
pf default deny problem



Hi all,
I'm running quite a basic setup here.  On my firewall box, I have an 
external connection, "tun0" and two internal NICs "$int_if_lan" 
and "$int_if_dmz", connected to my LAN and DMZ respectively.  The LAN 
subnet is 192.168.2/24 while the DMZ subnet is 10.0.0/24.  
I have NAT working for both networks, so connectivity from inside to 
outside is fine.  Also, I have a working redirect rule, pushing 
connections to port 80 from outside, through to the webserver in the 
DMZ.
Now, I'm wanting to block all requests coming in except:
1. Connections that I initiate from inside the LAN, to the outside 
world (no restrictions as of yet).
2. Connections initiated from the outside to the webserver in the DMZ.
I've been told that NAT and RDR rules imply "keep state" - meaning 
anything rdr'd doesn't need to have a filtering rule to allow 
connections in/out.  'man pf.conf' agrees.
However, as soon as I add a default deny rule, no matter what I try 
adding after it rule-wise, packets simply don't make it through (and 
I've tried a plethora of rules - all syntactically correct, in that 
they were allowed to be loaded by pfctl).
Below, is a copy of my pf.conf as currently stands, and any suggestions 
as to how to get this working would be appreciated.
begin pf.conf
########## VARIABLES ##########
## Interfaces ##
ext_if = "tun0"
int_if_lan = "sis0"
int_if_dmz = "dc0"
## Networks ##
network_lan = "192.168.2.0/24"
network_dmz = "10.0.0.0/24"
## Spoofed ##
no_go_ip = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
###############################
#### NAT RULES ####
#LAN
nat on $ext_if from $network_lan to any -> ($ext_if)
#DMZ
nat on $ext_if from $network_dmz to any -> ($ext_if)
#### REDIRECT RULES ####
#HTTP
rdr on $ext_if proto tcp from any to ($ext_if) port www -> 10.0.0.2 port www
##### FILTER RULES ####
## Spoofing ##
#Quickly block anyone spoofing loopback, as well as non-routeable addresses, in or out.
block in quick on $ext_if inet from $no_go_ip to $ext_if
block out quick on $ext_if inet from any to $no_go_ip
## IPv6  ##
#Drop and log _all_ IPv6 packets immediately
block in log quick on $ext_if inet6 all
## Default Deny ##
#Block in everything that isn't either allowed back in from an internally
#established connection, or allowed in from an externally established
#connection (below)
#block in log on $ext_if all
pass in quick on $ext_if inet proto tcp from any to any port 80
block in on $ext_if all
## Allow In ##
#HTTP
#pass in quick log on $ext_if inet proto tcp from any to ($ext_if) port 80 keep state
#pass in quick on $ext_if inet proto tcp from any to any port 80
## Allow Out ##
#pass out on $ext_if all
end pf.conf
I am aware that some lines are commented and others aren't.  I've left 
all the things I've tried in there, and have tried them all in all 
combinations with no success.
Thanks
kremlyn
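The ruleset below is an added example, not part of kremlyn's post and not a reply from the list. It keeps the same interfaces, networks and web server address as the pf.conf above and the same pre-4.1 syntax (so "keep state" is written out on every pass rule; the macro name "webserver" is introduced here for readability). The point it illustrates is that nat and rdr are applied before the filter rules are evaluated, so the filter sees the packet as it looks after translation: an incoming web request has already had its destination rewritten to 10.0.0.2 by the time "block in on $ext_if all" or any pass rule on tun0 looks at it, and a pass rule written "to ($ext_if) port 80" never matches it. With state kept on the rules that accept the first packet of each connection, the replies match state and the default deny can stay in place on every interface.

```pf
# Added example ruleset (not from the original post); same macros as above.
ext_if = "tun0"
int_if_lan = "sis0"
int_if_dmz = "dc0"
network_lan = "192.168.2.0/24"
network_dmz = "10.0.0.0/24"
webserver = "10.0.0.2"          # the rdr target from the original rdr rule
no_go_ip = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

#### NAT / REDIRECT (evaluated before the filter rules) ####
nat on $ext_if from $network_lan to any -> ($ext_if)
nat on $ext_if from $network_dmz to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port www -> $webserver port www

#### FILTER ####
## Spoofing ##
# "to any" rather than "to $ext_if": a spoofed packet aimed at port 80 has
# already been rewritten to $webserver when this rule is evaluated.
block in quick on $ext_if inet from $no_go_ip to any
block out quick on $ext_if inet from any to $no_go_ip
block in log quick on $ext_if inet6 all

## Default Deny, on every interface, so a forgotten pass rule fails closed ##
block in log all
block out log all
pass quick on lo0 all

## 1. Connections initiated from the LAN (and from the DMZ hosts) ##
# Accept the first packet on the inside interface, let the NAT'd packet out
# through tun0; the state created here is what lets the replies back in.
pass in on $int_if_lan inet from $network_lan to any keep state
pass in on $int_if_dmz inet from $network_dmz to any keep state
pass out on $ext_if inet all keep state

## 2. Redirected web traffic to the DMZ ##
# Match the translated destination, not ($ext_if).  flags S/SA limits the
# rule to the SYN that opens the connection; everything after that is state.
pass in on $ext_if inet proto tcp from any to $webserver port www flags S/SA keep state
pass out on $int_if_dmz inet proto tcp from any to $webserver port www keep state
```

Loading it with "pfctl -f /etc/pf.conf" replaces the whole ruleset (nat, rdr and filter together); after that, "pfctl -s state" should show one entry for each LAN connection and one for each redirected web connection, and "pfctl -s rules -v" shows which rule's counters are climbing when something is still being dropped, which is the quickest way to tell a translation mismatch from a missing pass rule.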