Re: Help with v3.9 pf?
tell the PFY to fix it

On Dec 26, 2006, at 8:45 PM, B.O.F.H. wrote:

> Scenario: DSL -> DSL "modem" -> OpenBSD Firewall -> LAN
> [...]
Re: Help with v3.9 pf?
> bge1 - Internal Interface, 192.168.0.1
> sk0 - Management Interface, 192.168.0.36

These are on the same network. From your ifconfig:

bge1  inet 192.168.0.1 netmask 0x broadcast 192.168.255.255
sk0   inet 192.168.0.36 netmask 0xffc0 broadcast 192.168.0.63

I suspect that will cause all kinds of problems.

192.168.0.0/26  link#3  UC  00  -  sk0
192.168/16      link#2  UC  00  -  bge1

So which interface will packets destined for your gateway of 192.168.0.1 be sent on? I *think* the narrow netmask wins, so it goes to sk0. What will your pf ruleset do to those packets if seen on sk0?

Put sk0 on net 10 or narrow its netmask to /32 (host route) and try again.

// marc (just guessing)
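The "narrow netmask wins" argument above, worked through as an added example (this is not code from the thread or from OpenBSD). It models the two inside interfaces as the kernel's connected routes, does a longest-prefix match for a handful of LAN hosts taken from the poster's pf.conf macros, and then re-runs the check for both fixes marc suggests. The /16 and /26 prefixes come from the quoted routing table; the 10.0.0.36/24 address used for the "net 10" variant is an assumed value. It generalizes marc's point from the gateway address to any LAN host inside the /26.

```python
"""Connected-route sanity check for overlapping inside interfaces.

Added example, not code from the thread. Given each interface's address
and prefix, it answers: out of which interface will the firewall send a
packet to a given LAN host? The kernel picks the most specific connected
route (longest prefix), so a narrow management subnet sitting inside the
LAN subnet silently captures traffic for part of the LAN.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed from the ifconfig/netstat output quoted in the thread.
ORIGINAL: Dict[str, str] = {
    "bge1": "192.168.0.1/16",   # internal interface, the LAN's default gateway
    "sk0": "192.168.0.36/26",   # management interface, DHCP-assigned
}

# marc's first fix: move management onto net 10 (the /24 is an assumption).
FIX_NET10: Dict[str, str] = {"bge1": "192.168.0.1/16", "sk0": "10.0.0.36/24"}

# marc's second fix: keep the address but make it a host route (/32).
FIX_HOSTROUTE: Dict[str, str] = {"bge1": "192.168.0.1/16", "sk0": "192.168.0.36/32"}

# LAN hosts named in the poster's pf.conf macros, plus one outside the /26.
LAN_HOSTS = ["192.168.0.17", "192.168.0.33", "192.168.0.34", "192.168.0.100"]


def connected_routes(interfaces: Dict[str, str]) -> List[Tuple[ipaddress.IPv4Network, str]]:
    """One connected ('UC') route per interface, as in the netstat -rn lines quoted above."""
    return [(ipaddress.ip_interface(addr).network, name) for name, addr in interfaces.items()]


def overlapping_interfaces(interfaces: Dict[str, str]) -> List[Tuple[str, str]]:
    """Interface pairs whose connected networks overlap at all."""
    routes = connected_routes(interfaces)
    hits: List[Tuple[str, str]] = []
    for i, (net_a, if_a) in enumerate(routes):
        for net_b, if_b in routes[i + 1:]:
            if net_a.overlaps(net_b):
                hits.append((if_a, if_b))
    return hits


def egress_interface(interfaces: Dict[str, str], destination: str) -> Optional[str]:
    """Longest-prefix match over the connected routes: the narrowest netmask wins.

    Returns None when no connected route covers the destination.
    """
    dst = ipaddress.ip_address(destination)
    best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
    for net, name in connected_routes(interfaces):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def misrouted_lan_hosts(interfaces: Dict[str, str], lan_if: str, hosts: List[str]) -> List[str]:
    """LAN hosts whose traffic would leave by some interface other than the LAN interface."""
    return [h for h in hosts if egress_interface(interfaces, h) != lan_if]


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("net 10", FIX_NET10), ("/32 host route", FIX_HOSTROUTE)):
        print(f"{label}: overlaps={overlapping_interfaces(cfg)} "
              f"misrouted={misrouted_lan_hosts(cfg, 'bge1', LAN_HOSTS)}")
```

With the original addressing, every host in 192.168.0.0-63 (which includes the DNS servers, clotho and the MX) is routed out sk0 rather than bge1, so any pf rule keyed on $int_if never sees the return traffic. The /32 variant stops the misrouting but still overlaps the /16, which is why moving management to a separate network is the cleaner of the two fixes.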
Help with v3.9 pf?
Scenario: DSL -> DSL "modem" -> OpenBSD Firewall -> LAN

Firewall has three legs:

bge0 - External Interface, 206.124.14.98
bge1 - Internal Interface, 192.168.0.1
sk0 - Management Interface, 192.168.0.36

Desired goal: Perform multiple static NAT translations along with a fairly standard rule set, using bge1 as the default gateway for the LAN and bge0 as the public interface.

Current functionality: Overload NAT to a single IP through the DSL modem, using the OpenBSD firewall in bridge mode.

Problem: When I reconfigure the OpenBSD firewall to take it out of bridge mode and run in full NAT mode, it mucks with the IPs assigned to the two inside interfaces, which causes packets to go nowhere.

Relevant (hopefully) data:

Current bridge mode pf.conf:

ext_if = "bge0"
int_if = "bge1"

set skip on lo0

0_ns = "192.168.0.17"
1_ns = "192.168.0.19"
megarea = "192.168.0.32"
clotho = "192.168.0.33"
pheme = "192.168.0.35"
heimdall = "192.168.0.36"
0_mx = "192.168.0.34"
dns = "{" $0_ns $1_ns "}"
external = "{ 192.168.0.1, 192.168.0.5 }"
internal = "{ 192.168.0.32, 192.168.0.34 }"

table { 64.37.156.7, 64.37.129.41, 199.108.194.76, 199.108.194.75, 64.37.129.42 }
table { 64.37.148.142, 64.37.148.144, 64.37.158.0/24, 199.108.2.0/24, 199.108.12.0/24, 199.108.202.0/24, 199.108.203.0/24, 195.33.135.0/24 }
table { 64.37.158.0/24, 199.108.2.0/24, 199.108.12.0/24, 199.108.202.0/24, 199.108.203.0/24, 195.33.135.0/24 }

scrub in on $int_if all no-df random-id
scrub in on $ext_if all no-df fragment reassemble
scrub on $ext_if reassemble tcp

rdr on $ext_if proto tcp from any to $0_mx port 109 -> $0_mx port 25

pass in quick on $int_if all
pass out quick on $int_if all

block in log (all) on $ext_if all

pass out quick \
    on $ext_if \
    proto tcp \
    from $clotho \
    to \
    modulate state

pass out quick \
    on $ext_if \
    proto udp \
    from $clotho \
    to

pass out quick \
    on $ext_if \
    inet proto icmp \
    from $clotho \
    to

pass out \
    on $ext_if \
    inet proto icmp \
    all \
    keep state

pass out \
    on $ext_if \
    proto tcp \
    all \
    modulate state

pass out \
    on $ext_if \
    proto udp \
    all \
    keep state

pass in quick \
    on $ext_if \
    proto tcp \
    from \
    to $clotho \
    modulate state

pass in quick \
    on $ext_if \
    proto udp \
    from \
    to $clotho

pass in quick \
    on $ext_if \
    inet proto icmp \
    from \
    to $clotho

pass in \
    on $ext_if \
    proto tcp \
    from any \
    to $pheme \
    port { https } \
    modulate state

pass in \
    on $ext_if \
    proto tcp \
    from any \
    to $0_mx \
    port { smtp, imap, imaps } \
    modulate state

pass in log (all) \
    on $ext_if \
    proto tcp \
    from any \
    to $dns \
    port { 53 } \
    modulate state

pass in \
    on $ext_if \
    proto udp \
    from any \
    to $dns \
    port { 53 } \
    keep state

pass in \
    on $ext_if \
    proto tcp \
    from $external \
    to $internal \
    port { 68, 69, 123, 514 } \
    modulate state

pass in \
    on $ext_if \
    proto udp \
    from $external \
    to $internal \
    port { 68, 69, 123, 514 } \
    keep state

pass in \
    on $ext_if \
    proto tcp \
    from $external \
    to { 192.168.0.16, 192.168.0.18 } \
    port { 53 } \
    modulate state

pass in \
    on $ext_if \
    proto udp \
    from $external \
    to { 192.168.0.16, 192.168.0.18 } \
    port { 53 } \
    keep state

pass in \
    on $ext_if \
    proto 24 \
    from $external \
    to $internal

pass in \
    on $ext_if \
    proto tcp \
    from $external \
    to { 192.168.0.36 } \
    port { 123 } \
    modulate state

pass in \
    on $ext_if \
    proto udp \
    from $external \
    to { 192.168.0.36 } \
    port { 123 } \
    keep state

pass in log (all) \
    on $ext_if \
    proto tcp \
    from { 205.156.51.200 } \
    port { ftp-data } \
    to any \
    modulate state

pass in log (all) \
    on $ext_if \
    proto tcp \
    from any \
    to any \
    port { ftp-data, ftp, ssh } \
    modulate state

Current hostname / bridgename files:

# cat /etc/hostname.bge0
up

# cat /etc/hostname.bge1
up

# cat /etc/hostname.sk0
dhcp NONE NONE NONE description "Internal Firewall"

# cat /etc/bridgename.bridge0
add bge0
add bge1
up

# ifconfig -a
lo0: flags=8049 mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff00
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x7
bge0: flags=8943 mtu 1500
        lladdr 00:e0:ed:07:eb:ec
        media: Ethern