
pf / bridge question



Hi All,

I have a 4-legged firewall on OpenBSD 3.1, the two interfaces of the
DMZ/SSN (xl1 & wi0) are bridged and have both ips on the same subnet
(10.1.10.1 & 10.1.10.2). tl0 is the external interface and xl0 the
internal. Like:

external --- firewall --- internal
              /     \
             /  -*b- \                  (*b= bridged)
            /         \
       SSN wired   SSN wireless



Now all of the rules work as expected, except the ones that care about
traffic to the DMZ/SSN.

I have a host (10.1.10.3) connected to the tl0 interface (SSN wired
above). If I try to connect to it, e.g. by ssh, the packet reaches this
machine and a state is created; however, the return packet gets blocked
as if there were no state.
While testing with the following rule at the top of my rule file I've
found that the state is initially created for interface wi0, even though I
see no obvious reason why this should happen; also a tcpdump shows no
packets on wi0, so I suspect the bridge to be the culprit:

pass out log proto tcp from any to any flags S/SA keep state

This gives me the following pflog entries:

Jul 07 17:12:29.740677 rule 2/0(match): pass out on wi0: 10.1.1.5.6583 > 10.1.10.3.22: S 2325887254:2325887254(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2031242840 0> (DF)
Jul 07 17:12:29.741590 rule 2/0(match): pass in on xl1: 10.1.10.3.22 > 10.1.1.5.6583: S 496064088:496064088(0) ack 2325887255 win 17376 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 343142901 2031242840> (DF)


That means the traffic goes out on wi0 but comes back on xl1... Now I at
least understand why e.g.
   pass out log on $ssnif inet proto tcp from $intra to any keep state
doesn't create the desired state that matches the returning packets,
because they are returning from another interface not covered by this
rule/state (?).
This also happens to be the problem with the redirections from the
outside: their state never matches, because it gets created on wi0.
Now my questions are:

- Why does the firewall, or rather pf, send out the packets on wi0 even
though it knows that the machine is on xl1?
- How can I avoid it? I would like to have different policies for the
two SSN/DMZ interfaces xl1 and wi0.


Configuration below.
Sorry if this is covered elsewhere; I probably searched with the wrong
keywords in the archives.
Thanks for any help, hints and pointers,

Christoph Schneeberger



--pf.conf
# define vars
intra="10.1.1.0/24"
intra6="3ffe:4029:a001:a110::/64"
ssn="10.1.10.0/24"
ssn6="3ffe:4029:a001:a1a0::/64"
wl="10.1.10.0/24"
tiswan="10.0.0.0/16"
mywan="10.1.0.0/16"
snaplan="172.16.100.0/24"
ttrlan="10.2.1.0/24"

iif="xl0"
extif="tl0"
ssnif="xl1"
wlif="wi0"

extip="1.1.184.5/32"
intip="10.1.1.1/32"
ssnip="10.1.10.1/32"
wlip="10.1.10.2/32"

argus="1.1.128.4/32"
hal="1.1.128.5/32"
snapgear="1.1.128.9/32"
ttrgate="2.0.8.32/32"

norouteip="{ 0.0.0.0/32, 255.255.255.255/32, 127.0.0.1/8, \
                10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# packet normalization
scrub in all

# lo0 interface
pass in on lo0 all
pass out on lo0 all

# temporary hack to find out what's going on
# pass out log-all proto tcp from any to any flags S/SA keep state

# external interface
#
# block unroutable src/dst
block in log quick on $extif from $norouteip to any
block in log on $extif from any to $norouteip
# block default
block in log on $extif all
block return-rst in log on $extif proto tcp all
block return-icmp in log on $extif proto icmp all
# pass out from intra / ssn
pass out on $extif inet proto tcp from { $intra, $ssn } to any flags S/SA keep state
pass out on $extif inet proto { udp, icmp } from { $intra, $ssn } to any keep state
# icmp
pass in on $extif inet proto icmp all icmp-type 0
pass in on $extif inet proto icmp all icmp-type 3
pass in on $extif inet proto icmp all icmp-type 3
pass in on $extif inet proto icmp all icmp-type 11
pass out on $extif inet proto icmp all icmp-type 0
# ipsec
pass in on $extif inet proto esp from { $argus, $hal, $snapgear, $ttrgate } to $extip
pass in on $extif inet proto udp from { $argus, $hal, $snapgear, $ttrgate } to $extip port = 500
pass out on $extif inet proto esp from $extip to { $argus, $hal, $snapgear, $ttrgate }
pass out on $extif inet proto udp from $extip port = 500 to { $argus, $hal, $snapgear, $ttrgate }
# allow identd from outside
pass in quick on $extif proto tcp from any to $extip port = 113 flags S keep state
# ssh for management and authpf
pass in on $extif inet proto tcp from $argus to $extip port = 22
# allow in web traffic to ssn
pass in on $extif proto tcp from any to 10.1.10.3/32 port = 80 keep state
# allow in irc traffic to ssn
pass in on $extif proto tcp from any to 10.1.10.3/32 port = 6667 keep state
# allow mail traffic to ssn
pass in on $extif proto tcp from any to 10.1.10.3/32 port = 25 keep state


# ssn interface
#
block in log on $ssnif from any to any
block return-rst in log on $ssnif proto tcp all
block return-icmp in log on $ssnif proto icmp all
pass out log on $ssnif inet proto tcp from $intra to any keep state
pass out log on $ssnif inet proto { udp, icmp } from $intra to any keep state
# ssn dns lookups to internal
pass in on $ssnif proto udp from $ssn to 10.1.1.2/32 port = 53 keep state


# wlan interface
#
block in log on $wlif from any to any
block return-rst in log on $wlif proto tcp all
block return-icmp in log on $wlif proto icmp all
# icmp
pass in on $wlif inet proto icmp all icmp-type 0
pass in on $wlif inet proto icmp all icmp-type 3
pass in on $wlif inet proto icmp all icmp-type 3
pass in on $wlif inet proto icmp all icmp-type 11
pass out on $wlif inet proto icmp all icmp-type 0
# ssh for management and authpf
pass in on $wlif inet proto tcp from $wl to $wlip port = 22 keep state
# WL SSN DHCP to firewall
pass in on $wlif inet proto udp from any to any port = 67
pass out on $wlif inet proto udp from $ssnif to any port = 68


# ipsec interface 
#
pass in on enc0 from { $tiswan, $argus, $hal, $snapgear, $snaplan, $ttrlan } to { $mywan, $extip }
pass out on enc0 from { $mywan, $extip } to { $tiswan, $argus, $hal, $snapgear, $snaplan, $ttrlan }


# pass in ip6 to ssn
pass in log on $extif inet6 from any to $ssn6
pass out log on $extif inet6 from any to any

--bridgename.bridge0
add xl1
add wi0
up

--nat.conf
nat on tl0 from 10.1.1.0/24 to any -> 1.1.184.5
nat on tl0 from 10.1.10.0/24 to any -> 1.1.184.5

rdr on tl0 from any to 1.1.184.5/32 port 80 -> 10.1.10.3 port 80
rdr on tl0 from any to 1.1.184.5/32 port 6667 -> 10.1.10.3 port 6667
rdr on tl0 from any to 1.1.184.5/32 port 25 -> 10.1.10.3 port 25

---
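Added example, not part of the original post or of pf itself: a small Python script that parses pflog text lines of the form shown above and flags TCP flows whose forward packet left the firewall on one interface while the reply came back in on a different one, which is exactly the wi0/xl1 asymmetry the poster describes. The first two sample lines are the poster's own log entries; the third and fourth are constructed to show a symmetric flow on xl1 for contrast. The regex assumes tcpdump-style pflog output with IPv4 addresses and ports; the function names are this example's own.

```python
import re

# Constructed sample input: the two pflog lines from the post (joined onto
# single lines) plus a made-up symmetric flow on xl1 that should NOT be flagged.
SAMPLE_PFLOG = """\
Jul 07 17:12:29.740677 rule 2/0(match): pass out on wi0: 10.1.1.5.6583 > 10.1.10.3.22: S 2325887254:2325887254(0) win 16384 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 2031242840 0> (DF)
Jul 07 17:12:29.741590 rule 2/0(match): pass in on xl1: 10.1.10.3.22 > 10.1.1.5.6583: S 496064088:496064088(0) ack 2325887255 win 17376 <mss 1460,nop,nop,sackOK,nop,wscale 0,nop,nop,timestamp 343142901 2031242840> (DF)
Jul 07 17:13:01.100000 rule 2/0(match): pass out on xl1: 10.1.1.5.6590 > 10.1.10.3.80: S 1:1(0) win 16384 (DF)
Jul 07 17:13:01.100500 rule 2/0(match): pass in on xl1: 10.1.10.3.80 > 10.1.1.5.6590: S 2:2(0) ack 2 win 17376 (DF)
"""

# Matches "<timestamp> rule N/M(reason): <action> <dir> on <if>: a.b.c.d.port > e.f.g.h.port: <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_pflog_line(line):
    """Return a dict of the fields in one pflog line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def flow_key(rec):
    """Direction-independent key so request and reply land on the same flow."""
    a = (rec["src"], rec["sport"])
    b = (rec["dst"], rec["dport"])
    return (a, b) if a <= b else (b, a)


def find_asymmetric_flows(text):
    """Return {flow_key: (fwd_out_ifaces, rev_in_ifaces)} for flows whose forward
    packets went OUT on interfaces different from those the replies came IN on.
    The first packet seen for a flow defines which endpoint is the initiator."""
    flows = {}
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None:
            continue
        key = flow_key(rec)
        f = flows.setdefault(
            key, {"initiator": (rec["src"], rec["sport"]), "fwd_out": set(), "rev_in": set()}
        )
        forward = (rec["src"], rec["sport"]) == f["initiator"]
        if forward and rec["dir"] == "out":
            f["fwd_out"].add(rec["ifname"])          # request leaving the firewall
        elif not forward and rec["dir"] == "in":
            f["rev_in"].add(rec["ifname"])           # reply arriving at the firewall
    result = {}
    for key, f in flows.items():
        if f["fwd_out"] and f["rev_in"] and f["fwd_out"] != f["rev_in"]:
            result[key] = (sorted(f["fwd_out"]), sorted(f["rev_in"]))
    return result


if __name__ == "__main__":
    for (a, b), (out_ifs, in_ifs) in find_asymmetric_flows(SAMPLE_PFLOG).items():
        print("%s:%d <-> %s:%d: out on %s, reply in on %s"
              % (a[0], a[1], b[0], b[1], ",".join(out_ifs), ",".join(in_ifs)))
```

Feed it `tcpdump -n -e -ttt -i pflog0` output (or the saved pflog file read through tcpdump) with a `pass ... log` rule in place, and any flow it prints is one where a state created on the "out" interface will not match the reply; on this bridge that is the 10.1.1.5 -> 10.1.10.3 ssh flow, flagged as wi0 out / xl1 in.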


