Old 22nd August 2011
tomp
Real Name: Tom Purvis
Join Date: Aug 2011
Location: Colorado
Posts: 17

why won't my table work?

I've been working on understanding rules in pf.conf and I've made some progress, but I don't pretend to really get it all yet. I've been trying to define some groupings among our users in order to allow traffic from only some users to some ports. My basic plan is to have rank-and-file users be served DHCP addresses from the firewall box, and have blocks of static addresses that will be given privileges as needed. Tables of IP addresses stored in files seem like the cleanest way to define these groupings.

Problem is that I can't seem to make a simple example work.

I've set up a closed test network: one PC with an http server, a site at port 80 and another at 81. That machine sits on the "outside" LAN connected to my firewall's rl0 NIC; the other one, which is serving as the client, sits on the inside on rl1.

I want "everyone" to be able to get to port 80 on the outside, but only developers to be able to get to 81.

Here's my pf.conf, currently not working:

Code:
#       $OpenBSD: pf.conf,v 1.49 2009/09/17 06:39:03 jmc Exp $
#
#  RockyMountainTrail.com Packet Filter Config File: Aug 18, 2011
ext_if="rl0"
int_if="rl1"
localnet=$int_if:network
outsidenet=$ext_if:network
tcp_services="{ 80 }"
tcp_services_dev="{ 81 }"
udp_services="{ domain, ntp, dhcpd-sync }"
netbios_services="{ netbios-ns, netbios-dgm, netbios-ssn }"
icmp_types="echoreq"
table <developers> persist file "/etc/developers"
#table <developers> { 192.168.0.10 }
# begin settings
set block-policy drop
set skip on lo
antispoof quick for $ext_if
# This is the NAT line:
match out on $ext_if from $localnet nat-to ($ext_if)
block log on $ext_if all
pass out inet proto tcp from <developers> to port $tcp_services_dev keep state
pass out inet proto { tcp, udp } from { self, $localnet } to port $tcp_services
pass inet proto { tcp, udp } from $outsidenet to $localnet port $netbios_services
pass inet proto { tcp, udp } to port $udp_services keep state
pass inet proto icmp all icmp-type $icmp_types
# allow sh to come in from "outside"
pass in proto tcp from $outsidenet to $ext_if port { ssh }

I tried making the <developers> table a simple single IP address (you can see that attempt commented out; that did not work either). Developers contains

Code:
192.168.0.8
192.168.0.9
192.168.0.10

Sorry if this is a totally stupid mistake. I have a feeling that it is, and I don't want to waste anybody's time, but I'm just not finding anything that points me to what's wrong. And I've spent a stupid amount of time trying to figure it out. (Some of the rules you see are based on wild-ass guesses from multiple attempts to conjure a solution out of what the log is spitting out as the connection request for port 81 fails.)

Thanks as always.
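As an added illustration (not part of the thread and not pf itself), the following Python model walks the policy the post is trying to express through pf's evaluation order: every rule is checked in sequence, the last matching rule decides unless a matching rule carries `quick`, and a packet nothing matches is passed. It parses a table file in the same one-address-per-line shape as the post's /etc/developers (comments and blank lines ignored), builds a reduced version of the post's ruleset (block on rl0, pass out to 81 from the table, pass out to 80 from the local network, pass in ssh on rl0), and evaluates sample packets. The 192.168.0.0/24 local network, the table contents and the packets are constructed assumptions; pf's real matching covers far more than these five fields.

```python
"""Toy model of pf's last-matching-rule evaluation with an address table.

Added example, not the poster's configuration and not pf: it models only
direction, interface, protocol, source table and destination port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed copy of the post's /etc/developers, in pf table-file syntax.
DEVELOPERS_FILE = """\
# developers allowed to reach the dev site on port 81
192.168.0.8
192.168.0.9
192.168.0.10
"""

ANY = None  # a field left at ANY matches every packet


def load_table(text: str) -> list:
    """Parse a pf table file: one address or CIDR per line, '#' comments ignored."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


@dataclass
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = ANY       # "in", "out", or ANY for both
    iface: Optional[str] = ANY
    proto: Optional[Set[str]] = ANY
    src: Optional[list] = ANY            # list of ip_network objects (a table)
    dports: Optional[Set[int]] = ANY
    quick: bool = False


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every constrained field of the rule fits the packet."""
    if rule.direction is not ANY and rule.direction != pkt.direction:
        return False
    if rule.iface is not ANY and rule.iface != pkt.iface:
        return False
    if rule.proto is not ANY and pkt.proto not in rule.proto:
        return False
    if rule.src is not ANY:
        ip = ipaddress.ip_address(pkt.src)
        if not any(ip in net for net in rule.src):
            return False
    if rule.dports is not ANY and pkt.dport not in rule.dports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """pf semantics: last matching rule wins; 'quick' stops evaluation; default is pass."""
    verdict = "pass"
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


EXT_IF, INT_IF = "rl0", "rl1"
LOCALNET = [ipaddress.ip_network("192.168.0.0/24")]  # assumed $int_if:network
DEVELOPERS = load_table(DEVELOPERS_FILE)


def build_ruleset(block_last: bool = False) -> List[Rule]:
    """Reduced form of the post's rules; block_last shows why rule order matters."""
    block_ext = Rule("block", iface=EXT_IF)                       # block log on $ext_if all
    passes = [
        Rule("pass", "out", proto={"tcp"}, src=DEVELOPERS, dports={81}),
        Rule("pass", "out", proto={"tcp", "udp"}, src=LOCALNET, dports={80}),
        Rule("pass", "in", iface=EXT_IF, proto={"tcp"}, dports={22}),
    ]
    return passes + [block_ext] if block_last else [block_ext] + passes


def verdict(rules: List[Rule], direction: str, iface: str, proto: str, src: str, dport: int) -> str:
    return evaluate(rules, Packet(direction, iface, proto, src, dport))


if __name__ == "__main__":
    rs = build_ruleset()
    for args in [("out", "rl0", "tcp", "192.168.0.10", 81),
                 ("out", "rl0", "tcp", "192.168.0.20", 81),
                 ("out", "rl0", "tcp", "192.168.0.20", 80)]:
        print(args, "->", verdict(rs, *args))
```

On the firewall itself the equivalent checks are `pfctl -nf /etc/pf.conf` to parse the file without loading it, `pfctl -t developers -T show` to confirm the table was actually populated from the file, and `pfctl -sr` to see the rules in the order pf will evaluate them.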