View Single Post
  #1   (View Single Post)  
Old 27th March 2010
Septic Septic is offline
New User
 
Join Date: Mar 2010
Posts: 9
Unhappy pf temporary dropouts

Hi all, I'm hoping the wealth of experience here will be able to solve my problem!

I've recently setup an OpenBSD 4.6 box to use as a dedicated firewall, got it configured, and all seems well - except that the packet filter is causing connection dropouts every few minutes or so.

e.g. If I try to download a large file, it will download for anywhere between 1 - 9 minutes, then simply hang, until I manually cancel. My connection to IRC is also dropped out constantly too.

I also bought 2 dedicated NICs (Dlink DGE-528T, supported Chipset) to use instead of the onboard gigabit NICs to see if they could be at fault, but the same thing occurs.
This is definitely a pf issue, as if I do a pfctl -d everything works fine from that point on.

If anyone has any idea as to what could be at fault in my configuration I'd be most grateful - after what little troubleshooting I can do at the moment, being somewhat of a BSD noob, all I can think of is forcing the adapters to 100/Mb & 1000/Mb.

Below are my ifconfig & pf.conf, and I also attached an image with systat output, with pf enabled on the left, and with it disabled on the right (my IRC connection got reset twice in the 6 minute period it was enabled). If any extra info. is needed I'd be happy to supply.

Thanks

Simple Network Layout
Code:
	INTERNET
	   |
	   |
       [ Router ]
	   |
	   |
	 (re0)
      [ Firewall ]
	 (re1)
	   |
	   |
       [ Switch ]
	   |
	   |
	  LAN
relevant ifconfig output
Code:
re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:5a:e3:53:cc
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:53cc%re0 prefixlen 64 scopeid 0x2
        inet 192.168.134.2 netmask 0xffffff00 broadcast 192.168.134.255
re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:5a:e3:52:8d
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:528d%re1 prefixlen 64 scopeid 0x3
bridge0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        groups: bridge
pf.conf
Code:
# Ignore the loopback interface
set skip on lo0

# Defines - NIC for external/internal network routes and other addresses
nic_ext = "re0"
nic_int = "re1"
myaddr = "192.168.134.2"
mysub = "192.168.134.0/24"
myweb = "192.168.134.250"


# Allow everything through the secondary (Firewall->Switch) interface
set skip on $nic_int

# Implicit deny through the primary (Firewall->Router) interface
block in on $nic_ext all
block out on $nic_ext all

# Anti-spoof
antispoof quick for $nic_ext


# Now setup the standard rules


# SSH from internal network, else block & log
pass in quick proto tcp from $mysub to $myaddr port 22
block in log quick on $nic_ext proto tcp from any port 22

# Allow DNS requests, as we have a DNS server behind us (and in front)
pass out quick proto udp from $mysub port 53

# Hard-Coded blocks - todo: move these into a dedicated file & table
# Do not block: 208.100.20.98 - proxyscan.rizon.net
# 66.102.9.0/24 - google.com subnet, mostly for ad-blocking
# 63.88.212.91 - webtrends
blacklist = "{ 208.201.239.101, 222.208.183.218, 125.230.150.249, 66.102.9.0/24, 63.88.212.91 }"
block in quick on $nic_ext from $blacklist

# Allow inbound port 8080 traffic to the webserver only
pass in quick on $nic_ext proto tcp from any to $myweb port 8080

# Allow outbound traffic from internal network
pass out quick on $nic_ext proto tcp all from $mysub flags S/SA
pass out quick on $nic_ext proto udp all from $mysub

# NAT rule
nat on $nic_ext from !($nic_ext) to any -> ($nic_ext)
Reply With Quote