Re: What am I missing? (4-leg setup)

2004-07-05 Thread Jason Opperisano
the "teach a man to fish" response here is:  change your 'block all'
line to 'block log all' and then 'tcpdump -n -e -ttt -i pflog0' and see
what's getting blocked.

the "give a man a fish" response would involve something along the lines
of (possibly amongst other things):

  pass in on $sec_if from $wi_net tag WI_INET keep state

as an unrelated tip, you could also exploit the super-handy
'$if:network' syntax to avoid creating macros for your networks...

HTH...

-j

On Fri, 2004-07-02 at 22:15, RZR wrote:
 Following the directions from 
 http://openbsd.sfobug.org/faq/pf/tagging.html, plus a little tweaking to 
 include access for ipsec laptops on $wi_if (isakmpd on firewall), I came 
 up with this.
 However, ALL access becomes blocked; namely
 -access from the firewall out
 -access to the firewall from the ipsec laptops
 -access to DMZ boxes from the ipsec laptops.
 
 I know I'm missing something (hopefully small).
 
 Any help would be much appreciated.
 -RZR
 
 pf.conf -
 # macros
 int_if = fxp0
 wi_if = fxp1
 dmz_if = sk0
 sec_if = enc0
 ext_if = tun0
 int_net = 192.168.1.0/24
 wi_net = 192.168.2.0/24
 dmz_net = 172.16.1.0/24
 www_server = 172.16.1.2
 mail_server = 172.16.1.3
 
 table <spamd> persist file "/etc/spammers"
 set loginterface $ext_if
 
 ### AltQueue
 altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
 queue q_pri priority 7
 queue q_def priority 1 priq(default)
 
 ##
 # classification -- classify packets based on the defined firewall
 # policy.
 #rdr on $ext_if proto tcp from <spamd> to port smtp \
 #   tag SPAMD -> 127.0.0.1 port 8025
 rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 rdr on $sec_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 #rdr on $dmz_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
 rdr on $ext_if proto tcp from any to $ext_if port 22 \
  -> $mail_server port 22
 rdr on $ext_if proto tcp from any to $ext_if port 25 \
  -> $mail_server port 25
 rdr on $ext_if proto tcp from any to $ext_if port 80 \
  -> $www_server port 80
 rdr on $ext_if proto tcp from any to $ext_if port 443 \
  -> $www_server port 443
 nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
 
 block all
 pass in on $int_if from $int_net tag LAN_INET keep state
 pass in on $wi_if from $wi_net tag WI_INET keep state
 pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
 pass in on $wi_if from $wi_net to $dmz_net tag WI_DMZ keep state
 pass in on $ext_if proto tcp to $www_server port { www, https } \
  tag INET_DMZ keep state
 pass in on $ext_if proto tcp to $mail_server port { ssh, smtp } \
  tag INET_DMZ keep state
 
 
 # policy enforcement -- pass/block based on the defined firewall policy.
 pass in  quick on $ext_if tagged SPAMD keep state
 pass out quick on $ext_if tagged LAN_INET keep state queue(q_def, q_pri)
 pass out quick on $ext_if tagged WI_INET keep state queue(q_def, q_pri)
 pass out quick on $dmz_if tagged LAN_DMZ keep state
 pass out quick on $dmz_if tagged WI_DMZ keep state
 pass out quick on $dmz_if tagged INET_DMZ synproxy state \
  queue(q_def, q_pri) label "$dstaddr:$dstport"
 

-- 
Jason Opperisano [EMAIL PROTECTED]
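
The "block log all, then watch pflog0" step above is easier to act on when the logged drops are counted per interface/direction/flow rather than read one packet at a time. The script below is an added example, not part of the thread: it parses the `rule N/(reason) ACTION DIR on IFACE: SRC > DST:` header that `tcpdump -n -e -ttt -i pflog0` prints for each pflog record and tallies the flows. The sample lines it ships with are constructed to look like that output (the timestamp prefix and TCP option text are approximated and are not parsed); 192.168.2.10 as an IPsec laptop, 192.168.2.1 as the firewall's $wi_if address, and the 203.0.113.5/198.51.100.9 addresses are assumptions chosen to match the setup in the thread, not data from it.

```shell
#!/bin/sh
# Added example (not from the thread): reduce `tcpdump -n -e -ttt -i pflog0`
# output to "how often did the log rule hit this action/dir/iface/src/dst",
# so the flow that still lacks a pass rule stands out.
# Only the "rule N/(reason) ACTION DIR on IFACE: SRC > DST:" part of each
# line is parsed; whatever timestamp prefix your tcpdump prints is ignored.
# On the firewall:  tcpdump -n -e -ttt -i pflog0 | summarize_pflog
# (or record with `tcpdump -w` and feed `tcpdump -n -e -r file` later).

summarize_pflog() {
    awk '
    match($0, /rule [^ ]*\([a-z-]+\):? (block|pass) (in|out) on [^:]+:/) {
        hdr = substr($0, RSTART, RLENGTH)
        split(hdr, f, " ")              # f[3]=action f[4]=dir f[6]=iface
        iface = f[6]; sub(/:$/, "", iface)
        rest = substr($0, RSTART + RLENGTH)
        split(rest, g, " ")             # g[1]=src g[3]=dst (trailing colon)
        src = g[1]; dst = g[3]; sub(/:$/, "", dst)
        # tcpdump prints a TCP/UDP port as a fifth dotted component; drop the
        # (ephemeral) source port so retries of one flow collapse into one
        # line, but leave ICMP/ESP sources (four components, no port) alone.
        if (split(src, tmp, ".") == 5) sub(/\.[0-9]+$/, "", src)
        count[f[3] " " f[4] " on " iface " " src " > " dst]++
    }
    END { for (k in count) printf "%6d %s\n", count[k], k }
    ' | sort -rn
}

# Constructed sample of what "block log all" logs while an IPsec laptop
# (192.168.2.10, arriving decapsulated on enc0) tries the DMZ web server and
# the firewall itself, plus one DNS query the firewall sends out on tun0.
sample_pflog() {
    cat <<'EOF'
000000 rule 0/(match) block in on enc0: 192.168.2.10.49152 > 172.16.1.2.80: S 1:1(0) win 16384 <mss 1460> (DF)
003001 rule 0/(match) block in on enc0: 192.168.2.10.49153 > 172.16.1.2.80: S 2:2(0) win 16384 <mss 1460> (DF)
000410 rule 0/(match) block in on enc0: 192.168.2.10.49154 > 192.168.2.1.22: S 3:3(0) win 16384 <mss 1460> (DF)
002077 rule 0/(match) block out on tun0: 203.0.113.5.53001 > 198.51.100.9.53: udp 40
000512 rule 0/(match) block in on enc0: 192.168.2.10 > 172.16.1.2: icmp: echo request
EOF
}

# `sh thisfile --demo` prints the summary for the sample above.
if [ "${1:-}" = "--demo" ]; then
    sample_pflog | summarize_pflog
fi
```

Read the summary top-down: every "block in on enc0" line is a flow the laptops legitimately send that no `pass in on $sec_if` rule covers, and "block out on tun0" from the firewall's own address is the missing pass-out for the box itself. Source ports are stripped deliberately; if you need them (for example to tell an FTP data channel from control), delete the `split(src, tmp, ".")` line.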


Re: What am I missing? (4-leg setup)

2004-07-05 Thread RZR
Did that right after I had hit send.  I also found another problem I had 
with FTP:
..
# ISAKMPd
pass out on $wi_if proto esp keep state
pass in log on $wi_if inet proto udp from $wi_net \
to $wi_if port 500 keep state
pass out log on $wi_if inet proto udp from $wi_if \
to $wi_net port 500 keep state
# FTP - Proxy
pass in log on $ext_if inet proto tcp from any to $ext_if user proxy \
keep state queue(q_def, q_pri)
pass out log on $ext_if inet proto tcp from $ext_if to any user proxy \
keep state queue(q_def, q_pri)
pass out log on enc0 inet proto tcp from $wi_if to $wi_net user proxy \
keep state
pass out log on $int_if inet proto tcp from $int_if to $int_net user proxy \
keep state
..
-RZR


PF $if:network syntax with more than one interface IP.

2004-07-05 Thread Per-Olov Sjöholm
Hi!

I have used $if:network and $if:broadcast a lot to avoid specifying macros
with IP addresses. However, I have recently set myself up with a second public
IP on my internet interface. Now I see the limitations of this and have to go
back and specify the IPs directly in pf.conf (for the Internet interface),
as I don't want both my public IPs expanded in the ruleset. If I specify
$if:network, both addresses are expanded.


The question:
Is it possible to fix the interface à la Solaris, where you can specify
interfaces such as hme0:1, hme0:2 etc., so that there is a separate
interface name for each IP on the same physical interface? Then it would
still be possible to use the syntax above that I really like.



Thanks
Per-Olov