Hi all, I'm hoping the wealth of experience here will be able to solve my problem!
I've recently set up an OpenBSD 4.6 box to use as a dedicated firewall, got it configured, and all seems well - except that the packet filter is causing connection dropouts every few minutes or so.
e.g. if I try to download a large file, it will download for anywhere between 1-9 minutes, then simply hang until I manually cancel. My connection to IRC also drops out constantly.
I also bought 2 dedicated NICs (D-Link DGE-528T, supported chipset) to use instead of the onboard gigabit NICs to see if they could be at fault, but the same thing occurs.
This is definitely a pf issue, as if I do a pfctl -d everything works fine from that point on.
If anyone has any idea as to what could be at fault in my configuration I'd be most grateful - after what little troubleshooting I can do at the moment, being somewhat of a BSD noob, all I can think of is forcing the adapters to 100Mb & 1000Mb.
Below are my ifconfig & pf.conf, and I also attached an image with systat output, with pf enabled on the left and with it disabled on the right (my IRC connection got reset twice in the 6-minute period it was enabled). If any extra info is needed I'd be happy to supply it.
Thanks
Simple Network Layout
Code:
INTERNET
|
|
[ Router ]
|
|
(re0)
[ Firewall ]
(re1)
|
|
[ Switch ]
|
|
LAN
relevant ifconfig output
Code:
re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:5a:e3:53:cc
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:53cc%re0 prefixlen 64 scopeid 0x2
        inet 192.168.134.2 netmask 0xffffff00 broadcast 192.168.134.255
re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:5a:e3:52:8d
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:528d%re1 prefixlen 64 scopeid 0x3
bridge0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        groups: bridge
pf.conf
Code:
# Ignore the loopback interface
set skip on lo0
# Defines - NIC for external/internal network routes and other addresses
nic_ext = "re0"
nic_int = "re1"
myaddr = "192.168.134.2"
mysub = "192.168.134.0/24"
myweb = "192.168.134.250"
# Allow everything through the secondary (Firewall->Switch) interface
set skip on $nic_int
# Implicit deny through the primary (Firewall->Router) interface
block in on $nic_ext all
block out on $nic_ext all
# Anti-spoof
antispoof quick for $nic_ext
# Now setup the standard rules
# SSH from internal network, else block & log
pass in quick proto tcp from $mysub to $myaddr port 22
block in log quick on $nic_ext proto tcp from any port 22
# Allow DNS requests, as we have a DNS server behind us (and in front)
pass out quick proto udp from $mysub port 53
# Hard-Coded blocks - todo: move these into a dedicated file & table
# Do not block: 208.100.20.98 - proxyscan.rizon.net
# 66.102.9.0/24 - google.com subnet, mostly for ad-blocking
# 63.88.212.91 - webtrends
blacklist = "{ 208.201.239.101, 222.208.183.218, 125.230.150.249, 66.102.9.0/24, 63.88.212.91 }"
block in quick on $nic_ext from $blacklist
# Allow inbound port 8080 traffic to the webserver only
pass in quick on $nic_ext proto tcp from any to $myweb port 8080
# Allow outbound traffic from internal network
pass out quick on $nic_ext proto tcp from $mysub to any flags S/SA
pass out quick on $nic_ext proto udp all from $mysub
# NAT rule
nat on $nic_ext from !($nic_ext) to any -> ($nic_ext)
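When a stateful pf box drops established connections after a few minutes, pf's own counters usually say why before anything else does: a filling state table shows up in "current entries" against the states hard limit, and packets that matched a state but failed its checks (for TCP, sequence-window tracking) are counted under state-mismatch. The script below is an added example and not part of the original post; it parses the text that pfctl -si and pfctl -sm print on OpenBSD (counter names as the kernel reports them) and flags the counters worth looking at. The sample pfctl output embedded in it is constructed so the script runs offline; the numbers are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): triage pf's own counters for the
# causes of "connections stall after a few minutes" that pf can report itself,
# such as state-table pressure or state-mismatch drops. The functions read
# `pfctl -si` / `pfctl -sm` text, so they work on saved output from another
# box as well as live on the firewall.

# Constructed sample of `pfctl -si` output (numbers made up for illustration).
SAMPLE_PFCTL_SI='Status: Enabled for 0 days 00:06:12           Debug: Urgent

State Table                          Total             Rate
  current entries                      812
  searches                           90210           242.5/s
  inserts                             3012             8.1/s
  removals                            2200             5.9/s
Counters
  match                               3100             8.3/s
  bad-offset                             0             0.0/s
  fragment                               0             0.0/s
  short                                  0             0.0/s
  normalize                              0             0.0/s
  memory                                 0             0.0/s
  bad-timestamp                          0             0.0/s
  congestion                             0             0.0/s
  ip-option                              0             0.0/s
  proto-cksum                            0             0.0/s
  state-mismatch                       417             1.1/s
  state-insert                           0             0.0/s
  state-limit                            0             0.0/s
  src-limit                              0             0.0/s
  synproxy                               0             0.0/s'

# Constructed sample of `pfctl -sm` output (the default hard limits).
SAMPLE_PFCTL_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# pf_suspect_counters: read `pfctl -si` text on stdin and print "name total"
# for every counter in the watch list whose total is nonzero.
#   state-mismatch  packet matched a state but failed its checks (TCP window)
#   memory/state-limit/state-insert  a new state could not be created
#   src-limit/congestion  per-source limits or interface congestion drops
pf_suspect_counters() {
    awk '
        $1 == "Counters" { in_counters = 1; next }
        in_counters && NF >= 2 {
            name = $1; total = $2 + 0
            if (name ~ /^(memory|congestion|state-mismatch|state-insert|state-limit|src-limit)$/ && total > 0)
                print name, total
        }
    '
}

# pf_state_usage SI_TEXT SM_TEXT: print "current limit percent" for the state
# table, so a table that fills up over a few minutes is visible at a glance.
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '$1 == "current" && $2 == "entries" { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $NF }')
    [ -n "$cur" ] && [ -n "$lim" ] && [ "$lim" -gt 0 ] || return 1
    echo "$cur $lim $((cur * 100 / lim))"
}

# With --live, run against the real firewall (needs root for pfctl);
# otherwise run against the constructed samples above.
if [ "${1:-}" = "--live" ]; then
    pfctl -si | pf_suspect_counters
    pf_state_usage "$(pfctl -si)" "$(pfctl -sm)"
else
    printf '%s\n' "$SAMPLE_PFCTL_SI" | pf_suspect_counters
    pf_state_usage "$SAMPLE_PFCTL_SI" "$SAMPLE_PFCTL_SM"
fi
```

Run it with --live on the firewall while a download is stalling and again a minute later: a state-mismatch count that climbs in step with the stalls points at state tracking on the affected flows, whereas a state table near its hard limit (or nonzero memory/state-limit counters) points at state exhaustion, and the two call for different fixes.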