Re: Can't seem to get my rules correct...RESOLVED, almost
Ok...Narrowing down the problem here. The problem, obviously, is with my rules. I can SSH to the box from my intranet only. My rules are allowing port 25 in and, it seems, nothing else. The problem is when postfix tries to relay mail to my internal mail server. When the rules are up, mail cannot find a route. When the rules are down, it works perfectly.

Here is the snip from the maillog:

Oct 1 10:11:26 blowfish postfix/smtp[26912]: connect to 192.168.1.165[192.168.1.165]: No route to host (port 25)
Oct 1 10:11:26 blowfish postfix/smtp[26912]: 2AE731B0949: to=[EMAIL PROTECTED], relay=none, delay=0, status=deferred (connect to 192.168.1.165[192.168.1.165]: No route to host)

Here are my rules:

ext_if=fxp0 # External Interface
int_if=fxp1
int_net=192.168.1.0/24
tcp_services = { 25 }
tcp_int_services = { 22 }

#Tables
table <NoRouteIPs> { 127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !192.168.0.0/24 }
table <trusted> persist file "/etc/tables/trusted"

# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block in log on $ext_if all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port 22 keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

And here is a snippet from my pflog:

Oct 01 10:11:26.711858 rule 3/0(match): block out on fxp0: 10.0.1.80.30123 > 192.168.1.165.25: S 3073788046:3073788046(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 901711457 0> (DF)

Quick note: 10.0.1.80 is the OpenBSD mail gateway. 192.168.1.165 is the internal mail server. The log clearly states the problem. Now I'm trying to figure out how to tweak my rules. Is the problem due to my table for NoRouteIPs? I tried removing 10.0.0.0/8 from the table, but it did not work. Also, as far as tables are concerned, does it matter which order you place the entries in?

Thanks everyone.

Cheers,
Jason
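Added example, not from the thread: a small Python model of how pf evaluates the posted NoRouteIPs table and the two "out on $ext_if" rules that can match the logged SYN, showing why 192.168.1.165 hits the "block out ... quick" rule and that entry order in a table does not matter. It assumes pf's documented table semantics (longest matching prefix wins, a "!" entry excludes) and pf's implicit pass when no rule matches; the FIXED table is a constructed variant, not something posted in the thread.

```python
import ipaddress

# pf table semantics (pf.conf(5)): the entry with the longest matching
# prefix decides, and a "!"-prefixed entry excludes. Order is irrelevant.
def table_matches(table, host):
    """True if `host` is covered by the pf table given as a list of entries."""
    ip = ipaddress.ip_address(host)
    best = None  # (network, negated) of the most specific matching entry
    for entry in table:
        negated = entry.startswith("!")
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]

def outbound_verdict(table, dst):
    """Verdict for a TCP packet leaving $ext_if, using only the two rules
    from the post that can match it. pf is last-match-wins, except that a
    matching 'quick' rule ends evaluation immediately."""
    rules = [
        # block out log quick on $ext_if from any to <NoRouteIPs>
        ("block", True, lambda d: table_matches(table, d)),
        # pass out on $ext_if proto tcp all modulate state flags S/SAFR
        ("pass", False, lambda d: True),
    ]
    verdict = "pass"  # pf's implicit default when no rule matches
    for action, quick, matches in rules:
        if matches(dst):
            verdict = action
            if quick:
                break
    return verdict

# Table exactly as posted: the exception covers 192.168.0.0/24, but the
# internal mail server 192.168.1.165 sits in 192.168.1.0/24.
POSTED = ["127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
          "192.168.0.0/16", "!192.168.0.0/24"]
# Constructed variant (assumption): exclude the network $int_net names.
FIXED = ["127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
         "192.168.0.0/16", "!192.168.1.0/24"]

if __name__ == "__main__":
    for name, table in (("posted", POSTED), ("fixed", FIXED)):
        print(name, "192.168.1.165 ->", outbound_verdict(table, "192.168.1.165"))
    # Same result with the entries reversed: table order does not matter.
    print("reversed posted ->", outbound_verdict(list(reversed(POSTED)), "192.168.1.165"))
```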
Re: Can't seem to get my rules correct...RESOLVED, almost
Jason Williams wrote:
> Our company firewall is a Watchguard (but good news is, our branch offices are going to be deploying OpenBSD!!) Ok...since this mail gateway is on the DMZ, I had to set up a rule on our Company firewall, to allow traffic from the DMZ to our internal mail server. As it stands right now, the rule allows IP address 10.0.1.80 to 192.168.1.165...

See, this is what I meant by sparseness of information. Why didn't you mention this earlier? Please everyone, be _detailed_ in your problem descriptions.

> That has to be it. So what I should change is the IP to 10.0.1.100...that would allow traffic from that interface to the internal mail server, correct?

I have no idea what .100 is. I'm not even sure what 10.0.1/24 is anymore.

> Let me give that a shot and see what happens. Thanks for turning the light bulb on in my head. :)

Guy, this is not at all what I had in mind with my previous email :-/

.joel
Can't seem to get my rules correct...
I keep locking myself out of the box. heheheh

Here is what I have: I have an OpenBSD Mail gateway on my DMZ. I want to only allow SMTP connections coming from my firewall, but allow SSH connections coming from my intranet.

My subnets:
DMZ = 10.0.1.1/24
Private = 192.168.1.0/24

RULES:

# Define useful variables
ext_if=fxp0 # External Interface
int_if=fxp1
tcp_services = { 25 }
tcp_int_services = { 22 }
table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block log all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

#Passing in SSH from intranet
pass in on $int_if inet proto tcp from $int_if:network port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

I'm reading over the PF FAQ right now, trying to see where I've gone wrong. I'm wondering if I need to add something like this:

pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

Like I said, I want to be able to SSH to the box on the DMZ. Any recommendations?

Thanks.
jason
Re: Can't seem to get my rules correct...RESOLVED
Figured it out! Woot! Feels good when you put your nose to the grind and hammer it out. Did some mixing around, but this is the end result:

# Define useful variables
ext_if=fxp0 # External Interface
int_if=fxp1
int_net=192.168.1.0/24
tcp_services = { 25 }
tcp_int_services = { 22 }

#Tables
table <NoRouteIPs> { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, !192.168.0.0/24 }
table <trusted> persist file "/etc/tables/trusted"

# Clean up fragmented and abnormal packets
scrub in all

#default Deny all
block in log on $ext_if all

#loopback rules
pass in quick on lo0 all

# don't allow anyone to spoof non-routeable addresses
block in log quick on $ext_if from <NoRouteIPs> to any
block out log quick on $ext_if from any to <NoRouteIPs>

#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from <trusted> to $int_if port 22 keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

pfctl -s rules output:

scrub in all fragment reassemble
block drop in log on fxp0 all
pass in quick on lo0 all
block drop in log quick on fxp0 from <NoRouteIPs> to any
block drop out log quick on fxp0 from any to <NoRouteIPs>
pass in on fxp0 inet proto tcp from any to (fxp0) port = smtp flags S/FSRA keep state
pass in log quick on fxp1 inet proto tcp from <trusted> to 10.0.1.100 port = ssh keep state
pass out on fxp1 inet from any to 10.0.1.0/24 keep state
pass out on fxp0 proto tcp all flags S/FSRA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state

I can telnet to port 25 on it and it works. Denied on all other ports so far. I can SSH from my intranet... I'm happy. :)

Anyone care to make any comments or suggestions?

Thanks.
Jason

At 03:22 PM 9/30/2003 -0700, you wrote: