PF strange problems. Bad /etc/pf.conf or something else?
Hello, everybody!
I am having a very awkward problem with a gateway I
installed a couple of weeks ago. The system is running
an OpenBSD 3.1 #55 snapshot made on 31 July and the
pf filter.
The purpose is a very common one - to hide the
internal network from outside and to provide access to
the internet with a single IP.
The topology is like this:
+---------------------------+
|Gate                       |
|$prv_if=rl0 (192.168.4.1)  |<------->Internet
|$ext_if=fxp0 (x.x.x.x)     |
+---------------------------+
              A
              |
              |----------------->[Web Server]
              V
       +-------------+
       |priv network |
       +-------------+
All the NICs behind the firewall are in the
192.168.4.x family. Everything works just fine EXCEPT
for one thing - the private network can't access the Web
server (and the rest of them) using not the internal IP
but the domain name, just like the people outside the
firewall do.
I have an IDENTICAL (same topology/IPs/OS) setup in
another location and there is no problem.
This is not my first gateway/firewall and I am not a
newbie, still I cannot fix this problem. Below are my
rules and you will see that the firewall is not the
problem. Furthermore, I've tried the same settings
with no firewall at all (pass out on $ext_if all/pass
in on $ext_if all) and got no answer.
Assuming that the web server is example.com, every
request to it from outside works; if I try
it from inside the firewall - no answer. The strange
thing is that I don't get a negative answer
(connection refused); it's just trying and trying.
A telnet to x.x.x.x 80 stops at
Trying x.x.x.x...
I'm using the simplest configuration possible. There
were some file access/rights modifications on the
system but still they should not be connected to pf.
Here are the files:
# less /etc/pf.conf
ext_if="fxp0"
ext_ip="x.x.x.x"
prv_if="rl0"
prv_ip="192.168.4.1"
prv_dm="192.168.4.0/24"
# note: the list needs a comma after 0.0.0.0/8, the posted copy had none
NoGoIPs="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8, \
169.254.0.0/16, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32 }"
web_ip="192.168.4.199"
mail_ip="192.168.4.100"
ftp_ip="192.168.4.199"
# internet
# WEB
rdr on $ext_if inet proto tcp from any to $ext_ip/32 port 80 -> $web_ip port 80
# MAIL
rdr on $ext_if inet proto { tcp,udp } from any to $ext_ip/32 port 25 -> $mail_ip port 25
rdr on $ext_if inet proto { tcp,udp } from any to $ext_ip/32 port 110 -> $mail_ip port 110
rdr on $ext_if inet proto { tcp,udp } from any to $ext_ip/32 port 143 -> $mail_ip port 143
### priv network
# WEB
rdr on $prv_if inet proto tcp from any to $ext_ip/32 port 80 -> $web_ip port 80
# MAIL
rdr on $prv_if inet proto { tcp,udp } from any to $ext_ip/32 port 25 -> $mail_ip port 25
rdr on $prv_if inet proto { tcp,udp } from any to $ext_ip/32 port 110 -> $mail_ip port 110
rdr on $prv_if inet proto { tcp,udp } from any to $ext_ip/32 port 143 -> $mail_ip port 143
# nat
nat on $ext_if from $prv_dm to any -> $ext_ip
# stop IPv6 traffic
block in quick inet6 all
block out quick inet6 all
# pass local interface
pass in quick on lo0 all
pass out quick on lo0 all
# Internet
# prevent spoofing
block in quick log on $ext_if from $NoGoIPs to any
pass out quick on $ext_if inet proto tcp all keep state
pass out quick on $ext_if inet proto udp all keep state
# default deny
block in on $ext_if all
# WEB
pass in quick on $ext_if inet proto tcp from any to $web_ip/32 port 80 flags S/SA keep state
# MAIL
pass in quick on $ext_if inet proto {tcp,udp} from any to $mail_ip/32 port { 25,110,143 } flags S/SA keep state
# allow PING
pass in quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
# private network
pass in quick on $prv_if all keep state
pass out quick on $prv_if all keep state
####################
As you see I've used macros so any typo should be
eliminated.
All the computers on the internal network are
accessing a DNS from outside. Connections to outside
are possible. The problem is that trying to access the
world-visible sites or mail from the web/mail
servers is not working (not refusing but just holding
off). What could be the problem? Somewhere packets are
lost and I can't figure it out.
Thanks a lot,
Costin
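A well-known cause of exactly this symptom (redirect works from outside, hangs at "Trying..." from inside) is that the redirected server sits on the same subnet as the client, so its replies bypass the gateway and never get un-translated. The fragment below is an added example, not part of Costin's post: it shows the reflection fix described in the OpenBSD PF FAQ, reusing the macros from the pf.conf above, and assumes the running snapshot accepts proto/port qualifiers on nat rules.

```conf
# Added example (not the original post's config): NAT reflection for
# the private-side redirects. $prv_if, $prv_dm, $prv_ip, $ext_ip,
# $web_ip and $mail_ip are the macros defined in the pf.conf above.

# As posted: a LAN client connecting to x.x.x.x:80 is redirected to
# the web server, but the server is on the same 192.168.4.0/24 as the
# client, so it answers the client directly with source 192.168.4.199.
# The client is waiting for x.x.x.x and silently drops the reply.
#rdr on $prv_if inet proto tcp from any to $ext_ip/32 port 80 -> $web_ip port 80

# Fix: keep the rdr, and additionally translate the client's source
# address to the gateway's private address on the way out to the
# server. The server now replies to the gateway, which reverses both
# translations before handing the packet back to the client.
rdr on $prv_if inet proto tcp from $prv_dm to $ext_ip/32 port 80 -> $web_ip port 80
nat on $prv_if proto tcp from $prv_dm to $web_ip port 80 -> $prv_ip

# Same treatment for the mail ports redirected on $prv_if.
rdr on $prv_if inet proto tcp from $prv_dm to $ext_ip/32 port { 25, 110, 143 } -> $mail_ip
nat on $prv_if proto tcp from $prv_dm to $mail_ip port { 25, 110, 143 } -> $prv_ip

# No filter change is needed: "pass in/out quick on $prv_if all keep
# state" already allows the traffic in both directions.
```

The cost of reflection is that the web and mail servers log every internal client as 192.168.4.1; running split DNS so internal hosts resolve the names to 192.168.4.x addresses avoids the translation entirely.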