Re: first firewall with pf
Hi,

You were right, it had to do with my topology. The firewall is working correctly now. Thanks again for all your help.

On Thu, Mar 26, 2009 at 8:07 PM, Eric Magutu emag...@gmail.com wrote:
> Hi Michael,
>
> I was trying to simulate the conditions of the server on a test machine. I'm pretty sure now I didn't take into account all the network aspects, silly mistake :-) It's probably my routing. I will check on my routes tomorrow and get back to you. I think there is only one active interface though.
>
> On Thu, Mar 26, 2009 at 7:33 PM, Michael K. Smith - Adhost mksm...@adhost.com wrote:
>> Hello Eric:
>>
>>> Hi everyone,
>>
>> Can you provide a little more information about your topology? Right now, you only have one interface defined in your rules, but you are attempting to pass traffic between two subnets. That would suggest you have two interfaces and, if so, both need to be accounted for in your rules below. You'll have to have pass/block rules for both. It looks like this:
>>
>> 172.16.0.0/16 - le0 firewall - (some other interface) - 10.0.0.0
>>
>> Could you tell me if that is correct?
>>
>> Thanks,
>>
>> Mike
>>
>> - Original Message Snipped -
>>
>>> Thanks for all your input so far. I have tried to implement all your suggestions but have gotten stuck. I set up a test machine in the office with the IP 10.0.0.110 and encountered the following problems: when I enabled antispoofing the firewall didn't work; when I tried allowing the 10.0.0.0 subnet it worked OK, but when I tried connecting from machines on the 172.16 subnet I was unable to connect. Can you please let me know what I'm doing wrong?
>
> --
> Regards,
> Eric Magutu

--
Regards,
Eric Magutu

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: first firewall with pf
Hi everyone,

Thanks for all your input so far. I have tried to implement all your suggestions but have gotten stuck. I set up a test machine in the office with the IP 10.0.0.110 and encountered the following problems: when I enabled antispoofing the firewall didn't work; when I tried allowing the 10.0.0.0 subnet it worked OK, but when I tried connecting from machines on the 172.16 subnet I was unable to connect. Can you please let me know what I'm doing wrong?

#
# interfaces
#
ext_if=le0
#ext_if2=bce1
#
# ports to be opened
#
# tcp ports
good_port_tcp={ 80, 110, 143, 161, 443, 873 }
# udp ports
good_port_udp={ 161, 873 }
##
# block all other traffic
##
# should be the first rule; no "quick" here, so later pass rules can override
# it, and "log" here sends every packet that ends up blocked to pflog0 (see
# the logging section at the end)
block in log on $ext_if all
# anti-spoofing
#
# traffic can't come in on your IP's
# NOTE: $ext_if2 is commented out above, so it is an undefined macro and
# pfctl refuses to load a ruleset that references one. Define it or drop it
# from the list before uncommenting this rule.
#antispoof quick for { lo0 $ext_if $ext_if2 } inet
#
# allow all connections from and to loopback
#
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state
# allow all connections out through external interfaces
#
pass out quick on $ext_if all keep state
##
# Blocked ips
##
# put ips or ip blocks as below
badguys={ 192.168.1.100, 192.160.1.2, 192.168.200.0/24 }
block in quick on $ext_if from $badguys
# smtp connections allowed
#
# European servers
pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25 keep state
# American
pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25 keep state
# from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.0/27 to 10.0.0.110 port 25 keep state
###
# pass traffic from allowed ports
###
# pass traffic from allowed tcp ports
pass in on $ext_if inet proto tcp from any to 10.0.0.110 port $good_port_tcp keep state
# pass traffic from allowed udp ports (the posted line repeated the tcp rule;
# it has to reference proto udp and $good_port_udp)
pass in on $ext_if inet proto udp from any to 10.0.0.110 port $good_port_udp keep state
##
# allow connections from NMC and servers
##
# my ip
pass in quick on $ext_if inet proto { tcp, udp, icmp } from 10.0.0.58 to 10.0.0.110 keep state
# 172.16.0.0/12 are the ips NMC access with (the posted rule said /8, which
# is all of 172.0.0.0/8; /12 matches this comment)
pass in on $ext_if inet proto { tcp, udp, icmp } from 172.16.0.0/12 to 10.0.0.110 keep state
##
# enable logging
##
# The posted ruleset ended with a second "block in log on $ext_if" here.
# Being the last matching rule and not "quick", it overrides every non-quick
# pass rule above (the allowed-ports and 172.16 rules), so "log" has been
# folded into the first block rule instead.
# to view log run command below
#tcpdump -n -e -ttt -i pflog0
##
# for any questions contact me #
##

On Tue, Mar 24, 2009 at 8:00 PM, Michael K. Smith - Adhost mksm...@adhost.com wrote:
> I also forgot to mention:
>
> You should probably log your block rule so that you can see what's going on if things don't work as expected. So:
>
> block in log on $ext_if
>
> Note the lack of quick as well, as previously mentioned. With logging enabled, provided you have pflog running (which you should), you can use the following to see what's being blocked.
>
> tcpdump -n -e -ttt -i pflog0
>
> (provided pflog0 is your pflog interface).
>
> Regards,
>
> Mike

--
Regards,
Eric Magutu
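The ordering problem in the ruleset above (a non-quick "block in" appended after the pass rules) is easiest to see by replaying pf's matching semantics. The following Python is an added example, not code from the thread or from pf itself: it models only the subset of pf needed here (direction, interface, protocol, source/destination networks, destination ports and the quick keyword), with pf's rule that the last matching rule decides unless a matching rule is quick, which ends evaluation. The ruleset is transcribed from Eric's post minus the SMTP lines with redacted x.x.x.0 sources; the sample packets are constructed.

```python
"""Toy model of pf filter-rule evaluation (added example, not pf's code).
pf semantics modelled: the LAST matching rule wins, unless a matching
rule is marked "quick", which stops evaluation at that rule."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                                  # "pass" or "block"
    direction: str
    iface: str
    quick: bool = False
    protos: Optional[FrozenSet[str]] = None      # None = any protocol
    src: Optional[Tuple[str, ...]] = None        # networks; None = any
    dst: Optional[Tuple[str, ...]] = None
    dports: Optional[FrozenSet[int]] = None      # None = any port

    @staticmethod
    def _in_any(addr: str, nets: Optional[Tuple[str, ...]]) -> bool:
        return nets is None or any(ip_address(addr) in ip_network(n) for n in nets)

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.iface == p.iface
                and (self.protos is None or p.proto in self.protos)
                and self._in_any(p.src, self.src)
                and self._in_any(p.dst, self.dst)
                and (self.dports is None or p.dport in self.dports))


def evaluate(rules: List[Rule], p: Packet) -> str:
    """Return 'pass' or 'block'. pf's implicit default when nothing matches is pass."""
    verdict = "pass"
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:          # quick: stop here, this rule is final
                break
    return verdict


EXT = "le0"
HOST = ("10.0.0.110/32",)
ALL = frozenset({"tcp", "udp", "icmp"})
TCP_PORTS = frozenset({80, 110, 143, 161, 443, 873})
BADGUYS = ("192.168.1.100/32", "192.160.1.2/32", "192.168.200.0/24")


def posted_ruleset() -> List[Rule]:
    """Inbound rules in the order they were posted (SMTP rules with redacted sources omitted)."""
    return [
        Rule("block", "in", EXT),                                   # block in on $ext_if all
        Rule("block", "in", EXT, quick=True, src=BADGUYS),          # block in quick ... from $badguys
        Rule("pass", "in", EXT, protos=frozenset({"tcp"}), dst=HOST, dports=TCP_PORTS),
        Rule("pass", "in", EXT, quick=True, protos=ALL, src=("10.0.0.58/32",), dst=HOST),
        Rule("pass", "in", EXT, protos=ALL, src=("172.16.0.0/12",), dst=HOST),
        Rule("block", "in", EXT),                                   # trailing "block in log on $ext_if"
    ]


def fixed_ruleset() -> List[Rule]:
    """Same rules with "log" folded into the first block rule: no non-quick block after the passes."""
    return posted_ruleset()[:-1]


def compare(packet: Packet) -> Tuple[str, str]:
    """(verdict under the posted ruleset, verdict under the fixed ruleset)."""
    return evaluate(posted_ruleset(), packet), evaluate(fixed_ruleset(), packet)


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("in", EXT, "tcp", "172.16.5.9", "10.0.0.110", 22),     # NMC host
        Packet("in", EXT, "tcp", "203.0.113.5", "10.0.0.110", 80),    # anyone, allowed port
        Packet("in", EXT, "tcp", "203.0.113.5", "10.0.0.110", 22),    # anyone, closed port
        Packet("in", EXT, "tcp", "10.0.0.58", "10.0.0.110", 22),      # admin host (quick pass)
        Packet("in", EXT, "tcp", "192.168.200.7", "10.0.0.110", 80),  # badguys (quick block)
    ]
    for p in samples:
        posted, fixed = compare(p)
        print(f"{p.src:>14} -> {p.dst}:{p.dport}  posted={posted:5}  fixed={fixed}")
```

Running it shows that, as posted, only the quick pass for 10.0.0.58 survives: the 172.16 host and the allowed-port traffic both end up blocked by the trailing rule, while the same packets pass once that rule is gone. Keep in mind the model ignores state, scrub and tables; it is for reasoning about rule order, not for validating a real ruleset (that is what pfctl -nf does).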
RE: first firewall with pf
Hello Eric:

> Hi everyone,

Can you provide a little more information about your topology? Right now, you only have one interface defined in your rules, but you are attempting to pass traffic between two subnets. That would suggest you have two interfaces and, if so, both need to be accounted for in your rules below. You'll have to have pass/block rules for both. It looks like this:

172.16.0.0/16 - le0 firewall - (some other interface) - 10.0.0.0

Could you tell me if that is correct?

Thanks,

Mike

- Original Message Snipped -

> Thanks for all your input so far. I have tried to implement all your suggestions but have gotten stuck. I set up a test machine in the office with the IP 10.0.0.110 and encountered the following problems: when I enabled antispoofing the firewall didn't work; when I tried allowing the 10.0.0.0 subnet it worked OK, but when I tried connecting from machines on the 172.16 subnet I was unable to connect. Can you please let me know what I'm doing wrong?
Re: first firewall with pf
Hi Michael,

I was trying to simulate the conditions of the server on a test machine. I'm pretty sure now I didn't take into account all the network aspects, silly mistake :-) It's probably my routing. I will check on my routes tomorrow and get back to you. I think there is only one active interface though.

On Thu, Mar 26, 2009 at 7:33 PM, Michael K. Smith - Adhost mksm...@adhost.com wrote:
> Hello Eric:
>
>> Hi everyone,
>
> Can you provide a little more information about your topology? Right now, you only have one interface defined in your rules, but you are attempting to pass traffic between two subnets. That would suggest you have two interfaces and, if so, both need to be accounted for in your rules below. You'll have to have pass/block rules for both. It looks like this:
>
> 172.16.0.0/16 - le0 firewall - (some other interface) - 10.0.0.0
>
> Could you tell me if that is correct?
>
> Thanks,
>
> Mike
>
> - Original Message Snipped -
>
>> Thanks for all your input so far. I have tried to implement all your suggestions but have gotten stuck. I set up a test machine in the office with the IP 10.0.0.110 and encountered the following problems: when I enabled antispoofing the firewall didn't work; when I tried allowing the 10.0.0.0 subnet it worked OK, but when I tried connecting from machines on the 172.16 subnet I was unable to connect. Can you please let me know what I'm doing wrong?

--
Regards,
Eric Magutu
Re: first firewall with pf
Also, it would be a good idea to go through the pf manual at least once. I don't see any scrub or options or timeout periods (fine tuning).
Re: first firewall with pf
I forgot to mention... You have something like pass in/out on lo0. That's not wrong, but it's not the way to do it.

set skip on lo0 # is the right way
RE: first firewall with pf
I also forgot to mention:

You should probably log your block rule so that you can see what's going on if things don't work as expected. So:

block in log on $ext_if

Note the lack of quick as well, as previously mentioned. With logging enabled, provided you have pflog running (which you should), you can use the following to see what's being blocked.

tcpdump -n -e -ttt -i pflog0

(provided pflog0 is your pflog interface).

Regards,

Mike
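Once the block rule logs to pflog0, the useful next step is to turn the tcpdump output into a per-source summary and to single out blocked packets that came from ranges the policy meant to allow, since those point at rule order or topology problems rather than hostile traffic. The script below is an added example, not part of the thread: it parses lines in the shape tcpdump -n -e -ttt -i pflog0 prints (keying on the "rule N/M(reason): action direction on iface:" header and ignoring whatever timestamp precedes it), and the SAMPLE_LOG lines are constructed, not a real capture.

```python
"""Summarise pflog output as printed by `tcpdump -n -e -ttt -i pflog0`
(added example, not part of the thread; sample lines are constructed)."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# pflog header as tcpdump -e prints it, then "src[.sport] > dst[.dport]: rest"
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\S+): "
    rf"(?P<src>{IPV4})(?:\.(?P<sport>\d+))? > "
    rf"(?P<dst>{IPV4})(?:\.(?P<dport>\d+))?: "
    r"(?P<rest>.*)"
)

# Constructed sample lines (not a real capture).
SAMPLE_LOG = """\
00:00:00.000000 rule 0/0(match): block in on le0: 192.168.200.7.41234 > 10.0.0.110.80: Flags [S], seq 1, win 65535, length 0
00:00:01.204113 rule 0/0(match): block in on le0: 172.16.5.9.51022 > 10.0.0.110.22: Flags [S], seq 2, win 65535, length 0
00:00:00.000530 rule 0/0(match): block in on le0: 172.16.5.9.51023 > 10.0.0.110.22: Flags [S], seq 3, win 65535, length 0
00:00:02.000000 rule 0/0(match): block in on le0: 203.0.113.5.40000 > 10.0.0.110.25: Flags [S], seq 4, win 65535, length 0
00:00:00.100000 rule 0/0(match): block in on le0: 203.0.113.5 > 10.0.0.110: ICMP echo request, id 1, seq 1, length 64
this line is not pflog output and must be skipped
"""


def parse_pflog_line(line: str) -> Optional[Dict]:
    """Parse one tcpdump/pflog line into a dict; return None for anything else."""
    m = PFLOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("Flags"):      # tcpdump prints TCP flags first
        proto = "tcp"
    elif rest.startswith("UDP"):
        proto = "udp"
    elif rest.startswith("ICMP"):
        proto = "icmp"
    else:
        proto = "other"
    return {
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "direction": m.group("direction"),
        "iface": m.group("iface"),
        "proto": proto,
        "src": m.group("src"),
        "sport": int(m.group("sport")) if m.group("sport") else None,
        "dst": m.group("dst"),
        "dport": int(m.group("dport")) if m.group("dport") else None,
    }


def parse_pflog(text: str) -> List[Dict]:
    return [e for e in (parse_pflog_line(l) for l in text.splitlines()) if e]


def blocks_by_source(events: Iterable[Dict]) -> Counter:
    """Blocked packet count per (interface, source address)."""
    return Counter((e["iface"], e["src"]) for e in events if e["action"] == "block")


def blocked_from_allowed(events: Iterable[Dict], allowed: Iterable[str]) -> List[Dict]:
    """Blocked packets whose source lies in a range the policy meant to allow."""
    nets = [ip_network(n) for n in allowed]
    return [e for e in events
            if e["action"] == "block" and any(ip_address(e["src"]) in n for n in nets)]


if __name__ == "__main__":
    events = parse_pflog(SAMPLE_LOG)
    for (iface, src), n in blocks_by_source(events).most_common():
        print(f"{iface} {src:>15} blocked {n}x")
    # 172.16.0.0/12 is the NMC range the thread's ruleset intended to pass
    for e in blocked_from_allowed(events, ["172.16.0.0/12"]):
        print("unexpected block:", e["src"], "->", e["dst"], e["dport"], e["proto"])
```

To use it on a live box, pipe the capture in (tcpdump -n -e -ttt -i pflog0 -l | python3 script.py with a small loop over sys.stdin instead of SAMPLE_LOG). The "unexpected block" lines are the ones worth chasing first: a 172.16 source showing up there with the posted ruleset is the symptom of a pass rule being overridden or of the traffic arriving on an interface the rules never mention.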