DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1   (View Single Post)  
Old 31st January 2012
alpha202ej alpha202ej is offline
Port Guard
 
Join Date: Dec 2011
Posts: 10
Default Dual WAN & HTTPS Sites

Hi everyone,

Anyone ever have any issues accessing certain HTTPS sites? We have have our OpenBSD box acting as the firewall and it utilizes an aysmetrical dual WAN connection (two different ISPs). The error that is most telling is from LogMeIn where it states I have an IP address mismatch. This doesn't make sense to me since I have a rule that forces HTTPS traffic to only go through the first WAN interface. Furthermore, I also went ahead an reloaded my PF to only utilize the one interface and still have the same issue (did a pfctl -F all -f /etc/pf.conf).

Below is my pf.conf.

Code:
# PF Configuration

############
## MACROS ##
############

# Interfaces
int_if  = "vr0" #Internal Interface
ext_if1 = "vr1" #External Interface T1
ext_if2 = "axe0" #External Interface WiMAX
ext_gw1 = "x.x.x.x"
ext_gw2 = "y.y.y.y"
vpn_if  = "tun0" #VPN Tunnel
vlan100 = "vlan100" #VLAN Interface 10.0.2.0/24

# Misc
ext = "{ vr1, axe0 }"
localnet = "10.0.0.0/24"
vlan100net = "10.0.2.0/24"
abcnet = "10.21.0.0/16"
vpnnet = "172.25.0.0/24"
#SH_Ext = "x.x.x.x"
SH_Int = "10.0.0.11"
nonroute = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
snglextports = "{ 21, 22, 443, 1194, 3389, 8008, 10000 }"
abc_scanner = "{ 21, 80, 443, 990, 2002, 3000:3019 }"
DHCP = "{ 67, 68 }"
icmp_types = "echoreq"
voipport = "{ 4569 }"

# Addresses
MFC8780 = "10.0.0.5"

# Ports
RDP = "{ 3389 }"

# FTP Pass
anchor "ftp-proxy/*"
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021

############
## TABLES ##
############


####################
## GLOBAL OPTIONS ##
####################

set skip on lo0

###########################
## TRAFFIC NORMALIZATION ##
###########################


####################
## QUEUEING RULES ##
####################


#########################################
## TRANSLATION RULES (NAT) & SCRUBBING ##
#########################################

match in all scrub (no-df max-mss 1440)

match out on $vpn_if from $localnet nat-to $vpn_if
match out on $ext_if1 from $localnet nat-to ($ext_if1)
match out on $ext_if2 from $localnet nat-to ($ext_if2)
match out on $ext_if1 from $vlan100net nat-to ($ext_if1)
match out on $ext_if2 from $vlan100net nat-to ($ext_if2)

###################
## FILTERS RULES ##
###################

#antispoof for $int_if
#antispoof for $ext_if1
#antispoof for $ext_if2

block in log
block out log

# Block Non-Routable Addresses
#block drop in quick on $ext_if from $nonroute to any
#block drop out quick on $ext_if from any to $nonroute

pass inet proto { tcp, udp } from { self, $localnet, $vlan100net, $vpnnet }

# Single WAN - DISABLED
#pass out log on $ext_if1 proto { tcp udp icmp } all

### Dual WAN Configuration
pass in log on $int_if from { $localnet, $vpnnet } route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin
pass in on $vlan100 from $vlan100net route-to { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin

# Single External Connection Path for Secure Ports
pass in on $int_if proto { tcp, udp } from { $localnet, $vpnnet } to port $snglextports route-to ($ext_if1 $ext_gw1)

# General "Pass Out" Rules For External Interface
pass out on $ext_if1
pass out on $ext_if2

# Route Packets From any IPs on on $ext_if1 to $ext_gw1 and the same for ext_if2 and $ext_gw2
pass out on $ext_if1 from $ext_if2 route-to ($ext_if2 $ext_gw2)
pass out on $ext_if2 from $ext_if1 route-to ($ext_if1 $ext_gw1)

pass in inet proto tcp to port ssh
pass inet proto icmp

# VPN
pass quick on $vpn_if
pass in on !$ext_if1 to $abcnet
pass in on !$ext_if2 to $abcnet
pass in quick proto udp from any to port 1194

block in on ! lo0 proto tcp to port 6000:6010
Anyone know what might be going on because at this point I am baffled. Thanks!
Reply With Quote
 

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Open Source E-commerce sites under attack! CyberJet News 0 29th July 2011 02:07 PM
https ports on PF mug23 OpenBSD Security 5 4th March 2011 10:11 PM
Best Way to sync web sites roundkat OpenBSD General 2 14th September 2008 01:48 PM
Collect visited sites bichumo General software and network 3 8th August 2008 06:32 PM
Cool sites 18Googol2 Off-Topic 0 2nd May 2008 09:19 AM


All times are GMT. The time now is 09:04 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick