) 18.744ms
pf.conf - I will be more than happy to explain any part in a follow up.
# pf.conf - skrs.swilly.tk - rev. 0.9a
###############################################################################
# Macros
###############################################################################
ext_if="sis0"
int_if="sis1"
wi_if="wi0"
lb_if="lo0"
###############################################################################
# Tables
###############################################################################
# Wireless hosts that have authenticated through authpf(8); authpf adds and
# removes the entries itself.
table <authpf_users> persist
# This box's own addresses on the two inside interfaces.  Interface names in
# a table are resolved when the ruleset is loaded, so reload pf if either
# address changes.  The table exists because "anywhere but this box" cannot
# be written as { !($wi_if) !($int_if) }: a list expands to one rule per
# element, and the two resulting rules together match every destination.
table <fw_lan> const { $int_if $wi_if }
# Zones.  The /25 split is .0-.127 (trusted) and .128-.255 (untrusted).
table <trusted>   const { 10.80.1.0/25 10.90.1.0/25 }
table <untrusted> const { 10.80.1.128/25 10.90.1.128/25 }
table <lan>       const { 10.80.1.0/24 10.90.1.0/24 }
###############################################################################
# Options
###############################################################################
set skip on $lb_if
###############################################################################
# Normalize all packets (in/out bound)
###############################################################################
scrub in all
###############################################################################
# Packet Prioritization
###############################################################################
# Queues act on packets leaving the interface the altq is defined on; the
# second queue in a "queue ( a b )" pair takes TCP ACKs and low-delay packets.
altq on $int_if cbq bandwidth 100Mb queue \
    { std_int ssh_int dns_int }
queue std_int bandwidth 80% cbq ( default )
queue ssh_int bandwidth 10% priority 4
queue dns_int bandwidth 10% priority 5
altq on $wi_if cbq bandwidth 11Mb queue \
    { std_wi ssh_wi dns_wi }
queue std_wi bandwidth 80% cbq ( default )
queue ssh_wi bandwidth 10% priority 4
queue dns_wi bandwidth 10% priority 5
# priq only reorders what is waiting.  For the priorities to matter the
# bandwidth here must be the real upstream rate of the link, not the NIC
# speed, so that the backlog forms in this queue and not in the modem.
altq on $ext_if priq bandwidth 100Mb queue \
    { std_ext ssh_ext dns_ext tcp_ack_ext }
queue std_ext priq ( default )
queue ssh_ext priority 4 priq ( red )
queue dns_ext priority 5
queue tcp_ack_ext priority 6
###############################################################################
# NAT
###############################################################################
nat on $ext_if inet from !($ext_if) to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
###############################################################################
# Redirect
###############################################################################
# Outbound FTP from the inside is handed to ftp-proxy(8) on 127.0.0.1:8021.
rdr on $int_if inet proto tcp from $int_if:network to ! <fw_lan> port 21 \
    -> 127.0.0.1 port 8021
rdr on $wi_if inet proto tcp from <authpf_users> to ! <fw_lan> port 21 \
    -> 127.0.0.1 port 8021
# ssh is reached from outside on port 414; the tag lets the filter admit
# only connections that arrived through this redirect.
rdr on $ext_if inet proto tcp from any to ($ext_if) port 414 tag ALLOWED_SSH \
    -> ($ext_if) port ssh
###############################################################################
# Restrictions
###############################################################################
# Filter rules that ftp-proxy(8) installs at run time are evaluated here.
anchor "ftp-proxy/*"
# Drop packets whose source does not belong on the interface they arrived
# on.  lo0 is skipped above, but its entry still drops 127/8 sources that
# show up on the other interfaces.
antispoof quick for { ($lb_if) ($wi_if) ($int_if) }
block all
# Zone policy: an untrusted half may talk only to the Internet; a trusted
# half may talk to the other trusted half and the Internet.  Traffic within
# one segment never reaches this box, so these rules bite across media and
# on the way to this box's own inside addresses.
block quick on { $int_if $wi_if } from <untrusted> to <lan>
block quick on { $int_if $wi_if } from <trusted> to <untrusted>
# Inside hosts do not get to address the external interface directly.
block in quick on $int_if inet from $int_if:network to ($ext_if)
block in quick on $wi_if inet from $wi_if:network to ($ext_if)
################################################################################
# Outgoing Traffic
################################################################################
# Everything has the external address as source here (NAT happened first).
pass out on $ext_if inet proto tcp from ($ext_if) to any flags S/SA \
    modulate state queue ( std_ext tcp_ack_ext )
pass out on $ext_if inet proto { udp icmp } from ($ext_if) to any keep state
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port domain \
    keep state queue ( dns_ext )
pass out on $ext_if inet proto tcp from ($ext_if) to any port ssh flags S/SA \
    keep state queue ( std_ext ssh_ext )
###############################################################################
# Inside interfaces and services offered by this box
###############################################################################
# Ethernet: anywhere except this box.  The box itself offers only ssh
# (rate-limited), ntp and the FTP proxy; the DNS rule exists for its queue.
pass in on $int_if inet from $int_if:network to ! <fw_lan>
pass out on $int_if inet from any to $int_if:network
pass in on $int_if inet proto tcp from $int_if:network to \
    ($int_if) port ssh flags S/SA synproxy state \
    ( max-src-conn-rate 1 / 1 ) queue ( std_int ssh_int )
pass in on $int_if inet proto { tcp udp } from $int_if:network to \
    ($int_if) port ntp keep state
pass in on $int_if inet proto tcp from $int_if:network to 127.0.0.1 port 8021 \
    keep state
pass in on $int_if inet proto { tcp udp } from $int_if:network to \
    ! <fw_lan> port domain keep state queue ( dns_int )
# Wireless: ssh to this box is open to the whole segment so that hosts can
# log in through authpf; everything else requires the authpf table entry.
pass in on $wi_if inet from <authpf_users> to ! <fw_lan>
pass out on $wi_if inet from any to <authpf_users>
pass in on $wi_if inet proto tcp from $wi_if:network to \
    ($wi_if) port ssh flags S/SA synproxy state \
    ( max-src-conn-rate 1 / 1 ) queue ( std_wi ssh_wi )
pass in on $wi_if inet proto { tcp udp } from <authpf_users> to \
    ($wi_if) port ntp keep state
pass in on $wi_if inet proto tcp from <authpf_users> to 127.0.0.1 port 8021 \
    keep state
pass out on $wi_if inet proto { tcp udp } from any port domain to \
    <authpf_users> queue ( dns_wi )
# External: ssh only for connections tagged by the port 414 redirect, plus
# high ports owned by the proxy user (active-mode FTP data connections).
pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh tagged \
    ALLOWED_SSH flags S/SA synproxy state ( max-src-conn-rate 1 / 1 ) \
    queue ( std_ext ssh_ext )
pass in on $ext_if inet proto tcp from any to ($ext_if) port > 49150 \
    user proxy keep state
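The following is an added example, not code from the post above and not part of pf: a toy model of the two pf behaviours the zone ruleset relies on, run against the post's four /25 zones. It shows (1) how pf expands a destination list into one rule per element, so a list of negated elements such as { !($wi_if) !($int_if) } ends up matching every destination, including the firewall's own inside addresses, whereas a single negated table element does not; and (2) last-match-wins evaluation with "quick" short-circuiting, applied to the trusted/untrusted block rules. Only source and destination addresses are modelled (no interface, direction, protocol, port or state). The gateway addresses are assumptions: 10.90.1.1 is the wireless gateway from the trace, and 10.80.1.1 is assumed for sis1, which the post never shows.

```python
"""Toy model of pf list expansion and last-match evaluation (added
example; not the post's configuration, not pf's real evaluator)."""
from ipaddress import ip_address, ip_network

INT_IF = ip_network("10.80.1.1/32")     # assumed address of sis1
WI_IF = ip_network("10.90.1.1/32")      # wireless gateway seen in the trace

# /25 boundaries are .0-.127 and .128-.255, so .128 is in the untrusted half.
TRUSTED = [ip_network("10.80.1.0/25"), ip_network("10.90.1.0/25")]
UNTRUSTED = [ip_network("10.80.1.128/25"), ip_network("10.90.1.128/25")]
LAN = [ip_network("10.80.1.0/24"), ip_network("10.90.1.0/24")]


def matches(addr, spec):
    """spec is (negated, [networks]); pf's '! x' reads 'not in x'."""
    negated, nets = spec
    return any(addr in n for n in nets) != negated


def expand(rule):
    """pf list expansion: a rule whose destination is { a b } becomes one
    rule per element, each element keeping its own negation.
    rule = (action, quick, src_spec, [dst_spec, ...])."""
    action, quick, src, dsts = rule
    return [(action, quick, src, dst) for dst in dsts]


def evaluate(rules, src, dst):
    """Return 'pass' or 'block' for a packet from src to dst.  Rules are
    walked in order; the last match wins unless a matching rule is quick.
    The starting decision is block, mirroring the post's 'block all'."""
    src, dst = ip_address(src), ip_address(dst)
    decision = "block"
    for action, quick, s, d in (r for rule in rules for r in expand(rule)):
        if matches(src, s) and matches(dst, d):
            decision = action
            if quick:
                break
    return decision


def inside_rules(negated_list):
    """The inside filter of the post reduced to addresses.  With
    negated_list=True the general pass rule is written as in the post,
    'to { !($wi_if) !($int_if) }'; with False it is 'to ! <fw_lan>'."""
    if negated_list:
        general_dst = [(True, [WI_IF]), (True, [INT_IF])]   # two rules
    else:
        general_dst = [(True, [WI_IF, INT_IF])]             # one rule
    return [
        ("block", True, (False, UNTRUSTED), [(False, LAN)]),       # untrusted: Internet only
        ("block", True, (False, TRUSTED), [(False, UNTRUSTED)]),   # trusted may not reach untrusted
        ("pass", False, (False, LAN), general_dst),                # everything else from the LAN
    ]


def reaches(src, dst, negated_list=False):
    return evaluate(inside_rules(negated_list), src, dst) == "pass"


def firewall_exposed(negated_list):
    """True if a trusted Ethernet host reaches either gateway address
    through the general pass rule, i.e. on any port."""
    return any(reaches("10.80.1.50", str(gw.network_address), negated_list)
               for gw in (INT_IF, WI_IF))


if __name__ == "__main__":
    for form in (True, False):
        name = "{ !wi !int } list" if form else "! <fw_lan> table"
        print(f"{name}: firewall reachable from LAN on any port -> {firewall_exposed(form)}")
    samples = [("10.80.1.50", "10.90.1.50"),     # trusted eth -> trusted wi
               ("10.80.1.200", "10.90.1.50"),    # untrusted eth -> trusted wi
               ("10.80.1.128", "10.90.1.50"),    # .128 falls in the untrusted /25
               ("10.80.1.200", "198.51.100.7"),  # untrusted -> Internet (constructed address)
               ("10.80.1.50", "10.80.1.200")]    # trusted -> untrusted
    for src, dst in samples:
        print(f"{src:>12} -> {dst:<14} {evaluate(inside_rules(False), src, dst)}")
```

The interesting row is the first one: with the list form the general pass rule admits traffic to both gateway addresses, so the dedicated ssh/ntp/proxy rules are not the only way onto the box; with the table form it admits none, and only the explicit service rules remain. The `block quick` rows come out the same either way, since quick rules are matched before the general pass rule is reached.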