Re: passing to inside interface
On 2007/03/20 04:41, Lawrence Horvath wrote:
> I have the below rule set in my pf.conf, I am having the following
> problem, I need to be able to log into the firewall with ssh from
> outside, and nothing should be able to hit the firewall from inside,
> not even ping

You don't "pass out" anything, either directly or via keep state.
Also see the Notes section of bridge(4).
Re: passing to inside interface
On 20/03/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/03/20 04:41, Lawrence Horvath wrote:
> > I have the below rule set in my pf.conf, I am having the following
> > problem, I need to be able to log into the firewall with ssh from
> > outside, and nothing should be able to hit the firewall from inside,
> > not even ping
>
> You don't "pass out" anything, either directly or via keep state.
> Also see the Notes section of bridge(4).

Then why can I get to the servers on the inside of the FW? They don't have pass out, or keep state either.

-- 
-Lawrence
-Student ID 1028219
-CCNA
Re: passing to inside interface
On 2007/03/20 06:18, Lawrence Horvath wrote:
> On 20/03/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> > On 2007/03/20 04:41, Lawrence Horvath wrote:
> > > I have the below rule set in my pf.conf, I am having the following
> > > problem, I need to be able to log into the firewall with ssh from
> > > outside, and nothing should be able to hit the firewall from inside,
> > > not even ping
> >
> > You don't "pass out" anything, either directly or via keep state.
> > Also see the Notes section of bridge(4).

Ahh, I missed that you have a default "pass out" since your default blocks are only for inbound.

tcpdump on various interfaces (including pflog0 with the relevant log keywords added to pf.conf) will help you see how it works. Some things depend on which interface has the IP address. The advice in bridge(4) about passing/skipping traffic on one of the interfaces makes things easier to follow.
Re: passing to inside interface
Is there a way to tag the packets going to pflog? I can see the packets being blocked with tcpdump on /var/log/pflog, but I would like to know what rule is blocking them.

I changed my rules a little bit; here is the output of pfctl -s rules. I was hoping that explicitly defining some of these would help, but same result:

block return in log on xl0 all
block drop in log on xl1 all
pass in on xl0 inet from any to 192.168.25.253 keep state
pass in on xl1 inet from 192.168.25.253 to any keep state
pass out on xl0 all
pass out on xl1 all
pass in on xl0 inet from any to 192.168.25.33
pass in on xl1 inet from 192.168.25.33 to any
pass in on xl0 inet from any to 192.168.25.69
pass in on xl1 inet from 192.168.25.69 to any
pass in on xl0 inet from any to 192.168.25.84
pass in on xl1 inet from 192.168.25.64 to any
pass in on xl0 inet from any to 192.168.25.100
pass in on xl1 inet from 192.168.25.100 to any
pass in on xl0 inet from any to 192.168.25.201
pass in on xl1 inet from 192.168.25.201 to any
pass in on xl0 inet from any to 192.168.25.252
pass in on xl1 inet from 192.168.25.252 to any

On 20/03/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/03/20 06:18, Lawrence Horvath wrote:
> > On 20/03/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> > > On 2007/03/20 04:41, Lawrence Horvath wrote:
> > > > I have the below rule set in my pf.conf, I am having the following
> > > > problem, I need to be able to log into the firewall with ssh from
> > > > outside, and nothing should be able to hit the firewall from inside,
> > > > not even ping
> > >
> > > You don't "pass out" anything, either directly or via keep state.
> > > Also see the Notes section of bridge(4).
>
> Ahh, I missed that you have a default "pass out" since your default
> blocks are only for inbound.
>
> tcpdump on various interfaces (including pflog0 with the relevant log
> keywords added to pf.conf) will help you see how it works. Some things
> depend on which interface has the IP address.
>
> The advice in bridge(4) about passing/skipping traffic on one of the
> interfaces makes things easier to follow.

-- 
-Lawrence
-Student ID 1028219
-CCNA
Re: passing to inside interface
On 2007/03/20 09:24, Lawrence Horvath wrote:
> Is there a way to tag the packets going to pflog? I can see the
> packets being blocked with tcpdump on /var/log/pflog, but I would like
> to know what rule is blocking them.

If you use '-e' to tcpdump, it dumps the link-layer headers; on a pflog(4) interface this includes the rule number.
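An added example (not code from the thread) that applies the tip above: it pulls the rule number out of the pflog header that `tcpdump -e` prints and looks it up in the `pfctl -s rules` listing, so each blocked packet is reported with the rule text that dropped it. The pfctl dump is copied from the ruleset posted in this thread; the tcpdump lines, hosts and timestamps are constructed, and the parser assumes main-ruleset rules only (no anchors).

```python
import re

# Constructed sample of `pfctl -s rules` output, taken from the ruleset posted
# in this thread. pf numbers main-ruleset rules from 0 in this order
# (`pfctl -vvsr` shows the number as "@N" in front of each rule).
PFCTL_RULES = """\
block return in log on xl0 all
block drop in log on xl1 all
pass in on xl0 inet from any to 192.168.25.253 keep state
pass in on xl1 inet from 192.168.25.253 to any keep state
pass out on xl0 all
pass out on xl1 all
"""

# Constructed `tcpdump -n -e -ttt -i pflog0` lines (hypothetical hosts/times);
# with -e the pflog link-layer header carries the number of the matching rule.
PFLOG_LINES = """\
Mar 20 09:24:01.118263 rule 1/(match) block in on xl1: 192.168.25.40 > 192.168.25.253: icmp: echo request
Mar 20 09:24:03.551900 rule 1/(match) block in on xl1: 192.168.25.40 > 192.168.25.253: icmp: echo request
Mar 20 09:24:04.002115 rule 2/(match) pass in on xl0: 10.0.0.7.41023 > 192.168.25.253.22: S 2:2(0) win 65535
"""

# Accepts both the "rule 1/(match)" and the older "rule 1/0(match):" header form.
HDR = re.compile(r"rule (\d+)/\S*\(match\):?\s+(block|pass)\s+(in|out)\s+on\s+(\S+?):")

def rules_by_number(pfctl_output):
    """Map rule number -> rule text in `pfctl -s rules` order (main ruleset only)."""
    return dict(enumerate(pfctl_output.strip().splitlines()))

def explain(pflog_line, rules):
    """Return which rule pf applied to one logged packet, or None without a pflog header."""
    m = HDR.search(pflog_line)
    if not m:
        return None
    num = int(m.group(1))
    return {"rule": num, "action": m.group(2), "direction": m.group(3),
            "ifname": m.group(4),
            "text": rules.get(num, "<rule number not in this pfctl dump>"),
            "packet": pflog_line[m.end():].strip()}

def blocked_by_rule(pflog_output, pfctl_output):
    """Count blocked packets per rule text, so the rule doing the blocking stands out."""
    rules = rules_by_number(pfctl_output)
    counts = {}
    for line in pflog_output.splitlines():
        e = explain(line, rules)
        if e and e["action"] == "block":
            counts[e["text"]] = counts.get(e["text"], 0) + 1
    return counts
```

On a live box, feed it `pfctl -s rules` and `tcpdump -n -e -ttt -r /var/log/pflog` output instead of the constructed strings.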
Re: passing to inside interface
On 20/03/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> On 2007/03/20 09:24, Lawrence Horvath wrote:
> > Is there a way to tag the packets going to pflog? I can see the
> > packets being blocked with tcpdump on /var/log/pflog, but I would like
> > to know what rule is blocking them.
>
> If you use '-e' to tcpdump, it dumps the link-layer headers;
> on a pflog(4) interface this includes the rule number.

Switched to the below rules. It seems that it was ignoring the exterior interface, perhaps because it has no IP on it, or perhaps because it's in a bridge; not sure. In fact it seems to ignore all rules on the exterior interface completely. Could anyone shed some light on why that is, and how I can get it to pass through both interfaces' rules? Is it possible to put the IP on the bridge interface instead of one of the ether interfaces, in order to make the firewall IP independent of any one interface?

# pfctl -s rules
block return in log on xl0 all
block drop in log on xl1 all
pass in on xl1 inet from any to 192.168.25.253 keep state
pass out on xl0 all
pass out on xl1 all
pass in on xl0 inet from any to 192.168.25.33
pass in on xl1 inet from 192.168.25.33 to any
pass in on xl0 inet from any to 192.168.25.69
pass in on xl1 inet from 192.168.25.69 to any
pass in on xl0 inet from any to 192.168.25.84
pass in on xl1 inet from 192.168.25.64 to any
pass in on xl0 inet from any to 192.168.25.100
pass in on xl1 inet from 192.168.25.100 to any
pass in on xl0 inet from any to 192.168.25.201
pass in on xl1 inet from 192.168.25.201 to any
pass in on xl0 inet from any to 192.168.25.252
pass in on xl1 inet from 192.168.25.252 to any

-- 
-Lawrence
-Student ID 1028219
-CCNA
Re: passing to inside interface
On 3/20/07, Lawrence Horvath <[EMAIL PROTECTED]> wrote:
> On 20/03/07, Stuart Henderson <[EMAIL PROTECTED]> wrote:
> > On 2007/03/20 09:24, Lawrence Horvath wrote:
> > > Is there a way to tag the packets going to pflog? I can see the
> > > packets being blocked with tcpdump on /var/log/pflog, but I would like
> > > to know what rule is blocking them.
> >
> > If you use '-e' to tcpdump, it dumps the link-layer headers;
> > on a pflog(4) interface this includes the rule number.
>
> Switched to the below rules. It seems that it was ignoring the exterior
> interface, perhaps because it has no IP on it, or perhaps because it's
> in a bridge; not sure. In fact it seems to ignore all rules on the
> exterior interface completely. Could anyone shed some light on why that
> is, and how I can get it to pass through both interfaces' rules?

A bridge isn't an in/out paradigm like a router in the way you're thinking. Filter on one interface as suggested in http://www.openbsd.org/faq/faq6.html#Bridge and it's less hassle.

DS