Re: pf problems under bridging

From: Henrik Lund Kramshøj (none@hlk--kramse.dk.lh.bsd-dk.dk)
Date: Thu 29 Apr 2004 - 10:08:13 CEST


From: Henrik Lund Kramshøj <none@hlk--kramse.dk.lh.bsd-dk.dk>
Subject: Re: pf problems under bridging
Date: Thu, 29 Apr 2004 10:08:13 +0200
To: bsd-dk@bsd-dk.dk


On 28/4-2004, at 22.17, Allan Jensen wrote:

> I'm running OpenBSD 3.3-stable. I need to use it as a firewall and have
> set up a bridge between xl0 (outside) and em1 (inside).
Always a good idea to upgrade your OpenBSD so you keep up with
updates.

So upgrade to 3.4 as soon as possible, and 3.5 is also "ready" - as in
available in CVS

>
> My pf.conf looks like the following:
Where is your ASCII drawing of your network?
- it is always useful for firewall questions

I assume
inside - [em1:firewall:xl0] - outside ?

After that you basically follow the pf.conf that ships in /etc/pf.conf,
the guide, and your common sense.

i.e. in my opinion ALWAYS a block all on the outside interface

My input for a pf.conf:
# A few definitions
outside=xl0
inside=em1
# Networks
homenet="10.20.30.0/24"
...

# first scrub - always a good idea
scrub in all

# then filter
# default block everything - packets are marked as blocked,
# later they may be passed
block in all

# loopback and other interface rules
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on $inside all
pass out quick on $inside all

# Services provided to the Internet
# NB: I use host definitions in /etc/hosts to point at "mailserver",
# and to me it makes sense to say "give access to my mail server on
# service smtp" YMMV
pass in proto tcp from any to mailserver port = smtp
pass in proto {tcp, udp} from any to nameserver port = domain
pass in proto tcp from any to webserver port = http
pass in on $outside proto tcp from any to mailserver port = 113

# stateful - maybe the cause of your problems?
pass out on $outside proto {tcp, udp, icmp} from $homenet to any flags S/S keep state

NB: these are NOT from a firewall that uses bridging! and it has been a
while since I used bridging - the above has, however, been syntax-checked
with "pfctl -n -f pf.conf"

Regards

Henrik

>
> -----------------------------------------------------------------------
>
> pass in on em1 all
> pass out on em1 all
>
> #pass in quick on xl0 inet proto tcp from any to any port 22
> #pass in quick on xl0 inet proto tcp from any to any port 25
> #pass in quick on xl0 inet proto udp from any to any port 53
> #pass in quick on xl0 inet proto tcp from any to any port 110
> #pass in quick on xl0 inet proto tcp from any to any port 443
> #pass in quick on xl0 inet proto tcp from any to any port 3128
The above can be replaced with:
pass in quick on $outside proto tcp from any to any port {22,25,110,443,3128}
pass in quick on $outside proto udp from any to any port 53
(NB: POP3 eeeeew, if you run your own POP3 server you should IMHO use
POP3S, i.e. POP3 over SSL, just like https ...)

> #pass in quick on xl0 inet proto icmp all
>
> #block in log quick on xl0 from any to any
> pass in on xl0 all
>
> #pass out quick on xl0 inet proto tcp from any to any port 22
> #pass out quick on xl0 inet proto tcp from any to any port 25
> #pass out quick on xl0 inet proto udp from any to any port 53
> #pass out quick on xl0 inet proto tcp from any to any port 110
> #pass out quick on xl0 inet proto tcp from any to any port 443
> #pass out quick on xl0 inet proto tcp from any to any port 3128
> #pass out quick on xl0 inet proto icmp all
>
> #block out log quick on xl0 from any to any
> pass out on xl0 all
>
> -----------------------------------------------------------------------
>
> This way I can get an internet connection on my client, which sits on
> em1, but when I start using the rules I can't do anything at all on my
> client.
> When the rules are in use it looks like the following:
>
> -----------------------------------------------------------------------
>
> pass in on em1 all
> pass out on em1 all
>
> pass in quick on xl0 inet proto tcp from any to any port 22
> pass in quick on xl0 inet proto tcp from any to any port 25
> pass in quick on xl0 inet proto udp from any to any port 53
> pass in quick on xl0 inet proto tcp from any to any port 110
> pass in quick on xl0 inet proto tcp from any to any port 443
> pass in quick on xl0 inet proto tcp from any to any port 3128
> pass in quick on xl0 inet proto icmp all
>
> block in log quick on xl0 from any to any
> #pass in on xl0 all
>
> pass out quick on xl0 inet proto tcp from any to any port 22
> pass out quick on xl0 inet proto tcp from any to any port 25
> pass out quick on xl0 inet proto udp from any to any port 53
> pass out quick on xl0 inet proto tcp from any to any port 110
> pass out quick on xl0 inet proto tcp from any to any port 443
> pass out quick on xl0 inet proto tcp from any to any port 3128
> pass out quick on xl0 inet proto icmp all
>
> block out log quick on xl0 from any to any
> #pass out on xl0 all
>
> -----------------------------------------------------------------------
>
> I have got it to work before this way, where I used nat instead of
> bridge. Of course I did not use "pass in on em1 all" and
> "pass out on em1 all" then.
>
> I can't quite figure out why I have run into this problem.
>
> Is there anyone who can help me?
>
> /Allan.
>
>
>

--
Henrik Lund Kramshøj, cand.scient, CISSP
e-mail: hlk@security6.net, tel: 2026 6000
www.security6.net - IPv6, security, networking and UNIX
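The following pf.conf is an added example and is not part of the thread or either poster's configuration. It takes Henrik's hint about state one step further: in Allan's second ruleset every pass rule is stateless and matches on destination port only, so a client's outbound SYN to port 22 is passed, but the returning SYN-ACK (source port 22, ephemeral destination port) matches no pass rule and is dropped by "block in log quick on xl0". The interface names follow the thread; the 10.20.30.0/24 network (borrowed from Henrik's reply) and the port lists are assumptions for illustration.

```conf
# Added example (not from the thread): minimal pf.conf for an OpenBSD 3.x
# bridge firewall with xl0 outside and em1 inside. Assumed values:
# the homenet address range and the port lists below.
ext_if="xl0"
int_if="em1"
homenet="10.20.30.0/24"
tcp_out="{ 22, 25, 80, 443, 3128 }"
tcp_in="{ 22, 25, 443 }"

scrub in all

# On a bridge every frame crosses both member interfaces, so pf sees it
# twice: in on one interface and out on the other. Filter on the outside
# interface only and let the inside interface pass everything, as the
# original posting already does.
pass in quick on $int_if all
pass out quick on $int_if all

# Default deny on the outside interface. pf is last-match unless a rule
# says "quick", so the blocks go first and the specific passes use quick.
block in log on $ext_if all
block out log on $ext_if all

# --- Weak form: stateless, like the original posting (kept commented out) ---
# "port 22" matches the DESTINATION port only. The client's SYN leaves via
# the pass out rule, but the SYN-ACK returns with source port 22 and an
# ephemeral destination port, matches neither pass rule and is blocked.
#pass out quick on $ext_if inet proto tcp from any to any port 22
#pass in  quick on $ext_if inet proto tcp from any to any port 22

# --- Corrected form: stateful ---
# "keep state" records the flow on its first packet; every later packet of
# that flow, in either direction, is matched against the state table before
# the ruleset and passed regardless of its ports. "flags S/SA" lets only a
# bare SYN create the state, so stray ACKs or RSTs cannot open a flow.
pass out quick on $ext_if inet proto tcp from $homenet to any port $tcp_out flags S/SA keep state
pass out quick on $ext_if inet proto udp from $homenet to any port 53 keep state
pass out quick on $ext_if inet proto icmp from $homenet to any keep state

# Services offered from the inside network to the outside, also stateful,
# restricted to the inside network rather than "to any".
pass in quick on $ext_if inet proto tcp from any to $homenet port $tcp_in flags S/SA keep state
```

Check the syntax with `pfctl -n -f /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then open an outbound ssh session from a client on em1 and confirm with `pfctl -s state` that a state entry appears for it; with the commented-out stateless rules in place of the stateful ones, the same session shows up only as a logged block on the returning SYN-ACK.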



This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:39 CET