
Config file weirdness
Hello,
I'm rather new to pf :-) having just upgraded our firewall from obsd
3.9 to 3.2.  The firewall was configured by a previous admin with five
interfaces, one each to the Internet, web server, student quarters,
administrative LAN, and proxy server - all the public addresses are
bound to the fxp0 (internet) interface and are rdr'd and/or natted to
the outside world.
In the ipf ruleset, we had a setup similar to the following (the full
config file is *much* too long to list here...)
block in quick on fxp3 all head 40
  block in quick on fxp3 from !172.16.3.4/30 to any group 40
  pass in quick on fxp3 proto tcp/udp from 172.16.3.6 to 10.10.1.2 port = 53 keep state group 40
  pass out quick on fxp3 proto tcp/udp from any to 172.16.3.6 port = 137 keep state group 40
  pass out quick on fxp3 proto tcp/udp from any to 172.16.3.6 port = 138 keep state group 40
  pass out quick on fxp3 proto tcp/udp from any to 172.16.3.6 port = 139 keep state group 40
  pass out quick on fxp3 proto tcp/udp from any to 172.16.3.6 port = 80 keep state group 40
  pass out quick on fxp3 proto tcp/udp from any to 172.16.3.6 port = 445 keep state group 40
  pass in quick on fxp3 proto tcp from 172.16.3.6 to 172.16.1.6 port = 3128 flags S keep state group 40
  pass in quick on fxp3 proto tcp from 172.16.3.6 to any port = 25 flags S keep state group 40
I know from reading that the head/group syntax has gone away, and to
order the rules in such a way as to allow skip steps to do most of the
heavy lifting for me.  This gives me a ruleset that (for the same
interface) looks like this:
# web server segment - fxp3
block in quick on fxp3 from !172.16.3.4/30 to any
pass in quick on fxp3 proto { tcp, udp } from 172.16.3.6 to 10.10.1.2 port = 53 keep state
pass out quick on fxp3 proto { tcp, udp } from any to 172.16.3.6 port = 137 keep state
pass out quick on fxp3 proto { tcp, udp } from any to 172.16.3.6 port = 138 keep state
pass out quick on fxp3 proto { tcp, udp } from any to 172.16.3.6 port = 139 keep state
pass out quick on fxp3 proto { tcp, udp } from any to 172.16.3.6 port = 80 keep state
pass out quick on fxp3 proto { tcp, udp } from any to 172.16.3.6 port = 445 keep state
pass in quick on fxp3 proto tcp from 172.16.3.6 to 172.16.1.6 port = 3128 flags S/SA keep state
pass in quick on fxp3 proto tcp from 172.16.3.6 to any port = 25 flags S/SA keep state
# block in quick on fxp3 all
However, if I uncomment the last line (block in quick...) then all
traffic to this segment stops.  I'm specifically allowing in traffic
from the internal LAN on ports 137-139, but it won't go through if I
have a "default deny" rule at the bottom of the interface section, or at
the bottom of the config file.  What have I missed?
(BTW - I'm willing to post or e-mail the full config file, if that
helps...)
--Greg
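The question above turns on pf's evaluation order: the last matching rule wins, except that a matching rule marked quick ends evaluation on the spot; a packet that matches an existing state entry never consults the ruleset at all; and when no rule matches, pf passes the packet (skip steps only speed up this walk, they do not change its result). The toy model below is an added example, not pf and not the poster's code: it parses the subset of pf.conf syntax used in the fxp3 ruleset, walks constructed packets through it with and without the trailing default deny, and reports which rule (or state) decided each one. The 5-tuple state key, the LAN host 172.16.1.10 and the address 203.0.113.9 are assumptions made for the demonstration.

```python
"""Toy model of pf rule evaluation (added example, not pf itself): last match
wins unless 'quick' stops the walk; state matches bypass the ruleset; no match
means pass. Constructed addresses 172.16.1.10 and 203.0.113.9 are assumptions."""
import ipaddress
import re
from collections import namedtuple

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\{[^}]*\}|\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)(?:\s+port\s*=\s*(?P<port>\d+))?)?"
    r"(?:\s+flags\s+(?P<flags>\S+))?(?P<state>\s+keep\s+state)?\s*$")

# protos: empty set means any protocol; flags "S/SA": of S and A, only S may be set
Rule = namedtuple("Rule", "action direction quick iface protos src dst dport flags keep_state")
# flags holds the TCP flag letters of the packet, e.g. "S" or "SA"
Packet = namedtuple("Packet", "direction iface proto src sport dst dport flags", defaults=("",))

def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule syntax: {line!r}")
    protos = set(re.findall(r"\w+", m["proto"])) if m["proto"] else set()
    return Rule(m["action"], m["dir"], bool(m["quick"]), m["iface"], protos,
                m["src"] or "any", m["dst"] or "any",
                int(m["port"]) if m["port"] else None, m["flags"], bool(m["state"]))

def addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("!"):                       # negated address, as in !172.16.3.4/30
        return not addr_matches(spec[1:], addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def flags_match(spec: str, pkt_flags: str) -> bool:
    want, _, mask = spec.partition("/")
    mask = mask or want                            # bare "S" treated as "S/S" (assumption)
    return {f for f in pkt_flags if f in mask} == set(want)

def rule_matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction and r.iface == p.iface
            and (not r.protos or p.proto in r.protos)
            and addr_matches(r.src, p.src) and addr_matches(r.dst, p.dst)
            and (r.dport is None or r.dport == p.dport)
            and (r.flags is None or (p.proto == "tcp" and flags_match(r.flags, p.flags))))

class Firewall:
    def __init__(self, rules):
        self.rules, self.states = rules, set()

    def evaluate(self, p: Packet):
        """Return (action, index of the deciding rule, or 'state' / None)."""
        key = (p.proto, p.src, p.sport, p.dst, p.dport)
        if key in self.states:
            return "pass", "state"                 # state match bypasses the ruleset
        last = None
        for i, r in enumerate(self.rules):
            if rule_matches(r, p):
                last = i
                if r.quick:
                    break                          # quick: stop at the first match
        if last is None:
            return "pass", None                    # no rule matched: pf default is pass
        r = self.rules[last]
        if r.action == "pass" and r.keep_state:    # record both directions of the flow
            self.states.add(key)
            self.states.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return r.action, last

# The poster's fxp3 rules, unwrapped, with the trailing default deny uncommented.
FXP3_RULES = [
    "block in quick on fxp3 from !172.16.3.4/30 to any",
    "pass in quick on fxp3 proto { tcp, udp } from 172.16.3.6 to 10.10.1.2 port = 53 keep state",
    "pass out quick on fxp3 proto { tcp, udp } from any to 172.16.3.6 port = 137 keep state",
    "pass out quick on fxp3 proto { tcp, udp } from any to 172.16.3.6 port = 138 keep state",
    "pass out quick on fxp3 proto { tcp, udp } from any to 172.16.3.6 port = 139 keep state",
    "pass out quick on fxp3 proto { tcp, udp } from any to 172.16.3.6 port = 80 keep state",
    "pass out quick on fxp3 proto { tcp, udp } from any to 172.16.3.6 port = 445 keep state",
    "pass in quick on fxp3 proto tcp from 172.16.3.6 to 172.16.1.6 port = 3128 flags S/SA keep state",
    "pass in quick on fxp3 proto tcp from 172.16.3.6 to any port = 25 flags S/SA keep state",
    "block in quick on fxp3 all",
]

def demo(with_default_deny: bool = True):
    """Walk three constructed packets through the ruleset and return the verdicts."""
    rules = FXP3_RULES if with_default_deny else FXP3_RULES[:-1]
    fw = Firewall([parse_rule(r) for r in rules])
    lan_syn = Packet("out", "fxp3", "tcp", "172.16.1.10", 40000, "172.16.3.6", 137, "S")
    reply = Packet("in", "fxp3", "tcp", "172.16.3.6", 137, "172.16.1.10", 40000, "SA")
    unsolicited = Packet("in", "fxp3", "tcp", "172.16.3.6", 40001, "203.0.113.9", 22, "S")
    return fw.evaluate(lan_syn), fw.evaluate(reply), fw.evaluate(unsolicited)

if __name__ == "__main__":
    print(demo(True), demo(False))
```

In the model, the LAN host's SYN to port 137 is passed by the quick rule for 137 and creates state, the web server's SYN/ACK reply is passed by that state without the ruleset ever being consulted, and only traffic no pass rule covers (here an unsolicited connection from the web server to port 22) reaches the trailing block. Without the trailing block that same unsolicited packet passes, which is the reason a default deny belongs there. Because the model does not reproduce "all traffic stops", the useful next step on the real box is to compare it against what pf actually loaded and tracked, via `pfctl -s rules` and `pfctl -s state`.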