|
|||
pf temporary dropouts
Hi all, I'm hoping the wealth of experience here will be able to solve my problem!
I've recently setup an OpenBSD 4.6 box to use as a dedicated firewall, got it configured, and all seems well - except that the packet filter is causing connection dropouts every few minutes or so. e.g. If I try to download a large file, it will download for anywhere between 1 - 9 minutes, then simply hang, until I manually cancel. My connection to IRC is also dropped out constantly too. I also bought 2 dedicated NICs (Dlink DGE-528T, supported Chipset) to use instead of the onboard gigabit NICs to see if they could be at fault, but the same thing occurs. This is definitely a pf issue, as if I do a pfctl -d everything works fine from that point on. If anyone has any idea as to what could be at fault in my configuration I'd be most grateful - after what little troubleshooting I can do at the moment, being somewhat of a BSD noob, all I can think of is forcing the adapters to 100/Mb & 1000/Mb. Below are my ifconfig & pf.conf, and I also attached an image with systat output, with pf enabled on the left, and with it disabled on the right (my IRC connection got reset twice in the 6 minute period it was enabled). If any extra info. is needed I'd be happy to supply. Thanks Simple Network Layout Code:
INTERNET | | [ Router ] | | (re0) [ Firewall ] (re1) | | [ Switch ] | | LAN Code:
re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 lladdr 00:26:5a:e3:53:cc priority: 0 groups: egress media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause) status: active inet6 fe80::226:5aff:fee3:53cc%re0 prefixlen 64 scopeid 0x2 inet 192.168.134.2 netmask 0xffffff00 broadcast 192.168.134.255 re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 lladdr 00:26:5a:e3:52:8d priority: 0 media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause) status: active inet6 fe80::226:5aff:fee3:528d%re1 prefixlen 64 scopeid 0x3 bridge0: flags=41<UP,RUNNING> mtu 1500 priority: 0 groups: bridge Code:
# Ignore the loopback interface set skip on lo0 # Defines - NIC for external/internal network routes and other addresses nic_ext = "re0" nic_int = "re1" myaddr = "192.168.134.2" mysub = "192.168.134.0/24" myweb = "192.168.134.250" # Allow everything through the secondary (Firewall->Switch) interface set skip on $nic_int # Implicit deny through the primary (Firewall->Router) interface block in on $nic_ext all block out on $nic_ext all # Anti-spoof antispoof quick for $nic_ext # Now setup the standard rules # SSH from internal network, else block & log pass in quick proto tcp from $mysub to $myaddr port 22 block in log quick on $nic_ext proto tcp from any port 22 # Allow DNS requests, as we have a DNS server behind us (and in front) pass out quick proto udp from $mysub port 53 # Hard-Coded blocks - todo: move these into a dedicated file & table # Do not block: 208.100.20.98 - proxyscan.rizon.net # 66.102.9.0/24 - google.com subnet, mostly for ad-blocking # 63.88.212.91 - webtrends blacklist = "{ 208.201.239.101, 222.208.183.218, 125.230.150.249, 66.102.9.0/24, 63.88.212.91 }" block in quick on $nic_ext from $blacklist # Allow inbound port 8080 traffic to the webserver only pass in quick on $nic_ext proto tcp from any to $myweb port 8080 # Allow outbound traffic from internal network pass out quick on $nic_ext proto tcp all from $mysub flags S/SA pass out quick on $nic_ext proto udp all from $mysub # NAT rule nat on $nic_ext from !($nic_ext) to any -> ($nic_ext) |
|
|||
The ruleset allows out requests to your blacklisted IP addresses, but block
the incoming replies. Try this (untested) version which does not allow outgoing requests to your blacklist. Code:
# Defines - NIC for external/internal network routes and other addresses nic_ext = "fxp0" nic_int = "lo1" myaddr = "192.168.134.2" mysub = "192.168.134.0/24" myweb = "192.168.134.250" # Hard-Coded blocks # Do not block: 208.100.20.98 - proxyscan.rizon.net # 66.102.9.0/24 - google.com subnet, mostly for ad-blocking # 63.88.212.91 - webtrends table <blacklist> { 208.201.239.101 222.208.183.218 125.230.150.249 66.102.9.0/24 63.88.212.91 } # Allow everything through the secondary (Firewall->Switch) interface # and the loopback interface set skip on { $nic_int lo0 } # --- NAT rule #nat on $nic_ext from !($nic_ext) to any -> ($nic_ext) # --- Default policy block log all # -- External interface antispoof quick for $nic_ext # Allow outbound traffic from internal network pass out quick on $nic_ext inet proto tcp from $mysub to !<blacklist> port != ssh pass out quick on $nic_ext inet proto udp from $mysub to !<blacklist> # Allow inbound port 8080 traffic to the webserver only pass in quick on $nic_ext inet proto tcp from any to $myweb port 8080 If this doesn't work as expected, you can visualize which packets are being blocked with running tcpdump on the pflog0 interface. Code:
# tcpdump -eni pflog0
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|||
My apologies - my desired setup was to have a transparent Firewall, so all that would be needed was a straight bridged connection between the two adapters. I think I mis-read part of the documentation, but as it was working (~ish) I hadn't noticed!
Something along the lines of: Code:
INTERNET -> [ Router ] -> (re0 - 1st NIC) [ Firewall ] | (Bridge) [ Firewall ] (re1 - 2nd NIC) -> [ Switch ] -----> LAN Client <--- Internet Access |-> LAN Client Ctrl+C'ing out of it provided the stats (and yes, pf was enabled): Code:
0 packets received by filter 0 packets dropped by kernel Here is what I did: Code:
# nano /etc/hostname.re0 up # nano /etc/hostname.re1 up # nano /etc/sysctl.conf net.inet.ip.forwarding=1 # nano /etc/resolv.conf nameserver 192.168.134.1 lookup file bind # nano /etc/mygate 192.168.134.1 # nano /etc/bridgename.bridge0 add re0 add re1 up # nano /etc/rc.conf pf=YES # pfctl -nf /etc/pf.conf # reboot # ifconfig re0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> MTU 1500 lladdr 00:26:5a:e3:53:cc priority: 0 media: Ethernet autoselect (100baseTX full-duplex,rxpause,txpause) status: active inet6 fe80::226:5aff:fee3:53cc%re0 prefixlen 64 scopeid 0x2 re1: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500 lladdr 00:26:5a:e3:52:8d priority: 0 media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause) status: active inet6 fe80::226:5aff:fee3:528d%re1 prefixlen 64 scopeid 0x3 bridge0: flags=41<UP,RUNNING> mtu 1500 priority: 0 groups: bridge I've updated the pf.conf to handle some of the new changes now too (such as the onboard NIC just for SSH), and so far all is running smoothly. I had originally setup the blacklist purely for hosts that flagged in my webservers apache log, hence only the inbound block - thanks for pointing out it needed updating! Many thanks for all your help, I would've spent many more hours banging my head against the table in frustration otherwise I have only one remaining question - when I try to browse to a site that has a blacklisted entry, the page will continue to be in a loading state until the TCP connection times out - will set block-policy return solve this by simply resetting it immediately? Thanks again |
|
|||
The ifconfig output from your first post shows 192.168.134.2 as the IP address of re0, and no IP for re1.
In your revised configuration, both re0 and re1 don't have an IP address. That could be a difference. Re: set block-policy return Just try it, it won't make your firewall less secure. From the pf.conf man page, the block policy section Code:
return This causes a TCP RST to be returned for TCP pack- ets and an ICMP UNREACHABLE for other types of packets.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump |
|
|||
Yeah, that works exactly as the man page describes.
Have found some interesting side effects from blacklisting the 3 main Google subnets I have seen so far (good luck trying to use youtube, for example), but browsing the web on the whole is quicker now |
|
|