pf temporary dropouts

Hi all, I'm hoping the wealth of experience here will be able to solve my problem!

I've recently set up an OpenBSD 4.6 box to use as a dedicated firewall, got it configured, and all seems well - except that the packet filter is causing connection dropouts every few minutes or so. E.g. if I try to download a large file, it will download for anywhere between 1 - 9 minutes, then simply hang, until I manually cancel. My connection to IRC is also dropped constantly too. I also bought 2 dedicated NICs (Dlink DGE-528T, supported chipset) to use instead of the onboard gigabit NICs to see if they could be at fault, but the same thing occurs. This is definitely a pf issue, as if I do a pfctl -d everything works fine from that point on.

If anyone has any idea as to what could be at fault in my configuration I'd be most grateful - after what little troubleshooting I can do at the moment, being somewhat of a BSD noob, all I can think of is forcing the adapters to 100Mb & 1000Mb. Below are my ifconfig & pf.conf, and I also attached an image with systat output, with pf enabled on the left, and with it disabled on the right (my IRC connection got reset twice in the 6 minute period it was enabled). If any extra info is needed I'd be happy to supply.

Thanks

Simple Network Layout
Code:
      INTERNET
         |
         |
     [ Router ]
         |
         |
(re0) [ Firewall ] (re1)
         |
         |
     [ Switch ]
         |
         |
        LAN

Code:
re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:5a:e3:53:cc
        priority: 0
        groups: egress
        media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:53cc%re0 prefixlen 64 scopeid 0x2
        inet 192.168.134.2 netmask 0xffffff00 broadcast 192.168.134.255
re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:26:5a:e3:52:8d
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet6 fe80::226:5aff:fee3:528d%re1 prefixlen 64 scopeid 0x3
bridge0: flags=41<UP,RUNNING> mtu 1500
        priority: 0
        groups: bridge

Code:
# Ignore the loopback interface
set skip on lo0

# Defines - NIC for external/internal network routes and other addresses
nic_ext = "re0"
nic_int = "re1"
myaddr  = "192.168.134.2"
mysub   = "192.168.134.0/24"
myweb   = "192.168.134.250"

# Allow everything through the secondary (Firewall->Switch) interface
set skip on $nic_int

# Implicit deny through the primary (Firewall->Router) interface
block in on $nic_ext all
block out on $nic_ext all

# Anti-spoof
antispoof quick for $nic_ext

# Now setup the standard rules

# SSH from internal network, else block & log
pass in quick proto tcp from $mysub to $myaddr port 22
# "port 22" must sit on the "to" side: the rule is meant to match the
# destination port of inbound SSH, not a source port of 22
block in log quick on $nic_ext proto tcp from any to any port 22

# Allow DNS requests, as we have a DNS server behind us (and in front)
pass out quick proto udp from $mysub port 53

# Hard-Coded blocks - todo: move these into a dedicated file & table
# Do not block: 208.100.20.98 - proxyscan.rizon.net
# 66.102.9.0/24 - google.com subnet, mostly for ad-blocking
# 63.88.212.91 - webtrends
blacklist = "{ 208.201.239.101, 222.208.183.218, 125.230.150.249, 66.102.9.0/24, 63.88.212.91 }"
block in quick on $nic_ext from $blacklist

# Allow inbound port 8080 traffic to the webserver only
pass in quick on $nic_ext proto tcp from any to $myweb port 8080

# Allow outbound traffic from internal network
# ("all" is shorthand for "from any to any" and cannot be combined with
# "from ..."; pfctl rejects "all from $mysub" as a syntax error)
pass out quick on $nic_ext proto tcp from $mysub to any flags S/SA
pass out quick on $nic_ext proto udp from $mysub to any

# NAT rule
nat on $nic_ext from !($nic_ext) to any -> ($nic_ext)
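A first diagnostic for "connections hang only while pf is enabled" is to read pf's own counters before changing any rules. This is an added example, not the poster's code or output: it parses constructed excerpts laid out like `pfctl -si` and `pfctl -sm` on OpenBSD 4.x and flags state-table pressure and the counters that mean pf itself discarded packets of established connections.

```python
import re

# Constructed excerpt of `pfctl -si` output (not captured from the poster's box);
# the layout follows the pfctl(8) info display of OpenBSD 4.x.
SAMPLE_INFO = """\
State Table                          Total             Rate
  current entries                     9987
  inserts                            10440             28.1/s
Counters
  match                              10440             28.1/s
  memory                                 0              0.0/s
  state-mismatch                       317              0.9/s
  state-limit                           12              0.0/s
"""
# Constructed excerpt of `pfctl -sm`, the hard limits those counters run into.
SAMPLE_LIMITS = "states        hard limit    10000\nfrags         hard limit     5000\n"

COUNTER_RE = re.compile(r"^\s+([a-z-]+(?: entries)?)\s+(\d+)")
LIMIT_RE = re.compile(r"^(\S+)\s+hard limit\s+(\d+)")
# A nonzero value here means pf itself discarded packets of live connections.
DROP_COUNTERS = {
    "state-limit": "state table full, new connections refused",
    "memory": "kernel memory allocation failed while filtering",
    "congestion": "packets dropped under interface queue congestion",
    "state-mismatch": "packet hit a state but failed its TCP window/sanity check",
}

def parse_counters(text):
    # Each indented 'name value [rate]' line of pfctl -si becomes name -> int.
    return {m.group(1): int(m.group(2))
            for m in map(COUNTER_RE.match, text.splitlines()) if m}

def parse_limits(text):
    # Each 'name hard limit N' line of pfctl -sm becomes name -> int.
    return {m.group(1): int(m.group(2))
            for m in map(LIMIT_RE.match, text.splitlines()) if m}

def check_pf(info_text, limits_text):
    # Return findings that would explain connections hanging only while pf is on.
    counters, limits = parse_counters(info_text), parse_limits(limits_text)
    findings = []
    cur, lim = counters.get("current entries", 0), limits.get("states", 0)
    if lim and cur >= 0.9 * lim:  # near the hard limit: see 'set limit states'
        findings.append(f"states {cur}/{lim} in use")
    for name, meaning in DROP_COUNTERS.items():
        if counters.get(name, 0):
            findings.append(f"{name}={counters[name]}: {meaning}")
    return findings
```

Take two snapshots a few minutes apart, once before and once right after a hang, so that a counter that is merely nonzero can be told apart from one that is climbing while the download stalls.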