Group,

I have worked on the particular issues for some time (over 10 hours so
far), and have admitted I need some input to address the problem.

I have an interesting issue with a pf ruleset on OBSD 3.5 that I cannot
seem to overcome. Some basics:
- 4 interfaces (Internet, DMZ, LAN1, LAN2)
- nat and rdr rules work fine
- rules on external interface work fine
- rules for outgoing traffic work fine

Problem exists with controlling traffic from the DMZ to LAN1/LAN2. Here
is the DMZ ruleset:
####################################################
# BEGIN RULESET DMZ - NO SERVERS ON THIS NETWORK
####################################################

# Block traffic to Internal from DMZ
block in log on $dmz_if from $dmz_net to $lan_net
block in log on $dmz_if from $dmz_net to $cust_net

# Permit Traffic from LAN
pass out quick on $dmz_if proto tcp from $lan_net to $dmz_net keep state
pass out quick on $dmz_if proto {udp, icmp} from $lan_net to $dmz_net keep state
pass out quick on $dmz_if proto tcp from $cust_net to $dmz_net keep state
pass out quick on $dmz_if proto {udp, icmp} from $cust_net to $dmz_net keep state

# Permit outgoing DMZ connections
# pass in on $dmz_if proto {tcp, udp, icmp} from $dmz_net to any keep state
pass in quick on $dmz_if proto {tcp, udp, icmp} from $dmz_net to !<lan> keep state

# Permit outgoing DMZ Citrix to LAN connection
# Citrix Secure Gateway
pass in log quick on $dmz_if proto tcp from $csg_dmz to <ctrx_lan> port {80, 1494} keep state
pass in log quick on $dmz_if proto tcp from $csg_dmz to $at_sta port {80, 443} keep state
pass in log quick on $dmz_if proto tcp from $csg_dmz to <cus_ctrx> port 1494 keep state
pass in log quick on $dmz_if proto tcp from $csg_dmz to $cus_sta port {80, 443} keep state
# Citrix Web Interface
pass in log quick on $dmz_if proto tcp from $cwi_dmz to <ctrx_lan> port {80, 1494} keep state
pass in log quick on $dmz_if proto tcp from $cwi_dmz to $at_sta port {80, 443} keep state
pass in log quick on $dmz_if proto tcp from $cwi_dmz to <cus_ctrx> port 80 keep state
pass in log quick on $dmz_if proto tcp from $cwi_dmz to $cus_sta port {80, 443} keep state

# Anti-spoofing on DMZ interface
block in quick on $dmz_if from <reserved> to any
block out quick on $dmz_if from any to <reserved>

# Allow traffic for servers
# website
pass out quick on $dmz_if proto tcp from any to $at_web_dmz port 80 keep state
# email
pass out quick on $dmz_if proto tcp from any to $at_mail_dmz port {25, 80, 443, 993} keep state
# LCS
pass out quick on $dmz_if proto tcp from any to $lcs_dmz port {25, 80, 443} keep state
# Citrix Web Interface
pass out log quick on $dmz_if proto tcp from any to $cwi_dmz port {80, 443} keep state
# Citrix Secure Gateway
pass out log quick on $dmz_if proto tcp from any to $csg_dmz port 443 keep state
# email - server 2
pass out quick on $dmz_if proto tcp from any to $rgmail_dmz port {25, 80, 443, 993} keep state
# Website w/ ftp
pass out quick on $dmz_if proto tcp from any to $t_dmz port {21, 22, 80, 443, 222} keep state
pass out quick on $dmz_if proto tcp from any to $t_dmz port > 49151 keep state

# Block traffic to Internal from DMZ
# block in log on $dmz_if from $dmz_net to $lan_net
# block in log on $dmz_if from $dmz_net to $cust_net


As you can see, I have "block in log on $dmz_if from $dmz_net to
$lan_net" at the beginning and end of the section. The specific issue is
this:
- Traffic from the DMZ to LAN1/LAN2 for only the Citrix machines is to
be allowed
- All other direct traffic from the DMZ to LAN1/LAN2 should be blocked.

Currently, if the "block in log on $dmz_if from $dmz_net to $lan_net"
rule is left in play, then ALL traffic is blocked. This happens whether
the rule is placed at the start or at the end of the section (only the
rule number in pflog changes). If the rule is removed, then all traffic
between the networks is permitted.

I welcome all comments, suggestions, or advice.

My thanks in advance,

Justin Cluer
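As an added illustration (not part of Justin's post, and not pf's own code), here is a small Python model of the evaluation order pf applies to a ruleset shaped like the one above: rules are scanned top to bottom, the last matching rule decides, and a matching `quick` rule ends the scan. The addresses, table contents and rule labels are constructed stand-ins for the macros and tables in the post, and the rule list is a reduced version of the `in` rules on `$dmz_if`. Running a packet through the model tells you which rule ought to decide it under those semantics, which can be compared with the rule number pflog reports for the same packet.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses standing in for the post's macros and tables (assumptions).
DMZ_NET = ip_network("192.0.2.0/24")          # $dmz_net
LAN_NET = ip_network("10.1.0.0/16")           # $lan_net
CUST_NET = ip_network("10.2.0.0/16")          # $cust_net
LAN_TABLE = [LAN_NET, CUST_NET]               # <lan>
CSG_DMZ = ip_network("192.0.2.10/32")         # $csg_dmz
CTRX_LAN = [ip_network("10.1.0.50/32")]       # <ctrx_lan>


def in_set(addr, nets):
    """True if addr falls inside any listed network; None means 'any'."""
    return nets is None or any(addr in n for n in nets)


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    quick: bool = False               # a matching quick rule ends evaluation
    src: list = None                  # list of networks, None = any
    dst: list = None                  # list of networks, None = any
    negate_dst: bool = False          # models "to !<table>"
    ports: frozenset = frozenset()    # empty = any destination port
    label: str = ""                   # stands in for the rule number pflog shows

    def matches(self, src, dst, dport):
        if not in_set(src, self.src):
            return False
        dst_hit = in_set(dst, self.dst)
        if self.negate_dst:
            dst_hit = not dst_hit
        if not dst_hit:
            return False
        return not self.ports or dport in self.ports


def evaluate(rules, src, dst, dport):
    """pf semantics: scan every rule, the last match decides, quick stops the scan.
    Returns (action, label); with no match at all pf's implicit default is pass."""
    src, dst = ip_address(src), ip_address(dst)
    decision = ("pass", "default")
    for rule in rules:
        if rule.matches(src, dst, dport):
            decision = (rule.action, rule.label)
            if rule.quick:
                break
    return decision


def dmz_in_rules(block_quick=False):
    """Reduced shape of the post's 'in' rules on $dmz_if, in the post's order.
    block_quick=True shows what changes if the block rules carried 'quick'."""
    return [
        Rule("block", quick=block_quick, src=[DMZ_NET], dst=[LAN_NET],
             label="block-top"),
        Rule("pass", quick=True, src=[DMZ_NET], dst=LAN_TABLE, negate_dst=True,
             label="dmz-to-outside"),
        Rule("pass", quick=True, src=[CSG_DMZ], dst=CTRX_LAN,
             ports=frozenset({80, 1494}), label="csg-to-citrix"),
        Rule("block", quick=block_quick, src=[DMZ_NET], dst=[LAN_NET],
             label="block-bottom"),
    ]


if __name__ == "__main__":
    rules = dmz_in_rules()
    # Constructed sample packets: (source, destination, destination port)
    for pkt in [("192.0.2.10", "10.1.0.50", 1494),   # CSG host to a Citrix server
                ("192.0.2.20", "10.1.0.50", 445),    # other DMZ host to the LAN
                ("192.0.2.20", "198.51.100.5", 80)]: # DMZ host to the Internet
        print(pkt, "->", evaluate(rules, *pkt))
    print("block rules with quick:", evaluate(dmz_in_rules(True), "192.0.2.10", "10.1.0.50", 1494))
    print("block rules removed:   ", evaluate(rules[1:3], "192.0.2.20", "10.1.0.50", 445))
```

Under these semantics a non-`quick` block followed by a `quick` pass lets the pass win, and removing the block rules drops non-Citrix DMZ-to-LAN traffic through to the implicit default pass, which is the second symptom described in the post. When the real firewall logs a different rule than the model predicts for the same packet, the difference is in the macro or table contents (what `<lan>` and `<ctrx_lan>` actually expand to) rather than in rule order, so checking those with `pfctl -t <name> -T show` and `pfctl -sr` is the next step.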
