
Re: Problems with routing on OpenBSD firewall



Copyright by Andre L. Solheim: 2002
Message-Id: <200206222110.49475.andre.solheim@broadpark.no>

And here it is:

Internet:
Destination      Gateway            Flags
default          213-187-161-85.dd. UG
127.0.0.0        localhost          UG
localhost        localhost          UH
172.16.0.0       link#3             U
172.16.1.1       0:50:da:4b:ce:73   UH
172.16.1.6       0:2:b3:9a:7b:c6    UH
172.16.16.0      link#2             U
172.16.16.2      0:50:4:50:1c:cc    UH
213-187-161-84.d link#1             U
213-187-161-85.d 0:4:27:b:54:15     UH
doorkeeper       localhost          UGH
BASE-ADDRESS.MCA localhost

This is the output when I have a completely blank pf.conf file.
My IPs are as follows:
Internet (xl0) 213.187.161.86
dmz (fxp1) 172.16.16.1/20
internal (fxp0) 172.16.0.1/20

On Saturday 22 June 2002 20:25, Jean-Christophe Sicard wrote:
> You still haven't shown us a complete route -n show -inet...
> My guess would be that you have a wrong netmask somewhere in your routes...
> (I like to stick with more standard netmasks like 172.17/12 for DMZ subnet
> instead of further subnetting 172.16 range but it should still work
> anyways)
>
> JC
>
> > -----Original Message-----
> > From: owner-misc@openbsd.org [mailto:owner-misc@openbsd.org]On Behalf Of
> > Andre Solheim
> > Sent: June 21, 2002 15:37
> > To: misc@openbsd.org
> > Subject: Re: Problems with routing on OpenBSD firewall
> >
> >
> > Copyright by Andre L. Solheim: 2002
> > Message-Id: <200206212136.59578.andre.solheim@broadpark.no>
> >
> > Hi
> >
> > This time I have enclosed the pf.conf file that I use. Whenever I load
> > this the problem comes back, and when I reload a blank pf.conf the problem
> > goes away. It must be something wrong with the rule set.
> >
> > # Packet firewalling rules by André Solheim -A
> > # 21.06.2002
> > # basis for this ruleset is by Jacek Artymiak in his
> > # articles in the series Securing networks with OpenBSD on
> > # www.onlamp.com
> > #################################################################
> > # define variables
> > External="xl0"
> > Private="fxp1"
> > DMZ="fxp0"
> > NoGoIPs="{ 192.168.0.0/16, 172.16.0.0/12, 127.0.0.0/8, 10.0.0.0/8, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"
> > PrivateIPs="172.16.0.0/20"
> > DMZIPs="172.16.16.0/20"
> > #################################################################
> > # normalize packets
> > scrub in all
> > #################################################################
> > # stop all IPv6 traffic
> > block in quick inet6 all
> > block out quick inet6 all
> > #################################################################
> > # pass everything on loopback (lo0)
> > pass in quick on lo0 all
> > pass out quick on lo0 all
> > #################################################################
> > # Internet (xl0)
> > # prevent spoofing of non-routable addresses
> > block in quick on $External from $NoGoIPs to any
> > block out quick on $External from any to $NoGoIPs
> > # stop all incoming packets
> > block in on $External all
> > # pass in on $External inet proto { tcp, udp } from any to 172.16.16.2/32 port smtp keep state
> > pass in on $External inet proto { tcp, udp } from any to 172.16.16.2/32 port www keep state
> > # block all outgoing packets
> > block out on $External all
> > # allow TCP IPv4 connections to the outside world, keep state
> > pass out on $External inet proto tcp all flags S/SA modulate state
> > pass out on $External inet proto { udp, icmp } all keep state
> > #################################################################
> > # private network (fxp1)
> > # prevent spoofing of non-routable addresses
> > # block in quick on $Private from ! $PrivateIPs to any
> > # block out quick on $Private from any to ! $PrivateIPs
> > # stop all incoming and outgoing packets
> > block in on $Private all
> > block out on $Private all
> > # allow TCP IPv4 connections to the outside world, keep state
> > pass in on $Private inet proto tcp from $PrivateIPs to any flags S/SA modulate state
> > pass in on $Private inet proto { udp, icmp } from $PrivateIPs to any keep state
> > #################################################################
> > # DMZ network (fxp0)
> > # prevent spoofing of non-routable addresses
> > block in quick on $DMZ from $DMZIPs to any
> > block out quick on $DMZ from any to $DMZIPs
> > # stop all incoming and outgoing packets
> > block in on $DMZ all
> > block out on $DMZ all
> > # allow TCP IPv4 connections to the outside world, keep state
> > pass in on $DMZ inet proto tcp from $DMZIPs to any flags S/SA modulate state
> > pass in on $DMZ inet proto { udp, icmp } from $DMZIPs to any keep state
> > block in on $DMZ inet from $DMZIPs to $PrivateIPs
> > pass out on $DMZ inet proto tcp from any to $DMZIPs flags S/SA modulate state
> > pass out on $DMZ inet proto { udp, icmp } from any to $DMZIPs keep state
> >
> > On Friday 21 June 2002 09:36, Kekes Stamatis wrote:
> > > First of all, have you enabled packet forwarding?
> > > If you did that, then I don't know if you placed any route entry to the
> > > hop of your network to route the packets for the network that is located
> > > behind the firewall in the firewall.
> > > For example, if you have a central hop with ip 192.168.0.1 and your first
> > > subnet is 192.168.0.0/24 and the network behind the firewall is the
> > > 192.168.1.0/24 and your firewall's "front" nic has 192.168.0.3 ip address,
> > > you have to add in the hop a static route so that packets having
> > > destination the network 192.168.1.0/24 are forwarded to
> > > 192.168.0.3 which knows better how to manage these packets.
> > >  I'll be glad to help you more if you provide any network configuration
> > > sample and what you have done in your firewall
> > >  Best regards
> > >   Stamatis Kekes
> > >   Technical Director of KosmosLink LTD
> > >   mailto:skekes@kosmoslink.gr
> > >   http://www.kosmoslink.gr
> > >
> > > Andre Solheim wrote:
> > > >Copyright by Andre L. Solheim: 2002
> > > >Message-Id: <200206210024.12142.andre.solheim@broadpark.no>
> > > >
> > > >Hi
> > > >I've just installed an OpenBSD machine as firewall in my network. It has
> > > >3 nics. One as external interface, one for my DMZ and one for my internal
> > > >network.
> > > >When I am logged in on the firewall, I can ping machines on my internal
> > > >network and on the internet. But I am unable to ping machines in the DMZ.
> > > >I get the message "No route found to host", but when I run the route show
> > > >command I have a route to my DMZ (172.16.16.0, and the gateway is
> > > >172.16.16.1)
> > > >Anyone know how I can resolve this?
> > > >-- 
> > > >Sincere regards
> > > >
> > > >André L. Solheim
> > > >__________________________________________________________________
> > > >"Imagine a school with children
> > > > that can read and write, but with teachers who cannot, and you
> > > > have a metaphor of the Information Age in which we live."
> > > >                                                     Peter Cochrane.
> >
> > -- 
> > Sincere regards
> >
> > André L. Solheim
> > __________________________________________________________________
> > "Imagine a school with children
> >  that can read and write, but with teachers who cannot, and you
> >  have a metaphor of the Information Age in which we live."
> >                                                      Peter Cochrane.
> >
> >
> > __________________________________________________________________
> > Confidentiality Notice
> >
> >
> > The content of this e-mail is intended for the confidential use of the
> > person(s) to whom it is addressed. If the reader of this message is not such
> > a person, you are hereby notified that you have received this communication
> > in error and that reading it, or in any way disseminating its content to any
> > other person, is strictly prohibited. If you have received this message in
> > error, please notify the author by replying to this e-mail immediately, and
> > subsequently delete all of its content.

-- 
Sincere regards

André L. Solheim
__________________________________________________________________
"Imagine a school with children
 that can read and write, but with teachers who cannot, and you
 have a metaphor of the Information Age in which we live."
                                                     Peter Cochrane.

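Editor's note on the ruleset above, with an added example that is not code from the thread or from OpenBSD. pf evaluates rules top to bottom: the last matching rule decides, except that a matching "quick" rule ends evaluation at once. In the posted DMZ section the two "prevent spoofing" rules are written without the "!" that the commented-out $Private pair carries, so "block out quick on $DMZ from any to $DMZIPs" matches every packet the firewall itself sends toward 172.16.16.0/20, and the "pass out ... to $DMZIPs" rules further down are never consulted. On $Private there is no "pass out" rule at all, so the firewall's own packets toward 172.16.16.0/20 have no way out whichever of fxp0 and fxp1 is really the DMZ (the macros in the file say fxp0, the interface list in the latest message says fxp1). When pf blocks a locally generated packet on output, OpenBSD hands EHOSTUNREACH back to the sending socket, which ping prints as "No route to host", consistent with the symptom reported. The model below parses only the rule syntax used in that section, assumes DMZ = fxp0 as in the posted macros, and evaluates constructed packets against the section as posted and against the same section with the negation restored.

```python
"""Model of pf rule evaluation, run over the DMZ section of the ruleset posted above.
pf walks the rules top to bottom; the LAST matching rule decides, except that a
matching "quick" rule ends the walk at once, and a packet matching no rule passes.
Stateless ("keep state", "modulate state", "flags" are parsed and ignored): enough
for a flow's first packet. Added example, not code from the thread; DMZ = fxp0 as
in the posted macros, and the packets at the bottom are constructed."""
import ipaddress
import re
from collections import namedtuple

Packet = namedtuple("Packet", "direction iface proto src dst")  # direction: "in" or "out"
Rule = namedtuple("Rule", "action direction quick iface protos src dst text")
ANY = (False, None)  # address spec: (negated, list of networks, or None meaning "any")

def parse_rule(line, macros):
    """Parse the subset of pf.conf rule syntax that the posted ruleset uses."""
    expanded = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], line)
    toks = re.findall(r"[{}!,]|[^\s{}!,]+", expanded)
    def read_set(i):  # "{ a, b }" -> (["a", "b"], next index); a bare token otherwise
        if toks[i] != "{":
            return [toks[i]], i + 1
        items, i = [], i + 1
        while toks[i] != "}":
            if toks[i] != ",":
                items.append(toks[i])
            i += 1
        return items, i + 1
    def read_addr(i):  # handles "any", one network, "{ a, b }" and a leading "!"
        negated = toks[i] == "!"
        items, i = read_set(i + 1 if negated else i)
        nets = None if items == ["any"] else [ipaddress.ip_network(a, strict=False) for a in items]
        return (negated, nets), i
    quick = toks[2] == "quick"
    i, iface, protos, src, dst = (3 if quick else 2), None, frozenset(), ANY, ANY
    while i < len(toks):
        t = toks[i]
        if t == "on":
            iface, i = toks[i + 1], i + 2
        elif t == "proto":
            items, i = read_set(i + 1)
            protos = frozenset(items)
        elif t == "from":
            src, i = read_addr(i + 1)
        elif t == "to":
            dst, i = read_addr(i + 1)
        else:  # "inet", "all", "flags S/SA", "keep"/"modulate" "state": no effect on matching here
            i += 1
    return Rule(toks[0], toks[1], quick, iface, protos, src, dst, line)

def _addr_ok(spec, ip):
    negated, nets = spec
    return (nets is None or any(ip in n for n in nets)) != negated

def matches(rule, pkt):
    return (rule.direction == pkt.direction
            and rule.iface in (None, pkt.iface)
            and (not rule.protos or pkt.proto in rule.protos)
            and _addr_ok(rule.src, ipaddress.ip_address(pkt.src))
            and _addr_ok(rule.dst, ipaddress.ip_address(pkt.dst)))

def evaluate(rules, pkt):
    """pf's verdict: the last matching rule wins unless a matching "quick" rule ends the walk."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return ("pass", None) if winner is None else (winner.action, winner)

MACROS = {"DMZ": "fxp0", "DMZIPs": "172.16.16.0/20", "PrivateIPs": "172.16.0.0/20"}
# The DMZ section as posted. Its "anti-spoofing" pair lacks the "!" of the commented-out
# $Private pair, so it blocks the DMZ's own addresses, and being "quick" it wins first.
POSTED_DMZ = [
    "block in quick on $DMZ from $DMZIPs to any",
    "block out quick on $DMZ from any to $DMZIPs",
    "block in on $DMZ all",
    "block out on $DMZ all",
    "pass in on $DMZ inet proto tcp from $DMZIPs to any flags S/SA modulate state",
    "pass in on $DMZ inet proto { udp, icmp } from $DMZIPs to any keep state",
    "block in on $DMZ inet from $DMZIPs to $PrivateIPs",
    "pass out on $DMZ inet proto tcp from any to $DMZIPs flags S/SA modulate state",
    "pass out on $DMZ inet proto { udp, icmp } from any to $DMZIPs keep state",
]
# The same section with the negation restored: block what is NOT from/to the DMZ range.
FIXED_DMZ = ["block in quick on $DMZ from ! $DMZIPs to any",
             "block out quick on $DMZ from any to ! $DMZIPs"] + POSTED_DMZ[2:]

# Constructed packets: the firewall pinging a DMZ host, the reply, and a spoofed outsider.
FW_PING = Packet("out", "fxp0", "icmp", "172.16.16.1", "172.16.16.2")
DMZ_REPLY = Packet("in", "fxp0", "icmp", "172.16.16.2", "172.16.16.1")
SPOOFED = Packet("in", "fxp0", "udp", "10.9.9.9", "172.16.16.2")

def verdict(lines, pkt):
    """Action ("pass" or "block") pf would take on pkt under the given rule lines."""
    return evaluate([parse_rule(l, MACROS) for l in lines], pkt)[0]

if __name__ == "__main__":
    for name, lines in (("posted", POSTED_DMZ), ("fixed", FIXED_DMZ)):
        print(name, [verdict(lines, p) for p in (FW_PING, DMZ_REPLY, SPOOFED)])
```

Under the posted section all three packets are blocked, the firewall's own ping by the second "quick" rule; under the corrected section the ping and the reply pass and only the spoofed packet is blocked. The model deliberately stops at the first packet: once a "pass ... keep state" rule has created state, pf matches the rest of the flow against that state rather than the ruleset, so a one-packet evaluation is what matters for a ping that never leaves the box.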