27th March 2010
Septic (New User, joined Mar 2010, 9 posts)

pf temporary dropouts

Hi all, I'm hoping the wealth of experience here will be able to solve my problem!

I've recently set up an OpenBSD 4.6 box to use as a dedicated firewall, got it configured, and all seems well - except that the packet filter is causing connection dropouts every few minutes or so.

e.g. if I try to download a large file, it will download for anywhere between 1 - 9 minutes, then simply hang until I manually cancel. My connection to IRC also drops out constantly.

I also bought 2 dedicated NICs (D-Link DGE-528T, supported chipset) to use instead of the onboard gigabit NICs to see if they could be at fault, but the same thing occurs.
This is definitely a pf issue, as, if I do a pfctl -d, everything works fine from that point on.

If anyone has any idea as to what could be at fault in my configuration I'd be most grateful - after what little troubleshooting I can do at the moment, being somewhat of a BSD noob, all I can think of is forcing the adapters to 100Mb & 1000Mb.

Below are my ifconfig & pf.conf, and I have also attached an image with systat output, with pf enabled on the left and with it disabled on the right (my IRC connection got reset twice in the 6-minute period it was enabled). If any extra info is needed, I'd be happy to supply it.


Simple Network Layout
       [ Router ]
      [ Firewall ]
       [ Switch ]
relevant ifconfig output
        lladdr 00:26:5a:e3:53:cc
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:53cc%re0 prefixlen 64 scopeid 0x2
        inet netmask 0xffffff00 broadcast
        lladdr 00:26:5a:e3:52:8d
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:528d%re1 prefixlen 64 scopeid 0x3
bridge0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        groups: bridge

pf.conf
# Ignore the loopback interface
set skip on lo0

# Defines - NIC for external/internal network routes and other addresses
nic_ext = "re0"
nic_int = "re1"
myaddr = ""
mysub = ""
myweb = ""

# Allow everything through the secondary (Firewall->Switch) interface
set skip on $nic_int

# Implicit deny through the primary (Firewall->Router) interface
block in on $nic_ext all
block out on $nic_ext all

# Anti-spoof
antispoof quick for $nic_ext

# Now setup the standard rules

# SSH from internal network, else block & log
pass in quick proto tcp from $mysub to $myaddr port 22
block in log quick on $nic_ext proto tcp from any port 22

# Allow DNS requests, as we have a DNS server behind us (and in front)
pass out quick proto udp from $mysub port 53

# Hard-Coded blocks - todo: move these into a dedicated file & table
# Do not block: - proxyscan.rizon.net
# - google.com subnet, mostly for ad-blocking
# - webtrends
blacklist = "{,,,, }"
block in quick on $nic_ext from $blacklist

# Allow inbound port 8080 traffic to the webserver only
pass in quick on $nic_ext proto tcp from any to $myweb port 8080

# Allow outbound traffic from internal network
pass out quick on $nic_ext proto tcp all from $mysub flags S/SA
pass out quick on $nic_ext proto udp all from $mysub

# NAT rule
nat on $nic_ext from !($nic_ext) to any -> ($nic_ext)
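Whether the mid-transfer stalls come from a pf rule rather than from the NICs can be settled by logging the block rules and reading pflog0 with tcpdump -n -e -ttt -i pflog0. The Python below is an added diagnostic example, not part of the original post; it parses constructed pflog lines in OpenBSD tcpdump's output format (rule numbers, interface and addresses are assumed) and separates blocked SYNs from blocked packets of already-established connections, which are the ones matching the symptom described above.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (not captured from the
# poster's firewall): one blocked inbound SYN to port 22, then three data packets of
# an already-established download on re0 dropped by rule 0 (assumed here to be the
# default "block in on $nic_ext all" rule with `log` added so it reaches pflog0).
SAMPLE_PFLOG = """\
Mar 27 10:01:02.123456 rule 1/(match) block in on re0: 203.0.113.9.40123 > 198.51.100.2.22: S 1:1(0) win 65535
Mar 27 10:01:05.000001 rule 0/(match) block in on re0: 192.0.2.10.80 > 198.51.100.2.50111: P 20001:21449(1448) ack 1 win 8192
Mar 27 10:01:05.000150 rule 0/(match) block in on re0: 192.0.2.10.80 > 198.51.100.2.50111: . 21449:22897(1448) ack 1 win 8192
Mar 27 10:01:06.200000 rule 0/(match) block in on re0: 192.0.2.10.80 > 198.51.100.2.50111: P 22897:23001(104) ack 1 win 8192
"""

# Accepts both the "rule N/(match)" and the older "rule N/M(match)" spellings.
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\S*?\(match\) (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): (?P<flags>\S+)"
)

def parse_pflog(text):
    """Return one dict per parseable tcpdump/pflog line; other lines are skipped."""
    return [m.groupdict() for m in (LINE_RE.search(l) for l in text.splitlines()) if m]

def midstream_drops(records):
    """Count blocked TCP packets per flow whose flag letter is not 'S' (SYN/SYN-ACK).

    BSD tcpdump prints the flag letter (S, P, F, R or '.') first. A blocked SYN is the
    policy doing its job; a blocked data or pure-ack packet means pf had no state for
    a live connection, which is the signature of a transfer that runs for a while and
    then hangs. Truncated lines ([|tcp]) carry no flag information and are ignored."""
    counts = Counter()
    for r in records:
        if r["action"] != "block" or r["flags"] in ("S", "[|tcp]"):
            continue
        counts[(r["rule"], r["iface"], r["dir"], r["src"], r["dst"])] += 1
    return counts

def report(text):
    """Flows sorted by number of mid-stream drops, busiest first."""
    return sorted(midstream_drops(parse_pflog(text)).items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    for (rule, iface, direction, src, dst), n in report(SAMPLE_PFLOG):
        print(f"rule {rule} {direction} on {iface}: {src} > {dst}: {n} non-SYN packets blocked")
```

Note that the two "block ... on $nic_ext all" rules in the posted pf.conf carry no log keyword, so packets they drop never appear on pflog0 until log is added to them.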