
Re: Very Annoying problem... blocks everything...



Yeah, I'll post them up on a webpage real quick.
and to answer someone's question earlier, yes, I'm using "quick" rules.  I'm wanting to try and keep the
latency down as low as I can.  And I figured that would be the best way to keep it down.
> Shawn,
>
> Multi-interface packet filtering can be tricky.  Could you post your rules?
>
> Without that, all we can probably say is that you have a
> misconfiguration somewhere.
>
> IIRC, creating stateful inspection on one interface does not allow the packets to go through other
> interfaces.  This is my first guess as to your problem.
>
> ==ml
>
> On Mon, Dec 16, 2002 at 03:03:53PM -0600, shawnm@iodamedia.net wrote:
>> Ok, I'm new to OpenBSD and pf, but I'm quickly getting the hang of it.
>>
>> Here's my setup:
>>
>> AMD 2300 w/ 512mb DDR ram
>> 512mb flash drive
>> 5 10/100 network cards
>>
>> I have 4 networks right now, one of them is the internet.  So let's call them, Inet, A, B, and C.
>>
>> Network C is the network with all mail/web/dns/etc servers on it.
>>
>> A and B are networks, I could really care less what traffic goes to them, and from them, going to/from
>> the internet and each other.
>>
>> I want networks A and B to be able to only access the mail servers on ports 25/110/80/443, dns servers
>> on port 53, webservers on ports 80/443, and a couple of other servers via ftp.
>>
>> Should be very simple, I setup some rules to allow all traffic from Inet going to A and B.  I then
>> allowed all traffic from A and B going to Inet to pass through.
>> I then setup some holes on C, to allow those ports to those servers that I want open.  I also allowed
>> network C to access http/https/ftp/dns/mail outside of its network. I have a "catch all" in the bottom
>> of my script, to just block everything that doesn't fit into anything else.
>>
>> I enable it.. what happens.. I lose connectivity to all the networks.  Nothing can see anything outside
>> of their network.
>> Do a ping from the firewall, and you get:
>>
>> ping: sendto: No route to host
>> ping: wrote 192.168.3.250 64 chars, ret=-1
>>
>>
>> Anyone have any ideas?
>>
>>
>
> --
> Michael Lucas		mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
> http://www.oreillynet.com/pub/q/Big_Scary_Daemons
>
>           Absolute BSD:   http://www.AbsoluteBSD.com/
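
Added example (not Shawn's rules, and not from Michael's reply): one way to write the four-network setup described in the thread as a pf.conf, with a non-quick catch-all at the top and quick stateful passes below it; interface names, addresses and server hosts are assumptions, and the syntax is the OpenBSD 3.x era form with explicit `keep state`. The `pass out` for the firewall's own addresses matters for the symptom in the post: when pf blocks a packet the box itself originates, ip_output returns EHOSTUNREACH to the socket, which ping prints as `sendto: No route to host`.

```pf
# Added example, not the poster's ruleset. Interface names, addresses and
# server hosts below are assumptions; adjust to the real topology.
ext_if  = "fxp0"                 # Inet
a_if    = "fxp1"                 # network A
b_if    = "fxp2"                 # network B
c_if    = "fxp3"                 # network C (mail/web/dns/ftp servers)
a_net   = "192.168.1.0/24"
b_net   = "192.168.2.0/24"
c_net   = "192.168.3.0/24"
mail    = "192.168.3.10"
dns     = "192.168.3.20"
web     = "192.168.3.30"
ftp_srv = "192.168.3.40"

# Catch-all. Plain (non-quick) rules are last-match, so these only win when
# no quick pass below matches. Logging shows what is actually being dropped.
block in log all
block out log all

# Traffic the firewall itself originates (ping from the box, its own DNS).
# Without this the catch-all drops the box's own packets and ping reports
# "sendto: No route to host".
pass out quick from { $ext_if, $a_if, $b_if, $c_if } to any keep state

# A and B: anything to/from the Internet and each other (the post's policy).
# A state created by an "in" rule also matches the packet as it leaves on
# another interface, so no per-interface "pass out" is needed for forwarding.
pass in quick on $ext_if from any to { $a_net, $b_net } keep state
pass in quick on { $a_if, $b_if } from { $a_net, $b_net } to ! $c_net keep state

# The only holes into C, from the Internet and from A/B alike.
# Port 21 covers the FTP control channel only; data connections need
# ftp-proxy(8) or additional rules.
pass in quick on { $ext_if, $a_if, $b_if } proto tcp from any to $mail port { 25, 110, 80, 443 } keep state
pass in quick on { $ext_if, $a_if, $b_if } proto { tcp, udp } from any to $dns port 53 keep state
pass in quick on { $ext_if, $a_if, $b_if } proto tcp from any to $web port { 80, 443 } keep state
pass in quick on { $ext_if, $a_if, $b_if } proto tcp from any to $ftp_srv port 21 keep state

# C outbound: only http/https/ftp/dns/mail as client traffic.
pass in quick on $c_if proto tcp from $c_net to any port { 21, 25, 80, 443 } keep state
pass in quick on $c_if proto { tcp, udp } from $c_net to any port 53 keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax on the running release, then watch `tcpdump -n -e -ttt -i pflog0` to see which catch-all rule is dropping the traffic.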