Perfectly Frustrating/Part 2
The company I work for has a /26 subnet, and we have several servers (httpd, mail, ftp, ssh, etc.) that I need to poke holes in the firewall to allow access to.
Basic setup: OBSD v5.4
em0 = Internet connection (all /26 public IP's are aliased in /etc/hostname.em0)
em1 = future DMZ
em2 = LAN (192.168.0.xxx)

Right now everything is on the LAN, my workstation and the servers.

I have a rule on the firewall that allows SSH access to my workstation as follows:

This works 100%

This is the result from tcpdump:
Code:
    rule 2/(match) match in on em0: 72.38.43.86.2776 > 50.x.x.x.22:
    rule 13/(match) pass in on em0: 72.38.43.86.2776 > 192.168.0.191.22:
    rule 11/(match) pass out on em2: 72.38.43.86.2776 > 192.168.0.191.22:
Code:
    RULE #2: match in log all scrub (no-df)
    RULE #13: pass in log on egress inet proto { tcp, udp } to $testing_pub_ip port { ssh } rdr-to $bsd_matt
    RULE #11: pass in log on { $int_if }

New Line:
Code:
    pass in log on egress inet proto { tcp, udp } to $sync_pub_ip port { ssh } rdr-to $netfs

    rule 2/(match) match in on em0: 72.38.43.86.3553 > 50.x.x.x.22
    rule 15/(match) pass in on em0: 72.38.43.86.3553 > 192.168.0.152.22
    rule 11/(match) pass out on em2: 72.38.43.86.3553 > 192.168.0.152.22

But the server at 192.168.0.152 never sees the ssh attempt. By watching:
    tail -f /var/log/auth.log

So in summary: I have a line in my pf.conf that works perfectly, but it only connects to one computer. When I edit it to connect to other computers it doesn't work..

Last edited by ocicat; 5th December 2013 at 04:42 PM. Reason: fixed incorrect [/code] tag

Sanitized pf.conf
Code:
    ext_if="em0"
    int_if="em2"

    testing_pub_ip = "50.x.x.a"
    sync_pub_ip = "50.x.x.b"
    netfs = "192.168.0.152"
    workstation = "192.168.0.191"

    icmp_types = "{ echoreq, unreach }"
    pass inet proto icmp all icmp-type $icmp_types

    set block-policy drop
    set loginterface egress
    set limit { states 1000000, src-nodes 100000, tables 1000000, table-entries 1000000 }
    set skip on lo0

    match in log all scrub (no-df)

    # NAT
    match out log on egress inet from !(egress:network) to any nat-to (egress:0)

    antispoof quick for egress
    block in log quick on egress from urpf-failed
    block in log quick from no-route to any

    # No IPv6 please
    block in quick inet6 all
    block out quick inet6 all

    block in log all

    # Let your traffic go through to the internet
    pass out log quick inet keep state

    # Allow all LAN traffic
    pass in log on { $int_if }

    pass in log on egress inet proto { tcp, udp } to $testing_pub_ip port { ssh } rdr-to $workstation
    pass in log on egress inet proto { tcp, udp } to $sync_pub_ip port { ssh } rdr-to $netfs

Last edited by ocicat; 5th December 2013 at 05:47 PM. Reason: fixed yet another incorrect [/code] tag

I figured it out!!!!
My problem was because all the other devices on my network were using a different gateway than this new firewall I was setting up. My workstation worked because I 'converted' it first!!!

Note to future readers: Make sure your default gateway is the same device on all devices you are testing against.

Last edited by bsd_matt; 5th December 2013 at 08:01 PM. Reason: spelling
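The symptom in the first post (pf logs "pass in on em0" and "pass out on em2" for the redirected connection, yet the LAN host never sees it) and the cause found in the last post (the host replies through a different default gateway, so the reply never returns through the firewall) can be spotted from the pflog capture itself. The script below is an added example, not code from the thread or from OpenBSD: it parses lines in the shape the poster got from tcpdump on pflog0, groups them per client connection, and flags flows that were redirected to a LAN host but produced no reply packet through the firewall. Interface names em0/em2 and the flows on port 2776 and 3553 are taken from the thread; the reply line for the 2776 flow is constructed. It assumes the rules are written with `log (all)`, because plain `log` records only the packet that creates the state, so reply packets would otherwise never appear in the capture.

```python
"""Diagnose rdr-to flows from pflog output (added example, not from the thread)."""
import re
from collections import defaultdict

# One line of `tcpdump -n -e -ttt -i pflog0` output as quoted in the thread.
# Real pflog lines also carry timestamps, "[uid 0, pid 0]" and TCP flags; the
# pattern tolerates leading text and an optional bracketed field.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]*)\)\s+"
    r"(?:\[[^\]]*\]\s+)?"
    r"(?P<action>match|pass|block) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>[\w.]+?)\.(?P<sport>\d+) > (?P<dst>[\w.]+?)\.(?P<dport>\d+)(?=[:\s]|$)"
)

# Constructed sample: the first six lines are the two flows quoted in the
# thread; the "pass in on em2" reply line is constructed (assumes `log (all)`).
SAMPLE_PFLOG = """\
rule 2/(match) match in on em0: 72.38.43.86.2776 > 50.x.x.x.22:
rule 13/(match) pass in on em0: 72.38.43.86.2776 > 192.168.0.191.22:
rule 11/(match) pass out on em2: 72.38.43.86.2776 > 192.168.0.191.22:
rule 11/(match) pass in on em2: 192.168.0.191.22 > 72.38.43.86.2776:
rule 2/(match) match in on em0: 72.38.43.86.3553 > 50.x.x.x.22
rule 15/(match) pass in on em0: 72.38.43.86.3553 > 192.168.0.152.22
rule 11/(match) pass out on em2: 72.38.43.86.3553 > 192.168.0.152.22
""".splitlines()


def parse_pflog(lines):
    """Return one dict per recognised pflog line; other lines are skipped."""
    records = []
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def trace_flows(records, ext_if="em0", int_if="em2"):
    """Group records by client endpoint and give a verdict per redirected flow.

    Returns {(client_ip, client_port): {public_dst, rdr_to, reply_seen,
    rules, verdict}}.
    """
    flows = defaultdict(list)
    for r in records:
        # Packets entering on the external interface or leaving on the internal
        # one travel client -> server; anything else is the server's reply.
        inbound = (r["dir"] == "in" and r["ifc"] == ext_if) or \
                  (r["dir"] == "out" and r["ifc"] == int_if)
        key = (r["src"], r["sport"]) if inbound else (r["dst"], r["dport"])
        flows[key].append((inbound, r))

    report = {}
    for key, recs in flows.items():
        public_dst = rdr_to = None
        reply_seen = False
        rules = []
        for inbound, r in recs:
            rules.append(r["rule"])
            if inbound and r["ifc"] == ext_if and public_dst is None:
                public_dst = r["dst"]          # address before rdr-to applied
            elif inbound and r["ifc"] == int_if:
                rdr_to = r["dst"]              # LAN host pf forwarded to
            elif not inbound:
                reply_seen = True
        if rdr_to is None:
            verdict = "not forwarded to the LAN: no rule redirected the packet"
        elif reply_seen:
            verdict = f"ok: forwarded to {rdr_to} and a reply came back"
        else:
            verdict = (f"forwarded to {rdr_to} but no reply reached the firewall: "
                       f"check that {rdr_to} uses the firewall's {int_if} address "
                       f"as its default gateway")
        report[key] = {"public_dst": public_dst, "rdr_to": rdr_to,
                       "reply_seen": reply_seen, "rules": rules,
                       "verdict": verdict}
    return report


if __name__ == "__main__":
    for (ip, port), info in trace_flows(parse_pflog(SAMPLE_PFLOG)).items():
        print(f"{ip}:{port} -> {info['public_dst']} (rules {info['rules']}): "
              f"{info['verdict']}")
```

Run against a live capture with `tcpdump -n -e -ttt -i pflog0 | python3 trace.py` after adapting the main block to read stdin; a flow whose verdict names the host's default gateway is the asymmetric-routing case the thread ends on.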