I am in the process of seeting up a firewall for our datacenter. The
issue I am having is that I have setup the interfaces both internal
and external. So they are:
ext_if= 192.0.0.36 255.255.255.224
dmz_if= 10.1.12.1 255.255.255.0
The external gateway is 192.0.0.33
The issue I am having is I can ping internal and externals from the
firewall. But can not get out from my internal servers. I'm sure it
is something pretty simple I am over looking.
Also with the below rules when I have pf running and try to ssh to
internal boxes from the firewall I get:
ssh: connect to host 10.1.12.10 port 22: No route to host
Thanks for any insight!
-J
(My pf.conf)
# Here is my macros:
# Network 10.1.12.0/24 is my dmz, 10.1.10.0/24 and 10.1.11.0/24
# are my internal networks.
dmz = "10.1.12.0/24"
internal_net1 = "10.1.10.0/24"
internal_net2 = "10.1.11.0/24"
internal_nets = "{" $internal_net1, $internal_net2 "}"
dnsServer = "10.1.12.1" # fw does dns cache
web_servers = "{ 10.1.12.10, 10.1.12.11, 10.1.12.12 }"
web_servers_ext = "{ 192.0.0.40 }"
dmz_servers = "{" $web_servers, $dnsServer "}"
mail_server = "{ 10.1.12.100 }"
mail_server_ext = "{ 192.0.0.38 }"
controller = "{ 10.1.12.60 }"
controller_ext = "{ 192.0.0.45 }"
adminbox = "{ 10.1.12.50 }"
adminbox_ext = "{ 192.0.0.44 }"
ext_if = "vr0"
dmz_if = "re0"
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <blocklist> persist file "/etc/blacklist" file "/etc/spammers"
scrub in all
nat on $ext_if from any to any -> ($ext_if)
binat on $ext_if from $dnsServer to any -> $dnsExternalIp # nat external
traffic
binat on $ext_if from $web_servers to any -> $web_serv_ext
block log all
antispoof log quick for $ext_if inet
# block and log incoming packets from reserved address space and
# invalid addresses, they are either spoofed or misconfigured.
block in log quick on $ext_if from <rfc1918> to any
# Block and don't log stuff we don't want to log
block in quick on $ext_if proto { tcp, udp } from any to any \
port { 137:139, 1433:1434 }
block in log quick proto tcp from { <blocklist>, <spammers> } to any
# ------------------------------------
# General Policy
# ------------------------------------
pass on lo0 all keep state
pass out on $ext_if proto { tcp, udp } from $internal_nets to any keep state
pass proto icmp all icmp-type echoreq keep state # Allow ping everywhere
pass in proto { tcp, udp } from any to $dnsServer port domain keep state
pass in proto tcp from any to $dnsServer port smtp keep state flags S/SA
pass in proto tcp from any to { $int1_if, $int2_if, $dmz_servers, }
port ssh keep state
pass in proto tcp from any to { $controller_ext $adminbox_ext } port
445 keep state
# Load-balance across web nodes
rdr on $ext_if proto tcp from any to $web_servers_ext port 80 -> $web_servers \
round-robin sticky-address
#
# Allow VPN traffic
#
pass in proto esp from any to $ext_if
pass in proto udp from any to $ext_if port = 500 keep state
pass in on enc0 all
