#1   22nd August 2011
tomp (Real Name: Tom Purvis)
Join Date: Aug 2011
Location: Colorado
Posts: 17

why won't my table work?

I've been working on understanding rules in pf.conf and I've made some progress, but I don't pretend to really get it all yet. I've been trying to define some groupings among our users in order to allow traffic from only some users to some ports. My basic plan is to have rank and file users be served DHCP addresses from the firewall box, and have blocks of static addresses that will be given privileges as needed. Tables of IP addresses stored in files seems like the cleanest way to define these groupings.

Problem is that I can't seem to make a simple example work.

I've set up a closed test network, one PC with an http server, a site at port 80 and another at 81. That machine sits on the "outside" lan connected to my firewall's rl0 NIC, the other one which is serving as client sits on the inside on rl1.

I want "everyone" to be able to get to port 80 on the outside, but only developers to be able to get to 81.

Here's my pf.conf, currently not working:

Code:
#       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
#  RockyMountainTrail.com Packet Filter Config File: Aug 18, 2011
ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ 80 }"
tcp_services_dev="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync }"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="echoreq"
table <developers> persist file "/etc/developers"
#table <developers> { 192.168.0.10 }
# begin settings
set block-policy drop
set skip on lo
antispoof quick for $ext_if
# This is the NAT line:
match out on $ext_if from $localnet nat-to ($ext_if)
block log on $ext_if all
pass out inet proto tcp from <developers> to port $tcp_services_dev keep state
pass out inet proto { tcp, udp } from { self, $localnet } to port $tcp_services
pass inet proto { tcp, udp } from $outsidenet to $localnet port $netbios_services
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types
# allow sh to come in from "outside"
pass in proto tcp from $outsidenet to $ext_if port { ssh }

I tried making the <developers> table a simple single IP address (you can see that attempt commented out; it did not work either). Developers contains:

Code:
192.168.0.8
192.168.0.9
192.168.0.10
Sorry if this is a totally stupid mistake. I have a feeling that it is and I don't want to waste anybody's time, but I'm just not finding anything that points me to what's wrong. And I've spent a stupid amount of time trying to figure it out. (Some of the rules you see are based on wild-ass guesses from multiple attempts to conjure a solution out of what the log is spitting out as the connection request for port 81 fails).

Thanks as always.
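Added example (an editor's rewrite of the file above, not tomp's own working config and not a reply from the thread). The reason the table never matches is the position of the check, not the table: `match out on $ext_if ... nat-to ($ext_if)` rewrites the source address, and pf.conf(5) (TRANSLATION) states that subsequent rules see packets as they look after translation, so by the time `pass out ... from <developers>` is evaluated on rl0 the source is rl0's own address. That is also why the port-80 rule works: its `from { self, $localnet }` matches the translated source through `self`. The fix below decides the per-user policy inbound on $int_if, where the source is still the client's real address, and carries the decision to $ext_if with a tag. Interface names, ports, the table file, and the service list are taken from the post; the tag names DEV_OK and WEB_OK are assumptions.

```conf
#  Added example: per-user filtering done on $int_if before NAT, carried to
#  $ext_if by tag. Not the original poster's config.
ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ 80 }"
tcp_services_dev="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync }"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="echoreq"

# /etc/developers (the file from the post): one address or CIDR block per
# line, '#' comments allowed. "persist" keeps the table even when no rule
# references it, so "pfctl -t developers -T add/delete" keeps working.
table <developers> persist file "/etc/developers"

set block-policy drop
set skip on lo
antispoof quick for $ext_if

# NAT. Every rule evaluated after this one on $ext_if sees the source
# already rewritten to $ext_if's address, so "from <developers>" can never
# match here. That is the bug in the posted file.
match out on $ext_if from $localnet nat-to ($ext_if)

# Default deny on the outside interface only (as in the post); the inside
# interface stays open by default so DHCP from the firewall keeps working.
block log on $ext_if all

# Per-user policy is decided inbound on $int_if, where the packet still
# carries the client's real source address. The tag is attached to the
# packet and to the state it creates, so later packets carry it too.
pass in on $int_if inet proto tcp from <developers> to port $tcp_services_dev tag DEV_OK
pass in on $int_if inet proto tcp from $localnet to port $tcp_services tag WEB_OK

# On $ext_if only the tag is consulted; the (translated) address is not.
# Untagged port-81 traffic from non-developers hits the block above.
pass out on $ext_if inet proto tcp tagged DEV_OK
pass out on $ext_if inet proto tcp tagged WEB_OK

# The firewall's own web traffic: source is $ext_if itself, never NATed.
pass out on $ext_if inet proto tcp from ($ext_if) to port $tcp_services

# Remaining rules as in the post.
pass inet proto { tcp, udp } from $outsidenet to $localnet port $netbios_services
pass inet proto { tcp, udp } to port $udp_services
pass inet proto icmp all icmp-type $icmp_types
# allow ssh to come in from "outside"
pass in proto tcp from $outsidenet to $ext_if port ssh
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and confirm the table actually loaded with `pfctl -t developers -T show`; an empty listing means the file was not read, not that the rule is wrong. After a developer connects to port 81, `pfctl -ss` should show two states for the connection, one created inbound on rl1 with the client's address and one created outbound on rl0 with the translated source: forwarded traffic is evaluated separately on each interface, which is exactly what makes the tag necessary. Blocked packets are still readable with `tcpdump -n -e -ttt -i pflog0`.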