
Ruleset Problem



I am having an odd problem and I am hoping someone on the list can point out
my error. Here is my pf.conf. The keep state on the icmp doesn't seem to be
working; it won't pass the packets out. I.e. I am on host 10.0.0.51, I ping
10.0.4.1 (a routing table entry is present for this net) and it won't ping it,
but if I ping 10.0.0.1 (fxp1) then it will allow the packet and let it return.
I think it is something really simple that I am overlooking but I can't figure
it out. Any help is appreciated.
#OpenBSD 3.3
#macros
#interfaces
eth0="fxp0"
eth1="fxp1"
eth2="fxp2"
#lan segment ips
lan1="10.0.0.0/24"
lan2="10.0.1.0/24"
loc="127.0.0.1/8"
#ip's to block
badip="0.0.0.0/8, 169.254.0.0/16, 172.16.0.0/12, 172.31.0.0/16, 192.168.0.0/16, 224.0.0.0/3, 255.255.255.255/32"
lanip="10.0.0.0/8"
# Normalize: reassemble fragments and resolve or reduce traffic ambiguities
scrub in all
scrub out all
# nat rules for both lan segments
nat on $eth0 from $lan1 to any -> $eth0
nat on $eth0 from $lan2 to any -> $eth0
# rdr port mapping rules if needed
# rdr on eth0 proto tcp from any to 192.168.1.1/32 port 1234 -> 10.1.1.1 port 5678
# filter rules
#block all in-out
block in log all
block out log all
block in on $eth0 inet proto {tcp, udp} from any to any port 136 >< 140
#allow for dhcp
pass in on $eth0 inet proto {tcp, udp} from any to $eth0 port 67
#allow outgoing traffic from Internet nic to internet if initiated from Internet nic.
pass out on $eth0 inet proto tcp from $eth0 to any modulate state
pass out on $eth0 inet proto udp from $eth0 to any keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state
#allow nat for both lan segments only if lan segments initiate request.
pass out on $eth0 inet proto tcp from $lan1 to any modulate state
pass out on $eth0 inet proto udp from $lan1 to any keep state
pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
pass out on $eth0 inet proto tcp from $lan2 to any modulate state
pass out on $eth0 inet proto udp from $lan2 to any keep state
pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state
#allow requests from segment 1 to segment 2 or internet only if segment 1 requests it.
pass in on $eth1 inet proto tcp from $lan1 to any modulate state
pass in on $eth1 inet proto udp from $lan1 to any keep state
pass in on $eth1 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state
#allow requests from segment 2 to segment 1 or internet only if segment 2 requests it.
pass in on $eth2 inet proto tcp from $lan2 to any modulate state
pass in on $eth2 inet proto udp from $lan2 to any keep state
pass in on $eth2 inet proto icmp from { $lan1, $loc } to any icmp-type 8 code 0 keep state
#deny requests out to internet for bad ip's
block out on $eth0 inet from any to { $badip, $lanip, $loc }
block out on $eth1 inet from any to { $badip }
block out on $eth2 inet from any to { $badip }
Amir Seyavash Mesry 
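An added example, not part of the post above: because the ruleset logs every block (`block in log all`, `block out log all`), the rule that drops the echo request to 10.0.4.1 can be read off pflog0 instead of guessed. This script parses lines in the layout that `tcpdump -n -e -ttt -i pflog0` prints and reports which rule number, direction and interface dropped a given flow; the line layout is assumed, the sample lines and rule numbers are constructed, and the rule number is the rule's zero-based position in `pfctl -sr` output.

```python
import re
from collections import Counter

# Constructed sample of what "tcpdump -n -e -ttt -i pflog0" prints for the
# "block ... log" rules above (rule numbers and addresses are made up here).
SAMPLE_PFLOG = """\
000000 rule 1/0(match): block out on fxp0: 10.0.0.51 > 10.0.4.1: icmp: echo request
000412 rule 1/0(match): block out on fxp0: 10.0.0.51 > 10.0.4.1: icmp: echo request
001003 rule 0/0(match): block in on fxp0: 203.0.113.9.4444 > 10.0.0.1.139: S 1:1(0) win 512
"""

# Assumed layout: "rule N/M(match): <action> <dir> on <if>: <src>[.<port>] > <dst>[.<port>]: ..."
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) on "
    r"(?P<ifname>\w+): (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)


def parse_pflog(text):
    """Yield one dict per pflog line that matches the layout; others are skipped."""
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if m:
            yield m.groupdict()


def blocked_by_rule(text):
    """Count dropped packets per (rule number, direction, interface)."""
    counts = Counter()
    for e in parse_pflog(text):
        if e["action"] == "block":
            counts[(int(e["rule"]), e["dir"], e["ifname"])] += 1
    return counts


def blocked_flow(text, src, dst):
    """Return the sorted (rule, dir, if) entries that dropped traffic src -> dst."""
    hits = {(int(e["rule"]), e["dir"], e["ifname"])
            for e in parse_pflog(text)
            if e["action"] == "block" and e["src"] == src and e["dst"] == dst}
    return sorted(hits)


if __name__ == "__main__":
    for (rule, direction, ifname), n in sorted(blocked_by_rule(SAMPLE_PFLOG).items()):
        print(f"rule {rule} block {direction} on {ifname}: {n} packet(s)")
    # The failing ping from the post: which rule dropped it, and on which interface?
    print(blocked_flow(SAMPLE_PFLOG, "10.0.0.51", "10.0.4.1"))
```

Feed it real pflog0 output and compare the reported rule number against `pfctl -sr` to see whether the drop comes from the catch-all `block out log all` or from the later `block out on $eth0 ... to { $badip, $lanip, $loc }` rule, which matters because the last matching rule wins in pf.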