Newbie Network/PF Question
I have been running OpenBSD as my home "router" for a couple of years now and everything has worked well thus far. However, this evening I added a second network interface to my router because I would like to add some hosts for testing on a separate network segment, and I am running into some difficulties.

My network is configured as follows:
gem0 - DHCP address and link to internet
rl0 - 10.66.66.1/24 - original home network segment
rl1 - 10.66.67.1/24 - new test network segment

From a host on the 10.66.66.1/24 network I am able to connect to 10.66.67.1 but no other host on that network segment. However, I am able to connect to any host on this segment from my OpenBSD router.

Here is my pf.conf:

#pf.conf jcsmith 2011-12-04
#macros
int_if0="rl0" #internal network interface for home network 10.66.66.0/24
int_if1="rl1" #internal network interface for test network 10.66.67.0/24
ext_if="gem0" #external (internet) network interface
allowed_services = "{ ssh }"
allowed_icmp = "{ echoreq, unreach }"

#options
set block-policy return
set loginterface $ext_if
set skip on lo

#match rules for nat
match out on egress inet from !(egress) to any nat-to (egress:0) scrub (no-df max-mss 1440)
match out on egress inet from !(egress) to any nat-to (egress:0) scrub (no-df max-mss 1440)

#filter rules
block in log #block all incoming traffic

antispoof quick for { $int_if0 $ext_if $int_if1 } label AntiSpoofFailed

pass in on $int_if0 # pass all incoming traffic on our internal interface
pass in on $int_if1 # pass all incoming traffic on our internal interface from the test network

pass in log on $ext_if inet proto tcp from any to ($ext_if) port $allowed_services # allow selected services in from the net

pass in on $ext_if inet proto icmp all icmp-type $allowed_icmp #allow some icmp traffic in from the net

pass out quick # allow outgoing traffic

I'm sure I'm just missing a quick setting in my pf configuration or somewhere else on the box. Any help is greatly appreciated.
Thanks,
--
Josh Smith
KD8HRX
email/jabber: juice...@gmail.com
phone: 304.237.9369(c)
Re: Newbie Network/PF Question
Joshua,

I would like the two networks to be able to talk directly to each other using plain old routing. However, I would like to be able to filter this traffic using PF in the future if I choose to, but the only traffic that should be natted is from either of these networks out to the internet.

Thanks,
--
Josh Smith
KD8HRX
email/jabber: juice...@gmail.com
phone: 304.237.9369(c)

On Tue, Jan 4, 2011 at 11:16 PM, joshua stein wrote:
>> My network is configured as follows:
>> gem0 - DHCP address and link to internet
>> rl0 - 10.66.66.1/24 - original home network segment
>> rl1 - 10.66.67.1/24 - new test network segment
>>
>> from a host on the 10.66.66.1/24 network I am able to connect to
>> 10.66.67.1 but no other host on that network segment. However I am
>> able to connect to any host on this segment from my openbsd router.
>
> do you want the traffic from 10.66.66.1/24 to 10.66.67.1/24 to be natted
> through 10.66.67.1 (using pf) or do you want the two networks to be able to
> talk directly to each other (using plain old routing)?
Re: Newbie Network/PF Question
Hi Josh,

I guess the problem is that everything matches your NAT rules. Try adding something like this before the match rules for nat:

pass in quick on $int_if0 from 10.66.66.0/24 to 10.66.67.0/24
pass out quick on $int_if0 from 10.66.67.0/24 to 10.66.66.0/24
pass in quick on $int_if1 from 10.66.67.0/24 to 10.66.66.0/24
pass out quick on $int_if1 from 10.66.66.0/24 to 10.66.67.0/24

Those rules should make pf "almost ignore" traffic between your two home networks. I don't know if it works, but give it a try.

BR,
Teemu

> #match rules for nat
> match out on egress inet from !(egress) to any nat-to (egress:0) scrub
> (no-df max-mss 1440)
> match out on egress inet from !(egress) to any nat-to (egress:0) scrub
> (no-df max-mss 1440)
>
>
> #filter rules
> block in log #block all incoming traffic
>
> antispoof quick for { $int_if0 $ext_if $int_if1 } label AntiSpoofFailed
>
> pass in on $int_if0 # pass all incoming traffic on our internal interface
> pass in on $int_if1 # pass all incoming traffic on our internal
> interface from the test network
>
> pass in log on $ext_if inet proto tcp from any to ($ext_if) port
> $allowed_services # allow selected services in from the net
>
> pass in on $ext_if inet proto icmp all icmp-type $allowed_icmp #allow
> some icmp traffic in from the net
>
> pass out quick # allow outgoing traffic
>
>
> I'm sure I'm just missing a quick setting in my pf configuration or
> somewhere else on the box.
>
> Any help is greatly appreciated.
>
>
> Thanks,
> --
> Josh Smith
> KD8HRX
> email/jabber: juice...@gmail.com
> phone: 304.237.9369(c)
Re: Newbie Network/PF Question
Josh Smith wrote:
> I have been running OpenBSD as my home "router" for a couple of years
> now and everything has worked well thus far. However this evening I
> added a second network interface to my router because I would like to
> add some hosts for testing on a separate network segment and am
> running into some difficulties.
>
> My network is configured as follows:
> gem0 - DHCP address and link to internet
> rl0 - 10.66.66.1/24 - original home network segment
> rl1 - 10.66.67.1/24 - new test network segment
>
> from a host on the 10.66.66.1/24 network I am able to connect to
> 10.66.67.1 but no other host on that network segment. However I am
> able to connect to any host on this segment from my openbsd router.
>

The one thing I tend to overlook is enabling IP forwarding:

$ sysctl | grep forward
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0
net.inet6.ip6.forwarding=1
net.inet6.ip6.mforwarding=0

Otherwise your best friends are probably ping and tcpdump ... -i pflog0 to see if PF is blocking anything.
Re: Newbie Network/PF Question
On 1/4/2011 at 10:57 PM Josh Smith wrote:
|
|pass in on $int_if0 # pass all incoming traffic on our internal interface
|pass in on $int_if1 # pass all incoming traffic on our internal interface from the test network
=

I have two internal subnetworks, one for standard frames and one for jumbo frames.

Instead of the two rules you cite, I use the following:

# macros
std_if = "em1"
jum_if = "em0"
loc_if = "lo0"

# let internal traffic flow unimpeded
pass quick on $loc_if
pass quick on $std_if
pass quick on $jum_if
Re: Newbie Network/PF Question
On Wed, Jan 5, 2011 at 10:14 AM, Mike. wrote:
> On 1/4/2011 at 10:57 PM Josh Smith wrote:
>
> |
> |pass in on $int_if0 # pass all incoming traffic on our internal
> interface
> |pass in on $int_if1 # pass all incoming traffic on our internal
> interface from the test network
> =
>
>
> I have two internal subnetworks, one for standard frames and one for
> jumbo frames.
>
> Instead of the two rules you cite, I use the following:
>
>
> # macros
> std_if = "em1"
> jum_if = "em0"
> loc_if = "lo0"
>
>
> # let internal traffic flow unimpeded
> pass quick on $loc_if
> pass quick on $std_if
> pass quick on $jum_if
>

"set skip" is probably more efficient.
Re: Newbie Network/PF Question
While we're piling on ...

I have three interfaces: vr0 is my internet (pppoe), vr1 and vr2 are my internal networks. This gives me a good mental picture ...

# packet filtering
block all

# pppoe0:network
pass out on pppoe0 inet from (pppoe0) to any
pass out on pppoe0 inet from vr1:network nat-to (pppoe0)
pass out on pppoe0 inet from vr2:network nat-to (pppoe0)

# vr1:network
pass in on vr1 inet from vr1:network to any
pass out on vr1 inet from vr1 to vr1:network
pass out on vr1 inet from vr2:network to vr1:network

# vr2:network
pass in on vr2 inet from vr2:network to any
pass out on vr2 inet from vr2 to vr2:network
pass out on vr2 inet from vr1:network to vr2:network

... add echo, port rules, etcetera as necessary.

I think that does pretty much what you want - my setup is ziggactly the same.

Best wishes.
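The following is an added example, not Josh's posted pf.conf and not the configuration of any poster in this thread. It puts the advice above together in Josh's own macros: traffic between the two LANs is plain routing and is passed explicitly (Teemu's quick rules, placed after antispoof so they cannot pass spoofed sources), only packets actually leaving on egress are NATed, and there is one obvious place to narrow the test network later. It assumes that gem0 carries the default route and is therefore in the "egress" interface group, and that hosts on both LANs use 10.66.66.1 and 10.66.67.1 respectively as their default gateway; the home_net and test_net macros are names introduced here.

```pf
# Added example: two internal LANs behind one OpenBSD router, NAT only
# towards the internet, inter-LAN traffic routed and filterable.
# Assumptions: gem0 is in the "egress" group (it has the default route),
# and the LAN hosts point their default route at this router.

#macros
int_if0 = "rl0"               # home network
int_if1 = "rl1"               # test network
ext_if  = "gem0"              # internet, DHCP
home_net = "10.66.66.0/24"    # assumed macro, not in Josh's config
test_net = "10.66.67.0/24"    # assumed macro, not in Josh's config
allowed_services = "{ ssh }"
allowed_icmp = "{ echoreq, unreach }"

#options
set block-policy return
set loginterface $ext_if
set skip on lo

#antispoof before any quick pass rule, so a packet claiming a home_net
#source that arrives on rl1 (or from the internet) is dropped first
antispoof quick for { $int_if0 $int_if1 $ext_if } label AntiSpoofFailed

#traffic between the two LANs: routed, never NATed
#(the nat-to rule below only matches packets leaving on egress, so this
#traffic would not be translated anyway; the quick rules make that
#explicit and give a single place to filter the test network later)
pass in quick on $int_if0 inet from $home_net to $test_net
pass in quick on $int_if1 inet from $test_net to $home_net
#to restrict the test network later, narrow the rl1 rule above and block
#the remaining inter-LAN traffic right here, for example:
#pass in quick on $int_if1 inet proto tcp from $test_net to $home_net port ssh
#block in quick log on $int_if1 inet from $test_net to $home_net

#nat: only for traffic that really leaves towards the internet
match out on egress inet from !(egress) to any nat-to (egress:0) scrub (no-df max-mss 1440)

#filter rules
block in log

pass in on $int_if0 inet from $home_net   # LAN to router and internet
pass in on $int_if1 inet from $test_net

pass in log on $ext_if inet proto tcp from any to ($ext_if) port $allowed_services
pass in on $ext_if inet proto icmp all icmp-type $allowed_icmp

pass out quick
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. If hosts on the two LANs still cannot reach each other, confirm `sysctl net.inet.ip.forwarding` reports 1, as mentioned earlier in the thread, and run `tcpdump -n -e -ttt -i pflog0` while testing: anything the `block in log` rule drops shows up there with the interface and rule number, which tells you whether PF or the hosts' routing is the problem.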
Re: Newbie Network/PF Question
On 1/5/2011 at 2:56 PM Axton wrote:
|On Wed, Jan 5, 2011 at 10:14 AM, Mike. wrote:
|
|> On 1/4/2011 at 10:57 PM Josh Smith wrote:
|>
|> |
|> |pass in on $int_if0 # pass all incoming traffic on our internal
|> interface
|> |pass in on $int_if1 # pass all incoming traffic on our internal
|> interface from the test network
|> =
|>
|>
|> I have two internal subnetworks, one for standard frames and one for
|> jumbo frames.
|>
|> Instead of the two rules you cite, I use the following:
|>
|>
|> # macros
|> std_if = "em1"
|> jum_if = "em0"
|> loc_if = "lo0"
|>
|>
|> # let internal traffic flow unimpeded
|> pass quick on $loc_if
|> pass quick on $std_if
|> pass quick on $jum_if
|>
|
|"set skip" is probably more efficient.
=

It's a very light-duty firewall, but I'll read up on your suggestion anyway.

Thanks.
Re: Newbie Network/PF Question
On 1/6/2011 at 10:40 AM Mike. wrote:
|On 1/5/2011 at 2:56 PM Axton wrote:
|
||On Wed, Jan 5, 2011 at 10:14 AM, Mike. wrote:
||
||> On 1/4/2011 at 10:57 PM Josh Smith wrote:
||>
||> |
||> |pass in on $int_if0 # pass all incoming traffic on our internal
||> interface
||> |pass in on $int_if1 # pass all incoming traffic on our internal
||> interface from the test network
||> =
||>
||>
||> I have two internal subnetworks, one for standard frames and one for
||> jumbo frames.
||>
||> Instead of the two rules you cite, I use the following:
||>
||>
||> # macros
||> std_if = "em1"
||> jum_if = "em0"
||> loc_if = "lo0"
||>
||>
||> # let internal traffic flow unimpeded
||> pass quick on $loc_if
||> pass quick on $std_if
||> pass quick on $jum_if
||>
||
||"set skip" is probably more efficient.
| =
|
|
|It's a very light-duty firewall, but I'll read up on your suggestion
|anyway.
|
|Thanks.
=

I read through the documentation, and it looks like I cannot use 'set skip' on my firewall. Set skip bypasses all pf processing for the interface noted, and I need pf to perform the ftp proxy processing on those two interfaces. So I'll keep the pass quick rules.

Thanks again for your comment, though. I learned something as I researched it.