Firewall Blocking Good Traffic
Posted 2nd January 2009 by plexter

Hello,

First a quick text diagram.

{internet} <--> [PIX Firewall] <--> [OpenBSD PF] <--> [rest of internal net]

I believe my problem is with my PF firewall rules however if you feel otherwise I will investigate further on the PIX.

The following happens while PF is enabled (it works after disabling it).

I see the following (as an example) in my logs on the PIX:

Code:
6|Jan 01 2009|19:24:05|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12234 to CENSORED-IP/110 flags FIN ACK  on interface inside
6|Jan 01 2009|19:21:58|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12235 to CENSORED-IP/80 flags ACK  on interface inside
6|Jan 01 2009|19:21:48|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12235 to CENSORED-IP/80 flags RST ACK  on interface inside
6|Jan 01 2009|19:21:39|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12234 to CENSORED-IP/110 flags RST ACK  on interface inside
6|Jan 01 2009|19:21:10|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12229 to CENSORED-IP/80 flags ACK  on interface inside
6|Jan 01 2009|19:20:55|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12229 to CENSORED-IP/80 flags RST ACK  on interface inside

The connections to port 80 are software trying to get updates for itself; the ones to port 110 are a connection to an external mail server.

PF Configuration:

Code:
#Last Modified Dec 29 2008

#Interfaces
ext_if="fxp0"
int_if="fxp1"

#Devices

dlbox = "{ 10.10.200.4 }"
main = "{ 10.10.200.13 }"
ftpsrv = "{ 192.168.233.3 }"
websrv = "{ 192.168.233.4 }"
exc2k3 = "{ 10.10.200.3 }"
voipnet = "{ 192.168.255.0/24 }"
sshport = "{ 2201 }"

#Options
set require-order yes
set block-policy drop
#pf keeps statistics for a single loginterface; the second line overrides the first
set loginterface $ext_if
set loginterface $int_if
set state-policy floating
set fingerprints "/etc/pf.os"
set ruleset-optimization none

#Timeout Settings
set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }

#Connection Normalization 

scrub all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

#Queuing ALTQ
#Upload assumed approx 80kb or 640Kb, queued approx 94%

altq on $ext_if cbq bandwidth 600Kb queue { tcpack, voip, dns, mainpc, webftp, dlbox, std }

queue std bandwidth 10% priority 1 cbq(borrow red default)
queue dlbox bandwidth 10% priority 2 cbq(borrow red)
queue webftp bandwidth 5% priority 3 cbq(borrow red)
queue mainpc bandwidth 10% priority 4 cbq(borrow red)
queue dns bandwidth 5% priority 5 cbq(borrow red)
queue tcpack bandwidth 20% priority 6 cbq(borrow red)
queue voip bandwidth 40% priority 7 cbq(borrow red) 

block in log on $ext_if

#TCP Traffic Out on $ext_if
pass out on $ext_if inet proto tcp from any to any modulate state queue(std, tcpack)
pass out quick on $ext_if inet proto tcp from $dlbox to any modulate state queue(dlbox, tcpack)
pass out quick on $ext_if inet proto tcp from $ftpsrv to any port ftp synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $websrv to any port 10001 synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $exc2k3 to any synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $main to any modulate state queue(mainpc, tcpack)
pass out quick on $ext_if inet proto tcp from any to any port domain modulate state queue(dns, tcpack)

pass out quick on $ext_if inet proto tcp from $main to any port 63600  modulate state queue(dlbox, tcpack) 

#UDP Traffic Out on $ext_if
#pass out on $ext_if inet proto udp from any to any keep state queue(std, tcpack)
pass out quick on $ext_if inet proto udp from $main to any keep state queue(mainpc, tcpack)
pass out quick on $ext_if inet proto udp from any to any port ntp keep state queue(dns, tcpack)
pass out quick on $ext_if inet proto udp from any to any port domain keep state queue(dns, tcpack)
pass out quick on $ext_if inet proto udp from any to any port 514 queue(std, tcpack)
pass out log quick on $ext_if inet proto udp from any to any port 5060 keep state queue(voip, tcpack)
pass out log quick on $ext_if inet proto udp from any to any port 5000 keep state queue(voip, tcpack)
pass out log quick on $ext_if inet from $voipnet to any keep state queue(voip, tcpack)
pass out quick on $ext_if inet proto udp from any to any port 63600 keep state queue(dlbox, tcpack)

#TCP/UDP Traffic Out on $ext_if

#TCP Traffic In on $ext_if

pass in on $ext_if inet proto tcp from any to any port 63600 modulate state queue(dlbox, tcpack)
pass in quick on $ext_if inet proto tcp from any to any port 10001 modulate state

#UDP Traffic In on $ext_if

pass in on $ext_if inet proto udp from any to any port domain keep state queue(dns, tcpack)
pass in on $ext_if inet proto udp from any to any port 514 queue(std, tcpack)
pass in on $ext_if inet proto udp from any to any port 63600 keep state queue(dlbox, tcpack)
pass in log on $ext_if inet proto udp from any to any port 5060 keep state queue(voip, tcpack)
pass in log on $ext_if inet proto udp from any to any port 5000 keep state queue(voip, tcpack)

Hope someone can help!
Thanks a bunch!
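When a stateful firewall sits behind another, the first question is whether the outer box is refusing new connections or only stray segments of connections it has already forgotten. The script below is an added example, not part of the post or of either vendor's tooling: it parses the pipe-delimited PIX export shown above, classifies each 106015 deny by whether the segment carries SYN, and counts them per source, destination port and stage. The sample lines are constructed to mirror the post, with the documentation address 203.0.113.10 standing in for CENSORED-IP.

```python
import re
from collections import Counter

# Constructed sample in the same export format as the post:
# severity|date|time|message-id|src|dst|text (203.0.113.10 replaces the censored IP).
SAMPLE_LOG = """\
6|Jan 01 2009|19:24:05|106015|10.10.200.3|203.0.113.10|Deny TCP (no connection) from 10.10.200.3/12234 to 203.0.113.10/110 flags FIN ACK  on interface inside
6|Jan 01 2009|19:21:58|106015|10.10.200.3|203.0.113.10|Deny TCP (no connection) from 10.10.200.3/12235 to 203.0.113.10/80 flags ACK  on interface inside
6|Jan 01 2009|19:21:48|106015|10.10.200.3|203.0.113.10|Deny TCP (no connection) from 10.10.200.3/12235 to 203.0.113.10/80 flags RST ACK  on interface inside
6|Jan 01 2009|19:21:39|106015|10.10.200.3|203.0.113.10|Deny TCP (no connection) from 10.10.200.3/12234 to 203.0.113.10/110 flags RST ACK  on interface inside
6|Jan 01 2009|19:21:10|106015|10.10.200.3|203.0.113.10|Deny TCP (no connection) from 10.10.200.3/12229 to 203.0.113.10/80 flags ACK  on interface inside
6|Jan 01 2009|19:20:55|106015|10.10.200.3|203.0.113.10|Deny TCP (no connection) from 10.10.200.3/12229 to 203.0.113.10/80 flags RST ACK  on interface inside
"""

MSG_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>[A-Z ]+?)\s+on interface (?P<iface>\S+)"
)

def parse_line(line):
    """Parse one exported PIX line; return a dict, or None if it is not a 106015 deny."""
    fields = line.rstrip("\n").split("|")
    if len(fields) != 7 or fields[3] != "106015":
        return None
    m = MSG_RE.match(fields[6])
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = fields[2]
    rec["flags"] = rec["flags"].split()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    # A segment without SYN belongs to a connection the PIX has no state for,
    # i.e. one it already tore down or never saw; it is not a new connection attempt.
    rec["stage"] = "handshake" if "SYN" in rec["flags"] else "post-handshake"
    return rec

def summarize(text):
    """Count 106015 denies per (src, dport, stage) and list the distinct flows hit."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    by_key = Counter((r["src"], r["dport"], r["stage"]) for r in recs)
    flows = sorted({(r["src"], r["sport"], r["dst"], r["dport"]) for r in recs})
    return by_key, flows

if __name__ == "__main__":
    counts, flows = summarize(SAMPLE_LOG)
    for (src, dport, stage), n in sorted(counts.items()):
        print(f"{src} -> port {dport:<4} {stage:<15} {n} denied segment(s)")
    print(f"{len(flows)} distinct flows with no PIX state")
```

On the post's own lines every deny is post-handshake (ACK, RST ACK or FIN ACK), so the PIX is dropping the tail of connections it no longer tracks rather than blocking the connections themselves; a run of handshake-stage denies would point at a different problem.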