subject:"What am I missing\? \(4\-leg setup\)"

Re: What am I missing? (4-leg setup)

2004-07-05 Thread RZR

Did that right after I had hit send.  I also found another problem I had 
with FTP:
..
# ISAKMPd
pass out on $wi_if proto esp keep state
pass in log on $wi_if inet proto udp from $wi_net \
to $wi_if port 500 keep state
pass out log on $wi_if inet proto udp from $wi_if \
to $wi_net port 500 keep state
# FTP - Proxy
pass in log on $ext_if inet proto tcp from any to $ext_if user proxy \
keep state queue(q_def, q_pri)
pass out log on $ext_if inet proto tcp from $ext_if to any user proxy \
keep state queue(q_def, q_pri)
pass out log on enc0 inet proto tcp from $wi_if to $wi_net user proxy \
keep state
pass out log on $int_if inet proto tcp from $int_if to $int_net user proxy \
keep state
..
-RZR

Jason Opperisano wrote:
the "teach a man to fish" response here is:  change your 'block all'
line to 'block log all' and then 'tcpdump -n -e -ttt -i pflog0' and see
what's getting blocked.
the "give a man a fish" response would involve something along the lines
of (possibly amongst other things):
  pass in on $sec_if from $wi_net tag WI_INET keep state
as an unrelated tip, you could also exploit the super-handy
'$if:network' syntax to avoid creating macros for your networks...
HTH...
-j
On Fri, 2004-07-02 at 22:15, RZR wrote:
Following the directions from 
http://openbsd.sfobug.org/faq/pf/tagging.html, plus a little tweaking to 
include access for ipsec laptops on $wi_if (isakmpd on firewall), I came 
up with this.
However, ALL access becomes blocked; namely
-access from the firewall out
-access to the firewall from the ipsec laptops
-access to DMZ boxes from the ipsec laptops.

I know I'm missing something (hopefully small).
Any help would be much appreciated.
-RZR
pf.conf ->
# macros
int_if = "fxp0"
wi_if = "fxp1"
dmz_if = "sk0"
sec_if = "enc0"
ext_if = "tun0"
int_net = "192.168.1.0/24"
wi_net = "192.168.2.0/24"
dmz_net = "172.16.1.0/24"
www_server = "172.16.1.2"
mail_server = "172.16.1.3"
table  persist file "/etc/spammers"
set loginterface $ext_if
### AltQueue
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
##
# classification -- classify packets based on the defined firewall
# policy.
#rdr on $ext_if proto tcp from  to port smtp \
#   tag SPAMD -> 127.0.0.1 port 8025
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $sec_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $DMZ_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to $ext_if port 22 \
-> $mail_server port 22
rdr on $ext_if proto tcp from any to $ext_if port 25 \
-> $mail_server port 25
rdr on $ext_if proto tcp from any to $ext_if port 80 \
-> $www_server port 80
rdr on $ext_if proto tcp from any to $ext_if port 443 \
-> $www_server port 443
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
block all
pass in on $int_if from $int_net tag LAN_INET keep state
pass in on $wi_if from $wi_net tag WI_INET keep state
pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
pass in on $wi_if from $wi_net to $dmz_net tag WI_DMZ keep state
pass in on $ext_if proto tcp to $www_server port {www, https} \
tag INET_DMZ keep state
pass in on $ext_if proto tcp to $mail_server port {ssh, smtp} \
tag INET_DMZ keep state

# policy enforcement -- pass/block based on the defined firewall policy.
pass in  quick on $ext_if tagged SPAMD keep state
pass out quick on $ext_if tagged LAN_INET keep state queue(q_def, q_pri)
pass out quick on $ext_if tagged WI_INET keep state queue(q_def, q_pri)
pass out quick on $dmz_if tagged LAN_DMZ keep state
pass out quick on $dmz_if tagged WI_DMZ keep state
pass out quick on $dmz_if tagged INET_DMZ synproxy state queue(q_def, 
q_pri) label "$dstaddr:$dstport" queue(q_def, q_pri)

Re: What am I missing? (4-leg setup)

2004-07-05 Thread Jason Opperisano

the "teach a man to fish" response here is:  change your 'block all'
line to 'block log all' and then 'tcpdump -n -e -ttt -i pflog0' and see
what's getting blocked.

the "give a man a fish" response would involve something along the lines
of (possibly amongst other things):

  pass in on $sec_if from $wi_net tag WI_INET keep state

as an unrelated tip, you could also exploit the super-handy
'$if:network' syntax to avoid creating macros for your networks...

HTH...

-j

On Fri, 2004-07-02 at 22:15, RZR wrote:
> Following the directions from 
> http://openbsd.sfobug.org/faq/pf/tagging.html, plus a little tweaking to 
> include access for ipsec laptops on $wi_if (isakmpd on firewall), I came 
> up with this.
> However, ALL access becomes blocked; namely
> -access from the firewall out
> -access to the firewall from the ipsec laptops
> -access to DMZ boxes from the ipsec laptops.
> 
> I know I'm missing something (hopefully small).
> 
> Any help would be much appreciated.
> -RZR
> 
> pf.conf ->
> # macros
> int_if = "fxp0"
> wi_if = "fxp1"
> dmz_if = "sk0"
> sec_if = "enc0"
> ext_if = "tun0"
> int_net = "192.168.1.0/24"
> wi_net = "192.168.2.0/24"
> dmz_net = "172.16.1.0/24"
> www_server = "172.16.1.2"
> mail_server = "172.16.1.3"
> 
> table  persist file "/etc/spammers"
> set loginterface $ext_if
> 
> ### AltQueue
> altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
> queue q_pri priority 7
> queue q_def priority 1 priq(default)
> 
> ##
> # classification -- classify packets based on the defined firewall
> # policy.
> #rdr on $ext_if proto tcp from  to port smtp \
> #   tag SPAMD -> 127.0.0.1 port 8025
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr on $sec_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> #rdr on $DMZ_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr on $ext_if proto tcp from any to $ext_if port 22 \
>  -> $mail_server port 22
> rdr on $ext_if proto tcp from any to $ext_if port 25 \
>  -> $mail_server port 25
> rdr on $ext_if proto tcp from any to $ext_if port 80 \
>  -> $www_server port 80
> rdr on $ext_if proto tcp from any to $ext_if port 443 \
>  -> $www_server port 443
> nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
> 
> block all
> pass in on $int_if from $int_net tag LAN_INET keep state
> pass in on $wi_if from $wi_net tag WI_INET keep state
> pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
> pass in on $wi_if from $wi_net to $dmz_net tag WI_DMZ keep state
> pass in on $ext_if proto tcp to $www_server port {www, https} \
>  tag INET_DMZ keep state
> pass in on $ext_if proto tcp to $mail_server port {ssh, smtp} \
>  tag INET_DMZ keep state
> 
> 
> # policy enforcement -- pass/block based on the defined firewall policy.
> pass in  quick on $ext_if tagged SPAMD keep state
> pass out quick on $ext_if tagged LAN_INET keep state queue(q_def, q_pri)
> pass out quick on $ext_if tagged WI_INET keep state queue(q_def, q_pri)
> pass out quick on $dmz_if tagged LAN_DMZ keep state
> pass out quick on $dmz_if tagged WI_DMZ keep state
> pass out quick on $dmz_if tagged INET_DMZ synproxy state queue(q_def, 
> q_pri) label "$dstaddr:$dstport" queue(q_def, q_pri)
> 

-- 
Jason Opperisano <[EMAIL PROTECTED]>

What am I missing? (4-leg setup)

2004-07-03 Thread RZR

Following the directions from 
http://openbsd.sfobug.org/faq/pf/tagging.html, plus a little tweaking to 
include access for ipsec laptops on $wi_if (isakmpd on firewall), I came 
up with this.
However, ALL access becomes blocked; namely
-access from the firewall out
-access to the firewall from the ipsec laptops
-access to DMZ boxes from the ipsec laptops.

I know I'm missing something (hopefully small).
Any help would be much appreciated.
-RZR
pf.conf ->
# macros
int_if = "fxp0"
wi_if = "fxp1"
dmz_if = "sk0"
sec_if = "enc0"
ext_if = "tun0"
int_net = "192.168.1.0/24"
wi_net = "192.168.2.0/24"
dmz_net = "172.16.1.0/24"
www_server = "172.16.1.2"
mail_server = "172.16.1.3"
table  persist file "/etc/spammers"
set loginterface $ext_if
### AltQueue
altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)
##
# classification -- classify packets based on the defined firewall
# policy.
#rdr on $ext_if proto tcp from  to port smtp \
#   tag SPAMD -> 127.0.0.1 port 8025
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $sec_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
#rdr on $DMZ_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to $ext_if port 22 \
-> $mail_server port 22
rdr on $ext_if proto tcp from any to $ext_if port 25 \
-> $mail_server port 25
rdr on $ext_if proto tcp from any to $ext_if port 80 \
-> $www_server port 80
rdr on $ext_if proto tcp from any to $ext_if port 443 \
-> $www_server port 443
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
block all
pass in on $int_if from $int_net tag LAN_INET keep state
pass in on $wi_if from $wi_net tag WI_INET keep state
pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
pass in on $wi_if from $wi_net to $dmz_net tag WI_DMZ keep state
pass in on $ext_if proto tcp to $www_server port {www, https} \
tag INET_DMZ keep state
pass in on $ext_if proto tcp to $mail_server port {ssh, smtp} \
tag INET_DMZ keep state

# policy enforcement -- pass/block based on the defined firewall policy.
pass in  quick on $ext_if tagged SPAMD keep state
pass out quick on $ext_if tagged LAN_INET keep state queue(q_def, q_pri)
pass out quick on $ext_if tagged WI_INET keep state queue(q_def, q_pri)
pass out quick on $dmz_if tagged LAN_DMZ keep state
pass out quick on $dmz_if tagged WI_DMZ keep state
pass out quick on $dmz_if tagged INET_DMZ synproxy state queue(q_def, 
q_pri) label "$dstaddr:$dstport" queue(q_def, q_pri)

Re: What am I missing? (4-leg setup)

Re: What am I missing? (4-leg setup)

What am I missing? (4-leg setup)

3 matches

Site Navigation

Mail list logo

Footer information