Re: Cant seem to get my rules correct...RESOLVED, almost

2003-10-02 Thread Jason Williams
Ok...Narrowing down the problem here.
The problem, obviously, is with my rules.
I can SSH to the box from my intranet only.
My rules are allowing port 25 in, and it seems, nothing else.
The problem is when postfix tries to relay mail to my internal mail server. 
When the rules are up, mail cannot find a route. When the rules are down, 
it works perfectly.
Here is the snip from the maillog:

Oct  1 10:11:26 blowfish postfix/smtp[26912]: connect to 192.168.1.165[192.168.1.165]: No route to host (port 25)
Oct  1 10:11:26 blowfish postfix/smtp[26912]: 2AE731B0949: to=[EMAIL PROTECTED], relay=none, delay=0, status=deferred (connect to 192.168.1.165[192.168.1.165]: No route to host)

Here are my rules:

ext_if=fxp0  # External Interface
int_if=fxp1
int_net=192.168.1.0/24
tcp_services = { 25 }
tcp_int_services = { 22 }
#Tables
table NoRouteIPs { 127.0.0.1/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, !192.168.0.0/24 }
table trusted persist file /etc/tables/trusted

# Clean up fragmented and abnormal packets
scrub in all
#default Deny all
block in log on $ext_if all
#loopback rules
pass in quick on lo0 all
# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ext_if from NoRouteIPs to any
block out log quick on $ext_if from any to NoRouteIPs
#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from trusted to $int_if port 22 keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
And here is a snippet from my pflog:

Oct 01 10:11:26.711858 rule 3/0(match): block out on fxp0: 10.0.1.80.30123 > 192.168.1.165.25: S 3073788046:3073788046(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 901711457 0> (DF)

Quick note: 10.0.1.80 is the OpenBSD mail gateway.
192.168.1.165 is the internal mail server.
The log clearly states the problem. Now I'm trying to figure out how to 
tweak my rules.
Is the problem due to my tables for NoRouteIPs?

I tried removing 10.0.0.0/8 from the table, but it did not work?
Also, as far as tables are concerned, does it matter which order you place 
the entries in?

Thanks everyone.

Cheers,

Jason
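The pflog entry above names rule 3, and counting the rules in the order pfctl loads them (the `scrub` line is not a filter rule) rule 3 is `block out log quick on $ext_if from any to NoRouteIPs`, so what the table matches is the whole question. Per pf.conf(5), a table lookup is a longest-prefix match, and a `!` entry only carves out the exact prefix it names: `!192.168.0.0/24` exempts 192.168.0.0 through 192.168.0.255, while 192.168.1.165 stays covered by 192.168.0.0/16. Table entries are a set, so their order makes no difference. The Python below is an added example and not code from the thread; it models that lookup on the table exactly as posted, plus a constructed what-if table (`NOROUTE_IPS_INTNET_EXCEPTED`, an assumption for comparison, not a change the thread made) whose exception names the 192.168.1.0/24 network the ruleset calls `int_net`.

```python
import ipaddress

# The NoRouteIPs table exactly as posted in the thread, written here as a
# Python list (the "!" prefix marks a pf table exception).
NOROUTE_IPS = [
    "127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "!192.168.0.0/24",
]

# Constructed what-if for comparison (not from the thread): the same table,
# but the exception names the internal network 192.168.1.0/24 that the
# ruleset calls int_net.
NOROUTE_IPS_INTNET_EXCEPTED = [
    "127.0.0.1/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "!192.168.1.0/24",
]


class PfTable:
    """Small model of a pf address table lookup.

    The most specific (longest-prefix) entry covering an address decides;
    if that entry is negated ("!"), the address does not match the table.
    This models the lookup semantics only, not pfctl loading or storage.
    """

    def __init__(self, entries=()):
        self.entries = []          # list of (ip_network, negated)
        for entry in entries:
            self.add(entry)

    def add(self, entry):
        negated = entry.startswith("!")
        text = entry.lstrip("!")
        # strict=False: a host-form entry such as 127.0.0.1/8 is taken as
        # the enclosing network 127.0.0.0/8, which is how pfctl treats it.
        net = ipaddress.ip_network(text, strict=False)
        self.entries.append((net, negated))

    def best_entry(self, ip):
        """Return the (network, negated) entry with the longest prefix
        covering ip, or None if nothing in the table covers it."""
        addr = ipaddress.ip_address(ip)
        best = None
        for net, negated in self.entries:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, negated)
        return best

    def matches(self, ip):
        best = self.best_entry(ip)
        return best is not None and not best[1]


def block_out_rule_fires(dst_ip, table_entries=NOROUTE_IPS):
    """True if 'block out log quick on $ext_if from any to NoRouteIPs'
    (rule 3 in the pflog) would match a packet destined for dst_ip."""
    return PfTable(table_entries).matches(dst_ip)


def order_independent(ip, table_entries=NOROUTE_IPS):
    """A pf table is a set, so the lookup result must not depend on the
    order the entries were written in. Check every rotation of the list."""
    results = set()
    for i in range(len(table_entries)):
        rotated = table_entries[i:] + table_entries[:i]
        results.add(PfTable(rotated).matches(ip))
    return len(results) == 1


if __name__ == "__main__":
    mail_server = "192.168.1.165"      # internal mail server from the post
    table = PfTable(NOROUTE_IPS)
    net, negated = table.best_entry(mail_server)
    verdict = "blocked" if table.matches(mail_server) else "allowed"
    print(f"{mail_server}: most specific entry {'!' if negated else ''}{net} -> {verdict}")
    alt = "blocked" if block_out_rule_fires(mail_server, NOROUTE_IPS_INTNET_EXCEPTED) else "allowed"
    print(f"same lookup with the exception widened to 192.168.1.0/24 -> {alt}")
    print("order-independent:", order_independent(mail_server))
```

Running it shows 192.168.1.165 resolving to the 192.168.0.0/16 entry (blocked) on the posted table, and to the negated entry (allowed) on the what-if table, with the same answer for every entry order. Removing 10.0.0.0/8, as tried in the post, cannot change this because the rule tests the destination, not the 10.0.1.80 source.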



Re: Cant seem to get my rules correct...RESOLVED, almost

2003-10-02 Thread j knight
Jason Williams wrote:

Our company firewall is a Watchguard (but good news is, our branch 
offices are going to be deploying OpenBSD!!)

Ok...since this mail gateway is on the DMZ, I had to setup a rule on our 
Company firewall, to allow traffic from the DMZ to our internal mail 
server.
As it stands right now, the rule allows IP address, 10.0.1.80 to 
192.168.1.165...
See, this is what I meant by sparseness of information. Why didn't you 
mention this earlier? Please everyone, be _detailed_ in your problem 
descriptions.

That has to be it.
So what I should change is the IP to, 10.0.1.100...that would allow 
traffic from that interface to the internal mail server, correct?
I have no idea what .100 is. I'm not even sure what 10.0.1/24 is anymore.

Let me give that a shot and see what happens.

Thanks for turning the light bulb on in my head. :)
Guy, this is not at all what I had in mind with my previous email :-/



.joel



Re: Cant seem to get my rules correct...RESOLVED

2003-09-30 Thread Jason Williams
Figured it out! Woot!
Feels good when you put your nose to the grind and hammer it out.
Did some mixing around, but this is the end result:

# Define useful variables
ext_if=fxp0  # External Interface
int_if=fxp1
int_net=192.168.1.0/24
tcp_services = { 25 }
tcp_int_services = { 22 }
#Tables
table NoRouteIPs { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8, 192.168.0.0/16, !192.168.0.0/24 }
table trusted persist file /etc/tables/trusted

# Clean up fragmented and abnormal packets
scrub in all
#default Deny all
block in log on $ext_if all
#loopback rules
pass in quick on lo0 all
# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ext_if from NoRouteIPs to any
block out log quick on $ext_if from any to NoRouteIPs
#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

# pass trusted for SSH
pass in log quick on $int_if inet proto tcp from trusted to $int_if port 22 keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
pfctl -s rules output:

scrub in all fragment reassemble
block drop in log on fxp0 all
pass in quick on lo0 all
block drop in log quick on fxp0 from NoRouteIPs to any
block drop out log quick on fxp0 from any to NoRouteIPs
pass in on fxp0 inet proto tcp from any to (fxp0) port = smtp flags S/FSRA keep state
pass in log quick on fxp1 inet proto tcp from trusted to 10.0.1.100 port = ssh keep state
pass out on fxp1 inet from any to 10.0.1.0/24 keep state
pass out on fxp0 proto tcp all flags S/FSRA modulate state
pass out on fxp0 proto udp all keep state
pass out on fxp0 proto icmp all keep state

I can telnet to port 25 on it and it works. Denied on all other ports so far.
I can SSH from my intranet...
I'm happy. :)

Anyone care to make any comments or suggestions?

Thanks.

Jason

At 03:22 PM 9/30/2003 -0700, you wrote:
I keep locking myself out of the box. heheheh

Here is what I have: I have a OpenBSD Mail gateway on my DMZ. I want to 
only allow SMTP connections coming from my firewall, but allow SSH 
connections coming from my intranet.

My subnets:

DMZ = 10.0.1.1/24
Private = 192.168.1.0/24
RULES:

# Define useful variables
ext_if=fxp0  # External Interface
int_if=fxp1
tcp_services = { 25 }
tcp_int_services = { 22 }
table NoRouteIPs { 127.0.0.1/8, 172.16.0.0/12, 10.0.0.0/8 }

# Clean up fragmented and abnormal packets
scrub in all
#default Deny all
block log all
#loopback rules
pass in quick on lo0 all
# don't allow anyone to spoof non-routeable addresses
block in  log quick on $ext_if from NoRouteIPs to any
block out log quick on $ext_if from any to NoRouteIPs
# block NMAP stuff
block in log quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags /SFRA
block in log quick on $ext_if inet proto tcp from any to any flags F/SFRA
block in log quick on $ext_if inet proto tcp from any to any flags U/SFRAU
block in log on $ext_if all
#Passing in email
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SAFR keep state

#Passing in SSH from intranet
pass in on $int_if inet proto tcp from $int_if:network port $tcp_int_services flags S/SAFR keep state
pass in on $int_if from $int_if:network to any keep state

# and let out-going traffic out and maintain state on established connections
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state
I'm reading over the PF FAQ right now, trying to see where I've gone wrong.

I'm wondering if I need to add something like this:

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
Like I said, I want to be able to SSH to the box on the DMZ.

Any recommendations?

Thanks.

jason