Old 20th January 2012
scrummie02
Port Guard
Join Date: Nov 2011
Posts: 27
Bridging firewall with OpenBSD 5.0

I have a switch with multiple VLANs with a DMZ. I have some servers that need protecting within the DMZ, so I've decided to implement an OpenBSD bridging/transparent firewall.

So far I'm connected and I can ping stuff from the internal network (i.e. I can ping my gateway and servers on the "other" side of the firewall), but I can't get to the internet from the servers or nodes behind the firewall.

For some clarification here is what I have:

ext-->ASA-->DMZ--->OBSD PF ---->Protected IPs

They're all the same network (192.168.10.0/24). So I can easily connect to nodes on the other side of the OpenBSD firewall, just not the internet.

Here is my pf.conf:
Code:
int_if = "em1"
ext_if = "em2"

# must match the network stated above (192.168.10.0/24, not 192.168.0.0/24);
# with the wrong macro none of the $localnet rules match and the ext_if block
# rules drop the traffic
localnet = "192.168.10.0/24"

# we only want to filter one interface, so pass everything on the inside interface
pass in quick on $int_if all
pass out quick on $int_if all

# block everything by default on the external interface
block in log on $ext_if all
block out log on $ext_if all

# allow outbound UDP DNS traffic
pass out log quick on $ext_if proto udp from $localnet to any port 53 keep state

# allow outbound FTP, SSH, DNS and HTTP/HTTPS traffic (TCP)
pass out log quick on $ext_if proto tcp from $localnet to any \
     port { 20, 21, 22, 53, 80, 81, 443 } modulate state

# allow incoming HTTP and HTTPS traffic to the protected hosts
pass in log quick on $ext_if proto tcp from any to $localnet \
     port { 80, 443 } modulate state

# allow pings (echo request in both directions; replies are matched by state)
pass in log on $ext_if proto icmp from any to $localnet icmp-type 8 code 0 keep state
pass out log on $ext_if proto icmp from $localnet to any icmp-type 8 code 0 keep state

Also, I'm questioning whether a bridging firewall would be good as opposed to just a filtering firewall. Since all of the machines are already IP'ed I don't want to change any IPs, and double NAT is messy.

Any help is appreciated.
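The post shows the pf.conf but not the interface configuration a transparent bridge on OpenBSD needs (bridge members brought up without addresses, joined in a bridge(4) device, with pf filtering on the member interfaces). The script below is an added example, not part of the original post or of any OpenBSD project code: it stages the hostname.if files and a pf.conf with the network macro matching the 192.168.10.0/24 network the poster describes, into a directory of your choosing (STAGE, an assumption of this example; it defaults to a temporary directory), then checks that the macro matches and, only where pfctl exists, parses the ruleset without loading it. On the firewall itself the staged files would be reviewed and copied into /etc.

```shell
#!/bin/sh
# Added example: stage an OpenBSD bridging-firewall configuration for review.
# STAGE is this example's own knob; it is NOT an OpenBSD convention.
STAGE="${STAGE:-$(mktemp -d)}"
INT_IF="em1"
EXT_IF="em2"
LOCALNET="192.168.10.0/24"   # the network named in the post, not 192.168.0.0/24

# Write the interface files: members carry no IP address, the bridge joins them.
stage_bridge() {
    mkdir -p "$STAGE/etc"
    printf 'up\n' > "$STAGE/etc/hostname.$INT_IF"
    printf 'up\n' > "$STAGE/etc/hostname.$EXT_IF"
    # /etc/hostname.bridge0: one "add <member>" per line, then "up"
    printf 'add %s\nadd %s\nup\n' "$INT_IF" "$EXT_IF" > "$STAGE/etc/hostname.bridge0"
}

# Write the ruleset from the post with the corrected localnet macro.
# The heredoc is quoted so the $macro names reach pf.conf untouched.
stage_pf_conf() {
    cat > "$STAGE/etc/pf.conf" <<'EOF'
int_if = "em1"
ext_if = "em2"
localnet = "192.168.10.0/24"

# filter on the outside member only; pass everything on the inside member
pass in quick on $int_if all
pass out quick on $int_if all

# default deny on the outside member
block in log on $ext_if all
block out log on $ext_if all

# outbound DNS, FTP, SSH, HTTP/HTTPS from the protected network
pass out log quick on $ext_if proto udp from $localnet to any port 53 keep state
pass out log quick on $ext_if proto tcp from $localnet to any \
     port { 20, 21, 22, 53, 80, 81, 443 } modulate state

# inbound HTTP/HTTPS to the protected hosts
pass in log quick on $ext_if proto tcp from any to $localnet \
     port { 80, 443 } modulate state

# echo requests both ways; replies ride the state entry
pass in log on $ext_if proto icmp from any to $localnet icmp-type 8 code 0 keep state
pass out log on $ext_if proto icmp from $localnet to any icmp-type 8 code 0 keep state
EOF
}

# Returns 0 when the staged ruleset's localnet macro is the real network.
check_localnet() {
    grep -q "^localnet = \"$LOCALNET\"" "$STAGE/etc/pf.conf"
}

# Returns 0 when the bridge file lists both members and brings the bridge up.
check_bridge() {
    grep -q "^add $INT_IF\$" "$STAGE/etc/hostname.bridge0" &&
    grep -q "^add $EXT_IF\$" "$STAGE/etc/hostname.bridge0" &&
    grep -q '^up$' "$STAGE/etc/hostname.bridge0"
}

stage_bridge
stage_pf_conf
check_localnet && check_bridge && echo "staged configuration in $STAGE"

# Syntax-check the ruleset without loading it, but only on a host with pfctl.
if command -v pfctl >/dev/null 2>&1; then
    pfctl -nf "$STAGE/etc/pf.conf"
fi
```

The two check functions are the point of staging rather than writing straight to /etc: the mismatch between a `localnet` macro and the real address range is silent in pf (the rules load fine, they simply never match), so it is worth asserting before the ruleset goes live.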