Subject says it. I'm trying to bring up a new firewall with OpenBSD 3.8
+ pf to replace the aging Linux one here, and something is not clicking
for me between the ears. Right now all I'm trying to do is get NATing
working between the internal network and the internet, but I'm not even
getting that far. For some reason my initial "nat pass" rules never
kick off and the default block rule snarfs the return packets coming
back from the net. At least that's what tcpdump seems to be trying to
tell me.

Setup is simple: internal net with static IPs at 192.168.0.x, external
link to the internet with a single static IP. Firewall has xl0 at the
net and xl1 on the internal net at 192.168.0.128. Working backwards,
here's what I'm seeing from tcpdump when I try to make a simple HTTP
request from the internal net and get a reply back:

# tcpdump -n -e -ttt -i pflog0
tcpdump: listening on pflog0, link-type PFLOG
Dec 13 12:41:02.4133 rule 20/(match) block out on xl1: 64.33.534.90.80
> 192.168.0.129.1110: [|tcp]
etc...

Here's the (simplified) pf.conf:

----------------
ext_if = "xl0"
good_if = "xl1"

ext_ip0 = "64.81.173.10"
ext_ip1 = "64.81.173.11"
good_net = "192.168.0.128/26"
good_gw = "192.168.0.128"

# all addresses the firewall itself answers on
table <firewall_ips> const { $good_gw, $ext_ip0, $ext_ip1 }

# policies / runtime options
set loginterface $good_if
set debug loud
set state-policy if-bound

# scrub
scrub in on $ext_if all

# Rule 1 (NAT) translate source address for outgoing connections
nat pass on $ext_if proto { tcp udp icmp } from $good_net to any -> $ext_ip0

# antispoof
pass quick on lo0 all label "pass any->loopback"
antispoof log quick for { $good_if $ext_if } inet label "block antispoof"

# Rule 1.5 get stuff in to the firewall for NATing
pass in quick on $good_if inet from $good_net to any

# Rule 2 (global) All other attempts to connect to the firewall itself
# from other than the good network are denied and logged.
block in log quick inet from any to <firewall_ips> label "block in other->fw_any"

# Rule 7 (global) Provide for outgoing traffic
pass out quick on $ext_if proto tcp all modulate state flags S/SA label "pass out ext"
pass out quick on $ext_if proto { udp icmp } all keep state label "pass out ext"
pass out quick on $good_if proto tcp from any to $good_net modulate state flags S/SA label "pass out good"
pass out quick on $good_if proto udp from any to $good_net keep state label "pass out good"

# Rule 99 (global) Anything that falls through is denied and logged.
block in  log  quick inet all label "block in (default)"
block out log  quick inet all label "block out (default)"

-------------

BTW, the "rule 20" referred to in the tcpdump is the final "block out"
rule.

I actually don't know why I even need the rule #7 rules at all - I
would have expected the "nat pass" to have taken care of the outgoing
NATable traffic. Regardless, now that they're there, I can't understand
why they're getting evaluated (I can see this from pfctl -sa) but not
catching the return traffic, and letting it fall through to the default
block rule.

So, again, I think I'm missing something basic here. Help?

thanks ---jon---
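Editor's note and example, added here and not taken from the post above or from any reply to it. The pflog line is consistent with a known interaction of two settings in the posted ruleset, and the reading below is an assumption on that basis: `set state-policy if-bound` binds each state to the interface it was created on, and the `pass in quick on $good_if ...` rule creates no state (in pf 3.8, `keep state` is not implied). The HTTP request therefore enters xl1 statelessly, gets its state only on xl0 (from `nat pass` and the `pass out ... modulate state` rule), and the reply that pf admits on xl0 then arrives at xl1 outbound with no xl1-bound state to match. It is re-evaluated against the filter rules, where `pass out quick on $good_if proto tcp ... flags S/SA` matches only a bare SYN, so the SYN/ACK falls through to the final `block out` rule, which is rule 20 in the log. That also explains why the rule 7 rules are evaluated yet never catch the return traffic. The fragment below keeps the post's interface names and addresses and shows two independent ways to close the gap; either one is enough on its own.

```pf
# Added example (editor's, not the poster's or a reply's ruleset).
# Names and addresses are the ones from the post; the diagnosis
# (if-bound states plus a stateless inbound rule) is an assumption.

ext_if = "xl0"
good_if = "xl1"
ext_ip0 = "64.81.173.10"
good_net = "192.168.0.128/26"

# Option A: let one state cover both interfaces. "floating" is pf's
# default; with "if-bound" the state created on xl0 is not consulted
# when the same connection's reply is filtered outbound on xl1.
set state-policy floating

scrub in on $ext_if all

# Translation rule, unchanged from the post. "nat pass" already passes
# the translated packets on xl0, so no separate "pass out" on $ext_if is
# needed for NATed traffic (only for connections the firewall itself
# originates).
nat pass on $ext_if proto { tcp udp icmp } from $good_net to any -> $ext_ip0

# Option B (sufficient even with "set state-policy if-bound"): create the
# state on the internal interface from the first inbound packet, so the
# reply leaving xl1 matches that state instead of being checked against a
# "pass out ... flags S/SA" rule that only a SYN can satisfy.
pass in quick on $good_if inet proto tcp from $good_net to any flags S/SA keep state
pass in quick on $good_if inet proto { udp icmp } from $good_net to any keep state

# Replies now match existing states before any rule is evaluated, so no
# "pass out" rule on $good_if is required for them; the default block
# rules remain the catch-all and still log anything unexpected.
block in  log quick inet all label "block in (default)"
block out log quick inet all label "block out (default)"
```

Checking the effect: after loading with `pfctl -f`, `pfctl -ss` should show the HTTP connection's state entries and `tcpdump -n -e -ttt -i pflog0` should no longer report rule-20 blocks for the SYN/ACK on xl1.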
