
Re: pf default deny problem



Laurent,

I have done exactly as you suggested, and it does not work. pf.conf indicates that rdr rules imply keeping state through drop rules, which is why I did not have an allow outbound keep state rule. I've also tried with such a rule with no luck.

Also, as far as I can tell there is no need for a pass all rule for the internal interfaces of the firewall - they aren't being blocked. Correct me if I am wrong.

Here is my configuration with your suggestions:
########## VARIABLES ##########
## Interfaces ##
ext_if = "tun0"
int_if_lan = "sis0"
int_if_dmz = "dc0"
## Networks ##
network_lan = "192.168.2.0/24"
network_dmz = "10.0.0.0/24"
## Spoofed ##
no_go_ip = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
###############################

#### NAT RULES ####
#LAN
nat on $ext_if from $network_lan to any -> ($ext_if)
#DMZ
nat on $ext_if from $network_dmz to any -> ($ext_if)

#### REDIRECT RULES ####
#HTTP
rdr on $ext_if proto tcp from any to ($ext_if) port www -> 10.0.0.2 port www

##### FILTER RULES ####
## Spoofing ##
#Quickly block anyone spoofing loopback, as well as non-routeable
#addresses, in or out.
block in quick on $ext_if inet from $no_go_ip to $ext_if
block out quick on $ext_if inet from any to $no_go_ip

## IPv6  ##
#Drop and log _all_ IPv6 packets immediately
block in log quick on $ext_if inet6 all

## Default Deny ##
#Block in everything that isn't either allowed back in from an
#internally established connection, or allowed in from an externally
#established connection (below)
block in on $ext_if all
pass in on $int_if_lan all
pass out on $int_if_lan all
pass in on $int_if_dmz all
pass out on $int_if_dmz all

## Allow In ##
#HTTP
pass in log on $ext_if inet proto tcp from any to ($ext_if) port 80 keep state

## Allow Out ##
pass out on $ext_if all keep state

Cheers.
> 
> First, add 2 rules to allow all traffic on your LAN internal if :
> 
> pass in on $int_if_lan all
> pass out on $int_if_lan all
> 
> Then, modify your last rule to allow outbound traffic with TCP
> connection tracking :
> 
> pass out on $ext_if all keep state
> 
> Without this rule, all your incoming traffic is blocked by
> 'block in on $ext_if all' rule.
> 
> Read more carefully 'man pf.conf' and "STATEFUL INSPECTION" section to
> understand 'keep state' option.
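An added example that is not part of the thread: the inbound HTTP rule written against the rdr target, because pf applies translation before the filter rules, so the filter sees the packet already addressed to the DMZ host. Interface names and addresses are taken from the posted configuration; the $web_srv macro is introduced here.

```pf
# Added example (not from the thread). Interfaces and addresses are the
# ones in the posted configuration; $web_srv is a macro introduced here.
ext_if = "tun0"
int_if_dmz = "dc0"
web_srv = "10.0.0.2"

# rdr rewrites the destination before the filter rules run, so the packet
# the filter evaluates is addressed to $web_srv port 80, not ($ext_if) port 80.
rdr on $ext_if proto tcp from any to ($ext_if) port www -> $web_srv port www

# Default deny on the external interface.
block in on $ext_if all

# Inbound HTTP: match the translated destination. The state entry created
# here also carries the server's replies back out through $ext_if.
pass in log on $ext_if inet proto tcp from any to $web_srv port www keep state

# Outbound connections from inside and their replies.
pass out on $ext_if all keep state

# DMZ interface: the redirected packets also traverse dc0.
pass in on $int_if_dmz all
pass out on $int_if_dmz all

# Check the syntax without loading it:  pfctl -nf /etc/pf.conf
```

After loading, `pfctl -s state` shows the entry created for a redirected connection, with the destination already rewritten to 10.0.0.2:80.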