On 3/10/06, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2006/03/10 12:19, Bryan Irvine wrote:
> > On 3/6/06, Bryan Irvine <[EMAIL PROTECTED]> wrote:
> > > The problem only happens with remote users that come in via T1 and
> > > don't go through the gateway.  The machines they are connecting to are
> > > using 10.0.0.1 as its gateway and seem to occasionally choke when
> > > receiving an icmp-redirect from 10.0.0.2 (or 10.0.0.3 depending on
> > > which one is master) when it has queried 10.0.0.1.
>
> Your post is missing a bit of information about the network, but if I'm
> not mistaken you sometimes have the start of the connection not passing
> through either firewall? If that's the case either make sure you allow
> packets from established connections that you don't have state for (this
> means you lose some of the protection of PF's stateful checking): i.e.
> don't use flags S/SA in the relevant rules... or rearrange the network
> routing so you don't need redirects (if you want advice on this you'll
> definitely need to post more details about the carp/PF setup, how the
> affected users reach the relevant hosts, etc: output from netstat -rn
> and ifconfig at strategic places will help illustrate, the PF ruleset
> may help too).

The packets never pass *through* the firewall, but since the firewall
is the default gateway it gets queried for certain routes, which pass
through one of the Ciscos.

(Apologies for the ASCII)

     Internet
   /             \
[fw1]-carp-[fw2]
     \          /
       LAN1
          |
        Cisco
        /      \
    T1a    T1b
     |           |
 LAN2      LAN3

(There's more than 3 LANs but for simplicity we'll just show 2)

So what we have are some servers on LAN1 with a default gateway of the
carp IP on the firewalls.  Somebody located on either LAN2 or LAN3
telnets to one of those servers, gets connected and goes on about their
daily business.

Sometime later their connection drops.

It happened after we installed the carp firewalls, and seems to be
related to ICMP-Redirect coming from the real IP, as opposed to the
carp one the request went to.

pf.conf:

   #######################
  ##  Interface Macros  ##
 ########################
WAN = "fxp0"
DMZ = "fxp3"
LOOPBACK = "lo0"

LAN1 = "fxp1"
LAN2 = "fxp2"
LANS = "{" $LAN1 $LAN2 "}"

ALL = "{" $LAN1 $LAN2 $WAN $DMZ "}"

KENTLEGACY = "'192.233.103.0/24'"
KENT = "'10.0.0.0/16'"
BELLEVUE = "'10.1.0.0/16'"
#Virtual access interface on cisco's
VIRTUAL = "'192.168.210.0/24'"
PENINSULA = "'192.233.99.0/24'"
MERCER = "'192.168.98.0/24'"
LEGACYWEB = "'207.109.73.0/24'"
REDMOND = "'10.2.0.1/24'"
WEB = "'10.5.1.0/24'"

#NATS = "{" $KENTLEGACY $KENT '192.233.100.0/24' '192.168.99.0/24' "}"
NATS = "{" $KENTLEGACY $KENT $BELLEVUE "}"

   #####################
  ##  Server Macros  ##
 #####################
localhost = "127.0.0.1"
firebox2 = "64.1.201.130"
Addesk = "64.1.201.146"
FTPServer = "64.1.201.147"
mailservers = "{" mx.kcjn.com 10.0.1.1 "}"
ghost = "64.1.201.149"
smtp = "64.1.201.150"
www3 = "www3.kcjn.com"
www5 = "64.1.201.153"

   ###################
  ##  Port Macros  ##
 ###################
ftpproxy = "8021"
vnc = "5900"

   ########################
  ##  Start the fun!!!  ##
 ########################

set limit { states 20000, frags 20000}

   #####################
  ##  Clean packets  ##
 #####################
scrub in all

   ####################
  ##  Start up NAT  ##
 ####################
nat on $WAN inet from $KENTLEGACY to any -> ($WAN)
nat on $WAN inet from $KENT to any -> ($WAN)
nat on $WAN inet from $BELLEVUE to any -> ($WAN)
nat on $WAN inet from $VIRTUAL to any -> ($WAN)
#nat on $WAN inet from $NAT4 to any -> ($WAN)
nat on $WAN inet from $PENINSULA to any -> ($WAN)
nat on $WAN inet from $MERCER to any -> ($WAN)
nat on $WAN inet from $LEGACYWEB to any -> ($WAN)
nat on $WAN inet from $REDMOND to any -> ($WAN)
nat on $WAN inet from $WEB to any -> ($WAN)


   #######################
  ##  spam tarpitting  ##
 #######################
table <spamd> persist
table <spamd-white> persist
table <spamd-mywhite> persist file "/etc/pf/whitelist.txt"

rdr pass on $WAN proto tcp from <spamd-mywhite> to port smtp -> mx.kcjn.com port smtp
rdr pass on $WAN inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
rdr pass on $WAN inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025

   #############################
  ##  Redirection for squid  ##
 #############################
#don't redirect local connections
no rdr on $LANS inet proto tcp from $NATS to { 192.233.100.110 10.0.5.1 10.0.5.2 10.0.5.3 10.0.5.4 64.1.201.149 64.122.4.29 207.109.73.105 207.109.73.66 intranet.horvitznewspapers.net } port www

#Don't proxy proxied connections
no rdr on $LANS inet proto tcp from { 10.0.5.1 10.0.5.2 10.0.5.3 10.0.5.4 64.1.201.149 64.122.4.29 207.109.73.105 207.109.73.66 } to any port www

#redirect rule for Squid (disabled)
#rdr pass on $LANS inet proto tcp from $NATS to any port www -> $localhost port 3128


   #################
  ##  FTP Proxy  ##
 #################
no rdr on $LANS proto tcp from any to { 10.0.5.8 10.0.0.191 ftp.kingcountyjournal.com } port ftp
rdr pass on $LANS proto tcp from any to any port ftp -> $localhost port $ftpproxy

    ###############################
   ##  Block in all by default  ##
  ###############################
#pass in quick all
#pass out quick all

block in log on $WAN all

   ####################################
  ##  Pass pfsync and CARP packets  ##
 ####################################
pass quick on fxp4 proto pfsync
pass quick proto carp

   ####################################################
  ##  Pass certain things directly to the firewall  ##
 ####################################################
#DNS
pass in on $WAN proto { tcp udp } from any to port domain keep state

   ##################################
  ##  Block all RFC 1918 requests ##
 ##################################
antispoof for $WAN inet

   #######################################
  ##  Block outgoing SMTP connections  ##
 #######################################
pass in quick on $LANS inet proto tcp from $NATS to $mailservers port smtp
pass in quick on $LANS inet proto tcp from $NATS to $smtp port smtp
block in quick on $LANS inet proto tcp from $NATS to any port smtp

   #############################
  ##  New Mail server rules  ##
 #############################
pass in on $WAN inet proto tcp from any to $mailservers port { smtp, 2525, pop3, imap, www, ssh }

   #################################
  ##  Block nmap-style utilities  ##
 #################################
block in quick on $WAN inet proto tcp from any to any flags FUP/FUP

   ##########################################
  ##  Pass all to the loopback interface  ##
 ##########################################
pass in quick on $LOOPBACK all

pass in on $LOOPBACK inet proto tcp from any to $localhost port 8025 keep state


    ##################################
   ##         BLACKLIST!           ##
  ##  Do not let these people in  ##
 ##################################
table <blacklist> persist file "/etc/pf/blacklist.txt"
table <spyware> persist file "/etc/pf/spyware.txt"
table <phishers> persist file "/etc/pf/phishers.txt"

block log quick on $WAN inet from <blacklist> to any
block log quick on $WAN inet from <spyware> to any
block log quick on $WAN inet from <phishers> to any

   ####################################
  ##  misc Chris's unnamed machine  ##
 ####################################
pass in quick on $WAN proto tcp from { 168.85.177.4 168.212.143.159 } to $ghost port www keep state (max-src-states 50)
pass in on $WAN proto tcp from any to $ghost port { smtp www https } keep state
# NOTE: $chris is not defined anywhere in the ruleset as posted; pfctl rejects an undefined macro
pass in on $WAN proto tcp from any to $chris port { smtp www } keep state

   #######################
  ##  www5 web server  ##
 #######################
pass in on $WAN proto tcp from any to $www5 port { www smtp } keep state

   ###############################################
  ##  Pass to SMTP   ##
 ###############################################
pass in on $WAN proto tcp from any to $smtp port { ssh, 80, smtp, pop3, imap, 443, 628 } keep state
pass in on $WAN proto { tcp udp } from $www3 to $smtp port domain flags S/SA keep state

   ##################################
  ##  Allow ping to all machines  ##
 ##################################
pass in on $WAN proto icmp all
pass out on $WAN proto icmp all
pass in on $DMZ proto icmp all

   ######################
  ##  FTP Proxy stuff ##
 ######################
pass in on $WAN proto tcp from any port ftp-data to $WAN port { 55000 >< 57000 } flags S/SA keep state
pass in on $WAN inet proto tcp from any to any port > 49151 keep state

pass out on $WAN inet proto { tcp, udp } all keep state
pass out on $LANS inet proto { tcp, udp } all keep state
pass out on $LANS inet proto { tcp udp } from any to any port domain flags S/SA keep state

# NOTE: $smb is not defined anywhere in the ruleset as posted; pfctl rejects an undefined macro
pass out on $LANS proto { tcp udp } from any to any port $smb keep state
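Stuart's first suggestion is to find the rules that use `flags S/SA` with `keep state`, since those only match an initial SYN and so can never create state from a connection that is already established. The script below is an added example, not code from the thread or from pf; it parses a constructed excerpt written in the style of the posted ruleset (backslash continuations, comments, `flags X/Y`, `keep`/`modulate`/`synproxy state`) and reports which `pass` rules can only create state from a SYN. It assumes the pf behaviour of the era of this thread, where a stateful TCP rule without a `flags` clause creates state from any packet; current pf defaults TCP rules to `flags S/SA`, so on a modern system the second list would need the `flags any` form to mean what it means here.

```python
"""List pf pass rules that keep state but can only be matched by a SYN.

Added example, not code from the thread. Handles only the subset of pf.conf
syntax used here: line continuations, comments, 'flags X/Y' and the
'keep/modulate/synproxy state' clauses.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

STATE_RE = re.compile(r"\b(keep|modulate|synproxy)\s+state\b")
FLAGS_RE = re.compile(r"\bflags\s+(\S+)/(\S+)")


@dataclass
class RuleReport:
    text: str
    keeps_state: bool
    flags: Optional[str]   # e.g. "S/SA", or None when the rule has no flags clause
    syn_only: bool         # True when only an initial SYN can match the rule


def normalise(conf: str) -> List[str]:
    """Join backslash continuations, strip comments, collapse whitespace."""
    joined = conf.replace("\\\n", " ")
    rules = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(" ".join(line.split()))
    return rules


def analyse(conf: str) -> List[RuleReport]:
    """One report per pass rule; macros and block rules are skipped."""
    reports = []
    for rule in normalise(conf):
        if not rule.startswith("pass"):
            continue
        m = FLAGS_RE.search(rule)
        flags = f"{m.group(1)}/{m.group(2)}" if m else None
        # "S/SA": of the SYN and ACK bits, SYN must be set and ACK clear,
        # which is exactly the first packet of a three-way handshake.
        syn_only = bool(m) and "S" in m.group(1) and "A" in m.group(2) and "A" not in m.group(1)
        reports.append(RuleReport(rule, bool(STATE_RE.search(rule)), flags, syn_only))
    return reports


def syn_only_stateful(conf: str) -> List[str]:
    """Stateful rules that cannot admit a mid-stream packet of an unknown connection."""
    return [r.text for r in analyse(conf) if r.keeps_state and r.syn_only]


def stateful_any_packet(conf: str) -> List[str]:
    """Stateful rules that (on pf of this era) create state from any matching packet."""
    return [r.text for r in analyse(conf) if r.keeps_state and not r.syn_only]


# Constructed excerpt in the style of the posted ruleset (not the full file).
SAMPLE = """\
LAN1 = "fxp1"
pass in on $WAN proto { tcp udp } from $www3 to $smtp port domain \\
    flags S/SA keep state
pass out on $LANS inet proto { tcp, udp } all keep state
pass in on $WAN proto tcp from any to $www5 port { www smtp } keep state
block in log on $WAN all
pass in quick on $LOOPBACK all
"""

if __name__ == "__main__":
    print("SYN-only stateful rules:")
    for text in syn_only_stateful(SAMPLE):
        print("  ", text)
    print("stateful rules matched by any packet:")
    for text in stateful_any_packet(SAMPLE):
        print("  ", text)
```

Run it over the real `pf.conf` (read the file into `SAMPLE`) to get the list Stuart asks about; each rule in the first list is one where a connection whose SYN never crossed the firewall will fall through to whatever rule comes next.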

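The other half of the problem is what a host does with the Redirect itself. RFC 1122 (section 3.2.2.2) says a host should silently discard a Redirect unless it arrives from the host's current first-hop gateway for that destination and names a new gateway on the directly connected subnet, so a Redirect sent from a firewall's real address rather than the CARP address the host uses as its gateway will not be honoured by a host that follows the RFC. The following is an added example, not code from the thread: it builds a constructed ICMP Redirect, parses and checksum-verifies it, and applies that acceptance rule. The server, client and Cisco addresses (10.0.0.50, 10.1.0.20, 10.0.0.254) and the /16 mask are assumptions; 10.0.0.1 and 10.0.0.2 are the CARP and real addresses from the post.

```python
"""Parse an ICMPv4 Redirect and apply the RFC 1122 host acceptance rule.

Added example, not code from the thread. Addresses are constructed to mirror
the post: a LAN1 server whose gateway is the CARP address 10.0.0.1 receives a
Redirect sent from a firewall's real address 10.0.0.2. The Cisco address
(10.0.0.254), the end hosts and the /16 mask are assumptions.
"""
import ipaddress
import struct
from typing import Tuple

ICMP_REDIRECT = 5
REDIRECT_CODES = {0: "network", 1: "host", 2: "tos+network", 3: "tos+host"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum; returns 0 when run over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int = 6, length: int = 40) -> bytes:
    """Minimal 20-byte IPv4 header (no options), used only to build sample input."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, length, 0x1234, 0x4000, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_redirect(new_gateway: str, offending_datagram: bytes, code: int = 1) -> bytes:
    """Redirect = type 5, code, checksum, gateway, then IP header + 8 bytes of the datagram."""
    gw = ipaddress.IPv4Address(new_gateway).packed
    ihl = (offending_datagram[0] & 0x0F) * 4
    body = struct.pack("!BBH", ICMP_REDIRECT, code, 0) + gw + offending_datagram[: ihl + 8]
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]


def parse_redirect(msg: bytes) -> dict:
    """Validate type and checksum; return the new gateway and the destination redirected."""
    if len(msg) < 8 + 20 + 8:
        raise ValueError("ICMP Redirect too short")
    typ, code, _ = struct.unpack("!BBH", msg[:4])
    if typ != ICMP_REDIRECT:
        raise ValueError(f"not a Redirect (type {typ})")
    if inet_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    ihl = (msg[8] & 0x0F) * 4
    inner = msg[8 : 8 + ihl]
    return {
        "code": REDIRECT_CODES.get(code, str(code)),
        "new_gateway": str(ipaddress.IPv4Address(msg[4:8])),
        "destination": str(ipaddress.IPv4Address(inner[16:20])),
    }


def host_should_accept(redirect_src: str, first_hop_gateway: str,
                       connected_net: str, parsed: dict) -> Tuple[bool, str]:
    """RFC 1122 3.2.2.2: discard unless the sender is the current first-hop gateway
    and the new gateway lies on the directly connected subnet."""
    if ipaddress.IPv4Address(redirect_src) != ipaddress.IPv4Address(first_hop_gateway):
        return False, f"redirect from {redirect_src}, but first hop is {first_hop_gateway}"
    net = ipaddress.IPv4Network(connected_net, strict=False)
    if ipaddress.IPv4Address(parsed["new_gateway"]) not in net:
        return False, f"new gateway {parsed['new_gateway']} is not on {net}"
    return True, f"route {parsed['destination']} via {parsed['new_gateway']}"


# Constructed scenario: LAN1 server 10.0.0.50 answering a telnet client 10.1.0.20 on LAN2.
SERVER, CLIENT = "10.0.0.50", "10.1.0.20"
CARP_GATEWAY, FW_REAL_IP, CISCO = "10.0.0.1", "10.0.0.2", "10.0.0.254"  # CISCO is assumed
SAMPLE_DATAGRAM = ipv4_header(SERVER, CLIENT) + struct.pack("!HHI", 23, 40000, 1)
SAMPLE_REDIRECT = build_redirect(CISCO, SAMPLE_DATAGRAM)


def check_sample(redirect_src: str) -> Tuple[bool, str]:
    """Apply the acceptance rule for a Redirect that arrived from redirect_src."""
    return host_should_accept(redirect_src, CARP_GATEWAY, "10.0.0.0/16",
                              parse_redirect(SAMPLE_REDIRECT))


if __name__ == "__main__":
    print(parse_redirect(SAMPLE_REDIRECT))
    print(check_sample(FW_REAL_IP))    # rejected: sender is not the configured gateway
    print(check_sample(CARP_GATEWAY))  # accepted: sender matches the first-hop gateway
```

The same two checks are what to look for when capturing on a LAN1 server: a Redirect whose source is the real interface address of whichever firewall is master, not the CARP address the server routes through. Stuart's second suggestion, a static route on the LAN1 servers toward the Cisco for the remote subnets, removes the Redirect altogether.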