I have recently upgraded our OpenBSD 4.8 bridge & firewall to OpenBSD 5.0 (GENERIC.MP) #57: Mon Aug 8 14:58:00 MDT 2011 and I'm having some problems with a rule set that used to work with 4.8. I took our backup firewall out of production, re-installed a fresh copy of the snapshot stated, and used site50.tgz to populate the hostname.* files for the physical interfaces, bridges and VLANs, sysctl.conf for interface forwarding, etc. The install went fine and all the files were put into place correctly; however, with the old rule set the network fails to come up at boot. I read the source-changes list and recall the change for the set skip rules and interface groups, and confirmed the changes as defined in the following -current web page, which doesn't *seem* to apply to me since I am not using interface types (groups) but physical interface names (or macros that expand to interface names). Please keep in mind that the rules load without error. In fact, if I leave PF disabled during boot and enable it with the same rule set once the system is up, everything works fine, so I must be missing something here... Do I now have to set skip on the physical interfaces for the VLANs/Bridge (em0 & em1) :'/
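# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

## Interface macros
# Each network is a VLAN pair bridged through this box. Judging by the
# rules below, the NS_* side is the one that gets filtered; the unprefixed
# side is mostly listed in "set skip" -- confirm against the bridge config.
NS_DMZ="vlan1111"
DMZ="vlan2111"
NS_FASNET="vlan310"
NS_ACS="vlan311"
NS_EXPERIMENTAL="vlan312"
NS_NAT="vlan313"
NS_DMZ2="vlan314"
NS_111B="vlan315"
NS_NETM="vlan316"
FASNET="vlan300"
ACS="vlan301"
EXPERIMENTAL="vlan302"
NAT="vlan303"
DMZ2="vlan304"
# NOTE(review): pf.conf(5) says macro names must start with a letter. This
# one loads on the running pfctl, but it is fragile across versions --
# consider renaming it (e.g. VLAN111B) together with its use in "set skip".
111B="vlan305"
NETM="vlan306"
FW_MGMT="bge0"

## Service definitions (port lists)
CIFS_PORTS="{137 139 445 epmap kerberos ldap}"
DNS_PORTS="{domain}"
FILEMAKER_PORTS="{2339 5003 5353}"
NFS_PORTS="{sunrpc 2049 4045}"
PRINT_PORTS="{161 printer ipp 9100}"
RDP_PORTS="{3389 5900:5999}"
WEB_PORTS="{http https}"
# NOTE(review): this is every unprivileged port, not a FlexLM port set. The
# rule that uses it below opens <flexlm_servers> to the world on 1025-65535.
# Pin the lmgrd port and a fixed vendor-daemon port if the servers allow it.
FLEXLM_PORTS="{ 1025:65535 }"
AD_PORTS="{ 88 389 1025 3268 epmap kerberos kpasswd ldap ntp }"
ARD_PORTS="{ 3283 }"

## Table definitions
# All hosts that get blocked due to too many connections
# are added temporarily here (see the overload rules below).
table <bad_hosts> persist file "/etc/bad_hosts.list"
# Hosts that should be allowed into the NETM
table <netm_hosts> persist file "/etc/netm_hosts.list"
# Hosts that have been blocked permanently
table <blacklist_hosts> persist file "/etc/blacklist_hosts.list"
# Hosts we should never block
table <whitelist_hosts> persist file "/etc/whitelist_hosts.list"
# DNS servers that we should communicate with
table <dns_servers> persist file "/etc/dns_servers.list"
# Web servers
table <web_servers> persist file "/etc/web_servers.list"
# Public SFU / FASNET IP space
table <trusted_ip_space> persist file "/etc/trusted_ip_space.list"
# Publicly accessible printers
table <public_printers> persist file "/etc/public_printers.list"
# Systems Lab machines
table <systems_lab_hosts> persist file "/etc/systems_lab_hosts.list"
# baltic.example.com access list
table <baltic_acls> persist file "/etc/baltic_acls.list"
# FlexLM servers
table <flexlm_servers> persist file "/etc/flexlm_servers.list"
# CIFS servers
table <cifs_servers> persist file "/etc/cifs_servers.list"
# Our domain controllers
table <dc_servers> persist file "/etc/dc_servers.list"
# Campus DC servers
table <campus_dc_servers> persist file "/etc/campus_dc_servers.list"
# PlanetLab machines
table <planet_lab_machines> persist file "/etc/planet_lab_machines.list"

## PF engine parameters
# Play nicely: send TCP RST / ICMP unreachable on block instead of
# dropping silently. The "block drop quick" rules below override this
# per rule for known-bad hosts.
set block-policy return
# Limit the number of states / table entries that can be created.
# Monitor "congestion" and "state count" output in systat pf.
set limit { states 50000, table-entries 500000 }
# Disable packet fragment reassembly to work with seven.
# This should be removed when seven is decommissioned.
# NOTE(review): with reassembly off, every fragment is evaluated on its
# own, so the port-based rules below can only be applied to the first
# fragment of a datagram -- a classic filter-evasion vector. pf.conf(5)
# defaults this to yes; confirm seven still needs it and narrow the
# exception if at all possible.
set reassemble no
# Log traffic statistics on all interfaces
set loginterface all
# Don't do any filtering on these devices.
# Only the "public" side of each bridge is filtered, since you only
# need to filter on one side of the bridge.
# NOTE(review): pf's default action when no rule matches is "pass". The
# only interfaces below with a default "block in" are $NS_FASNET and
# $NETM; anything that is neither skipped here nor given a block rule
# ($NS_DMZ, $DMZ, $NS_ACS, $NS_NETM, and any interface not named at all,
# such as the physical bridge members) is currently passed unfiltered.
# Confirm that is intended. (bge0 is listed twice, literally and as
# $FW_MGMT; harmless.)
#set skip on { lo0 $FW_MGMT $NS_DMZ $NS_EXPERIMENTAL $NS_NAT $NS_DMZ2 $NS_111B $111B $ACS $DMZ $DMZ2 $EXPERIMENTAL $FASNET $NAT }
set skip on { lo0 bge0 bge1 $FW_MGMT $NS_EXPERIMENTAL $NS_NAT $NS_DMZ2 $NS_111B $111B $ACS $DMZ2 $EXPERIMENTAL $FASNET $NAT }

## Normalisation and NAT
# Scrub incoming packets (clear the don't-fragment bit)
match in all scrub (no-df)
# NAT all 172.16.0/24 traffic to the external interface
#match out on ! $NAT from 172.16.0.0/24 to any nat-to $FW_MGMT:network

## Global block / pass rules (evaluated on every non-skipped interface)
# Block any host deemed, for whatever reason, to be bad.
# Be meaner and just drop them, which ties up the attacker's
# resources slightly longer (overrides "block-policy return").
block drop quick from <bad_hosts>
block drop quick from <blacklist_hosts>
# By default, do not permit remote connections to X11;
# all X11 traffic should be tunnelled through SSH.
block in quick on ! lo0 proto tcp to port 6000:6010
# Allow ping and traceroute through
pass quick log (to pflog1) inet proto icmp from any to any icmp-type echoreq keep state
# Traffic from these hosts should never be blocked.
# NOTE(review): the second rule has no "quick", so the later non-quick
# "block in ... all" rules on $NETM and $NS_FASNET still win for inbound
# traffic *to* whitelisted hosts on those interfaces; only the "from"
# rule is really unconditional. Add "quick" if "to" is meant to be too.
pass quick from <whitelist_hosts>
pass to <whitelist_hosts>

### NETM RULES ###
# Block access to NETM by default; let everything out.
block in log (to pflog2) on $NETM all
pass out log (to pflog2) quick on $NETM all
# Allow traffic to/from NETM allowed hosts
pass in log (to pflog2) quick on $NETM from <netm_hosts>
pass out log (to pflog2) quick on $NETM to <netm_hosts>
# Allow the testing of NETM
# Only enable for debugging
#pass in log (to pflog2) on $NS_NETM all
#pass out log (to pflog2) on $NS_NETM all

### FASNET RULES ###
# Block access to FASNET by default. pf is last-match, so the "quick"
# pass rules that follow are the exceptions to this block.
block in log on $NS_FASNET all
# Let everything out.
# NOTE(review): the original comment here talked about "modulate state"
# for stronger ISNs, but the rule does not use it (plain keep state, which
# is the default). Add "modulate state" deliberately if that is wanted.
pass out quick log (to pflog1) on $NS_FASNET
# Allow SSH traffic but...
# if a host is found to be connecting more than 15 times within 5 seconds,
# add it to the bad_hosts table so it gets blocked, and flush its states.
# NOTE(review): no "on" clause, so this applies to every non-skipped
# interface, not just $NS_FASNET.
pass in log (to pflog1) proto tcp to any port ssh keep state \
    (max-src-conn-rate 15/5, overload <bad_hosts> flush global)
# Allow RDP/VNC traffic with the same connection-rate limit.
# This rule has neither "on" nor "quick": it is the fallback for any
# interface that has no later matching rule.
pass in log (to pflog1) proto tcp to any port $RDP_PORTS keep state \
    (max-src-conn-rate 15/5, overload <bad_hosts> flush global)
# Allow DNS traffic to/from our peers
pass in log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from <dns_servers> to any port $DNS_PORTS
pass in log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from <trusted_ip_space> to <dns_servers> port $DNS_PORTS
# Allow HTTP traffic to FASNET web servers
pass in log (to pflog1) quick on $NS_FASNET proto tcp from any to <web_servers> port $WEB_PORTS
# Allow printing to public printers for trusted IP spaces
pass in log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from <trusted_ip_space> to <public_printers> port $PRINT_PORTS
# Allow remote desktop and VNC connections from anywhere.
# Fix: this used to be a single "quick" rule for { tcp, udp } with no
# rate limit. Because a quick rule is the last one evaluated, it replaced
# the rate-limited RDP rule above for everything arriving on $NS_FASNET,
# so the overload into <bad_hosts> never triggered for RDP/VNC. The TCP
# half now carries the same limit; max-src-conn-rate is TCP-only, so the
# UDP half stays a plain pass.
pass in log (to pflog1) quick on $NS_FASNET proto tcp from any to any port $RDP_PORTS keep state \
    (max-src-conn-rate 15/5, overload <bad_hosts> flush global)
pass in log (to pflog1) quick on $NS_FASNET proto udp from any to any port $RDP_PORTS
# Allow trusted IP spaces access to bigmac to speak to FileMaker Pro
# NOTE(review): pfctl resolves hostnames like this once, when the rule
# set is loaded. If the resolver is not reachable at that moment (e.g.
# early in boot) the load fails, and A-record changes are not picked up
# until the next reload. Tables with addresses are the safer form.
pass in log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from <trusted_ip_space> to bigmac.example.com port $FILEMAKER_PORTS
# Allow systems lab machines to talk to each other regardless of networks
pass log (to pflog1) quick on $NS_FASNET from <systems_lab_hosts> to <systems_lab_hosts>
# Allow some systems access to baltic.example.com
pass log (to pflog1) quick on $NS_FASNET proto tcp from <trusted_ip_space> to baltic.example.com port $CIFS_PORTS
pass log (to pflog1) quick on $NS_FASNET proto tcp from <baltic_acls> to baltic.example.com port $CIFS_PORTS
# Allow core.example.com to send statistics to wisteria.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from core.example.com to wisteria.example.com
# Allow access to FlexLM license servers (see the note on $FLEXLM_PORTS)
pass log (to pflog1) quick on $NS_FASNET proto tcp from any to <flexlm_servers> port $FLEXLM_PORTS
# Allow access to domain controller servers from trusted networks
# NOTE(review): the port restriction is commented out on the first two
# rules, so they are "any port" passes, and they have no "on" clause, so
# they apply on every non-skipped interface. The third rule is then
# redundant. Re-enable $AD_PORTS once the required port set is confirmed.
pass log (to pflog1) quick proto { tcp, udp } from <trusted_ip_space> to <dc_servers> #port $AD_PORTS
pass log (to pflog1) quick proto { tcp, udp } from <campus_dc_servers> to any #port $AD_PORTS
pass log (to pflog1) quick proto { tcp, udp } from <trusted_ip_space> to <dc_servers> port $CIFS_PORTS
# Allow access to CIFS servers (same remark: the first rule is "any port")
pass log (to pflog1) quick proto { tcp, udp } from <trusted_ip_space> to <cifs_servers> #port $AD_PORTS
pass log (to pflog1) quick proto { tcp, udp } from <trusted_ip_space> to <cifs_servers> port $CIFS_PORTS
# Allow connections to neo for things like updates and policy stuff
pass log (to pflog1) quick proto tcp from <trusted_ip_space> to neo.example.com port { 5723, 8531 }
# Allow seven to talk to chuskawn, head1 and taiyang so it can speak NIS
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from seven.example.com to chuskawn.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from seven.example.com to head1.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from seven.example.com to taiyang.example.com
# Allow hosts to talk to ghost.example.com and head4.example.com for backups.
# NOTE(review): both directions are "any port", so these two hosts are
# fully exposed in and out; restrict to the backup agent's ports if known.
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to { ghost.example.com, head4.example.com }
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from { ghost.example.com, head4.example.com } to any
# Allow tftp traffic from mirror.example.com
# NOTE(review): not limited to tftp -- any port from mirror passes.
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from mirror.example.com to any
# Allow printing from staff.example.com
# NOTE(review): not limited to $PRINT_PORTS -- any port from staff passes.
pass quick log (to pflog1) on $NS_FASNET proto { tcp, udp } from staff.example.com to any
# Allow puppet traffic from puppet.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from puppet.example.com to any port 8139
# Allow trend traffic from trend.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from trend.example.com to any port 43180
# Allow Managed Mac (ARD) traffic from our trusted networks
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from <trusted_ip_space> to any port $ARD_PORTS
# Allow FTP traffic to our compute servers (control channel only; data
# channels are not handled here)
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to oak.example.com port ftp
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to dogwood.example.com port ftp
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to css.example.com port ftp
# Allow syslog traffic from ra1.example.com and ra2.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from ra1.example.com to any port syslog
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from ra2.example.com to any port syslog
# Allow external access to asb10830craig.example.com
# RT 151528
pass log (to pflog1) quick on $NS_FASNET proto tcp from any to asb10830craig.example.com port 8085
# Allow redbug and the web/portal hosts access to fornax (any port)
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from redbug.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from web.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from gradpcs.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from onara.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from intraweb.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from gradebook.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from cmpt165.example.com to fornax.example.com
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from portal.example.com to fornax.example.com
# Allow all access to PlanetLab test machines from anywhere on unprivileged ports
pass log (to pflog1) quick on $NS_FASNET proto { tcp, udp } from any to <planet_lab_machines> port 1025:65535
# Allows all traffic into FASNET
# USE FOR TESTING ONLY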
#pass in log (to pflog1) on $NS_FASNET keep state -- James A. Peltier IT Services - Research Computing Group Simon Fraser University - Burnaby Campus Phone : 778-782-6573 Fax : 778-782-3045 E-Mail : jpelt...@sfu.ca Website : http://www.sfu.ca/itservices http://blogs.sfu.ca/people/jpeltier I will do the best I can with the talent I have