OpenBSD Security Functionally paranoid!

PF cannot access Internet from internal network
My first try at PF and I must have something wrong because I'm unable to go out from the internal network. Would someone review my configuration and let me know where I've gone wrong? Also, any tips or hints would be helpful.
Code:
##### Macros #####
# ext_if -- the interface to the outside world
ext_if="axe0"
# prv_if -- the interface to the private hosts
prv_if="axe1"
localnet = $prv_if:network
# dmz_if -- the interface to the DMZ
dmz_if="axe2"
# prv_hosts -- the list of addresses of hosts on the screened LAN
prv_hosts = "{ 192.168.1.129/25, 192.168.1.130/25 }"
# dmz_hosts -- the list of addresses of hosts in the DMZ
dmz_hosts = "{ 192.168.2.1/25, 192.168.2.2/25, 192.168.2.3/25 }"
# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.2.1/25"
# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.2.2/25"
# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.2.3/25"
# known ports
www_ports = "{ http, https }"
mail_ports = "{ smtp, pop3, imap, imaps, pop3s }"

##### Tables #####
# Non-routable addresses
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }

##### Options #####
set skip on lo
set reassemble yes
set require-order yes
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set optimization aggressive
set timeout { frag 30, tcp.established 120 }
set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }

##### Traffic Normalization #####
match in all scrub (no-df random-id min-ttl 5 set-tos lowdelay max-mss 1440 reassemble tcp)
match out on $ext_if scrub (no-df random-id)

##### Queueing #####

##### Translation (NAT) #####
# Network Address Translation
# nat for the private hosts
match out on egress from $prv_hosts to any nat-to egress
# nat for the DMZ hosts
match out on egress from $dmz_hosts to any nat-to egress
# redirect connections to port 80 (HTTP) to DMZ
match in on egress inet proto tcp from any to any port $www_ports rdr-to $dmz_www
# redirect connections to port 25 (SMTP) to DMZ
match in on egress inet proto tcp from any to any port 25 rdr-to $dmz_smtp
# redirect connections to port 53 (DNS) to DMZ
match in on egress inet proto { tcp, udp } from any to any port 53 rdr-to $dmz_dns

##### Filtering #####
# Block all incoming connections sent from the outside
# Log all blocked packets
block log on $ext_if
block return log on $prv_if
block return log on $dmz_if
# Block to/from illegal sources/destinations
block drop in quick on $ext_if from <rfc1918> to any
block drop out quick on $ext_if from any to <rfc1918>
block in quick on $ext_if inet from any to 255.255.255.255
block in log quick on $ext_if inet from urpf-failed to any
block in log quick on $ext_if inet from no-route to any
# Block spoofed packets: enable "set state-policy if-bound" above
antispoof log quick for { lo0 $dmz_if $prv_if ($ext_if) }
# pass all connections originating from the firewall
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA modulate state
# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA
# pass all connections originating from the DMZ
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA
# pass all connections to the WWW host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_www \
    port $www_ports flags S/SA synproxy state
# pass all connections to the SMTP host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_smtp \
    port $mail_ports flags S/SA synproxy state
# pass all connections to the DNS host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_dns \
    port 53 flags S/SA keep state
# Allow anything on the internal interface
pass in on $prv_if from $localnet to any keep state
pass out on $prv_if from any to $localnet keep state
# Allow anything from the internal network out onto the Internet
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { tcp, icmp } all keep state
Yes,
Code:
net.inet.ip.forwarding=1
I made a change and can now successfully reach the Internet from my internal network.
Can someone review my configuration and let me know any problems you see?
Code:
##### Macros #####
# ext_if -- the interface to the outside world
ext_if="axe0"
# prv_if -- the interface to the private hosts
prv_if="axe1"
localnet = $prv_if:network
# dmz_if -- the interface to the DMZ
dmz_if="axe2"
# prv_hosts -- the list of addresses of hosts on the screened LAN
prv_hosts = "{ 192.168.1.129/25, 192.168.1.130/25 }"
# dmz_hosts -- the list of addresses of hosts in the DMZ
dmz_hosts = "{ 192.168.1.1/25, 192.168.1.2/25, 192.168.1.3/25 }"
# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.1.1/25"
# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.1.2/25"
# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.1.3/25"
# known ports
www_ports = "{ http, https }"
mail_ports = "{ smtp, pop3, imap, imaps, pop3s }"

##### Tables #####
# Non-routable addresses
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }

##### Options #####
set skip on lo
set reassemble yes
set require-order yes
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set optimization aggressive
set timeout { frag 30, tcp.established 120 }
set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }

##### Traffic Normalization #####
match in all scrub (no-df random-id min-ttl 5 set-tos lowdelay max-mss 1440 reassemble tcp)
match out on $ext_if scrub (no-df random-id)

##### Queueing #####

##### Translation (NAT) #####
# Network Address Translation
# nat for the private hosts
match out on egress from $prv_hosts to any nat-to egress
# nat for the DMZ hosts
match out on egress from $dmz_hosts to any nat-to egress
# redirect connections to port 80 (HTTP) to DMZ
match in on egress inet proto tcp from any to any port $www_ports rdr-to $dmz_www
# redirect connections to port 25 (SMTP) to DMZ
match in on egress inet proto tcp from any to any port 25 rdr-to $dmz_smtp
# redirect connections to port 53 (DNS) to DMZ
match in on egress inet proto { tcp, udp } from any to any port 53 rdr-to $dmz_dns

##### Filtering #####
# Block all incoming connections sent from the outside
# Log all blocked packets
block log on $ext_if
block return log on $prv_if
block return log on $dmz_if
# Block to/from illegal sources/destinations
block drop in quick on $ext_if from <rfc1918> to any
block drop out quick on $ext_if from any to <rfc1918>
block in quick on $ext_if inet from any to 255.255.255.255
block in log quick on $ext_if inet from urpf-failed to any
block in log quick on $ext_if inet from no-route to any
# Block spoofed packets: enable "set state-policy if-bound" above
antispoof log quick for { lo0 $dmz_if $prv_if ($ext_if) }
# pass all connections originating from the firewall
pass out quick on $ext_if inet \
    from ($ext_if) to any flags S/SA modulate state
# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA
# pass all connections originating from the DMZ
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA
# pass all connections to the WWW host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_www \
    port $www_ports flags S/SA synproxy state
# pass all connections to the SMTP host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_smtp \
    port $mail_ports flags S/SA synproxy state
# pass all connections to the DNS host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_dns \
    port 53 flags S/SA keep state
# Allow anything from the internal network out onto the Internet
pass out on $ext_if proto tcp from $localnet to any modulate state flags S/SA
pass out on $ext_if proto { tcp, icmp } from $localnet to any keep state
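A reduced three-interface ruleset, added here as an example and not the poster's configuration, showing the two points the rulesets above turn on: with `set state-policy if-bound` a forwarded packet needs a pass rule on every interface it crosses, in the direction it crosses it, and a `match ... nat-to` / `rdr-to` rule rewrites addresses before later rules are evaluated, so the outbound pass rule on $ext_if has to match on ($ext_if), never on the private network. Interface names follow the thread; the /25 ranges, the web server address and the DMZ's allowed outbound ports are assumptions.

```pf
# Added example (not the poster's ruleset). Forwarding between interfaces
# also requires net.inet.ip.forwarding=1 in /etc/sysctl.conf; pf never routes.
ext_if    = "axe0"
prv_if    = "axe1"
dmz_if    = "axe2"
prv_net   = "192.168.1.128/25"   # assumed LAN range
dmz_net   = "192.168.1.0/25"     # assumed DMZ range
dmz_www   = "192.168.1.1"        # assumed DMZ web server
www_ports = "{ http, https }"

table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16, 127.0.0.0/8 }

set skip on lo
set block-policy drop
set loginterface $ext_if
# if-bound: a state only matches on the interface that created it, so every
# interface a forwarded packet crosses needs its own pass rule below.
set state-policy if-bound

match in all scrub (no-df random-id max-mss 1440)

# Translation. The match rule rewrites the packet as soon as it matches, so
# rules evaluated afterwards see ($ext_if) as the source of outbound packets
# and $dmz_www as the destination of redirected inbound ones.
match out on $ext_if inet from { $prv_net, $dmz_net } to any nat-to ($ext_if)
match in on $ext_if inet proto tcp from any to ($ext_if) port $www_ports rdr-to $dmz_www

# Default deny on every interface; log only what the outside throws at us.
block log on $ext_if
block return on { $prv_if, $dmz_if }
block in quick on $ext_if from <rfc1918> to any
block in log quick on $ext_if from urpf-failed to any
antispoof log quick for { $prv_if, $dmz_if }

# LAN -> Internet: in on $prv_if (pre-NAT source), then out on $ext_if
# (post-NAT source). A rule "pass out on $ext_if from $prv_net" would
# never match here because the source has already been translated.
pass in on $prv_if inet from $prv_net to any
pass out on $ext_if inet from ($ext_if) to any

# DMZ hosts get only DNS and NTP out; the $ext_if rule above carries them
# after translation. Everything else from the DMZ hits the block return.
pass in on $dmz_if inet proto { tcp, udp } from $dmz_net to any port { domain, ntp }

# Internet -> DMZ web server: in on $ext_if against the post-rdr destination,
# then out on $dmz_if, which with if-bound needs its own rule.
pass in on $ext_if inet proto tcp from any to $dmz_www port $www_ports synproxy state
pass out on $dmz_if inet proto tcp from any to $dmz_www port $www_ports
```

Load it with `pfctl -nf` first, which parses without installing; `pfctl -sr` afterwards shows the rules as pf expanded them.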