
Six interfaces...

I believe I am fundamentally misunderstanding the way that pf functions. The excellent man page and list archives I've viewed have not been able to help me in my efforts to understand what exactly it is that I'm doing. Fortunately I know exactly what I want to do.

I have a machine running 3.2-stable, with six NICs, three currently active, which I am using in an SQA environment.
In my SQA environment, I want to have knowledge of and the ability to control all aspects of what goes to and from each host or interface. So far, only my "from any to any" rules work (icmp, dns, samba, web, vnc). My rules involving specific hosts and/or interfaces don't work. For instance, if I want to allow only port 42 open between a host on net2 and another host on net3, my rule does not generate a syntax error, but the WINS databases don't replicate. I must use a "from any to any" rule on those interfaces to pass traffic. I have used every combination of syntax that I could think of, without the expected result (I will not include those many tries in the ruleset below); that is why I think I am missing something fundamental in my understanding of what is really going on.

Please see my ruleset below, and please excuse the tcp/udp and keep state redundancies unless they are causing problems; I'll be cleaning those up.

I may have a somewhat unusual application for pf with 6 NICs, and perhaps a discussion will be helpful for others. This machine is named 6nix.

Thanks very much indeed,
Peter Gorsuch

# pf.conf

#"net_" numbers:
#inova = 2.5.55.0/24
#net2  = 2.2.0.0/16
#net3  = 3.3.0.0/16
#net4  = unused
#net5  = unused
#net6  = unused

#VARIABLES:
inova="xl0"
net2="fxp1"
net3="fxp0"
net4="fxp2"
net5="fxp3"
net6="fxp4"


#NAT:
nat on xl0 inet from 2.2.0.0/16 to any -> 12.5.55.230
nat on xl0 inet from 3.3.0.0/16 to any -> 12.5.55.230

#add more nat rules if needed as segments are added...

######################################################
#Filter rules:

#block all by default:
block in all
block out all

###############################
#pass all for services as noted
###############################

#DNS:
pass out inet proto { tcp, udp } from any to any port 53 keep state
pass in inet proto { tcp, udp } from any to any port 53 keep state

#WEB:
pass in inet proto tcp from any to any port 80 keep state
pass out inet proto tcp from any to any port 80 keep state
pass in inet proto tcp from any to any port https keep state
pass out inet proto tcp from any to any port https keep state

#ICMP (ping, etc.):
pass in proto icmp from any to any keep state
pass out proto icmp from any to any keep state

#Samba:
pass in proto { tcp, udp } from any to any port 135 keep state
pass out proto { tcp, udp } from any to any port 135 keep state
pass in proto  { tcp, udp } from any to any port 137 keep state
pass in proto  udp from any to any port 138 keep state
pass in proto  tcp from any to any port 139 keep state
pass out proto { udp, tcp } from any to any port 137 keep state
pass out proto udp from any to any port 138 keep state
pass out proto tcp from any to any port 139 keep state
pass in proto { tcp, udp } from any to any port 445 keep state
pass out proto { tcp, udp } from any to any port 445 keep state

#pass all: net2 and net3 (currently for WINS - need port 42)
pass in on $net2 inet proto tcp from any to any keep state
pass out on $net2 inet proto tcp from any to any keep state
pass in on $net3 inet proto tcp from any to any keep state
pass out on $net3 inet proto tcp from any to any keep state

#Unix printing:
pass out inet proto { tcp, udp } from $inova to any port 515 keep state
pass in inet proto { tcp, udp } from any to $inova port 515 keep state
pass out inet proto { tcp, udp } from $inova to any port 9100 keep state
pass in inet proto { tcp, udp } from any to $inova port 9100 keep state

#REMOTE CONTROL
# allow VNC on all interfaces listening for a connection:
pass in inet proto { tcp, udp } from any to any port 5800 keep state
pass out inet proto { tcp, udp } from any to any port 5800 keep state
pass in inet proto { tcp, udp } from any to any port 5900 keep state
pass out inet proto { tcp, udp } from any to any port 5900 keep state
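An added example (not part of Peter's post or of any reply to it) showing how the port-42 restriction he describes can be written so that it is evaluated on both interfaces the replication traffic crosses. The interface macros are taken from the post; the two host addresses are constructed placeholders inside the post's net2 and net3 ranges.

```pf
# Added example, not from the original post: restrict WINS replication
# (TCP/UDP port 42) to one host on net2 and one host on net3.
net2 = "fxp1"
net3 = "fxp0"
wins_net2 = "2.2.0.10"   # constructed placeholder address on net2
wins_net3 = "3.3.0.10"   # constructed placeholder address on net3

# Default deny, logged so that dropped packets show up on pflog0.
block in log all
block out log all

# A packet routed from net2 to net3 is filtered twice: inbound on the
# interface it arrives on ($net2) and outbound on the interface it
# leaves by ($net3).  With block-all as the default, both evaluations
# need a matching pass rule, so each flow is allowed in on one
# interface and out on the other.  Replication can be initiated from
# either WINS server, so the mirror image is written out as well.
pass in  on $net2 inet proto { tcp, udp } from $wins_net2 to $wins_net3 port 42 keep state
pass out on $net3 inet proto { tcp, udp } from $wins_net2 to $wins_net3 port 42 keep state
pass in  on $net3 inet proto { tcp, udp } from $wins_net3 to $wins_net2 port 42 keep state
pass out on $net2 inet proto { tcp, udp } from $wins_net3 to $wins_net2 port 42 keep state
```

Writing the rules in both directions on both interfaces makes the result independent of how the state table binds states to interfaces. `pfctl -nf /etc/pf.conf` checks the syntax without loading anything, `pfctl -sr` shows the rules as loaded, and with `log` on the block rules `tcpdump -n -e -ttt -i pflog0` shows which interface, direction and rule number dropped a replication packet, which is the quickest way to see which of the two evaluations is failing.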