Group, I have worked on the particular issues for some time (over 10 hours so far), and have admitted I need some input to address the problem.
I have an interesting issue with a pf ruleset on OBSD 3.5 that I cannot seem to overcome. Some basics:

- 4 interfaces (Internet, DMZ, LAN1, LAN2)
- nat and rdr rules work fine
- rules on external interface work fine
- rules for outgoing traffic work fine

Problem exists with controlling traffic from the DMZ to LAN1/LAN2. Here is the DMZ ruleset:

####################################################
# BEGIN RULESET DMZ - NO SERVERS ON THIS NETWORK
####################################################

# Block traffic to Internal from DMZ
block in log on $dmz_if from $dmz_net to $lan_net
block in log on $dmz_if from $dmz_net to $cust_net

# Permit Traffic from LAN
pass out quick on $dmz_if proto tcp from $lan_net to $dmz_net keep state
pass out quick on $dmz_if proto {udp, icmp} from $lan_net to $dmz_net keep state
pass out quick on $dmz_if proto tcp from $cust_net to $dmz_net keep state
pass out quick on $dmz_if proto {udp, icmp} from $cust_net to $dmz_net keep state

# Permit outgoing DMZ connections
# pass in on $dmz_if proto {tcp, udp, icmp} from $dmz_net to any keep state
pass in quick on $dmz_if proto {tcp, udp, icmp} from $dmz_net to !<lan> keep state

# Permit outgoing DMZ Citrix to LAN connection
# Citrix Secure Gateway
pass in log quick on $dmz_if proto tcp from $csg_dmz to <ctrx_lan> port {80, 1494} keep state
pass in log quick on $dmz_if proto tcp from $csg_dmz to $at_sta port {80, 443} keep state
pass in log quick on $dmz_if proto tcp from $csg_dmz to <cus_ctrx> port 1494 keep state
pass in log quick on $dmz_if proto tcp from $csg_dmz to $cus_sta port {80, 443} keep state
# Citrix Web Interface
pass in log quick on $dmz_if proto tcp from $cwi_dmz to <ctrx_lan> port {80, 1494} keep state
pass in log quick on $dmz_if proto tcp from $cwi_dmz to $at_sta port {80, 443} keep state
pass in log quick on $dmz_if proto tcp from $cwi_dmz to <cus_ctrx> port 80 keep state
pass in log quick on $dmz_if proto tcp from $cwi_dmz to $cus_sta port {80, 443} keep state

# Anti-spoofing on DMZ interface
block in quick on $dmz_if from <reserved> to any
block out quick on $dmz_if from any to <reserved>

# Allow traffic for servers
# website
pass out quick on $dmz_if proto tcp from any to $at_web_dmz port 80 keep state
# email
pass out quick on $dmz_if proto tcp from any to $at_mail_dmz port {25, 80, 443, 993} keep state
# LCS
pass out quick on $dmz_if proto tcp from any to $lcs_dmz port {25, 80, 443} keep state
# Citrix Web Interface
pass out log quick on $dmz_if proto tcp from any to $cwi_dmz port {80, 443} keep state
# Citrix Secure Gateway
pass out log quick on $dmz_if proto tcp from any to $csg_dmz port 443 keep state
# email - server 2
pass out quick on $dmz_if proto tcp from any to $rgmail_dmz port {25, 80, 443, 993} keep state
# Website w/ ftp
pass out quick on $dmz_if proto tcp from any to $t_dmz port {21, 22, 80, 443, 222} keep state
pass out quick on $dmz_if proto tcp from any to $t_dmz port > 49151 keep state

# Block traffic to Internal from DMZ
# block in log on $dmz_if from $dmz_net to $lan_net
# block in log on $dmz_if from $dmz_net to $cust_net

As you can see, I have "block in log on $dmz_if from $dmz_net to $lan_net" at the beginning and end of the section. The specific issue is this:

- Traffic from the DMZ to LAN1/LAN2 for only the Citrix machines is to be allowed
- All other direct traffic from the DMZ to LAN1/LAN2 should be blocked.

Currently, if the "block in log on $dmz_if from $dmz_net to $lan_net" rule is left in play, then ALL traffic is blocked. This happens whether or not the rule is used at the start or end of the section (only the rule number in pflog changes). If the rule is removed, then all traffic between the networks is permitted.

I welcome all comments, suggestions, or advice.

My thanks in advance,
Justin Cluer
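The pf matching semantics the DMZ "in" rules above depend on (last matching rule wins, unless a matching rule is marked quick), shown as an added Python model that is not part of the original post and is not pf itself; the addresses are constructed documentation-range values standing in for the poster's macros and tables.

```python
"""Minimal model of pf's rule-matching semantics (OpenBSD pf.conf):
rules are evaluated top to bottom, the LAST matching rule decides,
except that a matching rule marked 'quick' ends evaluation at once.
If no rule matches at all, pf's default is to pass."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str                      # "pass" or "block"
    src: str                         # CIDR the source address must be inside
    dst: str                         # CIDR for the destination address
    quick: bool = False
    dst_negate: bool = False         # models pf's "to !<table>"
    proto: tuple = ("tcp", "udp", "icmp")
    ports: tuple = ()                # empty = any destination port

    def matches(self, proto, sip, dip, dport):
        in_dst = ip_address(dip) in ip_network(self.dst)
        return (proto in self.proto
                and ip_address(sip) in ip_network(self.src)
                and (in_dst != self.dst_negate)
                and (not self.ports or dport in self.ports))

def evaluate(rules, proto, sip, dip, dport=0):
    """Return the action pf would take for one inbound packet."""
    winner = "pass"            # pf's implicit default when nothing matches
    for r in rules:
        if r.matches(proto, sip, dip, dport):
            winner = r.action  # last match so far decides ...
            if r.quick:
                break          # ... unless it is quick: stop right here
    return winner

# Constructed addresses (RFC 5737 ranges) standing in for the poster's
# $dmz_net, <lan>, $csg_dmz and <ctrx_lan>.
DMZ, LAN = "192.0.2.0/24", "198.51.100.0/24"
CSG_DMZ, CTRX_LAN = "192.0.2.10/32", "198.51.100.20/32"

def dmz_ruleset(block_quick=False):
    """Shape of the poster's DMZ 'in' rules: a non-quick block first, then
    quick passes. block_quick=True shows what 'block ... quick' first would do."""
    return [
        Rule("block", DMZ, LAN, quick=block_quick),
        Rule("pass", DMZ, LAN, quick=True, dst_negate=True),          # to !<lan>
        Rule("pass", CSG_DMZ, CTRX_LAN, quick=True, proto=("tcp",),
             ports=(80, 1494)),                                       # Citrix
    ]
```

Under these semantics the non-quick block only decides for DMZ-to-LAN flows that no later quick pass matches, which is why moving it to the end of the section changes nothing but the rule number; giving it quick would instead override the Citrix passes.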