Hello list
I'm managing a campus router with 7 interfaces (4 are vlans for
different parts of the campus, 1 dmz, 1 internet and 1 link to university)
The network provider's rules forbid using NAT (we have plenty of IPs..
:-/ ).
And we have a strict network traffic policy (banned p2p etc.).
The DMZ contains a few hosts with binat rules in the main ruleset.
I created separate rulesets for every main direction and I'm loading
them at anchor points of the quite simple main ruleset.
In the main ruleset I have the global table definitions and a default deny
policy (block in log all) and:
table <ssh-ban> persist
block drop in log from <ssh-ban> to any
I have two problems:
I pass by default all incoming traffic on every interface and tag it.
And I'm creating states for outgoing packets on those interfaces for
allowed directions (and ports etc) as:
#external interface example anchor (file)
pass in on $extif tag ext
pass out on $extif inet proto tcp from any to any port $allowed_out \
    flags S/SA keep state tagged campus
.
pass in quick on $extif proto tcp from any to ($extif) port ssh \
    flags S/SA keep state \
    (max-src-conn-rate 3/30, overload <ssh-ban> flush global) tag ext
.
#internal interface example anchor (file)
pass in on $intif tag campus
pass out on $intif inet proto tcp from any to any port ssh flags S/SA \
    keep state tagged ext
########################################
now the fun part
every time I'm trying to load the ruleset I get:
#pfctl -f /etc/pf.conf
pfctl: warning: namespace collision with <ssh-ban> global table.
and the other issue:
in this setup, for the outgoing traffic only allowed traffic is passed
and states are created ($allowed_out macro),
but all incoming traffic is passed even if there are no rules in the
ruleset for the local interface (no pass out on $intif).
when I change the default deny in the beginning of the main ruleset to:
block log all
no traffic will be passed at all :-?
I want to pass incoming traffic and create states for outgoing traffic to
every allowed direction, so further communication would pass on the
incoming side too.
(floating state-policy)
##########################################
I think I understand something wrong about how PF works :(
Can you help me please?
Thank you
Peter
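The "namespace collision with <ssh-ban> global table" warning that pfctl prints is the one it emits when a table is defined with `table <name>` both in the main ruleset and again inside an anchor loaded from it, so the anchor's copy shadows the global one. The script below is an added example written for this page, not the poster's configuration: it joins backslash-continued rules, collects table definitions and references, and reports tables defined in both places, plus tables an anchor references that are defined nowhere. The main ruleset and anchor texts are constructed inline, and the anchor names `ext` and `campus` and the `load anchor ... from` paths are assumptions; `pfctl -nf /etc/pf.conf` remains the authority on what the real files do.

```python
import re

# Constructed sample input (not the poster's real files): a main ruleset that
# defines <ssh-ban> globally and an anchor file that defines the same table again.
MAIN_RULESET = """\
table <ssh-ban> persist
block in log all
block drop in log from <ssh-ban> to any
anchor ext
load anchor ext from "/etc/pf.ext.conf"
anchor campus
load anchor campus from "/etc/pf.campus.conf"
"""

ANCHOR_FILES = {
    "ext": """\
table <ssh-ban> persist
pass in on $extif tag ext
pass in quick on $extif proto tcp from any to ($extif) port ssh \\
    flags S/SA keep state \\
    (max-src-conn-rate 3/30, overload <ssh-ban> flush global) tag ext
""",
    "campus": """\
pass in on $intif tag campus
pass out on $intif inet proto tcp from any to any port ssh flags S/SA \\
    keep state tagged ext
""",
}

TABLE_DEF = re.compile(r'^\s*table\s+<([^>]+)>')
TABLE_REF = re.compile(r'<([^>]+)>')
LOAD_ANCHOR = re.compile(r'^\s*load\s+anchor\s+(\S+)\s+from\s+"([^"]+)"')


def _logical_lines(text):
    """Join backslash-continued lines so each rule is one string; drop # comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            out.append(buf.strip())
        buf = ""
    if buf.strip():
        out.append(buf.strip())
    return out


def table_definitions(text):
    """Names of tables defined with 'table <name> ...' in a ruleset text."""
    return {m.group(1) for line in _logical_lines(text)
            for m in [TABLE_DEF.match(line)] if m}


def table_references(text):
    """Names of tables used as <name> in rules, excluding the definitions themselves."""
    refs = set()
    for line in _logical_lines(text):
        if TABLE_DEF.match(line):
            continue
        refs.update(TABLE_REF.findall(line))
    return refs


def anchor_files_declared(main_text):
    """Map anchor name -> path from 'load anchor <name> from "<file>"' lines."""
    return {m.group(1): m.group(2) for line in _logical_lines(main_text)
            for m in [LOAD_ANCHOR.match(line)] if m}


def check_anchors(main_text, anchors):
    """
    anchors: mapping of anchor name -> ruleset text (constructed here; in practice
    read the files returned by anchor_files_declared()).
    Returns {'collisions': {anchor: tables defined both globally and in the anchor},
             'undefined':  {anchor: tables referenced but defined nowhere}}.
    """
    global_tables = table_definitions(main_text)
    collisions, undefined = {}, {}
    for name, text in anchors.items():
        local = table_definitions(text)
        dup = local & global_tables
        if dup:
            collisions[name] = dup
        missing = table_references(text) - local - global_tables
        if missing:
            undefined[name] = missing
    return {"collisions": collisions, "undefined": undefined}


if __name__ == "__main__":
    report = check_anchors(MAIN_RULESET, ANCHOR_FILES)
    for anchor, tables in report["collisions"].items():
        print(f"anchor {anchor}: table(s) {sorted(tables)} also defined in the main "
              "ruleset (pfctl warns: namespace collision with <name> global table)")
    for anchor, tables in report["undefined"].items():
        print(f"anchor {anchor}: table(s) {sorted(tables)} referenced but never defined")
    print("anchor files:", anchor_files_declared(MAIN_RULESET))
```

On the sample input the checker flags `ssh-ban` in the `ext` anchor, which is the situation the warning describes: define the table once in the main ruleset and only reference it (for example in the `overload <ssh-ban>` clause) from the anchors. The script says nothing about the second question; note only that whether `pass in on $extif tag ext` creates state without an explicit `keep state` depends on the PF version (OpenBSD 4.1 and later default pass rules to `keep state`, earlier releases do not), which changes what `block log all` lets back out.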