|
OpenBSD Security
PF: Two internal interfaces and routing
Hi,
I have a problem regarding my pf ruleset. My network setup looks as follows:

Code:
                                Internet
                                   ^
                                   |
                             if_wan [pppoe0]
                                   |
                                   v
(client1..n) <-- if_wlan --> bsd-router <-- if_lan --> (clientn+1..m)

I'd like to achieve the following state:

1a. if_lan can connect to the wlan-clients through if_wlan
1b. if_lan can connect to the sshd on the bsd-router
1c. if_lan can connect to the internet through if_wan
2a. if_wlan can connect to the dhcpd on the bsd-router
2b. if_wlan can connect to the internet

Short:

if_lan  -> if_wan, if_wlan, bsd-router:ssh
if_wlan -> if_wan, bsd-router:dhcp

Coming from the iptables world, my current approach seems a little odd to me – although it seems to work out just fine. Anyway, the relevant lines are:

Code:
# lan:network -> lan:ssh
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
# wlan -> router:dhcp
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network

Code:
pass in quick on $if_lan from $if_lan:network to ($if_wan)          # allow if_lan -> internet
pass in quick on $if_lan from $if_lan:network to $if_wlan:network   # allow if_lan -> if_wlan
pass in quick on $if_lan from $if_lan:network to $if_lan port ssh

(I wanted to post a link to the entire ruleset but unfortunately I can't because I need to have at least five posts. Instead I'll just post it here, sorry.)

The whole ruleset:

Code:
# interfaces
if_lan="vr0"
if_wan="pppoe0"
if_wlan="vr2"
if_wan_bandwith="1400Kb"

# tables
table <private_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# qos definitions
que_low_ports = "{ http, https, 8080, smtp, smtps, 6881:6889 }"
#                          |-- SIP --| |ICQ| | Jabber |    |-- Playstation Net --|
que_int_ports_tcp = "{ ssh, 5060, 5061, 5190, 5222, 5223, irc, 3478, 3479, 3480, 5223 }"
#                      |-- SIP --| |-- PSN --|
que_int_ports_udp = "{ 5060, 5061, 3478, 3479 }"

# options
##############
# allow lo communication
set skip on lo
set block-policy drop

# hygiene
##############
# scrubbing
match in all scrub (no-df random-id)
match out on $if_wan all scrub (random-id)
match on $if_wan scrub (max-mss 1440)

# qos
###############
altq on $if_wan priq bandwidth $if_wan_bandwith queue { que_low, que_def, que_int, que_dns, que_ack }
queue que_low priq(default) qlimit 80
queue que_def priority 2
queue que_int priority 4 priq(red)
queue que_dns priority 5 qlimit 25
queue que_ack priority 6

# nat
###############
match out on $if_wan inet from { $if_lan:network, $if_wlan:network } to any nat-to ($if_wan) static-port

# filtering
###############
# block all packets
block all

# enable spoofing protection
antispoof quick for { lo $if_wan $if_lan $if_wlan }

# reject ipv6
block quick on $if_wan inet6 all

# block private addresses on external interfaces
block drop in quick on $if_wan from <private_nets>
block drop out quick on $if_wan to <private_nets>

# allow output for wan, fill queues
pass out quick on $if_wan proto tcp to port $que_low_ports queue (que_low, que_ack)
pass out quick on $if_wan proto tcp to port $que_int_ports_tcp queue (que_int, que_ack)
pass out quick on $if_wan proto udp to port $que_int_ports_udp queue (que_int, que_ack)
pass out quick on $if_wan proto { tcp, udp } to port domain queue (que_dns, que_ack)
pass out quick on $if_wan queue (que_def, que_ack)

# enable input
# lan:network -> lan:ssh
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh
# lan -> {wlan, internet}
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
# wlan -> router:dhcp
# (these two rules match unicast renewals from an addressed client only; the
#  initial broadcast DISCOVER/REQUEST, 0.0.0.0:68 -> 255.255.255.255:67, has a
#  source outside $if_wlan:network and a destination other than $if_wlan)
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
# wlan -> pppoe
block in log quick on $if_wlan to $if_lan:network
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network

Sören
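What makes the ruleset above feel odd from an iptables point of view is pf's matching order: every rule is tried top to bottom and the last one that matches decides the packet, unless a matching rule carries quick, which ends evaluation on the spot. The script below is an added example (not code from the post, and not an OpenBSD tool) that implements exactly that semantics for the subset of syntax used in the post's input rules, so you can ask which rule decides a given flow without loading anything on the router. The address plan is invented for illustration (192.168.1.0/24 on vr0, 192.168.2.0/24 on vr2, 203.0.113.5 on pppoe0); the rules in RULESET are the post's, preceded by its block all default.

```python
# Toy evaluator for the subset of pf filter syntax used in the post above.
# pf semantics modelled: rules are tried top to bottom and the LAST matching
# rule decides, unless a matching rule says 'quick', which ends evaluation.
# Added example, not code from the post; the address plan below is invented.
import ipaddress

IFACES = {  # assumed addresses: the post names the interfaces, not the subnets
    "if_lan":  ("vr0",    "192.168.1.1/24"),
    "if_wlan": ("vr2",    "192.168.2.1/24"),
    "if_wan":  ("pppoe0", "203.0.113.5/32"),
}
SERVICES = {"ssh": 22, "domain": 53}  # service names the rules use

def _expand_host(tok):
    """'$if'/'($if)' -> interface address, '$if:network' -> its subnet,
    'any' -> None (wildcard), anything else a literal address or CIDR."""
    if tok == "any":
        return None
    name, _, suffix = tok.strip("()").lstrip("$").partition(":")
    if name not in IFACES:
        return ipaddress.ip_network(tok, strict=False)
    iface = ipaddress.ip_interface(IFACES[name][1])
    return iface.network if suffix == "network" else ipaddress.ip_network(str(iface.ip))

def _take(toks, i):
    """Value(s) starting at toks[i]; a '{ a b }' list yields all its members."""
    if toks[i] == "{":
        j = toks.index("}", i)
        return toks[i + 1:j], j + 1
    return [toks[i]], i + 1

def parse_rule(line):
    """Parse one pass/block rule into a dict; None for comments and blank lines."""
    toks = (line.split("#", 1)[0].replace("{", " { ").replace("}", " } ")
            .replace(",", " ").split())
    if not toks or toks[0] not in ("pass", "block"):
        return None
    rule = {"action": toks[0], "dir": None, "quick": False, "on": None, "proto": None,
            "src": None, "dst": None, "port": None, "text": " ".join(toks)}
    i = 1
    while i < len(toks):
        t, i = toks[i], i + 1
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t == "on":
            vals, i = _take(toks, i)
            rule["on"] = IFACES[vals[0].lstrip("$")][0]
        elif t == "proto":
            vals, i = _take(toks, i)
            rule["proto"] = set(vals)
        elif t in ("from", "to"):
            vals, i = _take(toks, i)
            rule["src" if t == "from" else "dst"] = [_expand_host(v) for v in vals]
        elif t == "port":
            vals, i = _take(toks, i)
            rule["port"] = {SERVICES.get(v) or int(v) for v in vals}
        # 'log', 'drop' and 'all' do not affect matching and are skipped
    return rule

def _matches(rule, pkt):
    if ((rule["dir"] and rule["dir"] != pkt["dir"])
            or (rule["on"] and rule["on"] != pkt["iface"])
            or (rule["proto"] and pkt["proto"] not in rule["proto"])):
        return False
    for key in ("src", "dst"):  # a rule with several hosts matches any of them
        if rule[key] and not any(n is None or pkt[key] in n for n in rule[key]):
            return False
    return not rule["port"] or pkt["dport"] in rule["port"]

def evaluate(rules, pkt):
    winner = None
    for rule in rules:
        if _matches(rule, pkt):
            winner = rule          # last match wins ...
            if rule["quick"]:
                break              # ... unless it is quick
    return winner

# The post's input rules, preceded by its 'block all' default.
RULESET = """
block all
pass in quick on $if_lan proto tcp from $if_lan:network to $if_lan port ssh
block in log quick on $if_lan to $if_lan
pass in quick on $if_lan from $if_lan:network to $if_wlan:network
pass in quick on $if_lan from $if_lan:network
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 67
pass in log quick on $if_wlan proto { tcp, udp } from $if_wlan:network to $if_wlan port 68
block in log quick on $if_wlan to $if_lan:network
block in log quick on $if_wlan to $if_wlan:network
pass in quick on $if_wlan from $if_wlan:network
pass out quick on $if_wlan from $if_lan:network
"""
RULES = [r for r in map(parse_rule, RULESET.splitlines()) if r]

def decide(direction, iface, proto, src, dst, dport=None):
    # Returns (action, text of the deciding rule) for one constructed packet.
    pkt = {"dir": direction, "iface": iface, "proto": proto, "dport": dport,
           "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst)}
    rule = evaluate(RULES, pkt)
    return rule["action"], rule["text"]
```

Usage is decide("in", "vr0", "tcp", "192.168.1.20", "192.168.1.1", 22) and so on for each flow you care about. Under the assumed addresses it reports that SSH from a LAN host to the router's LAN address is accepted by the first pass rule, that HTTP to the same address stops at "block in log quick on $if_lan to $if_lan", that the same LAN host reaching the router's own address on vr2 is passed by the lan-to-wlan rule (because $if_wlan:network contains the router's wlan address as well as the clients), and that a DHCP DISCOVER (0.0.0.0:68 to 255.255.255.255:67) on vr2 matches none of the wlan pass rules and falls through to block all: the two port 67/68 rules only cover unicast renewals from a client that already holds a lease. dhcpd(8) still sees the broadcast because it reads raw frames through bpf(4), which is why the setup works regardless. On the router itself the equivalent checks are pfctl -nf /etc/pf.conf to parse the file without loading it and pfctl -vvsr to print the loaded rules with the @n numbers in the order pf walks them.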