Re: PF Routing to VPN Device

2009-06-18 Thread Valentin Bud
On Wed, Jun 17, 2009 at 10:31 PM, Mike Sweetser - Adhost mik...@adhost.com wrote:



Hello Mike,

What version of FBSD are you using? The keep state is implicit from 7.0 as far as I know. I might not be right, so someone please correct me.

If that is the case you should add keep state to your rule and see what happens.

my 7c,
v
-- 
network warrior since 2005
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org


RE: PF Routing to VPN Device

2009-06-18 Thread Mike Sweetser - Adhost
 -Original Message-
 From: Valentin Bud [mailto:valentin@gmail.com]
 Sent: Thursday, June 18, 2009 1:36 AM
 To: Mike Sweetser - Adhost
 Cc: freebsd-questions@freebsd.org
 Subject: Re: PF Routing to VPN Device
 Hello Mike,
 
  What version of FBSD are you using? The keep state is implicit from 7.0 as far as I know. I might not be right, so someone please correct me.
 
  If that is the case you should add keep state to your rule and see what happens.

We're using FreeBSD 7.2.

Mike


Re: PF Routing to VPN Device

2009-06-18 Thread Valentin Bud
On Thu, Jun 18, 2009 at 11:35 AM, Valentin Bud valentin@gmail.com wrote:


  Hello Mike,
  What version of FBSD are you using? The keep state is implicit from 7.0 AFAIK.

So if you are using a version prior to 7.0, you should add keep state so the return traffic can be passed.

v
-- 
network warrior since 2005


Re: PF Routing to VPN Device

2009-06-18 Thread Tim Judd
On 6/17/09, Mike Sweetser - Adhost mik...@adhost.com wrote:



Mike,

I know the typical firewall rules that are googleable are one of two
basic starting policies:

-- 1.
  block in all
  pass out all

-- 2.
  block all

They've become a headache for me when configuring a firewall, and I now
start with this base. In this example, fxp0 is facing the Internet,
and xl0 is facing the trusted network.

-- 3.
  block in on fxp0 all
  pass out

This adds the benefit that VPN connections, TUNs, GIFs, and all other
Ethernet devices aren't blindly evaluated against a simple block in rule;
rather, it's just the public Internet traffic on the fxp0 interface that is
being blocked, while TUNs, GIFs, and the like are exempt from that
rule entry.

Might you try editing your rules to block just your public-IP
firewall interface?

Good luck.
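A ruleset that combines the two suggestions made in this thread (Tim's interface-scoped block and Valentin's explicit keep state) with the addresses from Mike's post, written here as an added example rather than anything the posters sent. The interface names (fxp0 from Tim's example, bge1 from the pflog line) and the `( interface address )` form of the route-to target, which is what the pf.conf(5) grammar of that era requires, are assumptions about the actual setup.

```pf
# Added example, not from the thread. fxp0 = Internet-facing interface (Tim's
# example), bge1 = internal interface seen in Mike's pflog output; both are
# assumptions about the real machine.
ext_if   = "fxp0"
int_if   = "bge1"
lan_net  = "10.1.4.0/24"
vpn_gw   = "10.1.4.200"
vpn_nets = "{ 10.1.1.0/24, 10.1.2.0/24 }"

set skip on lo0

# Tim's base: only the public interface gets a blanket block. Packets arriving
# on bge1 (LAN hosts, the VPN device, tun/gif interfaces) are not dropped by
# this rule, so a reply such as 10.1.4.25.80 > 10.1.2.105.3558 is no longer
# caught and logged here.
block in log on $ext_if all
pass out all keep state

# Mike's rule with the closing brace fixed ("}" rather than ")") and the
# route-to target in the "( interface address )" form. keep state is written
# out explicitly, as Valentin suggested, so the rule reads the same on releases
# before 7.0 where it is not implied.
pass in on $int_if route-to ($int_if $vpn_gw) from $lan_net to $vpn_nets keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it and rejects the stray `)` of the original rule; `pfctl -ss` shows whether a state entry exists for the connection before its reply reaches bge1.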


PF Routing to VPN Device

2009-06-17 Thread Mike Sweetser - Adhost
Hello,

We have a network with a VPN device sitting beside a PF server, both
connected to an internal network.  

PF Server: 10.1.4.1
VPN Device: 10.1.4.200

The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to
these networks should be routed to 10.1.4.200.  We've set up routes on
the PF server as such.

We've set up the following rules:

block in log
pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }

However, the block in log is catching the return traffic.  From pflog
when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on
port 80:

00 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]

If we remove the block in log, the traffic works.

What are we missing?

Thanks,
Mike