OpenBSD Security Functionally paranoid!
Bridging firewall with OpenBSD 5.0
I have a switch with multiple VLANs with a DMZ. I have some servers that need protecting within the DMZ so I've decided to implement an OpenBSD bridging/transparent firewall.
So far I'm connected and I can ping stuff from the internal network (i.e. I can ping my gateway and servers on the "other" side of the firewall), but I can't get to the internet from the servers or nodes behind the firewall. For some clarification, here is what I have:

ext --> ASA --> DMZ --> OBSD PF --> Protected IPs

They're all the same network (192.168.10.0/24). So I can easily connect to nodes on the other side of the OpenBSD firewall, just not the internet. Here is my pf.conf:
Code:
    int_if = "em1"
    ext_if = "em2"
    localnet = "192.168.0.0/24"

    # we only want to filter one interface, so pass everything on the inside interface
    pass in quick on $int_if all
    pass out quick on $int_if all

    # block everything by default on the external interface
    block in log on $ext_if all
    block out log on $ext_if all

    # allow UDP DNS traffic
    pass out log quick on $ext_if proto udp from $localnet to any port 53 keep state

    # allow FTP, SSH, DNS and HTTP traffic to trusted networks
    pass out log quick on $ext_if proto tcp from $localnet to any \
        port { 20, 21, 22, 53, 80, 81, 443 } modulate state

    # allow incoming FTP, SSH, and HTTP traffic
    pass in log quick on $ext_if proto tcp from any to $localnet \
        port { 80, 443 } modulate state

    # allow pings
    pass in log on $ext_if proto icmp from any to $localnet icmp-type 8 code 0 keep state
    pass out log on $ext_if proto icmp from $localnet to any icmp-type 8 code 0 keep state
Any help is appreciated.
The classic setup for a DMZ firewall with pf is one with a box with three NICs:
Is this an option for you?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
I have some web servers that need extra protection, that's why 80/443 are open. My pf.conf is as follows:
Code:
    int_if = "em1"
    ext_if = "em2"
    localnet = "192.168.100.0/24"
    set loginterface em2

    # we only want to filter one interface, so pass everything on the inside interface
    pass in quick on $int_if all
    pass out quick on $int_if all

    # block everything by default on the external interface
    block in log on $ext_if all
    block out log on $ext_if all

    # allow UDP DNS traffic
    pass out log quick on $ext_if proto udp from $localnet to any port 53 keep state

    # allow FTP, SSH, DNS and HTTP traffic to trusted networks
    pass out log quick on $ext_if proto tcp from $localnet to any port { 20, 21, 22, 53, 80, 443 } modulate state

    # allow incoming FTP, SSH, and HTTP traffic
    #pass in log quick on $ext_if proto tcp from any to $localnet port { 20, 21, 22, 80, 81, 443 } modulate state

    # allow pings
    pass in log on $ext_if proto icmp from any to $localnet icmp-type 8 code 0 keep state
    pass out log on $ext_if proto icmp from $localnet to any icmp-type 8 code 0 keep state
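Added example, not part of either post above: a small POSIX sh script that stages the hostname.if(5) files a two-port OpenBSD bridge needs (em1 and em2, as in the thread) together with a pf.conf along the lines of the one posted, and checks the `localnet` macro against the addresses it is meant to protect before anything is loaded. Both posted rulesets set `localnet` to a network (192.168.0.0/24, then 192.168.100.0/24) that does not contain the 192.168.10.0/24 the poster describes, so any rule written `from $localnet` or `to $localnet` (the inbound 80/443 rule, the echo-request rules) can never match a packet to or from those hosts; the check below catches exactly that class of slip. The staging directory, the protected host list and the helper names are assumptions; on the firewall the files belong in /etc.

```shell
#!/bin/sh
# Added example, not from the thread: stage the files a two-port OpenBSD 5.0
# bridge needs and sanity-check the pf.conf "localnet" macro against the
# addresses it is supposed to protect before the ruleset is loaded.
# em1/em2 and 192.168.10.0/24 are taken from the thread; the staging
# directory, the protected host list and all helper names are assumptions.
set -e

# ip_to_int A.B.C.D -> the address as a 32-bit integer
ip_to_int() {
    ip_old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$ip_old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet ADDR NET/BITS -> "yes" if ADDR lies inside NET/BITS, else "no"
in_subnet() {
    sn_addr=$(ip_to_int "$1")
    sn_net=$(ip_to_int "${2%/*}")
    sn_bits=${2#*/}
    sn_mask=$(( (4294967295 << (32 - sn_bits)) & 4294967295 ))
    if [ $(( sn_addr & sn_mask )) -eq $(( sn_net & sn_mask )) ]; then
        echo yes
    else
        echo no
    fi
}

# localnet_of PF_CONF -> value of the localnet macro, written as in the thread
localnet_of() {
    sed -n 's/^localnet[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# check_localnet PF_CONF HOST... -> "yes" only if every HOST is inside $localnet
check_localnet() {
    cl_conf=$1; shift
    cl_net=$(localnet_of "$cl_conf")
    for cl_host in "$@"; do
        [ "$(in_subnet "$cl_host" "$cl_net")" = yes ] || { echo no; return 0; }
    done
    echo yes
}

# stage_bridge DIR LOCALNET -> write hostname.em1, hostname.em2, hostname.bridge0
# and pf.conf into DIR (copy them to /etc on the firewall once the check passes)
stage_bridge() {
    sb_dir=$1; sb_net=$2
    mkdir -p "$sb_dir"
    # Bridge members carry no IP address; they only need to be brought up.
    echo up > "$sb_dir/hostname.em1"
    echo up > "$sb_dir/hostname.em2"
    # The bridge joins both members; netstart(8) builds it from this file.
    printf 'add em1\nadd em2\nup\n' > "$sb_dir/hostname.bridge0"
    {
        printf 'int_if = "em1"\next_if = "em2"\nlocalnet = "%s"\n' "$sb_net"
        cat <<'EOF'
set loginterface em2
# A bridged packet is filtered twice: in on the member it arrives on and
# out on the member it leaves by. Pass everything on the protected side
# and do all filtering on the outside member.
pass in quick on $int_if all
pass out quick on $int_if all
block in log on $ext_if all
block out log on $ext_if all
# outbound from the protected hosts (pass rules keep state by default)
pass out log quick on $ext_if proto udp from $localnet to any port 53
pass out log quick on $ext_if proto tcp from $localnet to any \
    port { 20, 21, 22, 53, 80, 443 } modulate state
# inbound to the protected web servers
pass in log quick on $ext_if proto tcp from any to $localnet \
    port { 80, 443 } modulate state
# echo requests in both directions
pass in log on $ext_if proto icmp from any to $localnet icmp-type 8 code 0
pass out log on $ext_if proto icmp from $localnet to any icmp-type 8 code 0
EOF
    } > "$sb_dir/pf.conf"
}

# Demo: stage the thread's 192.168.10.0/24 setup and check it, then show how
# the macro value from the first posted ruleset fails the same check.
stage=$(mktemp -d)
stage_bridge "$stage/good" 192.168.10.0/24
stage_bridge "$stage/bad"  192.168.0.0/24
echo "localnet 192.168.10.0/24 covers .10.5 and .10.80: $(check_localnet "$stage/good/pf.conf" 192.168.10.5 192.168.10.80)"
echo "localnet 192.168.0.0/24  covers .10.5 and .10.80: $(check_localnet "$stage/bad/pf.conf"  192.168.10.5 192.168.10.80)"
# On the firewall itself, syntax-check before loading (pfctl is absent elsewhere).
if command -v pfctl >/dev/null 2>&1; then
    pfctl -nf "$stage/good/pf.conf"
fi
```

The script runs on any POSIX sh; `pfctl -nf` only executes where pfctl exists. Two things to keep in mind once the ruleset is on the box: the `log` keywords are already there, so `tcpdump -n -e -ttt -i pflog0` shows which rule dropped what, and because pf's default state-policy is floating (see pf.conf(5)), a state created by `pass in quick on $int_if all` also matches the same packet when it leaves on `$ext_if`, so the `block out`/`pass out` rules on em2 mostly see only traffic that did not already create state on em1; `pfctl -ss` lists the states that exist.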