OpenBSD Security: Functionally paranoid!
Help needed with understanding PF rules
Hi,
I've created a router/NAT combo in OpenBSD 5.0 RELEASE and am trying to access outside of the NAT. However, I seem to be running into issues regarding the blocking of packets?? This is what I'm basing my PF rules on: http://www.openbsd.org/faq/pf/nat.html http://www.openbsd.org/faq/pf/example1.html and here is my pf.conf file: Code:
#macros int_if="em1" tcp_services="{ 22 }" icmp_types="echoreq" imap_box="10.0.0.9" http_box="10.0.0.8" #options set block-policy return set loginterface em0 set skip on "{ lo, em1 }" # HTTP Proxy rules #anchor "http-proxy/*" #pass in quick on $int_if inet proto tcp to any port http \ # divert-to 172.16.8.40 port 3128 #match rules #match out on egress inet from !(egress) to any nat-to (egress:0) match out on em1 from 10.0.0.0/24 to any nat-to 172.16.8.13 #filter rules block in log pass out quick pass out quick on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13 #pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13 antispoof quick for { lo } pass in quick on egress inet proto tcp from any to (egress) port $tcp_services #pass in quick on egress inet proto tcp to (egress) port 143 rdr-to $imap_box synproxy state pass in quick on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state pass in quick on em1 inet proto tcp to port 143 rdr-to $imap_box synproxy state #pass in out on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state #pass on em0 from any to $imap_box binat-to em0 pass on em1 from $imap_box to any binat-to em0 pass in quick on egress inet proto tcp to (egress) port 80 rdr-to $http_box synproxy state block in on egress inet proto icmp all icmp-type $icmp_types pass in quick on $int_if #pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13 I have managed to gain access to the IMAP server running behind the router/NAT from outside (inside the production network) however, the systems behind the router/NAT don't seem to able to access anything outside...... as I'm trying to update the ports tree using FreeBSD but it cops out using FTP. I am testing with: Code:
pfctl -sr pfctl -ss tcpdump -eni pflog0 I don't seem to be able to see anything wrong however, can anyone help me out? Regards! Last edited by sparky; 23rd March 2012 at 07:30 PM. |
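For comparison, an added example that is neither the poster's pf.conf nor a reply from the thread: a minimal router/NAT ruleset in the shape of the two FAQ pages linked above, using the interface names, addresses and ports from the post. The macro names ext_if, lan_net and nat_addr are this example's own.

```pf
# Added comparison ruleset, not the poster's pf.conf. Interface names,
# addresses and ports come from the post; ext_if, lan_net and nat_addr
# are macro names chosen for this example.
ext_if="em0"                # egress, towards the production network
int_if="em1"                # LAN side
lan_net="10.0.0.0/24"
nat_addr="172.16.8.13"
tcp_services="{ 22 }"
icmp_types="echoreq"
imap_box="10.0.0.9"
http_box="10.0.0.8"

set block-policy return
set loginterface $ext_if
# Skip only lo. "set skip" disables filtering entirely on an interface,
# so skipping em1 would turn every rule written "on $int_if" into a no-op.
set skip on lo

# Translation is applied where LAN packets leave: on the external
# interface. A "match ... nat-to" on em1 only rewrites packets going out
# towards the LAN, so traffic leaving em0 keeps its private 10.0.0.x
# source address unchanged.
match out on $ext_if inet from $lan_net to any nat-to $nat_addr

block in log
antispoof quick for { lo, $int_if }

# Inbound services on the external address (ssh, IMAP and HTTP forwards).
pass in quick on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services
pass in quick on $ext_if inet proto tcp to ($ext_if) port 143 \
    rdr-to $imap_box synproxy state
pass in quick on $ext_if inet proto tcp to ($ext_if) port 80 \
    rdr-to $http_box synproxy state
block in on $ext_if inet proto icmp all icmp-type $icmp_types

# LAN hosts may initiate anything; the match rule above translates it.
pass in quick on $int_if
# "quick" stops evaluation at the first match, so an unqualified
# "pass out quick" placed before a more specific
# "pass out quick on em0 ... nat-to" rule hides that rule; keep one.
pass out quick

# Check with "pfctl -nf /etc/pf.conf" (parse only), "pfctl -sr",
# "pfctl -ss", and "tcpdump -ni em0" to confirm outbound packets carry
# $nat_addr as their source. Active-mode FTP through NAT additionally
# needs ftp-proxy(8): http://www.openbsd.org/faq/pf/ftp.html
```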