
Re: Problems with routing on OpenBSD firewall



You still haven't shown us a complete route -n show -inet...
My guess would be that you have a wrong netmask somewhere in your routes...
(I like to stick with more standard netmasks like 172.17/12 for DMZ subnet
instead of further subnetting 172.16 range but it should still work anyway)

JC


> -----Original Message-----
> From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]On Behalf Of
> Andre Solheim
> Sent: June 21, 2002 15:37
> To: misc@openbsd.org
> Subject: Re: Problems with routing on OpenBSD firewall
>
>
> Copyright by Andre L. Solheim: 2002
>
> Hi
>
> This time I have enclosed the pf.conf file that I use. Whenever I load this
> the problem comes back, and when I reload a blank pf.conf the problem goes
> away. It must be something wrong with the rule set.
>
> # Packet firewalling rules by André Solheim -A
> # 21.06.2002
> # basis for this ruleset is by Jacek Artymiak in his
> # articles in the series Securing networks with OpenBSD on
> # www.onlamp.com
> #################################################################
> # define variables
> External="xl0"
> Private="fxp1"
> DMZ="fxp0"
> NoGoIPs="{ 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"
> PrivateIPs="172.16.0.0/20"
> DMZIPs="172.16.16.0/20"
> #################################################################
> # normalize packets
> scrub in all
> #################################################################
> # stop all IPv6 traffic
> block in quick inet6 all
> block out quick inet6 all
> #################################################################
> # pass everything on loopback (lo0)
> pass in quick on lo0 all
> pass out quick on lo0 all
> #################################################################
> # Internet (xl0)
> # prevent spoofing of non-routable addresses
> block in quick on $External from $NoGoIPs to any
> block out quick on $External from any to $NoGoIPs
> # stop all incoming packets
> block in on $External all
> # pass in on $External inet proto { tcp, udp } from any to 172.16.16.2/32 port smtp keep state
> pass in on $External inet proto { tcp, udp } from any to 172.16.16.2/32 port www keep state
> # block all outgoing packets
> block out on $External all
> # allow TCP IPv4 connections to the outside world, keep state
> pass out on $External inet proto tcp all flags S/SA modulate state
> pass out on $External inet proto { udp, icmp } all keep state
> #################################################################
> # private network (fxp1)
> # prevent spoofing of non-routable addresses
> # block in quick on $Private from ! $PrivateIPs to any
> # block out quick on $Private from any to ! $PrivateIPs
> # stop all incoming and outgoing packets
> block in on $Private all
> block out on $Private all
> # allow TCP IPv4 connections to the outside world, keep state
> pass in on $Private inet proto tcp from $PrivateIPs to any flags S/SA modulate state
> pass in on $Private inet proto { udp, icmp } from $PrivateIPs to any keep state
> #################################################################
> # DMZ network (fxp0)
> # prevent spoofing of non-routable addresses
> block in quick on $DMZ from $DMZIPs to any
> block out quick on $DMZ from any to $DMZIPs
> # stop all incoming and outgoing packets
> block in on $DMZ all
> block out on $DMZ all
> # allow TCP IPv4 connections to the outside world, keep state
> pass in on $DMZ inet proto tcp from $DMZIPs to any flags S/SA modulate state
> pass in on $DMZ inet proto { udp, icmp } from $DMZIPs to any keep state
> block in on $DMZ inet from $DMZIPs to $PrivateIPs
> pass out on $DMZ inet proto tcp from any to $DMZIPs flags S/SA modulate state
> pass out on $DMZ inet proto { udp, icmp } from any to $DMZIPs keep state
>
> On Friday 21 June 2002 09:36, Kekes Stamatis wrote:
> > First of all have you enabled the packet forwarding?
> > if you did that then I don't know if you placed any route entry to the
> > hop of your network to route the packets for the network that is located
> > behind the firewall in the firewall.
> > for example if you have a central hop with ip 192.168.0.1 and your first
> > subnet is 192.168.0.0/24 and the network behind the firewall is the
> > 192.168.1.0/24 and your firewall's "front" nic has 192.168.0.3 ip address
> > you have to add in the hop a static route so that packets having as
> > destination the network 192.168.1.0/24 are forwarded to
> > 192.168.0.3 which knows better how to manage these packets.
> >  I'll be glad to help you more if you provide any network configuration
> > sample and what you have done in your firewall
> >  Best regards
> >   Stamatis Kekes
> >   Technical Director of KosmosLink LTD
> >   mailto:skekes@kosmoslink.gr
> >   http://www.kosmoslink.gr
> >
> > Andre Solheim wrote:
> > >Copyright by Andre L. Solheim: 2002
> > >
> > >Hi
> > >I've just installed an OpenBSD machine as firewall in my network. It has 3
> > >nics. One as external interface, one for my DMZ and one for my internal
> > >network.
> > >When I am logged in on the firewall, I can ping machines on my internal
> > >network and on the internet. But I am unable to ping machines in the DMZ.
> > >I get the message "No route found to host", but when I run the route show
> > >command I have a route to my DMZ (172.16.16.0, and the gateway is
> > >172.16.16.1)
> > >Anyone know how I can resolve this?
> > >-- 
> > >Sincere regards
> > >
> > >André L. Solheim
> > >__________________________________________________________________
> > >"Imagine a school with children
> > > that can read and write, but with teachers who cannot, and you
> > > have a metaphor of the Information Age in which we live."
> > >                                                     Peter  Cochrane.
>
> -- 
> Sincere regards
>
> André L. Solheim
> __________________________________________________________________
> "Imagine a school with children
>  that can read and write, but with teachers who cannot, and you
>  have a metaphor of the Information Age in which we live."
>                                                      Peter  Cochrane.
>
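The quoted pf.conf accounts for the symptom without any routing change. The two anti-spoof rules in its DMZ section match the DMZ's own addresses (`from $DMZIPs`, `to $DMZIPs`) instead of everything except them, so with `quick` every packet the firewall sends to or receives from 172.16.16.0/20 on fxp0 is dropped before any pass rule is reached. pf rejects a locally generated packet it blocks with EHOSTUNREACH, which the sending program prints as "No route to host" even though `route show` still lists a valid route, and an empty pf.conf makes the problem disappear. The commented-out private-network rules show the intended form with `!`. As a side check on JC's netmask guess, the macros themselves do not overlap: 172.16.0.0/20 covers 172.16.0.0 to 172.16.15.255 and 172.16.16.0/20 covers 172.16.16.0 to 172.16.31.255. What follows is an added example, not a file from the thread or from OpenBSD: the DMZ section as posted beside a corrected version, reusing the poster's macro names and the rule syntax of the posted file.

```pf
# DMZ network (fxp0) -- macros repeated here so this fragment stands alone.
DMZ="fxp0"
PrivateIPs="172.16.0.0/20"
DMZIPs="172.16.16.0/20"

# As posted: the rules match the DMZ's own addresses, so together with
# "quick" every packet to or from the DMZ is blocked before the pass rules.
#   block in quick on $DMZ from $DMZIPs to any
#   block out quick on $DMZ from any to $DMZIPs

# Corrected anti-spoof rules: inbound, drop only packets whose source is NOT a
# DMZ address (spoofed); outbound, drop only packets not destined for the DMZ.
# This is the same shape as the commented-out private-network rules.
block in quick on $DMZ from ! $DMZIPs to any
block out quick on $DMZ from any to ! $DMZIPs

# Default deny on the interface, then the explicit passes from the posted file.
block in on $DMZ all
block out on $DMZ all
pass in on $DMZ inet proto tcp from $DMZIPs to any flags S/SA modulate state
pass in on $DMZ inet proto { udp, icmp } from $DMZIPs to any keep state
# Last matching rule wins (no "quick"), so this still overrides the pass
# above for DMZ-to-private traffic, which is the intended DMZ isolation.
block in on $DMZ inet from $DMZIPs to $PrivateIPs
pass out on $DMZ inet proto tcp from any to $DMZIPs flags S/SA modulate state
pass out on $DMZ inet proto { udp, icmp } from any to $DMZIPs keep state
```

With the corrected rules a ping from the firewall to a DMZ host leaves fxp0 under the `pass out ... { udp, icmp }` rule, which creates a state entry that lets the echo reply back in. `pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` shows the rules actually loaded, which is the quickest way to confirm that the `!` survived editing.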