DaemonForums > OpenBSD > OpenBSD Security

#1
8th March 2010
xinform3n (Port Guard)

pf.conf / Which interface?

Hello everybody !

I'm installing an OpenBSD 4.6 CARPed firewall cluster and I have doubts about my pf.conf.

My physical interface is "vic0".
There are 8 vlan interfaces "vlan10", "vlan20", "vlan30", ...
There are 8 carp interfaces "carp10", "carp20", "carp30", ...

If I would like to allow HTTP from vlan10 to vlan20, which rule is correct?

pass in on vlan10 inet proto tcp from $vlan10_subnet to $vlan20_subnet port 80
pass in on carp10 inet proto tcp from $vlan10_subnet to $vlan20_subnet port 80
pass in on vic0 inet proto tcp from $vlan10_subnet to $vlan20_subnet port 80

After reading the man page, I think that the first one is correct. Is it correct?

Thanks !

#2
8th March 2010
J65nko (Administrator)

Quote:
Originally Posted by xinform3n
If I would like to allow HTTP from vlan10 to vlan20, which rule is correct?

pass in on vlan10 inet proto tcp from $vlan10_subnet to $vlan20_subnet port 80
pass in on carp10 inet proto tcp from $vlan10_subnet to $vlan20_subnet port 80
pass in on vic0 inet proto tcp from $vlan10_subnet to $vlan20_subnet port 80

After reading the man page, I think that the first one is correct. Is it correct?

Thanks!
If vlan10 is the initiator of the connection to vlan20 it should be
Code:
pass out quick on vlan10 inet proto tcp from $vlan10_subnet to $vlan20_subnet port 80
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

#3
8th March 2010
xinform3n (Port Guard)

Okay, the right interface is "vlan10" and not "carp10".

What does a basic ruleset for a CARPed firewall look like?
Have you got an example?

Thanks a lot for your help.

#4
8th March 2010
J65nko (Administrator)

http://www.openbsd.dk/faq/pf/carp.html has an example
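A worked pf.conf for the layout in this thread (two OpenBSD 4.6 nodes, vlanNN interfaces stacked on vic0, carpNN on top of each vlan), added here as an example; it is not from the original posts and not the ruleset on the OpenBSD FAQ page linked above. The names vic0, vlan10/vlan20 and carp10/carp20 come from the thread; the pfsync interface vic1 and the 10.0.NN.0/24 subnets are assumptions for illustration. It follows the thread's conclusion that the rule goes on the vlan interface rather than on carpNN or vic0, and adds the two things a CARP cluster needs on top of a normal default-deny ruleset: CARP advertisements allowed on the interfaces the carp devices are stacked on, and pfsync allowed only on a dedicated link.

```pf
# Example pf.conf for the two-node CARP firewall discussed in the thread.
# Interface names vlan10/vlan20/carp10/carp20 on vic0 are from the thread;
# vic1 as the pfsync link and the 10.0.NN.0/24 subnets are assumed.

sync_if       = "vic1"            # assumed: back-to-back link between the two nodes
vlan10_subnet = "10.0.10.0/24"    # assumed
vlan20_subnet = "10.0.20.0/24"    # assumed

set skip on { lo0 }
# Floating states (the OpenBSD default, written out here on purpose): a state
# created when the SYN arrives "in" on vlan10 also matches the same packet
# when pf evaluates it "out" on vlan20, so one pass rule is enough.
set state-policy floating

# Default deny, logged. The pflog record carries the interface name pf
# evaluated the packet on, which is how you find out whether a given flow
# is seen on vlanNN or carpNN (see tcpdump below).
block log all

# State table synchronisation between the two cluster members. pfsync has no
# authentication and carries the whole state table, so it is only ever allowed
# on the dedicated sync link, never on a VLAN that clients can reach.
pass quick on $sync_if proto pfsync

# CARP advertisements (IP protocol 112, multicast 224.0.0.18) travel on the
# carpdev each carpNN is stacked on, i.e. the vlan interface, not carpNN
# itself and not the untagged vic0.
pass on vlan10 proto carp
pass on vlan20 proto carp

# HTTP initiated by vlan10 hosts towards vlan20 hosts: the packet enters the
# firewall "in" on vlan10 and leaves "out" on vlan20. keep state is implicit
# in 4.6; with floating states no matching "pass out on vlan20" is needed.
pass in on vlan10 inet proto tcp from $vlan10_subnet to $vlan20_subnet port 80
# pass out on vlan20 inet proto tcp from $vlan10_subnet to $vlan20_subnet port 80
#   (only required if you switch to "set state-policy if-bound")

# Checks, run as root on the master node (assumed paths and options are the
# standard OpenBSD ones):
#   pfctl -nf /etc/pf.conf                 # parse only, report syntax errors
#   pfctl -f /etc/pf.conf                  # load
#   tcpdump -n -e -ttt -i pflog0           # every blocked packet, with the
#                                          # rule number and interface name
#   pfctl -ss | grep 10.0.20.              # states created by the HTTP rule
```

Load it with `pfctl -nf` first; a macro typo such as `$vlan10_subnet` versus `$vlan10subnet` is a parse error, not a silently empty match. Because the default is `block log all`, any flow you expected to pass shows up on pflog0 together with the interface pf evaluated it on. If that output names carp10 rather than vlan10 for packets arriving from the vlan10 subnet, the carp pseudo-interface is what pf sees on that release and the interface in the pass rule has to follow it; the pflog output, not the man page, settles which name to use. The pfsync rule is the one to get right from a security standpoint: anyone who can inject pfsync on the sync link can insert arbitrary states into both firewalls, so that link should be a crossover cable or an isolated VLAN that carries nothing else.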