Re: What am I missing? (4-leg setup)
the teach a man to fish response here is: change your 'block all' line to 'block log all' and then 'tcpdump -n -e -ttt -i pflog0' and see what's getting blocked.

the give a man a fish response would involve something along the lines of (possibly amongst other things):

    pass in on $sec_if from $wi_net tag WI_INET keep state

as an unrelated tip, you could also exploit the super-handy '$if:network' syntax to avoid creating macros for your networks...

HTH...

-j

On Fri, 2004-07-02 at 22:15, RZR wrote:
Following the directions from http://openbsd.sfobug.org/faq/pf/tagging.html, plus a little tweaking to include access for ipsec laptops on $wi_if (isakmpd on firewall), I came up with this. However, ALL access becomes blocked; namely:
- access from the firewall out
- access to the firewall from the ipsec laptops
- access to DMZ boxes from the ipsec laptops

I know I'm missing something (hopefully small). Any help would be much appreciated.

-RZR

pf.conf:

    # macros
    int_if = fxp0
    wi_if = fxp1
    dmz_if = sk0
    sec_if = enc0
    ext_if = tun0
    int_net = 192.168.1.0/24
    wi_net = 192.168.2.0/24
    dmz_net = 172.16.1.0/24
    www_server = 172.16.1.2
    mail_server = 172.16.1.3

    table <spamd> persist file "/etc/spammers"

    set loginterface $ext_if

    ### AltQueue
    altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
    queue q_pri priority 7
    queue q_def priority 1 priq(default)

    ##
    # classification -- classify packets based on the defined firewall
    # policy.
    #rdr on $ext_if proto tcp from <spamd> to port smtp \
    #       tag SPAMD -> 127.0.0.1 port 8025
    rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    rdr on $sec_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    #rdr on $DMZ_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
    rdr on $ext_if proto tcp from any to $ext_if port 22 \
            -> $mail_server port 22
    rdr on $ext_if proto tcp from any to $ext_if port 25 \
            -> $mail_server port 25
    rdr on $ext_if proto tcp from any to $ext_if port 80 \
            -> $www_server port 80
    rdr on $ext_if proto tcp from any to $ext_if port 443 \
            -> $www_server port 443

    nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

    block all

    pass in on $int_if from $int_net tag LAN_INET keep state
    pass in on $wi_if from $wi_net tag WI_INET keep state
    pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
    pass in on $wi_if from $wi_net to $dmz_net tag WI_DMZ keep state
    pass in on $ext_if proto tcp to $www_server port {www, https} \
            tag INET_DMZ keep state
    pass in on $ext_if proto tcp to $mail_server port {ssh, smtp} \
            tag INET_DMZ keep state

    # policy enforcement -- pass/block based on the defined firewall policy.
    pass in quick on $ext_if tagged SPAMD keep state
    pass out quick on $ext_if tagged LAN_INET keep state queue(q_def, q_pri)
    pass out quick on $ext_if tagged WI_INET keep state queue(q_def, q_pri)
    pass out quick on $dmz_if tagged LAN_DMZ keep state
    pass out quick on $dmz_if tagged WI_DMZ keep state
    pass out quick on $dmz_if tagged INET_DMZ synproxy state \
            label $dstaddr:$dstport queue(q_def, q_pri)

-- 
Jason Opperisano
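An added example, not from the thread: a small parser for the 'tcpdump -n -e -ttt -i pflog0' output Jason suggests, tallying blocked packets per interface and direction so that an interface with no matching pass rule (enc0 in this setup) stands out. The sample lines are constructed to resemble the thread's 4-leg firewall; the pflog header text is assumed to follow tcpdump's "rule N/(match) block in on IF:" form.

```python
import re
from collections import Counter

# Matches the pflog header tcpdump prints with -e, e.g.
# "rule 0/(match) block in on enc0: 192.168.2.10.49152 > 172.16.1.2.80: ..."
# (assumed format; rule number, action, direction and interface are what we need).
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>\w+)\) (?P<action>block|pass) "
    r"(?P<dir>in|out) on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+):"
)

# Constructed sample capture: enc0 carries the ipsec laptops, tun0 is the
# external link, fxp0 the LAN. Rule 0 is the catch-all 'block log all'.
SAMPLE_LINES = """\
000000 rule 0/(match) block in on enc0: 192.168.2.10.49152 > 172.16.1.2.80: S 1:1(0) win 16384
000104 rule 0/(match) block in on enc0: 192.168.2.10.49153 > 192.168.2.1.22: S 2:2(0) win 16384
000037 rule 0/(match) block out on tun0: 198.51.100.7.10230 > 203.0.113.53.53: udp 38
000221 rule 3/(match) pass in on fxp0: 192.168.1.20.33000 > 172.16.1.3.25: S 3:3(0) win 16384
000009 rule 0/(match) block in on enc0: 192.168.2.11.49154 > 172.16.1.3.25: S 4:4(0) win 16384
garbage line that does not parse
"""

def parse_pflog(text):
    """Yield one dict per parsable pflog line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            yield m.groupdict()

def blocked_by_interface(text):
    """Count blocked packets per (interface, direction), as a plain dict."""
    counts = Counter()
    for rec in parse_pflog(text):
        if rec["action"] == "block":
            counts[(rec["iface"], rec["dir"])] += 1
    return dict(counts)

def interfaces_without_pass(text):
    """Interfaces seen only in block records: candidates for a missing pass rule."""
    seen_pass, seen_block = set(), set()
    for rec in parse_pflog(text):
        (seen_pass if rec["action"] == "pass" else seen_block).add(rec["iface"])
    return sorted(seen_block - seen_pass)

if __name__ == "__main__":
    for (iface, direction), n in sorted(blocked_by_interface(SAMPLE_LINES).items()):
        print("%s %s: %d blocked" % (iface, direction, n))
    print("interfaces with blocks but no passes:", interfaces_without_pass(SAMPLE_LINES))
```

On a live firewall, feed it the tcpdump output instead of SAMPLE_LINES; an interface that only ever appears in block records is the first place to look for the missing pass rule.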
Re: What am I missing? (4-leg setup)
Did that right after I had hit send. I also found another problem I had with FTP:

    ..
    # ISAKMPd
    pass out on $wi_if proto esp keep state
    pass in log on $wi_if inet proto udp from $wi_net \
            to $wi_if port 500 keep state
    pass out log on $wi_if inet proto udp from $wi_if \
            to $wi_net port 500 keep state

    # FTP - Proxy
    pass in log on $ext_if inet proto tcp from any to $ext_if user proxy \
            keep state queue(q_def, q_pri)
    pass out log on $ext_if inet proto tcp from $ext_if to any user proxy \
            keep state queue(q_def, q_pri)
    pass out log on enc0 inet proto tcp from $wi_if to $wi_net user proxy \
            keep state
    pass out log on $int_if inet proto tcp from $int_if to $int_net user proxy \
            keep state
    ..

-RZR
PF $if:network syntax with more than one interface IP.
Hi!

I have used $if:network and $if:broadcast much to avoid specifying macros with IP addresses. However... I have recently fixed me a second public IP on my internet interface. Now I see the limitations with this and have to go back and specify the IPs directly in pf.conf (for the Internet interface..) as I don't want both my public IPs expanded in the ruleset. If I specify $if:network, both addresses are expanded.

The question: Is it possible to fix the interface à la Solaris, where you can specify interfaces for example hme0:1, hme0:2 etc., where you have a separate interface name for each IP on the same physical interface? Then it would still be possible to use the syntax above that I really like.

Thanks
Per-Olov