Re: Unable to reach server in dmz. What's wrong?

2006-01-20 Thread Jonas Lindskog
Abraham Al-Saleh wrote:

On 1/10/06, Jonas Lindskog [EMAIL PROTECTED] wrote:

Hello,

We are using OpenBSD 3.8 as a firewall/router. We have two internal
nets; one with workstations (NAT) and one DMZ with a single server. And
thus we have three network interfaces installed in the router: one for
the NAT, one for the DMZ and one for the external net.

Our ISP has given us a range of IP addresses (the ones below are
obfuscated ;)), which we can't change:

Segment: 38.87.5.112 /28
net address:   38.87.5.112
gateway address:   38.87.5.113
firewall:  38.87.5.114
free static IPs: 38.87.5.115-126
broadcast address:38.87.5.127
netmask:  255.255.255.240

I have set up the DMZ with
net address 38.87.5.120
Gateway: 38.87.5.121
Server: 38.87.5.122

netmask:  255.255.255.252

To ensure that routing worked properly I just entered pass (and nat of
course) in the /etc/pf.conf file.

I have no trouble connecting to the server at 38.87.5.122 from the
internal net where nat-addresses are used, but for some reason
I can't connect to the server from the outside. I thought it was a
routing problem but when I entered a port redirect from the gateway

(38.87.5.113) to the server at  38.87.5.122  for the ssh port I reached
the server. I haven't got a
clue what's wrong. Can anybody help to explain this or have an idea of a
workaround (I don't want the port
redirect)? Thanks in advance.

/Jonas


It would help if you attached your pf.conf, and relevant configuration
files (hostname.if, for example)

OK, finally :) this is how my pf.conf and interfaces look.

# 1. Macros
if_ext=fxp0
if_int=bce0
if_dmz=re0
if_lo=lo0

icmp_types = echoreq
dmz_servers = { 38.87.5.122 }
services = { 22, 8080, 8081 }
internal_services = { 2401 }
reserved = { 0.0.0.0/8, 10.0.0.0/8, 20.0.0.0/24, 127.0.0.0/8, \
 169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, \
 224.0.0.0/3, 255.255.255.255 }

# 2. Tables
# No tables are defined

# 3. Options
# What should we do with blocked traffic? drop or return.
set block-policy return
# we can only gather statistics on one interface at a time
set loginterface $if_ext

# 4. Packet normalization
scrub in all

# 5. Queueing is not done

# 6. Address translation
# The internal network has NAT addresses
nat on $if_ext from $if_int:network to any -> ($if_ext)

# Redirecting ports
# Port redirect to make ftp possible (ftp-proxy on 127.0.0.1:8021). See the OpenBSD manual.
rdr on $if_int proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# temporary redirects
rdr on $if_ext proto tcp from any to any port 8080 -> 38.87.5.122 port 8080
rdr on $if_ext proto tcp from any to any port 8081 -> 38.87.5.122 port 8081
#rdr on $if_ext proto tcp from any to any port 22 -> 38.87.5.122 port 22

# 7. Filtering

# Block everything
block all

# allow loopback
pass quick on $if_lo all

# Antispoof
antispoof for { $if_lo, $if_ext, $if_int }

# Allow traffic in to our ssh daemon
pass in log quick on $if_ext proto tcp from any to any port 22 flags S/SA keep state

# Allow traffic to and from the internal interface
# are the lines below the same as
# pass quick on $if_int all
pass in  on $if_int from $if_int:network to any keep state
pass out on $if_int from any to $if_int:network keep state

# block all traffic from reserved nets to external interface
block in quick on $if_ext from $reserved to any

# allow pinging
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state

# Open ports 8080 and ssh to trusted machines on the dmz
pass in on $if_ext proto tcp from any to any port 8081 keep state
pass in on $if_ext proto tcp from any to any port 8080 keep state

# Allow active ftp
pass in on $if_ext inet proto tcp from port 20 to ($if_ext) \
 user proxy flags S/SA keep state

# Users on the internal network are allowed to initiate external contact
pass out on $if_ext proto tcp all modulate state flags S/SA
pass out on $if_ext proto {udp, icmp} all keep state

# DMZ rules. As default we stop all traffic in to the dmz.
# To open up a service we use port forwarding in the external if
# to the specific server in the dmz
block in on $if_dmz all
pass out on $if_dmz proto tcp from any to any port $services flags S/SA keep state
pass out on $if_dmz proto tcp from any to any port $internal_services flags S/SA keep state
pass in quick on $if_dmz proto tcp from $if_int to $dmz_servers port $internal_services keep state

#pf.conf ends here

### interfaces 
hostname.fxp0
#external interface
inet 38.87.5.114 255.255.255.240 NONE


# more hostname.bce0
#internal interface
inet 192.168.97.254 255.255.255.0 NONE

# more hostname.re0
# dmz
inet 38.87.5.121 255.255.255.252 NONE



Unable to reach server in dmz. What's wrong?

2006-01-10 Thread Jonas Lindskog

Hello,

We are using OpenBSD 3.8 as a firewall/router. We have two internal 
nets; one with workstations (NAT) and one DMZ with a single server.
And thus we have three network interfaces installed in the router: one 
for the NAT, one for the DMZ and one for the external net.


Our ISP has given us a range of IP addresses (the ones below are 
obfuscated ;)):


Segment: 38.87.5.112 /28 
net address:   38.87.5.112

gateway address:   38.87.5.113
firewall:  38.87.5.114
free static IPs: 38.87.5.115-126
broadcast address:38.87.5.127
netmask:  255.255.255.240

I have set up the DMZ with
net address 38.87.5.120
Gateway: 38.87.5.121
Server: 38.87.5.122

netmask:  255.255.255.252

To ensure that routing worked properly I just entered pass (and nat of course) in the /etc/pf.conf file. 

I have no trouble connecting to the server at 38.87.5.122 from the 
internal net where nat-addresses are used, but for some reason
I can't connect to the server from the outside. I thought it was a 
routing problem but when I entered a port redirect from the gateway


(38.87.5.113) to the server at  38.87.5.122  for the ssh port I reached the server. I haven't got a 
clue what's wrong. Can anybody help to explain this or have an idea of a workaround (I don't want the port

redirect)? Thanks in advance.

/Jonas



Re: Unable to reach server in dmz. What's wrong?

2006-01-10 Thread Abraham Al-Saleh
On 1/10/06, Jonas Lindskog [EMAIL PROTECTED] wrote:
 Hello,

 We are using OpenBSD 3.8 as a firewall/router. We have two internal
 nets; one with workstations (NAT) and one DMZ with a single server.
 And thus we have three network interfaces installed in the router: one
 for the NAT, one for the DMZ and one for the external net.

 Our ISP has given us a range of IP addresses (the ones below are
 obfuscated ;)):

 Segment: 38.87.5.112 /28
 net address:   38.87.5.112
 gateway address:   38.87.5.113
 firewall:  38.87.5.114
 free static IPs: 38.87.5.115-126
 broadcast address:38.87.5.127
 netmask:  255.255.255.240

 I have set up the DMZ with
 net address 38.87.5.120
 Gateway: 38.87.5.121
 Server: 38.87.5.122

 netmask:  255.255.255.252

 To ensure that routing worked properly I just entered pass (and nat of 
 course) in the /etc/pf.conf file.

 I have no trouble connecting to the server at 38.87.5.122 from the
 internal net where nat-addresses are used, but for some reason
 I can't connect to the server from the outside. I thought it was a
 routing problem but when I entered a port redirect from the gateway

 (38.87.5.113) to the server at  38.87.5.122  for the ssh port I reached the 
 server. I haven't got a
 clue what's wrong. Can anybody help to explain this or have an idea of a 
 workaround (I don't want the port
 redirect)? Thanks in advance.

 /Jonas


It would help if you attached your pf.conf, and relevant configuration
files (hostname.if, for example)



Re: Unable to reach server in dmz. What's wrong?

2006-01-10 Thread Bryan Irvine
 Our ISP has given us a range of IP addresses (the ones below are
 obfuscated ;)):

 Segment: 38.87.5.112 /28
 net address:   38.87.5.112
 gateway address:   38.87.5.113
 firewall:  38.87.5.114
 free static IPs: 38.87.5.115-126
 broadcast address:38.87.5.127
 netmask:  255.255.255.240

 I have set up the DMZ with
 net address 38.87.5.120
 Gateway: 38.87.5.121
 Server: 38.87.5.122

 netmask:  255.255.255.252

 To ensure that routing worked properly I just entered pass (and nat of 
 course) in the /etc/pf.conf file.

 I have no trouble connecting to the server at 38.87.5.122 from the
 internal net where nat-addresses are used, but for some reason
 I can't connect to the server from the outside. I thought it was a
 routing problem but when I entered a port redirect from the gateway


I suspect it may still be a routing problem.  You have a range of 13
available IPs from your ISP, but according to the subnet they are all
on the same network.  Unless I've misread something (which happens
often) you need to have the ISP split your range into 2 networks* and
set the router located at 38.87.5.113 to route the next hop of the
second network to your firewall.

* note you will lose a couple of IPs by doing that.

A simple way to test would be to move the 38.87.5.122 machine to the
same network as the firewall (so that it's no longer being firewalled)
and see if you can get to it.


--Bryan
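To make Bryan's diagnosis concrete, here is an added example (my own code, not from the thread or from OpenBSD) that models the posted address plan with Python's standard-library ipaddress module. The prefixes and addresses are the obfuscated ones quoted in the thread; the function names, the interface dictionary and the static-route dictionary are my constructions. It shows the three facts that matter: the DMZ /30 is carved out of the ISP's /28, so the firewall's fxp0 and re0 prefixes overlap; the ISP gateway at .113 therefore treats .122 as a directly attached host and tries to deliver to it on its own segment (where nothing answers) instead of forwarding to the firewall at .114; and splitting the /28 into two /29s, with the second /29 routed to .114, fixes the lookup at the cost of two addresses. It also explains why the port redirect works: redirected packets are addressed to .114, which the gateway does reach on-link.

```python
# Added example, not from the thread: model the poster's address plan with the
# standard-library ipaddress module.  Prefixes/addresses are the obfuscated
# values quoted in the thread; function names and the route table are mine.
from itertools import combinations
from ipaddress import ip_address, ip_network

# Values as posted (obfuscated by the poster).
ISP_BLOCK = ip_network("38.87.5.112/28")          # the /28 the ISP delegated
ISP_GATEWAY = ip_address("38.87.5.113")           # ISP router, on the /28
FIREWALL_EXT = ip_address("38.87.5.114")          # fxp0 on the firewall
DMZ_NET = ip_network("38.87.5.120/30")            # re0 side, carved out of the /28
DMZ_SERVER = ip_address("38.87.5.122")

# The firewall's three interfaces as configured in the posted hostname.* files.
FIREWALL_IFACES = {
    "fxp0": ip_network("38.87.5.114/28", strict=False),
    "bce0": ip_network("192.168.97.254/24", strict=False),
    "re0": ip_network("38.87.5.121/30", strict=False),
}


def overlapping_interfaces(ifaces):
    """Return interface-name pairs whose prefixes overlap.

    Overlapping prefixes on one router are a warning sign: the box itself
    still forwards by longest prefix match, but every other router on the
    wider prefix (here the ISP gateway) has no idea the narrower one exists.
    """
    return [(a, b) for (a, na), (b, nb) in combinations(ifaces.items(), 2)
            if na.overlaps(nb)]


def next_hop_from_gateway(dst, connected, routes):
    """Longest-prefix-match lookup as the ISP gateway would perform it.

    `connected` is the prefix on the gateway's customer-facing interface and
    `routes` maps static prefixes to next-hop addresses (a constructed model
    of its routing table).  Returns "on-link" when the gateway would deliver
    to dst directly on its own segment (via ARP), the next-hop address when
    a static route wins, or "no route".
    """
    dst = ip_address(dst)
    best = None
    if dst in connected:
        best = (connected.prefixlen, "on-link")
    for prefix, nexthop in routes.items():
        if dst in prefix and (best is None or prefix.prefixlen > best[0]):
            best = (prefix.prefixlen, str(nexthop))
    return best[1] if best else "no route"


def split_in_two(block):
    """Bryan's suggestion: have the ISP split the /28 into two /29s."""
    first, second = block.subnets(prefixlen_diff=1)
    return first, second


def usable_hosts(*nets):
    """Host addresses left after network and broadcast on each prefix."""
    return sum(net.num_addresses - 2 for net in nets)


if __name__ == "__main__":
    print("overlapping firewall interfaces:", overlapping_interfaces(FIREWALL_IFACES))
    print("DMZ /30 inside ISP /28:", DMZ_NET.subnet_of(ISP_BLOCK))
    # As posted: the gateway believes .122 sits on its own segment, so the
    # packet never gets forwarded to the firewall at .114.
    print("gateway -> .122 as posted:", next_hop_from_gateway(DMZ_SERVER, ISP_BLOCK, {}))
    # After the split: the gateway keeps the first /29 on-link and routes the
    # second /29 to the firewall's external address.
    outer, inner = split_in_two(ISP_BLOCK)
    print("gateway -> .122 after split:",
          next_hop_from_gateway(DMZ_SERVER, outer, {inner: FIREWALL_EXT}))
    print("usable addresses before/after:",
          usable_hosts(ISP_BLOCK), usable_hosts(outer, inner))
```

Running it reports the fxp0/re0 overlap, "on-link" for .122 in the posted setup, "38.87.5.114" once the second /29 is routed to the firewall, and 14 versus 12 usable addresses, which is the "couple of IPs" Bryan mentions losing.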