I've been scratching my head over this one. Here is my pf.conf:
int_if = "em0"
dmz_if = "em1"
block log all
set skip on lo0
block log quick inet6
block in log quick on $int_if from ! <rfc1918> to any
block out log quick on $int_if from any to ! <rfc1918>
pass out log on $int_if inet proto tcp from $int_if:0 to 10.1.1.1 port ldap
pass in log on $dmz_if inet proto tcp from $dmz_if:network to $dmz_if:0 port ldap
pass in log on $dmz_if inet proto icmp from $dmz_if:network to $dmz_if:0
pass out log on $dmz_if inet proto icmp from $dmz_if:0 to $dmz_if:network
pass in log on $int_if inet proto icmp from <rfc1918> to $int_if:0
pass out log on $int_if inet proto icmp from $int_if:0 to <rfc1918>
pass in log on $int_if inet proto icmp from <rfc1918> to $dmz_if:network
pass out log on $dmz_if inet proto icmp from <rfc1918> to $dmz_if:network
pass in log on $dmz_if inet proto udp from $dmz_if:network to $dmz_if:0 port ntp
pass in log on $int_if inet proto tcp from <rfc1918> to { $int_if:0 $dmz_if:network } port ssh
pass out log on $dmz_if inet proto tcp from <rfc1918> to $dmz_if:network port ssh
pass out log on $dmz_if inet proto tcp from $int_if:0 to $dmz_if:network port ssh
pass out log on $int_if inet proto udp from $int_if:0 to <dns> port domain
pass out log on $int_if inet proto udp from $int_if:0 to <ntp> port ntp

The problem is that some rules end up out of order in the "pfctl -s rules"
output (note the icmp rules in particular):
0 block drop log all
1 block drop in log quick on em0 from ! <rfc1918> to any
2 block drop out log quick on em0 from any to ! <rfc1918>
3 block drop log quick inet6 all
4 pass in log on em0 inet proto icmp from <rfc1918> to 192.168.7.2
5 pass in log on em0 inet proto icmp from <rfc1918> to 192.168.8.0/24
6 pass in log on em0 inet proto tcp from <rfc1918> to 192.168.7.2 port = 22 flags S/SA
7 pass in log on em0 inet proto tcp from <rfc1918> to 192.168.8.0/24 port = 22 flags S/SA
8 pass out log on em0 inet proto udp from 192.168.7.2 to <dns> port = 53
9 pass out log on em0 inet proto udp from 192.168.7.2 to <ntp> port = 123
10 pass out log on em0 inet proto tcp from 192.168.7.2 to 10.1.1.1 port = 389 flags S/SA
11 pass out log on em0 inet proto icmp from 192.168.7.2 to <rfc1918>
12 pass out log on em1 inet proto icmp from 192.168.8.1 to 192.168.8.0/24
13 pass out log on em1 inet proto icmp from <rfc1918> to 192.168.8.0/24
14 pass out log on em1 inet proto tcp from <rfc1918> to 192.168.8.0/24 port = 22 flags S/SA
15 pass out log on em1 inet proto tcp from 192.168.7.2 to 192.168.8.0/24 port = 22 flags S/SA
16 pass in log on em1 inet proto tcp from 192.168.8.0/24 to 192.168.8.1 port = 389 flags S/SA
17 pass in log on em1 inet proto icmp from 192.168.8.0/24 to 192.168.8.1
18 pass in log on em1 inet proto udp from 192.168.8.0/24 to 192.168.8.1 port = 123

This is under OpenBSD 5.1. Am I misunderstanding something? Is some kind of
optimization taking place behind the scenes?
Andy
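An added example, not part of Andy's post: a small Python checker that expands pf.conf macros the way pfctl prints them and then compares the intended ruleset with `pfctl -s rules` output, reporting any rule that went missing, any unexpected rule, and which rules changed position, so a reordered ruleset can be verified rule by rule rather than eyeballed. The interface addresses and service ports it substitutes are assumptions taken from the output quoted above, and it runs on a constructed subset of the post's rules.

```python
import re
from collections import Counter

# Constructed: values pfctl substituted in the post (em0 = 192.168.7.2, em1 = 192.168.8.1/24).
EXPANSIONS = [("$dmz_if:network", "192.168.8.0/24"), ("$int_if:0", "192.168.7.2"),
              ("$dmz_if:0", "192.168.8.1"), ("$int_if", "em0"), ("$dmz_if", "em1")]
SERVICES = {"ldap": "389", "ssh": "22", "ntp": "123", "domain": "53"}

def expand(rule):
    """Split a rule with one { a b } list into one rule per element, as pfctl does."""
    m = re.search(r"\{\s*([^}]*?)\s*\}", rule)
    if not m:
        return [rule]
    return [rule[:m.start()] + item + rule[m.end():] for item in m.group(1).split()]

def normalize(rule):
    """Rewrite a pf.conf rule into the canonical text that `pfctl -s rules` prints."""
    for macro, value in EXPANSIONS:
        rule = rule.replace(macro, value)
    rule = re.sub(r"\bport (\w+)$", lambda m: "port = " + SERVICES.get(m[1], m[1]), rule)
    if rule.startswith("block "):       # pfctl prints the default block action and
        rule = "block drop" + rule[5:]  # an explicit "all" when no from/to is given
        rule += "" if " from " in rule or rule.endswith(" all") else " all"
    elif "proto tcp" in rule:           # pass rules on tcp get the default flags
        rule += " flags S/SA"
    return " ".join(rule.split())

def compare(conf_rules, loaded_rules):
    """Return (missing, extra, moved): conf rules not loaded, loaded rules not in conf,
    and (conf_index, loaded_index) pairs for rules whose position changed."""
    expected = [normalize(r) for raw in conf_rules for r in expand(raw)]
    loaded = [re.sub(r"^\d+\s+", "", line) for line in loaded_rules]
    missing = list((Counter(expected) - Counter(loaded)).elements())
    extra = list((Counter(loaded) - Counter(expected)).elements())
    moved = [(i, loaded.index(r)) for i, r in enumerate(expected)
             if r in loaded and loaded.index(r) != i]
    return missing, extra, moved

# Constructed sample: a subset of the post's pf.conf and of its pfctl -s rules output.
CONF = ["block log all", "block log quick inet6",
        "block in log quick on $int_if from ! <rfc1918> to any",
        "block out log quick on $int_if from any to ! <rfc1918>",
        "pass in log on $int_if inet proto icmp from <rfc1918> to $int_if:0",
        "pass in log on $int_if inet proto tcp from <rfc1918> to { $int_if:0 $dmz_if:network } port ssh"]
LOADED = ["0 block drop log all", "1 block drop in log quick on em0 from ! <rfc1918> to any",
          "2 block drop out log quick on em0 from any to ! <rfc1918>", "3 block drop log quick inet6 all",
          "4 pass in log on em0 inet proto icmp from <rfc1918> to 192.168.7.2",
          "5 pass in log on em0 inet proto tcp from <rfc1918> to 192.168.7.2 port = 22 flags S/SA",
          "6 pass in log on em0 inet proto tcp from <rfc1918> to 192.168.8.0/24 port = 22 flags S/SA"]
print(compare(CONF, LOADED))  # → ([], [], [(1, 3), (2, 1), (3, 2)])
```

An empty `missing` and `extra` with a non-empty `moved` is the signature of a reorder rather than a lost rule; moved entries that carry `quick` still deserve a manual look, since the relative order of quick rules can change which one fires.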