DaemonForums > OpenBSD > OpenBSD Security

#1 (22nd December 2008) maurobottone
DMZ zone - I can't find a mistake...

Hello,
I must create a DMZ zone for my second local net: 192.168.1.0/16

this is my pf.conf:

----
Code:
### macros
int_if = "re0"
dmz_if = "re1"
ext_if = "pppoe0"

tcp_services = "{ 20, 21, 22, 25, 80, 110, 113 }"
udp_service = "{ 53, 5060 }"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
dmz_net = "192.168.1.0/16"

bnd_upstream="512Kb"
bnd_downstream="7168Kb"

host_usr1="192.168.0.1"
host_usr4="192.168.0.4"
host_usr5="192.168.0.5"
host_usr6="192.168.0.6"
host_usr8="192.168.0.8"
host_usr9="192.168.0.9"
host_usr10="192.168.0.10"
host_usr11="192.168.0.11"
host_usr12="192.168.0.12"
host_usr13="192.168.1.13"
host_usr14="192.168.1.14"
host_usr15="192.168.0.15"
host_usr16="192.168.0.16"
host_usr17="192.168.0.17"
host_usr18="192.168.0.18"


### options
set optimization normal
set block-policy return
set loginterface $ext_if
set skip on lo0


### scrub
scrub in all
scrub out on $ext_if max-mss 1440


### altq
altq on $ext_if cbq bandwidth $bnd_upstream   queue { up_def }
altq on $int_if cbq bandwidth $bnd_downstream queue { dn_def }

queue up_def    bandwidth   100% cbq(default) { up_host1 up_host4 up_host5 up_host6 up_host8 up_host9 up_host10 up_host11 up_host12 up_host13 up_host14 up_host15 up_host16 up_host17 up_host18 }
        queue up_host1   bandwidth   13% cbq(borrow)
        queue up_host4   bandwidth    7% cbq(borrow)
        queue up_host5   bandwidth    7% cbq(borrow)
        queue up_host6   bandwidth    7% cbq(borrow)
        queue up_host8   bandwidth    6% cbq(borrow)
        queue up_host9   bandwidth    6% cbq(borrow)
        queue up_host10  bandwidth    6% cbq(borrow)
        queue up_host11  bandwidth    6% cbq(borrow)
        queue up_host12  bandwidth    6% cbq(borrow)
        queue up_host13  bandwidth    6% cbq(borrow)
        queue up_host14  bandwidth    6% cbq(borrow)
        queue up_host15  bandwidth    6% cbq(borrow)
        queue up_host16  bandwidth    6% cbq(borrow)
        queue up_host17  bandwidth    6% cbq(borrow)
        queue up_host18  bandwidth    6% cbq(borrow)

queue dn_def    bandwidth   100% cbq(default) { dn_host1 dn_host4 dn_host5 dn_host6 dn_host8 dn_host9 dn_host10 dn_host11 dn_host12 dn_host13 dn_host14 dn_host15 dn_host16 dn_host17 dn_host18 }
        queue dn_host1   bandwidth   13% cbq(borrow)
        queue dn_host4   bandwidth    7% cbq(borrow)
        queue dn_host5   bandwidth    7% cbq(borrow)
        queue dn_host6   bandwidth    7% cbq(borrow)
        queue dn_host8   bandwidth    6% cbq(borrow)
        queue dn_host9   bandwidth    6% cbq(borrow)
        queue dn_host10  bandwidth    6% cbq(borrow)
        queue dn_host11  bandwidth    6% cbq(borrow)
        queue dn_host12  bandwidth    6% cbq(borrow)
        queue dn_host13  bandwidth    6% cbq(borrow)
        queue dn_host14  bandwidth    6% cbq(borrow)
        queue dn_host15  bandwidth    6% cbq(borrow)
        queue dn_host16  bandwidth    6% cbq(borrow)
        queue dn_host17  bandwidth    6% cbq(borrow)
        queue dn_host18  bandwidth    6% cbq(borrow)
### nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)
#redirect per nucleo, anima, xaser ed enjoy
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {4001:4005, 1063:1083} -> $host_usr1
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1000:1020 -> $host_usr8
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {1021:1041, 3724, 6112 } -> $host_usr9
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1042:1062 -> $host_usr10


### filter rules
block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
block drop in quick on $ext_if from $dmz_net to any
block drop out quick on $ext_if from any to $dmz_net

pass in on $int_if proto { tcp udp } from $host_usr1  to any queue up_host1
pass in on $int_if proto { tcp udp } from $host_usr4  to any queue up_host4
pass in on $int_if proto { tcp udp } from $host_usr5  to any queue up_host5
pass in on $int_if proto { tcp udp } from $host_usr6  to any queue up_host6
pass in on $int_if proto { tcp udp } from $host_usr8  to any queue up_host8
pass in on $int_if proto { tcp udp } from $host_usr9  to any queue up_host9
pass in on $int_if proto { tcp udp } from $host_usr10 to any queue up_host10
pass in on $int_if proto { tcp udp } from $host_usr11 to any queue up_host11
pass in on $int_if proto { tcp udp } from $host_usr12 to any queue up_host12
pass in on $dmz_if proto { tcp udp } from $host_usr13 to any queue up_host13
pass in on $dmz_if proto { tcp udp } from $host_usr14 to any queue up_host14
pass in on $int_if proto { tcp udp } from $host_usr15 to any queue up_host15
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16
# (the post had $host_usr16 on the next two lines; corrected to match queues up_host17/up_host18)
pass in on $int_if proto { tcp udp } from $host_usr17 to any queue up_host17
pass in on $int_if proto { tcp udp } from $host_usr18 to any queue up_host18

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_service keep state
pass in on $ext_if inet proto { tcp udp } from any to ($dmz_if) keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any
pass in on $dmz_if all keep state


pass out on $int_if proto { tcp udp } from any to $host_usr1  queue dn_host1
pass out on $int_if proto { tcp udp } from any to $host_usr4  queue dn_host4
pass out on $int_if proto { tcp udp } from any to $host_usr5  queue dn_host5
pass out on $int_if proto { tcp udp } from any to $host_usr6  queue dn_host6
pass out on $int_if proto { tcp udp } from any to $host_usr8  queue dn_host8
pass out on $int_if proto { tcp udp } from any to $host_usr9  queue dn_host9
pass out on $int_if proto { tcp udp } from any to $host_usr10 queue dn_host10
pass out on $int_if proto { tcp udp } from any to $host_usr11 queue dn_host11
pass out on $int_if proto { tcp udp } from any to $host_usr12 queue dn_host12
pass out on $dmz_if proto { tcp udp } from any to $host_usr13 queue dn_host13
pass out on $dmz_if proto { tcp udp } from any to $host_usr14 queue dn_host14
pass out on $int_if proto { tcp udp } from any to $host_usr15 queue dn_host15
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host16
# (the post had $host_usr16 on the next two lines; corrected to match queues dn_host17/dn_host18)
pass out on $int_if proto { tcp udp } from any to $host_usr17 queue dn_host17
pass out on $int_if proto { tcp udp } from any to $host_usr18 queue dn_host18

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_if:network
pass out on $dmz_if all keep state


###Deny spoofing
antispoof for $ext_if
antispoof for $dmz_if
antispoof for $int_if
------------------

I need to leave open ALL TCP AND UDP ports on the DMZ network, and this does not happen with this firewall...
And, I can ping every IP of 192.168.1.0 from the server/router, but from a PC on the LAN (in 192.168.0.0) I can't ping a PC in the DMZ... where is the mistake?!
Thanks a lot.
__________________
"Non ex regula ius sumatur, sed ex iure quod est regula fiat."

Last edited by maurobottone; 22nd December 2008 at 08:21 PM.

#2 (23rd December 2008) jggimi

It's always helpful to draw pictures. I started to do that, and noticed, immediately, a problem with the priv_nets and dmz_net macros. It is not clear what your netmasks are, but if they match these definitions, you have a subnet configuration problem.

It is not clear from this pf.conf file how your interfaces are actually configured.

Is your internal LAN (on re0) really 192.168.0.0/16 (netmask 255.255.0.0)?

Is your DMZ lan (on re1) really 192.168.1.0/16 (netmask 255.255.0.0)?

If so, these two LANs have overlapping subnets, and problems will occur.

-----

Show us your network configuration. Post the output of:

$ ifconfig
$ route -n show -inet

#3 (30th December 2008) maurobottone

Thanks for the reply jggimi;
outputs here:

----
Code:
bash-3.2# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33160
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:19:db:81:72:a8
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        inet6 fe80::219:dbff:fe81:72a8%re0 prefixlen 64 scopeid 0x1
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:14:c1:0f:b2:fa
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet6 fe80::214:c1ff:fe0f:b2fa%rl0 prefixlen 64 scopeid 0x2
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:fc:f5:c4:62
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
        inet6 fe80::250:fcff:fef5:c462%re1 prefixlen 64 scopeid 0x3
enc0: flags=0<> mtu 1536
pppoe0: flags=8851<UP,POINTOPOINT,RUNNING,SIMPLEX,MULTICAST> mtu 1492
        dev: rl0 state: session
        sid: 0xa77e PADI retries: 3 PADR retries: 0 time: 7d 17:26:49
        sppp: phase network authproto pap authname "4813296885"
        groups: pppoe egress
        inet6 fe80::219:dbff:fe81:72a8%pppoe0 ->  prefixlen 64 scopeid 0x6
        inet 78.134.10.25 --> 81.174.0.1 netmask 0xffffff00
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33160
        groups: pflog



Code:
bash-3.2# route -n show -inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            0.0.0.1            UGS        5   362936     -    48 pppoe0
81.174.0.1         78.134.10.25       UH         0        0     -    48 pppoe0
127/8              127.0.0.1          UGRS       0        0 33160    48 lo0
127.0.0.1          127.0.0.1          UH         2    23197 33160    48 lo0
192.168.0/24       link#1             UC         3        0     -    48 re0
192.168.0.8        00:01:29:a6:22:05  UHLc       1    56479     -    48 re0
192.168.0.9        00:1a:4d:5d:44:a5  UHLc       2      948     -    48 re0
192.168.0.10       00:00:4d:83:08:98  UHLc       0    34550     -    48 re0
192.168.1/24       link#3             UC         1        0     -    48 re1
192.168.1.13       link#3             UHLc       1     8183     -    48 re1
224/4              127.0.0.1          URS        0        0 33160    48 lo0
-bash-3.2#
----

However, the netmask of both LANs is 255.255.255.0.
Thanks.

Last edited by maurobottone; 30th December 2008 at 02:13 PM.

#4 (30th December 2008) jggimi

All I can tell, at this point, are two things:

1) Your dmz_net macro uses an incorrect CIDR. It overlaps priv_nets, and goes beyond the RFC 1918 address range. Your priv_nets, 192.168.0.0/16 covers the addresses 192.168.0.0 thru 192.168.255.255.

2) Since your DMZ lan is included in priv_nets, and both are only used for antispoofing, it appears to be unnecessary.

----

You have a default gateway address of 0.0.0.1, which I find very odd, but it still routes through your pppoe0 connection, so I don't think that is anything to worry about. It might be a pppoe-ism. I'm not familiar with pppoe.

You pass ICMP echo requests, without specifying any interface, so I am not sure why you are unable to successfully ping.

Further diagnostics will require the use of tcpdump(8). I recommend using it with the pflog(4) device. If you change your pass/block rules to "pass log..." and "block log..." you can see what rule was applied to any particular packet, either a pass or a block. Some people only log blocking rules, as they are uninterested in which pass rules apply to particular packets.

#5 (31st December 2008) robbak

You have your interfaces set to 192.168.0.1 netmask 255.255.255.0, but have specified 192.168.0.1/16 in your pf.conf. 255.255.255.0 means a /24 in CIDR notation.

The netmask is a value that is binary-ORed with the address to find the network address. If you used 8-bit addresses, it would look like this-
Code:
10100101 - address, decimal 165
11110000 - netmask, decimal 240 - or /4 because 4 of the bits are '1's
10100000 - network address, via binary AND - 160
So with 255.255.255.0, in binary 11111111 11111111 11111111 00000000, there are 24 1's, so in CIDR notation, that's /24.

Hope that helps!
__________________
The only dumb question is a question not asked.
The only dumb answer is an answer not given.
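As an added example (not code from either poster), the subnet arithmetic the two replies above rely on, written out in Python: netmask to prefix length and back, the network address as the host address ANDed with the mask (the 8-bit illustration above computes exactly that), and a small linter for pf.conf network macros that flags a prefix whose host bits are set (192.168.1.0/16 says one thing with its address and another with its /16) and any two macros whose ranges overlap. The macro names and sample values are constructed from the thread.

```python
import ipaddress
from typing import Dict, List


def netmask_to_prefix(mask: str) -> int:
    """Count the leading one bits of a dotted netmask: 255.255.255.0 -> 24."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = 0
    while bits & 0x80000000:
        prefix += 1
        bits = (bits << 1) & 0xFFFFFFFF
    if bits:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return prefix


def prefix_to_netmask(prefix: int) -> str:
    """Inverse of the above: 24 -> 255.255.255.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefix}").netmask)


def mask_bits(address: int, mask: int, width: int = 8) -> str:
    """The 8-bit illustration: network = address AND mask.
    165 (10100101) AND 240 (11110000) -> 160 (10100000)."""
    return format(address & mask, f"0{width}b")


def network_address(addr: str, mask: str) -> str:
    """Network address of a host: the address bitwise ANDed with the netmask."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(a & m))


def check_macros(macros: Dict[str, str]) -> List[str]:
    """Lint a set of pf.conf network macros (name -> CIDR). Flags a prefix
    whose host bits are not zero, i.e. the address and the /N disagree, and
    any pair of macros whose address ranges overlap."""
    problems: List[str] = []
    nets = {}
    for name, cidr in macros.items():
        try:
            nets[name] = ipaddress.ip_network(cidr)  # strict: host bits must be 0
        except ValueError:
            loose = ipaddress.ip_network(cidr, strict=False)
            problems.append(
                f"{name}: {cidr} has host bits set; as a /{loose.prefixlen} it really means {loose}"
            )
            nets[name] = loose
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


# Constructed inputs: the LAN/DMZ macros as posted, and the /24 values the
# interfaces in the ifconfig output actually use.
AS_POSTED = {"priv_lan": "192.168.0.0/16", "dmz_net": "192.168.1.0/16"}
AS_CONFIGURED = {"priv_lan": "192.168.0.0/24", "dmz_net": "192.168.1.0/24"}

if __name__ == "__main__":
    print(netmask_to_prefix("255.255.255.0"), network_address("192.168.1.13", "255.255.255.0"))
    for label, macros in (("as posted", AS_POSTED), ("as configured", AS_CONFIGURED)):
        print(label, check_macros(macros) or "ok")
```

Running it prints the two complaints for the posted macros (host bits set on dmz_net, and the two /16 ranges overlapping) and "ok" for the /24 versions that match the ifconfig netmask 0xffffff00.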

#6 (2nd January 2009) maurobottone

I've modified in pf.conf 192.168.0.0/16 to 192.168.0.1/24 and 192.168.1.0/16 to 192.168.1.0/24.
The problem is still here! I can ping a PC on 192.168.1.0 from the server but can't ping it from a PC on 192.168.0.0
Help me pls :/

#7 (2nd January 2009) maurobottone

I've added these two lines to pf.conf:

Code:
nat on $int_if from $dmz_if:network to any -> ($int_if)
nat on $dmz_if from $int_if:network to any -> ($dmz_if)
Now pings work?! o_0
Do I need all the other lines I set?!
Well... what about the DMZ?! I need to leave all of subnet 192.168.1.0 with open ports...
Thanks

Last edited by J65nko; 27th January 2010 at 02:32 AM. Reason: Correction of wrong closing code tag (Missing / )

#8 (2nd January 2009) jggimi

I'm glad you discovered your problem was misconfigured NAT rules.

I do not understand what you are asking, now, regarding your 192.168.1 LAN. As you have crafted your pf.conf, you have pass in and pass out rules by individual system. If you want filter rules by interface or network, you can certainly write them.

#9 (2nd January 2009) maurobottone

Sorry for my English; well... I was saying that I need all of 192.168.1.0 to be a DMZ: on this net I have a PS3, a Wii, a PC media center and other consoles that need to bypass the firewall block rules and be open to the internet. Example: I have a PS3 on 192.168.1.13 and I need a rule that lets me pass in ALL traffic on ALL ports from the internet to the PS3 and from the PS3 to the internet... how can I do this?!

#10 (2nd January 2009) jggimi

If I understand your network, there is a single IP address exposed to the Internet.

If any system on your local network originates traffic destined for the Internet, its state table entry will be used to redirect any return inbound packets back to that system.

But ... any network traffic that originates on the Internet has no state table entry. The only way to reach a system behind the NAT firewall is via a redirection (rdr) rule.

Your last filter rule:
Code:
pass out on $dmz_if all keep state
will allow Internet originated traffic to transit onto the DMZ subnet, only if a rdr rule is defined that routes the traffic there.

#11 (3rd January 2009) maurobottone

Well jggimi, then...Can I use a rule like this:

rdr on $ext_if proto {tcp udp} from ($ext_if) to any -> 192.168.1.0

?

#12 (3rd January 2009) robbak

So you want any traffic trying to leave your external interface to be redirected to your server on its 192.168.1.0 address? That is what that rule says - find any packet on ext_if with the from address set to ext_if's address and change its to address to 192.168.1.0. I think that will fail spectacularly, as the packets will hit the public network with a non-routable address, and be summarily dropped by your ISP's gateway.

Try this: If you want a computer on the DMZ network (192.168.1.5, say) to handle http: traffic, then this rule accomplishes that:
Code:
rdr on $ext_if proto tcp from any to ($ext_if) port http -> 192.168.1.5
A similar rule will be required for each service you want to expose in the DMZ. (This is not really a DMZ, as to properly set one up, you need multiple routable IP addresses to assign to your servers.)
Last edited by robbak; 3rd January 2009 at 01:09 AM.

#13 (5th January 2009) maurobottone

Thanks robbak...
I'll try to explain better:
I need to pass ALL into my 192.168.1.0 from the net, because on this private net I have a PS3 and other consoles that must be set in a DMZ... I don't need to open only some ports.
Well... can I pass all into 192.168.1.0? How?

#14 (5th January 2009) jggimi

You only have a single IP address on the Internet ... correct?

If so, as configured, you cannot easily redirect all ports. Particularly to a subnet, rather than an individual IP.

You should either obtain multiple IP addresses from your ISP, or set up your DMZ with two firewalls. Something like this:

Internet - <fw1> - DMZ - <fw2> - protected LAN

#15 (5th January 2009) maurobottone

Yeah, correct! Well... I can't obtain multiple IP addresses, so... where can I read something about two firewalls? I didn't know about that possibility... thanks and sorry :/

#16 (5th January 2009) jggimi

Quote:
Originally Posted by maurobottone View Post
Yeah, correct! Well... I can't obtain multiple IP addresses, so... where can I read something about two firewalls? I didn't know about that possibility... thanks and sorry :/
Two firewalls are very common in internet application environments, such as dot coms. The DMZ is where all of the internet-exposed systems reside. Webservers, particularly. The "bastion" firewall, that touches the internet, has rules which are fairly open, such as allowing http and https from anywhere. The inner firewall has much more restrictive rules, such as restricting inbound traffic to database calls from the webservers.

There's a good discussion of tiered firewalls in Michael Lucas's book, Absolute OpenBSD, which is out-of-print currently. The publisher (No Starch Press) has a .pdf available for sale; in addition, the example pf.conf files for a tiered firewall setup (in Appendix B) are available for download at www.absoluteopenbsd.com for your review -- see Example 3. Note: Tiered configurations require routing table additions, which are described in the book but not in the examples.

#17 (5th January 2009) jggimi

Further clarification of NAT and redirection

If there are specific ports you know about, or, ranges of ports you know about, for specific systems in your DMZ, you may write a redirect rule.

In situations where port numbers are unknown .... how do you redirect that traffic to the appropriate system?

Let us pretend that your various systems have TCP ports open, but you don't know the port number, nor can you limit the port number to a specific range.

Let us also pretend that your firewall receives a TCP SYN packet incoming to your single IP address, TCP protocol, port number 12345. A SYN packet is the first packet of the three-way TCP handshake.

NAT allows the firewall to replace the 78.134.x.x Internet IP address with the appropriate private IP address, such as 192.168.1.13 or 192.168.0.8, and then route the packet on to that address. State is tracked. Packets sent in reply from 192.168.1.13 or 192.168.0.8 will have their IPs replaced with 78.134.x.x and be routed on via your ISP.

If there is no rdr rule for that port, the firewall will assume the packet is destined for the firewall itself, and will respond according to inbound pass/block rules and if a service is listening on that port.

Since NAT only allows the replacement of one IP address with another, I suppose it is possible to redirect to the broadcast address. However, I doubt a broadcast will work: IP supports multicasting (the broadcasting of packets), but TCP cannot be broadcast.

Think about it for a moment. If that SYN packet is sent to every device in the DMZ, every device will respond to it, and to any and all follow-on packets. The handshake will likely never properly complete, since the first rejection packet will stop the attempted connection.

#18 (5th January 2009) jggimi

Now that I think about it, you *still* have the same problem ... as you will be using NAT. How do you know which of your systems in the DMZ is supposed to respond to an inbound TCP packet on some random port?

#19 (6th January 2009) robbak

You cannot do this without multiple IP addresses. Think about it - You have one IP address, so any incoming packets will come to that address. How will your firewall know what machine in the DMZ to send this packet to? And how would a remote machine indicate that it wanted the packet sent to a particular machine?

Well the answer is, of course, using ports. Each system offers a service on one or more ports, and the firewall uses rdr rules to redirect matching packets to that machine. rdr rules can also redirect to different ports - for instance, say you have 5 machines that you need to ssh to. consider these rdr rules:
Code:
# proto is required in an rdr rule that names a port
rdr on $ext_if proto tcp from any to ($ext_if) port 1022 -> 192.168.1.101 port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 2022 -> 192.168.1.102 port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 3022 -> 192.168.1.103 port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 4022 -> 192.168.1.104 port 22
rdr on $ext_if proto tcp from any to ($ext_if) port 5022 -> 192.168.1.105 port 22
Edit: I thought that it might be useful to translate that rule from pf to English. It goes like this:
"Redirect packets arriving on interface $ext_if with the to address set to the current address of $ext_if and the port set to 1022, by changing their address to "192.168.1.101" and changing the port number to "22"."

So a remote user can access ssh on machine ..105 with ssh -p 5022 [your one external ip address] . (Just noted: the port numbers can be specified in the config file!)

Last edited by robbak; 9th January 2009 at 11:25 AM.
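As an added example (not code from either poster), a small Python model of the decision jggimi's "Further clarification of NAT and redirection" post and robbak's port-based rdr post describe: a packet arriving at the firewall's single public address either matches the state of a connection an inside host originated, matches an rdr rule that names one inside host for that port, or is for the firewall itself. The public and remote addresses are constructed from documentation ranges, the port allocator is a stand-in for pf's own, and the ssh_fanout helper builds the 1022/2022/.../5022 -> host:22 mapping from the post above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed public address (documentation range), not the thread's real one.
EXT_ADDR = "203.0.113.7"


@dataclass(frozen=True)
class RdrRule:
    """One 'rdr on $ext_if proto P from any to ($ext_if) port X -> host [port Y]' rule."""
    proto: str
    ext_port: int
    target: str                        # exactly one inside host; a subnet cannot be a target
    target_port: Optional[int] = None  # None keeps the original destination port

    def to_pf(self) -> str:
        line = (f"rdr on $ext_if proto {self.proto} from any to ($ext_if) "
                f"port {self.ext_port} -> {self.target}")
        if self.target_port is not None:
            line += f" port {self.target_port}"
        return line


# State key: (proto, remote address, remote port, our public port)
StateKey = Tuple[str, str, int, int]


@dataclass
class NatFirewall:
    rdr_rules: List[RdrRule] = field(default_factory=list)
    states: Dict[StateKey, Tuple[str, int]] = field(default_factory=dict)
    next_nat_port: int = 40000  # constructed allocator; pf chooses its own ports

    def outbound(self, proto: str, src: str, sport: int, dst: str, dport: int) -> Tuple[str, int]:
        """An inside host opens a connection: NAT rewrites the source to
        EXT_ADDR:<public port> and records state so replies map back to it."""
        public_port = self.next_nat_port
        self.next_nat_port += 1
        self.states[(proto, dst, dport, public_port)] = (src, sport)
        return EXT_ADDR, public_port

    def inbound(self, proto: str, src: str, sport: int, dport: int) -> Tuple[str, str, int]:
        """A packet from the Internet arrives at EXT_ADDR:dport. Outcomes:
        ('state', host, port)    reply to a connection an inside host originated
        ('rdr', host, port)      a redirect rule claims this port and names one host
        ('firewall', EXT_ADDR, dport)  nothing matched; the firewall itself handles it"""
        hit = self.states.get((proto, src, sport, dport))
        if hit is not None:
            return ("state",) + hit
        for rule in self.rdr_rules:
            if rule.proto == proto and rule.ext_port == dport:
                inside_port = rule.target_port if rule.target_port is not None else dport
                return ("rdr", rule.target, inside_port)
        return ("firewall", EXT_ADDR, dport)


def ssh_fanout(hosts: List[str]) -> List[RdrRule]:
    """Expose ssh on several inside hosts through one public address:
    public 1022 -> hosts[0]:22, 2022 -> hosts[1]:22, and so on."""
    return [RdrRule("tcp", 1000 * (i + 1) + 22, h, 22) for i, h in enumerate(hosts)]


if __name__ == "__main__":
    fw = NatFirewall(rdr_rules=ssh_fanout([f"192.168.1.{n}" for n in range(101, 106)]))
    fw.rdr_rules.append(RdrRule("tcp", 80, "192.168.1.5"))
    for rule in fw.rdr_rules:
        print(rule.to_pf())
    print(fw.inbound("tcp", "198.51.100.9", 51000, 5022))   # rdr to 192.168.1.105:22
    print(fw.inbound("tcp", "198.51.100.9", 51001, 12345))  # no state, no rdr: firewall itself
    fw.outbound("tcp", "192.168.1.13", 3333, "198.51.100.9", 443)
    print(fw.inbound("tcp", "198.51.100.9", 443, 40000))    # state maps the reply back
```

The model makes the limitation in the thread concrete: an inbound packet on a port with no state and no rdr rule has nowhere to go but the firewall, and an rdr rule must name a single host, so "all ports to the whole 192.168.1.0 subnet" cannot be expressed with one public address.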

#20 (8th January 2009) maurobottone

Thanks to all for the help: now I've understood how to proceed! Your indications work well for me
:°)