Hello,
I have been lurking on the list for many months now. I was hoping that I
would learn enough that when the time came I would not need to asking any
stupid question, However my cunning plan has failed and here is my first
(hopefully last?) stupid question.
I set up a new OpenBSD 3.2 box this weekend. It has three interfaces.
Internal, External and wireless. The external interface is connected to a
cable modem as a dhcp client.
I have (it seems) gotten everything to work except for two items. The first
being important, the second just a nicety.
1. I have webserver on the internal LAN which listens on port 8000. I can
view the webserver internally by IP and by name (using LMHOST records). I
have not however been able to access the internal webserver from the
outside. I saw a post the weekend about name based virtualhosting on web
servers. This does not seem to apply to me as I have the server setup to
respond to IP and have no virtualdomains configured. So I guess my question
is do I have my redirect setup correctly, and if so where lies the problem?
2. (and this one really is not that important) I can not seem to get a
response to ICMP to outside addresses. I can ping both directions from the
firewall and I believe my pings are getting out, but the responses to not
return to the internal clients.
Thanks,
Darley
# OpenBSD: pf.conf,v 1.6 2002/06/27 07:00:43 fgsch Exp $
#
#
###----------------------------------------------------------------------
### MACROS - define interfaces: internet, intranet, wireless net
###
if_ext = "dc0"
if_int = "fxp0"
if_wir = "an0"
INT_Net="192.168.XX.XX/27"
WIFI_Net="192.168.YY.YY/27"
bad_ports = "69,135,137,138,139,445,524,548,1433,6000,31337,666,12345"
no_route = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
255.255.255.255/32 }"
###----------------------------------------------------------------------
### Optimization
###
#set optimization aggressive
#set timeout tcp.established 3600
#set timeout { tcp.opening 30, tcp.closing 120 }
#set limit { states 20000, frags 5000 }
###----------------------------------------------------------------------
### statistics logging on external interface
###
set loginterface $if_ext
set loginterface $if_wir
###----------------------------------------------------------------------
### NAT Gateways
###
nat on $if_ext from $INT_Net to any -> $if_ext
nat on $if_ext from $WIFI_Net to any -> $if_ext
# Redirect outside ports to internal servers
rdr on dc0 proto tcp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
rdr on dc0 proto udp from any to (dc0) port 8000 -> 192.168.XX.71 port 8000
###----------------------------------------------------------------------
### DEFAULT RULES
###
# INCOMING DEFAULT: block and normalize all
#scrub in on all
block in log all
# OUTGOING DEFAULT: block all
block out log all
# SPECIAL IMMEDIATE BLOCKS:
# block bad ports and external broadcasts
block in quick proto { udp,tcp } from any to any port { = $bad_ports }
block in quick on $if_ext from any to 255.255.255.255
block in quick on $if_wir from any to 255.255.255.255
# block weird tcp packets on WAN:
block in quick on $if_ext inet proto tcp from any to any flags FUP/FUP
block in quick on $if_ext inet proto tcp from any to any flags SF/SFRA
block in quick on $if_ext inet proto tcp from any to any flags /SFRA
# block weird tcp packets on WiFi:
block in quick on $if_wir inet proto tcp from any to any flags FUP/FUP
block in quick on $if_wir inet proto tcp from any to any flags SF/SFRA
block in quick on $if_wir inet proto tcp from any to any flags /SFRA
# don't allow anyone to spoof non-routeable addresses
block in quick on $if_ext from $no_route to any
block out quick on $if_ext from any to $no_route
###----------------------------------------------------------------------
### LOOPBACK
###
pass in quick on lo0 all
pass out quick on lo0 all
###----------------------------------------------------------------------
### EXTERNAL INTERFACE
###
# INCOMING: accept ssh
pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 22 flags
S/SA keep state
pass in quick on $if_ext proto tcp from any to $if_ext/24 port = 8000
# INCOMING DEFAULT: block all incoming
# OUTGOING: block non nated packets, pass the others
block out quick on $if_ext from !$if_ext/24 to any
pass out quick on $if_ext proto tcp from $if_ext/24 to any flags S/SA keep
state
pass out quick on $if_ext proto { udp } from $if_ext/24 to any keep state
# ICMP: ping
# remove next to block ping from Internet
pass in on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
pass out on $if_ext inet proto icmp all icmp-type 8 code 0 keep state
# OUTGOING DEFAULT: block all outgoing
###----------------------------------------------------------------------
### INTERNAL INTERFACE
###
# INCOMING: traffic to fw, accept ssh & dhcp only, block the rest
pass in quick on $if_int proto tcp from $if_int/27 to $if_int/27 port = 22
flags S/SA keep state
pass in quick on $if_int proto { tcp,udp } from $if_int/27 to $if_int/27
port = 67 keep state
block in quick on $if_int from any to $if_int/27
# INCOMING: frwd traffic to all destinations (except bad ports & broadcasts)
pass in quick on $if_int from $if_int/27 to any
# INCOMING DEFAULT: block the rest (spoofed packets...)
# OUTGOING: pass all.
pass out quick on $if_int proto { tcp,udp } from any to $if_int/27 keep
state
# ICMP: ping
pass out on $if_int inet proto icmp all icmp-type 8 code 0 keep state
###----------------------------------------------------------------------
### WIRELESS INTERFACE
###
# INCOMING: traffic to fw, accept ssh & dhcp only, block the rest
pass in quick on $if_wir proto tcp from $if_wir/27 to $if_wir/27 port = 22
flags S/SA keep state
pass in quick on $if_wir proto { tcp,udp } from $if_wir/27 to $if_wir/27
port = 67 keep state
block in quick on $if_wir from any to $if_wir/27
# INCOMING: frwd traffic to all destinations (except bad ports & broadcasts)
pass in quick on $if_wir from $if_wir/27 to any
# INCOMING DEFAULT: block the rest (spoofed packets...)
# OUTGOING: pass all.
pass out quick on $if_wir proto { tcp,udp } from any to $if_wir/27 keep
state
# ICMP: ping
