Re: pf - 1 firewall 2 wans

2007-04-30 Thread Johan Linner

Joel Knight wrote:

--- Quoting Johan L on 2007/04/25 at 14:31 +0200:


Hi,

We have two internet connections with 2 different firewalls that we want 
to merge into a new single pf-based firewall.

.
.
.



You should order a 4.1 CD, install it, and then do 'man pf.conf' and
then 'man route'. Look for the 'rtable' keyword in pf.conf and the -T
arg for route(8). Your requirements are a perfect use case for the new
multi routing table support in 4.1.




.joel



4.1 sets ordered over a month ago...
Yep, rtable/route -T seems to be exactly what we need. OpenBSD keeps 
making me happy over and over again :).

I will set up a test rig later this week and post back how it went.

/Johan



Re: pf - 1 firewall 2 wans

2007-04-27 Thread Joel Knight
--- Quoting Johan L on 2007/04/25 at 14:31 +0200:

> Hi,
> 
> We have two internet connections with 2 different firewalls that we want 
> to merge into a new single pf-based firewall.
> Connection 1 (wan1) will be used for NATing the internal network (lan) 
> to the outside world and access to a few internal servers.
> Connection 2 (wan2) will be used for the dmz (dmz), public servers.
> 
> wan1 212.105.x.37/32 gw: 212.105.x.2 ----|                  |
>                                          | openbsd 4.1/pf   |
>                                          | default gateway: |
>                                          | 213.106.x.2      |
> wan2 213.115.x.x/25 gw: 213.249.x.33 ----|                  |
>                                             |            |
>                                             |            |
>                                            lan          dmz
>                                      172.16.90.1/24  192.168.78.1/25
> 


You should order a 4.1 CD, install it, and then do 'man pf.conf' and
then 'man route'. Look for the 'rtable' keyword in pf.conf and the -T
arg for route(8). Your requirements are a perfect use case for the new
multi routing table support in 4.1.




.joel


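For readers who want to see what Joel's suggestion looks like in a ruleset: an added example (not part of the thread, and not Johan's posted config) of the rtable/route -T approach for the layout in the original post. Routing table 0 keeps wan1's default route and serves the lan; table 1 holds wan2's default route and is selected per rule for dmz traffic. Assumed, not stated in the thread: that a freshly created routing table in 4.1 contains no routes, so the connected networks have to be added to it by hand before the default route; that the rtable chosen by a rule is kept with the state so reply packets follow it; the address wan2 itself uses (the post elides it, written WAN2_ADDR below); and that 213.115.x.5 is the public address the post's rdr table refers to, since that is what the nat rule maps 192.168.78.5 to. Check each of these on the test rig before trusting it.

```pf
# Added example, not the poster's config: OpenBSD 4.1 pf.conf using the
# rtable keyword so dmz traffic is routed with table 1 (wan2) while the
# lan keeps table 0 (wan1, the system default).
lan="em0"
dmz="em1"
wan1="em2"
wan2="em3"

# Populate table 1 with route(8) before loading the ruleset (assumption:
# a new table in 4.1 is empty, so the connected nets are needed as well,
# and they must exist before the default route that points through them;
# WAN2_ADDR stands for wan2's own address, which the post does not give):
#   route -T 1 add -net 213.115.x.0/25 -iface WAN2_ADDR
#   route -T 1 add -net 192.168.78.0/25 -iface 192.168.78.1
#   route -T 1 add default 213.249.x.33
#   route -T 1 -n show          # confirm all three before going on

set skip on lo
scrub in

nat on $wan1 from $lan:network to any -> $wan1:0
nat on $wan2 from 192.168.78.5 to any -> 213.115.x.5
binat on $wan2 from 192.168.78.2 to any -> 213.115.x.1
rdr on $wan2 proto tcp from any to 213.115.x.5 port 80 -> 192.168.78.5

block in log
pass out quick
antispoof log quick for {$lan $dmz lo} inet

# Connections arriving on wan2 for the public servers. rtable 1 is
# recorded with the state these rules create (assumption for 4.1), so the
# replies coming back in on $dmz are looked up in table 1 and leave via
# wan2 instead of the table 0 default. Verify with "tcpdump -ni em2":
# no packets from 213.115.x.5 or 213.115.x.1 may ever appear on wan1.
pass in quick on $wan2 proto tcp from any to 192.168.78.5 port 80 rtable 1
pass in quick on $wan2 proto tcp from any to 192.168.78.2 \
    port {25 26 110 143 443 993} rtable 1

# Connections initiated by dmz hosts: forwarding lookup in table 1, so
# they exit wan2 and hit the nat/binat rules above. Traffic to the
# firewall's own dmz address is matched first and stays on table 0.
pass in quick on $dmz proto {tcp udp} from $dmz:network to $dmz
pass in quick on $dmz proto {tcp udp} from $dmz:network to ! $lan:network rtable 1

# lan traffic needs no rtable: table 0's default route already points at
# wan1, and the nat on $wan1 rule does the rest.
pass in quick on $lan inet proto {tcp udp} from $lan:network to any
pass in quick on $lan inet proto {tcp udp} from $lan:network to $dmz:network
```

Load it with "pfctl -nf /etc/pf.conf" first to catch syntax the installed pf does not accept (rtable is new in 4.1), then "pfctl -f". After a test connection from outside to 213.115.x.5:80, "pfctl -ss" should show the state on em3 and "pfctl -vsr" should show the hit counter of the rtable 1 rule incrementing; if the counter moves but replies still leave on em2, the rtable is not following the state and the dmz-side rule needs rtable 1 as well.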

pf - 1 firewall 2 wans

2007-04-25 Thread Johan L

Hi,

We have two internet connections with 2 different firewalls that we want 
to merge into a new single pf-based firewall.
Connection 1 (wan1) will be used for NATing the internal network (lan) 
to the outside world and access to a few internal servers.

Connection 2 (wan2) will be used for the dmz (dmz), public servers.

wan1 212.105.x.37/32 gw: 212.105.x.2 ----|                  |
                                         | openbsd 4.1/pf   |
                                         | default gateway: |
                                         | 213.106.x.2      |
wan2 213.115.x.x/25 gw: 213.249.x.33 ----|                  |
                                            |            |
                                            |            |
                                           lan          dmz
                                     172.16.90.1/24  192.168.78.1/25


I guess we have to use route-to and reply-to, but I'm not sure how to do it, 
or if there's a simpler solution using route.

Anyone out there running a similar solution who can share your experience?

Thanks,
Johan Linner

pf.conf so far:

lan="em0"
dmz="em1"
wan1="em2"
wan2="em3"
tcpp="{21 22 80 443 3306}"
udpp="{53 123}"

# (the <name> of each table, and the <name> references in the rdr, pass
# and overload options below, were stripped from the archived post)
table  const {213.115.x.5 213.115.x.6 213.115.x.7 213.115.x.11 213.115.x.126}

table  persist
table  persist file "/var/log/blacklist"

set skip on lo
set loginterface $wan2
set limit { states 256000, frags 64000 }
scrub in

nat on $wan1 from $lan:network to any -> $wan1:0
nat on $wan2 from 192.168.78.5 to any -> 213.115.x.5
binat on $wan2 from 192.168.78.2 to any -> 213.115.x.1
rdr on $wan2 proto tcp from any to  port 80 -> 192.168.78.5
rdr on $wan1 proto tcp to port 80 -> 172.16.90.2
rdr on $wan1 proto tcp to port 22 -> 127.0.0.1

block in log
pass out quick
antispoof log quick for {$lan lo} inet

# public servers
pass in quick on $wan2 proto tcp from any to 192.168.78.5 port 80
pass in quick on $wan2 proto tcp from any to 192.168.78.2 port {25, 26, 110, 143, 443, 993}

pass in quick on $dmz proto {tcp udp} from $dmz:network to ! $lan:network
# access to internal servers
pass in quick on $wan1 inet proto tcp from  to 172.16.90.2 port 80
pass in log on $wan1 inet proto tcp from any to 127.0.0.1 port 22 flags S/SA modulate state (max-src-conn-rate 4/40, overload  flush)


#lan
pass in quick on $lan inet proto tcp from $lan:network to any port $tcpp
pass in quick on $lan inet proto udp from $lan:network to any port $udpp
pass in quick on $lan inet proto {tcp udp} from $lan:network to $dmz

# ping ping
pass in inet proto icmp all icmp-type echoreq code 0 keep state

# no logging:
block return in quick on {$wan1 $wan2} proto tcp from any to any port 113
block in on {$wan1 $wan2} proto {udp tcp} from any to any port {135:139 
445 1434}
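The route-to/reply-to version that Johan was guessing at, as an added example (not from the post and not his config) for the same interfaces and addresses. It works on any pf release because it never consults a second routing table: reply-to pins the return path of connections that arrive on wan2, and route-to pushes dmz-initiated connections out wan2 before the nat/binat rules on $wan2 see them. Assumed: wan2's gateway is 213.249.x.33 as drawn, em3 is wan2 as in the macros, and 213.115.x.5 is the public address the post's rdr table refers to, since the nat rule maps 192.168.78.5 to it.

```pf
# Added example, not the poster's config: same layout, but the two WANs
# are kept apart with route-to/reply-to instead of a second routing table.
lan="em0"
dmz="em1"
wan1="em2"
wan2="em3"
wan2_gw="213.249.x.33"    # from the post's diagram

set skip on lo
scrub in

nat on $wan1 from $lan:network to any -> $wan1:0
nat on $wan2 from 192.168.78.5 to any -> 213.115.x.5
binat on $wan2 from 192.168.78.2 to any -> 213.115.x.1
rdr on $wan2 proto tcp from any to 213.115.x.5 port 80 -> 192.168.78.5

block in log
pass out quick
antispoof log quick for {$lan $dmz lo} inet

# Inbound on wan2: reply-to makes every reply packet of these states go
# out $wan2 through $wan2_gw instead of following the default route to
# wan1 (where they would leave with a 213.115.x source that wan1's ISP
# will treat as spoofed and drop).
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) proto tcp \
    from any to 192.168.78.5 port 80
pass in quick on $wan2 reply-to ($wan2 $wan2_gw) proto tcp \
    from any to 192.168.78.2 port {25 26 110 143 443 993}

# Outbound from the dmz. route-to applies to anything the rule matches,
# so traffic to the firewall's own dmz address is passed by an earlier
# rule without route-to; otherwise it would be pushed out wan2 too.
pass in quick on $dmz proto {tcp udp} from $dmz:network to $dmz
pass in quick on $dmz route-to ($wan2 $wan2_gw) proto {tcp udp} \
    from $dmz:network to ! $lan:network

# lan: the default route already points at wan1, so no policy routing
# is needed in this direction.
pass in quick on $lan inet proto {tcp udp} from $lan:network to any
pass in quick on $lan inet proto {tcp udp} from $lan:network to $dmz:network
```

To check it, connect from outside to 213.115.x.5:80 while "tcpdump -ni em2" runs on the firewall: if any packet sourced from 213.115.x.5 or 192.168.78.5 shows up on em2, the reply-to rule is not the one creating the state. "pfctl -vsr" shows which rules are being hit and "pfctl -ss" shows the rule number each state belongs to, which is usually enough to find the rule that matched first.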