PF OpenBSD Prob
Results 1 to 2 of 2

Thread: PF OpenBSD Prob

  1. #1
    Junior Member
    Join Date
    May 2006
    Posts
    22

    PF OpenBSD Prob

    Something went wrong on my new firewal, when I enabled PF, I couldn't access outside world (look like PF firewall blocked the access).

    OK, hereis my PF:
    Code:
    #
    # This ruleset is meant to work on a stateful firewall with a bridged DMZ 
    # network configured on the third NIC. 
    #
    # .
    #
    
    ###############################################################################
    # Macros
    #
    # User-defined variables may be defined and used later, simplifying the
    # configuration file. Macros must be defined before they are referenced.
    #
    
    # available interfaces
    ext_if=		"rl0"
    int_if=		"xl0"
    dmz_if=		"fxp0"
    
    # list of networks
    ext_net=	"MY-REAL-IP/24"
    int_net=	"192.168.0.0/24"
    
    # list of hosts
    fw_ext=		"MY-REAL-IP"
    mail_dmz=	"192.168.0.252"
    web_dmz=	"192.168.0.251"
    
    ###############################################################################
    # Tables
    #
    # Tables provide a mechanism for increasing the performance and flexibility
    # of rules with large numbers of source or destination addresses.
    #
    
    table 		<private> const { 127/8, 10/8, 172.16/12, 192.168/16 }
    table 		<authpf_users> persist
    
    ###############################################################################
    # Options
    #
    # Options tune the behaviour of the packet filtering engine.
    #
    
    set 		optimization normal
    set 		block-policy drop
    set		skip on lo0
    
    ###############################################################################
    # Traffic Normalization
    #
    # Traffic normalization protects internal machines against inconsistencies
    # in Internet protocols and implementations.
    #
    
    scrub 		in
    #scrub 		out
    
    ###############################################################################
    # Translation
    #
    # Translation rules specify how addresses are to be mapped or redirected to
    # other addresses.
    #
    
    # ftp-proxy anchors
    nat-anchor 	"ftp-proxy/*"
    rdr-anchor 	"ftp-proxy/*"
    
    # ip masquerading
    nat 		on $ext_if inet from $int_net -> $fw_ext
    
    # ftp-proxy
    rdr pass	on $int_if inet proto tcp to port 21 -> 127.0.0.1 port 8021
    
    # reverse ftp-proxy (/usr/sbin/ftp-proxy -R x.x.x.3 -p 8022)
    #rdr pass	on $ext_if inet proto tcp to port 21 -> 127.0.0.1 port 8022
    
    ###############################################################################
    # Packet Filtering
    #
    # Stateful and stateless packet filtering provides rule-based blocking or
    # passing of packets.
    #
    
    # ftp-proxy anchor
    anchor		"ftp-proxy/*"
    
    # default policy
    block 		in log
    block 		out
    
    # trusted interfaces
    pass 		in quick on $int_if inet
    pass 		out quick on $int_if inet
    
    # dmz interface
    pass		in quick on $dmz_if inet
    #pass		out quick on $dmz_if route-to lo0 inet proto tcp to port 8022
    pass		out quick on $dmz_if inet
    
    # egress filtering
    block		out quick on $ext_if inet from !$ext_net
    
    # anti-spoofing
    block 		drop in quick on $ext_if inet from <private>
    
    # outbound traffic (fw + int_net)
    pass		out on $ext_if inet proto { icmp, udp, tcp } from $fw_ext \
    		keep state
    # outbound traffic (dmz)
    pass		out on $ext_if inet proto { udp, tcp } from !$fw_ext \
    		to port 53 keep state
    
    # inbound traffic (fw)
    pass 		in on $ext_if inet proto tcp to $fw_ext \
    		port 2222 flags S/SA keep state
    # inbound traffic (mail)
    pass		in on $ext_if inet proto tcp to $mail_dmz \
    		port { 25, 53, 110 } flags S/SA keep state
    pass		in on $ext_if inet proto udp to $mail_dmz port 53 keep state
    # inbound traffic (web)
    pass		in on $ext_if inet proto tcp to $web_dmz \
    		port { 21, 53, 80, 443 } flags S/SA keep state
    pass		in on $ext_if inet proto udp to $web_dmz port 53 keep state
    # remote administration (authpf)
    pass		in on $ext_if inet proto tcp from <authpf_users> \
    		to { $mail_dmz, $web_dmz } port 22 flags S/SA keep state
    Code:
    #ifconfig rl0
    rl0: flags=8943<UP,BROADCAST RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
                lladdr 00:e0:4c:a2:82:98
                media: Ethernet autoselect (10baseT)
                status: active
                inet6 fe80::2e0:4cff:fea2:8298%rl0 prefixlen 64 scopeid 0x3
                inet MY-REAL-IP netmask 0xffffff00 broadcast MY-REAL-IP.255
    
    #ifconfig xl0
    xl0:  flags=8843<UP,BROADCAST RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
                lladdr 00:e0:4c:a2:82:98
                media: Ethernet autoselect (10baseT)
                status: active
                inet6 fe80::2e0:4cff:fea2:8298%rl0 prefixlen 64 scopeid 0x1
                inet 192.168.0.253 netmask 0xffffff00 broadcast 192.168.0.255
    #ifconfig fxp0
    fxp0: flags=8943<UP,BROADCAST RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
                lladdr 00:e0:4c:a2:82:98
                media: Ethernet autoselect (10baseT)
                status: active
                inet6 fe80::2e0:4cff:fea2:8298%rl0 prefixlen 64 scopeid 0x2
                inet 192.168.0.252 netmask 0xffffff00 broadcast 192.168.0.255
    
    #ifconfig bridge0
    bridge0: flags=41<UP,RUNNING> mtu 1500
                     groups: bridge

    Look like I've been blocked from outside the world... any idea?

    I've already check /etc/hosts, /etc/resolv.conf everything OK, if I turn off my PF filter...I can easly access outside the world..

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Use tcpdump on your ext_if to see what's going on. Maybe your nat rule, perhaps a forgotten keep state. Be aware of those quick keywords too..

    You can also tcpdump -i pflog0 to see what's being blocked.

    BTW It isn't called ip masquerading that's a Linux iptables term. It's called NAT or PAT.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •