
Re: Problems with routing on OpenBSD firewall



Copyright by Andre L. Solheim: 2002
Message-Id: <200206212136.59578.andre.solheim@broadpark.no>

Hi

This time I have enclosed the pf.conf file that I use. Whenever I load this,
the problem comes back, and when I reload a blank pf.conf the problem goes
away. It must be something wrong with the rule set.

# Packet firewalling rules by André Solheim -A
# 21.06.2002
# basis for this ruleset is by Jacek Artymiak in his
# articles in the series Securing networks with OpenBSD on
# www.onlamp.com
#################################################################
# define variables
External="xl0"
Private="fxp1"
DMZ="fxp0"
NoGoIPs="{ 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"
PrivateIPs="172.16.0.0/20"
DMZIPs="172.16.16.0/20"
#################################################################
# normalize packets
scrub in all
#################################################################
# stop all IPv6 traffic
block in quick inet6 all
block out quick inet6 all
#################################################################
# pass everything on loopback (lo0)
pass in quick on lo0 all
pass out quick on lo0 all
#################################################################
# Internet (xl0)
# prevent spoofing of non-routable addresses
block in quick on $External from $NoGoIPs to any
block out quick on $External from any to $NoGoIPs
# stop all incoming packets
block in on $External all
# pass in on $External inet proto { tcp, udp } from any to 172.16.16.2/32 port smtp keep state
pass in on $External inet proto { tcp, udp } from any to 172.16.16.2/32 port www keep state
# block all outgoing packets
block out on $External all
# allow TCP IPv4 connections to the outside world, keep state
pass out on $External inet proto tcp all flags S/SA modulate state
pass out on $External inet proto { udp, icmp } all keep state
#################################################################
# private network (fxp1)
# prevent spoofing of non-routable addresses
# block in quick on $Private from ! $PrivateIPs to any
# block out quick on $Private from any to ! $PrivateIPs
# stop all incoming and outgoing packets
block in on $Private all
block out on $Private all
# allow TCP IPv4 connections to the outside world, keep state
pass in on $Private inet proto tcp from $PrivateIPs to any flags S/SA modulate state
pass in on $Private inet proto { udp, icmp } from $PrivateIPs to any keep state
#################################################################
# DMZ network (fxp0)
# prevent spoofing of non-routable addresses
block in quick on $DMZ from $DMZIPs to any
block out quick on $DMZ from any to $DMZIPs
# stop all incoming and outgoing packets
block in on $DMZ all
block out on $DMZ all
# allow TCP IPv4 connections to the outside world, keep state
pass in on $DMZ inet proto tcp from $DMZIPs to any flags S/SA modulate state
pass in on $DMZ inet proto { udp, icmp } from $DMZIPs to any keep state
block in on $DMZ inet from $DMZIPs to $PrivateIPs
pass out on $DMZ inet proto tcp from any to $DMZIPs flags S/SA modulate state
pass out on $DMZ inet proto { udp, icmp } from any to $DMZIPs keep state

On Friday 21 June 2002 09:36, Kekes Stamatis wrote:
> First of all, have you enabled packet forwarding?
> If you did that, then I don't know if you placed any route entry in the
> hop of your network to route the packets for the network that is located
> behind the firewall to the firewall.
> For example, if you have a central hop with IP 192.168.0.1 and your first
> subnet is 192.168.0.0/24 and the network behind the firewall is
> 192.168.1.0/24 and your firewall's "front" NIC has the IP address 192.168.0.3,
> you have to add in the hop a static route so that packets having as
> destination the network 192.168.1.0/24 are forwarded to
> 192.168.0.3, which knows better how to manage these packets.
>  I'll be glad to help you more if you provide any network configuration
> sample and what you have done in your firewall.
>  Best regards
>   Stamatis Kekes
>   Technical Director of KosmosLink LTD
>   mailto:skekes@kosmoslink.gr
>   http://www.kosmoslink.gr
>
> Andre Solheim wrote:
> >Copyright by Andre L. Solheim: 2002
> >Message-Id: <200206210024.12142.andre.solheim@broadpark.no>
> >
> >Hi
> >I've just installed an OpenBSD machine as firewall in my network. It has 3
> >NICs: one as external interface, one for my DMZ and one for my internal
> >network.
> >When I am logged in on the firewall, I can ping machines on my internal
> >network and on the internet. But I am unable to ping machines in the DMZ.
> >I get the message "No route found to host", but when I run the route show
> >command I have a route to my DMZ (172.16.16.0, and the gateway is
> >172.16.16.1).
> >Anyone know how I can resolve this?
> >--
> >Sincere regards
> >
> >André L. Solheim
> >__________________________________________________________________
> >"Imagine a school with children
> > that can read and write, but with teachers who cannot, and you
> > have a metaphor of the Information Age in which we live."
> >                                                     Peter  Cochrane.

--
Sincere regards

André L. Solheim
__________________________________________________________________
"Imagine a school with children
 that can read and write, but with teachers who cannot, and you
 have a metaphor of the Information Age in which we live."
                                                     Peter  Cochrane.
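
The symptom in the thread (pinging DMZ hosts from the firewall fails only while this ruleset is loaded, although the route exists) can be reproduced by evaluating the posted $DMZ section the way pf does: the last matching rule wins unless a matching rule says quick, and a packet pf blocks on output is reported to the sending program as EHOSTUNREACH, "No route to host", which is why the routing table looks fine. The Python model below is an added example, not code from the original post or from OpenBSD; it shows that "block out quick on $DMZ from any to $DMZIPs", which lacks the "!" that the commented-out $Private anti-spoofing rules have, drops every packet the firewall sends into the DMZ before the ICMP pass rule is reached. The firewall's DMZ address 172.16.16.1 (from the thread) and a target host 172.16.16.5 are assumptions.

```python
import ipaddress
import re
MACROS = {"DMZ": "fxp0", "PrivateIPs": "172.16.0.0/20", "DMZIPs": "172.16.16.0/20"}  # from the posted pf.conf; NoGoIPs unused here

def parse_rule(line):
    # Handles only the pf syntax the posted rules use; address specs become (negated, network-or-None).
    action, direction, *rest = re.sub(r"\$(\w+)", lambda m: MACROS[m.group(1)], line).split()
    r = dict(action=action, dir=direction, quick=False, proto=None, src=(False, None), dst=(False, None))
    it = iter(rest)
    for k in it:
        if k == "quick": r["quick"] = True
        elif k == "proto":  # proto tcp | proto { udp, icmp }
            a = next(it)
            r["proto"] = {a} if a != "{" else {x.strip(",") for x in iter(it.__next__, "}")}
        elif k in ("from", "to"):  # any | [!] cidr
            a = next(it)
            neg = a == "!"
            if neg: a = next(it)
            r["src" if k == "from" else "dst"] = (neg, None if a == "any" else ipaddress.ip_network(a, strict=False))
        # on <iface>, inet, all, flags S/SA, keep/modulate state are skipped (every rule here is on fxp0)
    return r

def evaluate(rules, pkt):
    # pf semantics: the last matching rule wins, unless a matching rule says quick.
    ok = lambda spec, ip: (spec[1] is None or ip in spec[1]) != spec[0]
    verdict = ("pass", None)  # nothing matched: pf passes by default
    for i, r in enumerate(rules):
        if r["dir"] != pkt["dir"] or (r["proto"] and pkt["proto"] not in r["proto"]): continue
        if ok(r["src"], pkt["src"]) and ok(r["dst"], pkt["dst"]):
            verdict = (r["action"], i)
            if r["quick"]: break
    return verdict

DMZ_RULES = [  # the $DMZ section exactly as posted
    "block in quick on $DMZ from $DMZIPs to any",
    "block out quick on $DMZ from any to $DMZIPs",
    "block in on $DMZ all",
    "block out on $DMZ all",
    "pass in on $DMZ inet proto tcp from $DMZIPs to any flags S/SA modulate state",
    "pass in on $DMZ inet proto { udp, icmp } from $DMZIPs to any keep state",
    "block in on $DMZ inet from $DMZIPs to $PrivateIPs",
    "pass out on $DMZ inet proto tcp from any to $DMZIPs flags S/SA modulate state",
    "pass out on $DMZ inet proto { udp, icmp } from any to $DMZIPs keep state",
]
# Same section with the two anti-spoofing rules negated, as the commented-out $Private rules already do.
FIXED_RULES = [r.replace("$DMZIPs", "! $DMZIPs") if "quick" in r else r for r in DMZ_RULES]

def ping_from_firewall(rules, dst="172.16.16.5"):
    # Verdict for an ICMP echo the firewall itself (172.16.16.1, assumed) sends out of fxp0 into the DMZ.
    pkt = {"dir": "out", "proto": "icmp", "src": ipaddress.ip_address("172.16.16.1"), "dst": ipaddress.ip_address(dst)}
    return evaluate([parse_rule(x) for x in rules], pkt)
```

With the posted rules the echo is blocked by rule 1 (the quick anti-spoofing rule); with the negated rules it reaches the ICMP pass rule, while a packet to 10.0.0.1 is still blocked by rule 1.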

