
dmz



Hi folks! I'm currently setting up my OpenBSD 3.2 box as my network firewall. It's now working fine, but I'm having a little bit of a problem right now. I hope you folks can help me with this. I have the box configured as follows.






                 |--------------|
(internet)-------| OpenBSD 3.2  |---(LAN/192.168.9.0/24)
                 |    NAT/PF    |
                 |              |---(DMZ/192.168.2.0/24)
                 |--------------|


Now my problem is this...


1.) I can't ssh to my servers on the DMZ, e.g. ssh [email protected],
so I can manage the mail server (192.168.2.3) from my workstation (192.168.9.23). I can ssh from 192.168.9.23 to 192.168.2.1 but I can't ssh from 192.168.2.1 to 192.168.2.. Here's the error message...

bash-2.05a# ssh [email protected]
ssh: connect to host 192.168.2.3 port 22: No route to host


Is there something I'm missing? Here's my routing table...


bash-2.05a# netstat -r
Routing tables

Internet:
Destination         Gateway            Flags   Refs     Use    Mtu  Interface
default             203.177.19.201     UGS        0   94765      -  fxp2
loopback            localhost          UGRS       0       0  33224  lo0
localhost           localhost          UH         2     319  33224  lo0
192.168.2/24        link#2             UC         0       0      -  fxp1
192.168.2.1         0:d0:b7:af:9c:43   UHL        0      28      -  lo0
192.168.2.3         0:50:da:b9:fc:d0   UHL        0     414      -  fxp1
192.168.9/24        link#1             UC         0       0      -  fxp0
192.168.9.1         0:d0:b7:e:ba:70    UHL        0      20      -  lo0
192.168.9.3         0:60:8:52:dc:9c    UHL        0       2      -  fxp0
192.168.9.4         link#1             UHL        1    1481      -  fxp0
192.168.9.230       0:1:3:44:fa:fc     UHL        4  108430      -  L fxp0
203.177.19/24       link#3             UC         0       0      -  fxp2
fw                  localhost          UGHS       0       0  33224  lo0
203.177.19.201      0:2:16:f2:f:51     UHL        1       5      -  fxp2
203.177.19.202      0:d0:b7:b2:77:1a   UHL        0      19      -  lo0
203.177.19.203      0:1:2:89:8a:66     UHL        0      46      -  fxp2
BASE-ADDRESS.MCAST  localhost          URS        0       0  33224  lo0



2.) Is it possible for my internal LAN (192.168.9.0/24) to access some servers on my DMZ (192.168.2.0/24)? I want my LAN users to access the smtp/pop server locally (local users won't access it from the internet to retrieve/receive email), but I also want it to be accessible to our remote/mobile users.


Here's my pf.conf ...

#########################################################
# Variables
#
# PF supports variables expansion, modelled after
# that of the shell. We define some variables that
# we'll use later in the ruleset.
#
# Available Interfaces
EXT_IF= "fxp2"
INT_IF= "fxp0"
DMZ_IF= "fxp1"
# Configured Networks
EXT= "203.177.19.0/24"
INT= "192.168.9.0/24"
DMZ= "192.168.2.0/24"
# Firewall IP Address
FW= "203.177.19.202"
# DMZ Servers IP Addresses
WEB_DMZ= "192.168.2.2"
WEB_EXT= "206.177.19.206"
MAIL_DMZ= "192.168.2.3"
MAIL_EXT= "203.177.19.205"
DNS_DMZ= "192.168.2.3"
DNS_EXT= "203.177.19.205"
# Special Networks/Hosts
RESERVED= "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }"
TRUSTED= "{ 192.168.9.0/24, 192.168.2.0/24 }"



#########################################################
# Packets normalization
#
# Since some IP stacks don't correctly implement IP
# packets defragmentation, OpenBSD PF provides the scrub
# directive. For packets matching the rule, the PF
# normalization component makes sure they are defragmented
# and completely stripped of all abnormalities before they
# are sent along to their final destination.
#
# NOTE: using the scrub directive uses quite an amount
# of server resources, so its use should be limited to
# protecting only the weak TCP/IP stack implementations
# (or to prevent NIDS evasion through IP fragmentation).
#
scrub in all
#scrub out all


#########################################################
# NAT: IP Masquerading (many-to-one mapping)
#
# Masquerade the hosts in the Internal network, dynamically
# changing packets as they traverse the external interface.
# This allows a single IP address on the translating host
# to support network traffic for a larger range of machines
# on an inside network.
#
nat on $EXT_IF inet from $INT to any -> $FW


#########################################################
# NAT: Bi-directional NAT (one-to-one mapping)
#
# The following rules publish the DMZ servers to
# the external network. Remember that to be genuinely
# useful, binat should be used in conjunction with
# either proxy arp, or ifconfig(8) aliases. See the
# pf.conf(5) man page for details.
#
# WEB Server in DMZ
binat on $EXT_IF inet from $WEB_DMZ to any -> $WEB_EXT
binat on $INT_IF inet from $WEB_DMZ to any -> $WEB_EXT
# MAIL Server in DMZ
binat on $EXT_IF inet from $MAIL_DMZ to any -> $MAIL_EXT
binat on $INT_IF inet from $MAIL_DMZ to any -> $MAIL_EXT
# DNS Server in DMZ
binat on $EXT_IF inet from $DNS_DMZ to any -> $DNS_EXT
binat on $INT_IF inet from $DNS_DMZ to any -> $DNS_EXT


#########################################################
# NAT: FTP Application Proxy
#
# The following rule activates the FTP proxy for the
# masqueraded hosts (note: the proxy should be disabled
# for traffic going to the hosts published by binat).
# With PF comes ftp-proxy(8), to run it with this
# configuration we need to put the following line
# (uncommented) in /etc/inetd.conf:
#
# 127.0.0.1:8081 stream tcp nowait root /usr/libexec/ftp-proxy ftp-proxy
#
rdr on $INT_IF inet proto tcp from any to !$EXT port 21 -> 127.0.0.1 port 8081


#########################################################
# PF: Default policy (very restrictive)
#
# Set the default policy for INBOUND and OUTBOUND traffic
# on every interface. Basically, block everything, logging
# incoming blocked packets. For TCP and UDP protocols,
# return the replies specified by the RFCs.
#
block in log all
block return-rst in log inet proto tcp all
block return-icmp in log inet proto udp all
block out all
block return-rst out inet proto tcp all
block return-icmp out inet proto udp all


#########################################################
# PF: Trusted interfaces
#
# Take care of the trusted interfaces, allowing all
# traffic to/from the specified networks:
#
# Allow all loopback traffic
pass in quick on lo0 all
pass out quick on lo0 all
# Allow all internal traffic
pass in quick on $INT_IF all
pass out quick on $INT_IF all
# Allow outgoing DMZ traffic (not to Internal Network!)
pass in quick on $DMZ_IF inet from $DMZ to !$INT keep state


#########################################################
# PF: EGRESS filtering
#
# Filter outbound traffic that doesn't have our address
# as source: the packets are either spoofed or something
# is misconfigured (i.e. NAT is disabled). We want to be
# nice and don't send out garbage.
#
block out quick on $EXT_IF inet from !$EXT to any


#########################################################
# PF: Anti-spoofing
# Block IP spoofing attacks from the Evil Internet,
# filtering all packets coming from reserved address
# space (most likely spoofed or misconfigured).
# Obviously, we can't reply to them.
#
block in quick on $EXT_IF inet from $RESERVED to any


#########################################################
# PF: ICMP traffic
#
# Handle ICMP traffic. Allow everything directed to the
# Internet from INT/DMZ and related replies. Allow ICMP
# packets directed to the DMZ servers. Block all other
# ICMP packets.
#
# Enable Internet Access
pass out on $EXT_IF inet proto icmp from $EXT to any keep state
# Enable DMZ Access
pass in on $EXT_IF inet proto icmp from any to $DMZ keep state
pass out on $DMZ_IF inet proto icmp from any to $DMZ keep state
pass in on $DMZ_IF inet proto icmp from any to $DMZ keep state

#########################################################
# PF: UDP traffic
#
# Handle UDP traffic. Allow everything directed to the
# Internet from INT/DMZ and related replies. Allow DNS
# queries to the DNS server in DMZ. Block all other
# UDP packets.
#
# Enable Internet Access
pass out on $EXT_IF inet proto udp from $EXT to any keep state
# Enable DMZ DNS Server Access
pass in on $EXT_IF inet proto udp from any to $DNS_DMZ port 53 keep state
pass out on $DMZ_IF inet proto udp from any to $DNS_DMZ port 53 keep state


#########################################################
# PF: TCP traffic
#
# Handle TCP traffic. Allow everything directed to the
# Internet from INT/DMZ and related replies. Allow
# specific TCP traffic directed to WEB and MAIL servers
# in DMZ. Also allow the backchannel connections
# related to ftp-proxy(8) and incoming traffic to the
# SSH remote administration server coming from
# trusted addresses (see TRUSTED variable). All other
# TCP packets are blocked.
#
# NOTE: the specification of "flags S/SA" allow us to
# accept only TCP packets with SYN flag (and not ACK)
# set. This is more restrictive than "flags S/S".
#
# FTP Proxy
pass in on $EXT_IF inet proto tcp from any to $FW user proxy keep state
# Remote Management
pass in on $EXT_IF inet proto tcp from $TRUSTED to $FW port 22 flags S/SA keep state
# Enable Internet Access
pass out on $EXT_IF inet proto tcp from $EXT to any flags S/SA keep state
# Enable DMZ WEB Server Access
pass in on $EXT_IF inet proto tcp from any to $WEB_DMZ port {21,80} flags S/SA keep state
pass out on $DMZ_IF inet proto tcp from any to $WEB_DMZ port {21,80} flags S/SA keep state
# Enable DMZ MAIL Server Access
pass in on $EXT_IF inet proto tcp from any to $MAIL_DMZ port {25,110} flags S/SA keep state
pass out on $DMZ_IF inet proto tcp from any to $MAIL_DMZ port {25,110} flags S/SA keep state




TIA!!!


jeff...
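As an added example (my own code, not from the post above or from the OpenBSD project), here is a small Python model of how pf evaluates the ruleset in this thread: rules are walked in order, the last matching rule wins unless a matching rule carries "quick", and a routed packet has to pass both inbound on the interface it enters and outbound on the interface it leaves. The rule list is a constructed, hand-reduced copy of only those rules from the poster's pf.conf that can touch firewall/LAN/DMZ traffic; interface names, addresses and ports are taken from the post.

```python
from ipaddress import ip_address, ip_network

# Constructed, hand-reduced copy of the poster's ruleset (firewall, LAN on
# fxp0, DMZ on fxp1 only). "log", "return-rst"/"return-icmp" and "keep state"
# are dropped: they do not change the pass/block verdict of a first packet.
INT, DMZ = ip_network("192.168.9.0/24"), ip_network("192.168.2.0/24")
WEB_DMZ, MAIL_DMZ = ip_network("192.168.2.2/32"), ip_network("192.168.2.3/32")
ANY = ip_network("0.0.0.0/0")

# (action, direction, quick, iface, proto, src, dst, dst_ports); None = any,
# a ("!", net) tuple negates the address test like pf's "!" operator.
RULES = [
    ("block", "in",  False, None,   None,  ANY, ANY,        None),      # block in log all
    ("block", "out", False, None,   None,  ANY, ANY,        None),      # block out all
    ("pass",  "in",  True,  "fxp0", None,  ANY, ANY,        None),      # pass in quick on $INT_IF all
    ("pass",  "out", True,  "fxp0", None,  ANY, ANY,        None),      # pass out quick on $INT_IF all
    ("pass",  "in",  True,  "fxp1", None,  DMZ, ("!", INT), None),      # pass in quick on $DMZ_IF from $DMZ to !$INT
    ("pass",  "out", False, "fxp1", "tcp", ANY, WEB_DMZ,    {21, 80}),  # pass out on $DMZ_IF ... to $WEB_DMZ
    ("pass",  "out", False, "fxp1", "tcp", ANY, MAIL_DMZ,   {25, 110}), # pass out on $DMZ_IF ... to $MAIL_DMZ
]

def _addr_matches(addr, spec):
    negate = isinstance(spec, tuple)
    net = spec[1] if negate else spec
    return (ip_address(addr) in net) != negate

def verdict(direction, iface, proto, src, dst, dport, rules=RULES):
    """pf filter semantics: rules are walked in order and the LAST matching
    rule wins, except that a matching 'quick' rule ends the walk at once."""
    result = "pass"   # pf's implicit default when no rule matches at all
    for action, rdir, quick, riface, rproto, rsrc, rdst, rports in rules:
        if rdir != direction or (riface and riface != iface) or (rproto and rproto != proto):
            continue
        if not _addr_matches(src, rsrc) or not _addr_matches(dst, rdst):
            continue
        if rports and dport not in rports:
            continue
        result = action
        if quick:
            break
    return result

def forwarded(in_iface, out_iface, proto, src, dst, dport):
    """A routed packet is filtered twice: inbound on the interface it arrives
    on and outbound on the one it leaves by; both verdicts must be 'pass'."""
    v_in = verdict("in", in_iface, proto, src, dst, dport)
    v_out = verdict("out", out_iface, proto, src, dst, dport)
    return "pass" if v_in == v_out == "pass" else "block"
```

Running verdict("out", "fxp1", "tcp", "192.168.2.1", "192.168.2.3", 22) shows what a firewall-originated connection into the DMZ gets from this ruleset; a locally generated packet that pf drops is reported to the sending socket as EHOSTUNREACH, which ssh prints as "No route to host".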