Firewall Blocking Good Traffic
Hello,
First a quick text diagram.

{internet} <--> [PIX Firewall] <--> [OpenBSD PF] <--> [rest of internal net]

I believe my problem is with my PF firewall rules; however, if you feel otherwise I will investigate further on the PIX. What is happening is that while PF is enabled (it works after disabling it) I see the following (as an example) in my logs on the PIX:

Code:
6|Jan 01 2009|19:24:05|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12234 to CENSORED-IP/110 flags FIN ACK on interface inside
6|Jan 01 2009|19:21:58|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12235 to CENSORED-IP/80 flags ACK on interface inside
6|Jan 01 2009|19:21:48|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12235 to CENSORED-IP/80 flags RST ACK on interface inside
6|Jan 01 2009|19:21:39|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12234 to CENSORED-IP/110 flags RST ACK on interface inside
6|Jan 01 2009|19:21:10|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12229 to CENSORED-IP/80 flags ACK on interface inside
6|Jan 01 2009|19:20:55|106015|10.10.200.3|CENSORED-IP|Deny TCP (no connection) from 10.10.200.3/12229 to CENSORED-IP/80 flags RST ACK on interface inside

PF Configuration:

Code:
#Last Modified Dec 29 2008

#Interfaces
ext_if="fxp0"
int_if="fxp1"

#Devices
dlbox = "{ 10.10.200.4 }"
main = "{ 10.10.200.13 }"
ftpsrv = "{ 192.168.233.3 }"
websrv = "{ 192.168.233.4 }"
exc2k3 = "{ 10.10.200.3 }"
voipnet = "{ 192.168.255.0/24 }"
sshport = "{ 2201 }"

#Options
set require-order yes
set block-policy drop
set loginterface $ext_if
set loginterface $int_if
set state-policy floating
set fingerprints "/etc/pf.os"
set ruleset-optimization none

#Timeout Settings
set optimization aggressive
set timeout { frag 10, tcp.established 3600 }
set timeout { tcp.first 30, tcp.closing 10, tcp.closed 10, tcp.finwait 10 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }
set timeout { adaptive.start 5000, adaptive.end 10000 }

#Connection Normalization
scrub all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble

#Queuing ALTQ
#Upload assumed aprox 80kb or 640Kb queued aprox 94%
altq on $ext_if cbq bandwidth 600Kb queue { tcpack, voip, dns, mainpc, webftp, dlbox, std }
queue std bandwidth 10% priority 1 cbq(borrow red default)
queue dlbox bandwidth 10% priority 2 cbq(borrow red)
queue webftp bandwidth 5% priority 3 cbq(borrow red)
queue mainpc bandwidth 10% priority 4 cbq(borrow red)
queue dns bandwidth 5% priority 5 cbq(borrow red)
queue tcpack bandwidth 20% priority 6 cbq(borrow red)
queue voip bandwidth 40% priority 7 cbq(borrow red)

block in log on $ext_if

#TCP Traffic Out on $ext_if
pass out on $ext_if inet proto tcp from any to any modulate state queue(std, tcpack)
pass out quick on $ext_if inet proto tcp from $dlbox to any modulate state queue(dlbox, tcpack)
pass out quick on $ext_if inet proto tcp from $ftpsrv to any port ftp synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $websrv to any port 10001 synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $exc2k3 to any synproxy state queue(webftp, tcpack)
pass out quick on $ext_if inet proto tcp from $main to any modulate state queue(mainpc, tcpack)
pass out quick on $ext_if inet proto tcp from any to any port domain modulate state queue(dns, tcpack)
pass out quick on $ext_if inet proto tcp from $main to any port 63600 modulate state queue(dlbox, tcpack)

#UDP Traffic Out on $ext_if
#pass out on $ext_if inet proto udp from any to any keep state queue(std, tcpack)
pass out quick on $ext_if inet proto udp from $main to any keep state queue(mainpc, tcpack)
pass out quick on $ext_if inet proto udp from any to any port ntp keep state queue(dns, tcpack)
pass out quick on $ext_if inet proto udp from any to any port domain keep state queue(dns, tcpack)
pass out quick on $ext_if inet proto udp from any to any port 514 queue(std, tcpack)
pass out log quick on $ext_if inet proto udp from any to any port 5060 keep state queue(voip, tcpack)
pass out log quick on $ext_if inet proto udp from any to any port 5000 keep state queue(voip, tcpack)
pass out log quick on $ext_if inet from $voipnet to any keep state queue(voip, tcpack)
pass out quick on $ext_if inet proto udp from any to any port 63600 keep state queue(dlbox, tcpack)

#TCP/UDP Traffic Out on $ext_if

#TCP Traffic In on $ext_if
pass in on $ext_if inet proto tcp from any to any port 63600 modulate state queue(dlbox, tcpack)
pass in quick on $ext_if inet proto tcp from any to any port 10001 modulate state

#UDP Traffic In on $ext_if
pass in on $ext_if inet proto udp from any to any port domain keep state queue(dns, tcpack)
pass in on $ext_if inet proto udp from any to any port 514 queue(std, tcpack)
pass in on $ext_if inet proto udp from any to any port 63600 keep state queue(dlbox, tcpack)
pass in log on $ext_if inet proto udp from any to any port 5060 keep state queue(voip, tcpack)
pass in log on $ext_if inet proto udp from any to any port 5000 keep state queue(voip, tcpack)

Hope someone can help! Thanks a bunch!
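A small triage script for the 106015 entries quoted in the post, added here as an example and not part of the original post or of any PIX/PF tooling. It parses the pipe-delimited format shown, groups the denied segments by flow, and separates SYNs (a policy refusal of a new connection) from non-SYN segments (the PIX had no state for a flow that was already underway), which is the distinction worth checking before touching the rules. The sample lines are reconstructed from the post with CENSORED-IP replaced by the documentation address 192.0.2.10, an assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the PIX 106015 format quoted in the post; CENSORED-IP -> 192.0.2.10 (assumed).
SAMPLE_LOG = """\
6|Jan 01 2009|19:24:05|106015|10.10.200.3|192.0.2.10|Deny TCP (no connection) from 10.10.200.3/12234 to 192.0.2.10/110 flags FIN ACK on interface inside
6|Jan 01 2009|19:21:58|106015|10.10.200.3|192.0.2.10|Deny TCP (no connection) from 10.10.200.3/12235 to 192.0.2.10/80 flags ACK on interface inside
6|Jan 01 2009|19:21:48|106015|10.10.200.3|192.0.2.10|Deny TCP (no connection) from 10.10.200.3/12235 to 192.0.2.10/80 flags RST ACK on interface inside
6|Jan 01 2009|19:21:39|106015|10.10.200.3|192.0.2.10|Deny TCP (no connection) from 10.10.200.3/12234 to 192.0.2.10/110 flags RST ACK on interface inside
6|Jan 01 2009|19:21:10|106015|10.10.200.3|192.0.2.10|Deny TCP (no connection) from 10.10.200.3/12229 to 192.0.2.10/80 flags ACK on interface inside
6|Jan 01 2009|19:20:55|106015|10.10.200.3|192.0.2.10|Deny TCP (no connection) from 10.10.200.3/12229 to 192.0.2.10/80 flags RST ACK on interface inside
"""

# Message text of a 106015 entry: "Deny TCP (no connection) from A/p to B/q flags F... on interface X"
MSG_RE = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
    r" flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)

def parse_106015(line):
    """Parse one pipe-delimited PIX line; return a dict, or None if it is not a 106015 entry."""
    fields = line.rstrip("\n").split("|", 6)       # sev|date|time|msgid|src|dst|message
    if len(fields) != 7 or fields[3] != "106015":
        return None
    m = MSG_RE.search(fields[6])
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = fields[2]
    rec["flags"] = frozenset(rec["flags"].split())
    return rec

def classify(flags):
    """SYN = new connection refused by policy; anything else = the PIX held no state for an open flow."""
    if "SYN" in flags:
        return "new-connection"
    if "RST" in flags or "FIN" in flags:
        return "teardown-after-state-loss"
    return "midstream-after-state-loss"

def summarize(log_text):
    """Group denied segments per (src, sport, dst, dport) flow and count each class."""
    flows, classes = defaultdict(list), Counter()
    for line in log_text.splitlines():
        rec = parse_106015(line)
        if rec is None:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        flows[key].append((rec["time"], " ".join(sorted(rec["flags"]))))
        classes[classify(rec["flags"])] += 1
    return dict(flows), classes
```

On the six quoted entries every denied segment is ACK, FIN ACK or RST ACK and none is a SYN, so the PIX is dropping the tail of three flows it no longer holds state for rather than refusing new connections.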