Results 1 to 2 of 2

Thread: PF OpenBSD Prob

  1. August 8th, 2006, 01:01 PM #1
    bupati
    bupati is offline
    Junior Member
    Join Date
    May 2006
    Posts
    22

    PF OpenBSD Prob

    Something went wrong on my new firewal, when I enabled PF, I couldn't access outside world (look like PF firewall blocked the access).

    OK, hereis my PF:
    Code:
    #
# This ruleset is meant to work on a stateful firewall with a bridged DMZ 
# network configured on the third NIC. 
#
# .
#

###############################################################################
# Macros
#
# User-defined variables may be defined and used later, simplifying the
# configuration file. Macros must be defined before they are referenced.
#

# available interfaces
ext_if=		"rl0"
int_if=		"xl0"
dmz_if=		"fxp0"

# list of networks
ext_net=	"MY-REAL-IP/24"
int_net=	"192.168.0.0/24"

# list of hosts
fw_ext=		"MY-REAL-IP"
mail_dmz=	"192.168.0.252"
web_dmz=	"192.168.0.251"

###############################################################################
# Tables
#
# Tables provide a mechanism for increasing the performance and flexibility
# of rules with large numbers of source or destination addresses.
#

table 		<private> const { 127/8, 10/8, 172.16/12, 192.168/16 }
table 		<authpf_users> persist

###############################################################################
# Options
#
# Options tune the behaviour of the packet filtering engine.
#

set 		optimization normal
set 		block-policy drop
set		skip on lo0

###############################################################################
# Traffic Normalization
#
# Traffic normalization protects internal machines against inconsistencies
# in Internet protocols and implementations.
#

scrub 		in
#scrub 		out

###############################################################################
# Translation
#
# Translation rules specify how addresses are to be mapped or redirected to
# other addresses.
#

# ftp-proxy anchors
nat-anchor 	"ftp-proxy/*"
rdr-anchor 	"ftp-proxy/*"

# ip masquerading
nat 		on $ext_if inet from $int_net -> $fw_ext

# ftp-proxy
rdr pass	on $int_if inet proto tcp to port 21 -> 127.0.0.1 port 8021

# reverse ftp-proxy (/usr/sbin/ftp-proxy -R x.x.x.3 -p 8022)
#rdr pass	on $ext_if inet proto tcp to port 21 -> 127.0.0.1 port 8022

###############################################################################
# Packet Filtering
#
# Stateful and stateless packet filtering provides rule-based blocking or
# passing of packets.
#

# ftp-proxy anchor
anchor		"ftp-proxy/*"

# default policy
block 		in log
block 		out

# trusted interfaces
pass 		in quick on $int_if inet
pass 		out quick on $int_if inet

# dmz interface
pass		in quick on $dmz_if inet
#pass		out quick on $dmz_if route-to lo0 inet proto tcp to port 8022
pass		out quick on $dmz_if inet

# egress filtering
block		out quick on $ext_if inet from !$ext_net

# anti-spoofing
block 		drop in quick on $ext_if inet from <private>

# outbound traffic (fw + int_net)
pass		out on $ext_if inet proto { icmp, udp, tcp } from $fw_ext \
		keep state
# outbound traffic (dmz)
pass		out on $ext_if inet proto { udp, tcp } from !$fw_ext \
		to port 53 keep state

# inbound traffic (fw)
pass 		in on $ext_if inet proto tcp to $fw_ext \
		port 2222 flags S/SA keep state
# inbound traffic (mail)
pass		in on $ext_if inet proto tcp to $mail_dmz \
		port { 25, 53, 110 } flags S/SA keep state
pass		in on $ext_if inet proto udp to $mail_dmz port 53 keep state
# inbound traffic (web)
pass		in on $ext_if inet proto tcp to $web_dmz \
		port { 21, 53, 80, 443 } flags S/SA keep state
pass		in on $ext_if inet proto udp to $web_dmz port 53 keep state
# remote administration (authpf)
pass		in on $ext_if inet proto tcp from <authpf_users> \
		to { $mail_dmz, $web_dmz } port 22 flags S/SA keep state
    Code:
    #ifconfig rl0
rl0: flags=8943<UP,BROADCAST RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:e0:4c:a2:82:98
            media: Ethernet autoselect (10baseT)
            status: active
            inet6 fe80::2e0:4cff:fea2:8298%rl0 prefixlen 64 scopeid 0x3
            inet MY-REAL-IP netmask 0xffffff00 broadcast MY-REAL-IP.255

#ifconfig xl0
xl0:  flags=8843<UP,BROADCAST RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:e0:4c:a2:82:98
            media: Ethernet autoselect (10baseT)
            status: active
            inet6 fe80::2e0:4cff:fea2:8298%rl0 prefixlen 64 scopeid 0x1
            inet 192.168.0.253 netmask 0xffffff00 broadcast 192.168.0.255
#ifconfig fxp0
fxp0: flags=8943<UP,BROADCAST RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
            lladdr 00:e0:4c:a2:82:98
            media: Ethernet autoselect (10baseT)
            status: active
            inet6 fe80::2e0:4cff:fea2:8298%rl0 prefixlen 64 scopeid 0x2
            inet 192.168.0.252 netmask 0xffffff00 broadcast 192.168.0.255

#ifconfig bridge0
bridge0: flags=41<UP,RUNNING> mtu 1500
                 groups: bridge

    Look like I've been blocked from outside the world... any idea?

    I've already check /etc/hosts, /etc/resolv.conf everything OK, if I turn off my PF filter...I can easly access outside the world..
    Reply With Quote Reply With Quote
  2. August 8th, 2006, 01:24 PM #2
    SirDice
    SirDice is offline
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Use tcpdump on your ext_if to see what's going on. Maybe your nat rule, perhaps a forgotten keep state. Be aware of those quick keywords too..

    You can also tcpdump -i pflog0 to see what's being blocked.

    BTW It isn't called ip masquerading that's a Linux iptables term. It's called NAT or PAT.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
    Reply With Quote Reply With Quote
« Previous Thread | Next Thread »

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Forum Rules