
Six interfaces...



I believe I am fundamentally misunderstanding the way that pf functions.
The excellent man page and list archives I've viewed have not been able to
help me in my efforts to understand what exactly it is that I'm doing.
Fortunately I know exactly what I want to do.
I have a machine running 3.2-stable, with six nics, three currently active,
which I am using in an sqa environment. In my sqa environment, I want to
have knowledge of and the ability to control all aspects of what goes to and
from each host or interface.  So far, only my "from any to any" rules work
(icmp, dns, samba, web, vnc).  My rules involving specific hosts and/or
interfaces don't work.  For instance if I want to allow only port 42 open
between a host on net2 and another host on net3, my rule does not generate a
syntax error, but the WINS databases don't replicate.  I must use a "from
any to any" rule on those interfaces to pass traffic.  I have used every
combination of syntax that I could think of, without the expected result (I
won't include any of those many tries in the rule set below); that is why I
think I am missing something fundamental in my understanding of what is
really going on.
How would the readers of this list approach this situation?
Any advice is welcome.  
Please see my rule set below, and please excuse the tcp/udp and keep state
redundancies unless they are causing problems; I'll be cleaning those up.
I may have a somewhat unusual application for pf with 6 nics, and perhaps a
discussion will be helpful for others.  This machine is affectionately named
6nix.
Thanks very much indeed,
Peter Gorsuch
# pf.conf
#"net_" numbers:
#inova = 2.5.55.0/24
#net2  = 2.2.0.0/16
#net3  = 3.3.0.0/16
#net4  = unused
#net5  = unused
#net6  = unused
#VARIABLES:
inova="xl0"
net2="fxp1"
net3="fxp0"
net4="fxp2"
net5="fxp3"
net6="fxp4"
#NAT:
nat on xl0 inet from 2.2.0.0/16 to any -> 12.5.55.230 
nat on xl0 inet from 3.3.0.0/16 to any -> 12.5.55.230 
#add more nat rules if needed as segments are added...
######################################################
#Filter rules:
#block all by default:
block in all
block out all
###############################
#pass all for services as noted
###############################
#DNS:
pass out inet proto { tcp, udp } from any to any port 53 keep state
pass in inet proto { tcp, udp } from any to any port 53 keep state
#WEB:
pass in inet proto tcp from any to any port 80 keep state
pass out inet proto tcp from any to any port 80 keep state
pass in inet proto tcp from any to any port https keep state
pass out inet proto tcp from any to any port https keep state
#ICMP (ping, etc.):
pass in proto icmp from any to any keep state
pass out proto icmp from any to any keep state
#Samba:
pass in proto { tcp, udp } from any to any port 135 keep state
pass out proto { tcp, udp } from any to any port 135 keep state
pass in proto { tcp, udp } from any to any port 137 keep state
pass in proto udp from any to any port 138 keep state
pass in proto tcp from any to any port 139 keep state
pass out proto { udp, tcp } from any to any port 137 keep state
pass out proto udp from any to any port 138 keep state
pass out proto tcp from any to any port 139 keep state
pass in proto { tcp, udp } from any to any port 445 keep state
pass out proto { tcp, udp } from any to any port 445 keep state
#pass all: net2 and net3 (currently for WINS - need port 42)
pass in on $net2 inet proto tcp from any to any keep state
pass out on $net2 inet proto tcp from any to any keep state
pass in on $net3 inet proto tcp from any to any keep state
pass out on $net3 inet proto tcp from any to any keep state
#Unix printing:
pass out inet proto { tcp, udp } from $inova to any port 515 keep state
pass in inet proto { tcp, udp } from any to $inova port 515 keep state
pass out inet proto { tcp, udp } from $inova to any port 9100 keep state
pass in inet proto { tcp, udp } from any to $inova port 9100 keep state
#REMOTE CONTROL
# allow VNC on all interfaces listening for a connection:
pass in inet proto { tcp, udp } from any to any port 5800 keep state
pass out inet proto { tcp, udp } from any to any port 5800 keep state
pass in inet proto { tcp, udp } from any to any port 5900 keep state
pass out inet proto { tcp, udp } from any to any port 5900 keep state
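The post asks for a rule that opens only port 42 between one host on net2 and one host on net3 instead of the "from any to any" rules on $net2 and $net3 above. The fragment below is an added example written for this thread, not part of Peter's pf.conf. It keeps the post's interface macros and net2/net3 ranges; the two WINS server addresses are constructed for illustration, and it assumes WINS replication uses TCP port 42 as the post states. The point it shows is that a packet the box forwards from net2 to net3 is filtered twice, once inbound on $net2 and once outbound on $net3, so a rule bound to one interface by itself only covers half of the path. Both halves are written out explicitly for each direction, so the rules do not depend on how the state table treats interfaces.

```pf
# Added example (not from the original post): interface-specific rules for
# WINS replication on TCP port 42 between one host on net2 and one on net3.
# Host addresses are constructed; only the interface names and the
# net2/net3 ranges come from the post.
net2="fxp1"
net3="fxp0"
wins2="2.2.0.10"      # assumed WINS server on net2 (constructed)
wins3="3.3.0.10"      # assumed WINS server on net3 (constructed)

# Default deny. "log" copies every rejected packet to pflog0, so a rule that
# is not matching can be seen being dropped instead of guessed at.
block in log all
block out log all

# net2 -> net3: the same packet is seen inbound on $net2 and outbound on $net3.
pass in  on $net2 inet proto tcp from $wins2 to $wins3 port 42 keep state
pass out on $net3 inet proto tcp from $wins2 to $wins3 port 42 keep state

# net3 -> net2: replication is initiated from either side, so mirror it.
pass in  on $net3 inet proto tcp from $wins3 to $wins2 port 42 keep state
pass out on $net2 inet proto tcp from $wins3 to $wins2 port 42 keep state
```

Rules are evaluated top to bottom and the last matching rule wins (unless a rule says `quick`), so these pass rules have to come after the block rules, as in the original rule set. Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then run `tcpdump -n -e -ttt -i pflog0` while a replication is attempted: each logged drop shows the interface, direction and rule number that rejected the packet, which tells you directly whether the inbound or the outbound half of the path is the one still missing.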