
pf between two lans and passing dhcp through
Hi all.

I've got two networks set up: 10.10.11.x and 10.10.10.x. I have an obsd 3.3 firewall between the two, and I am blocking:
255.255.255.255, 10.10.10.255, 10.10.11.255, bootps, bootpc, and even tried blocking all udp.

But DHCP is still being passed through, which it should not be doing. So people on the 10.10.11.x net are getting 10.10.10.x addresses and 10.10.10.x network people are getting 10.10.11.x addresses.


Does anyone have any ideas why this is happening? And how to stop it?

I've attached my pf.conf.  If you need more info, please let me know.  If you would like log files, then let me know what kind, and how to obtain them, as I'm new to playing with tcpdump and the like.


Thanks!
-- Steve

#       $OpenBSD: pf.conf,v 1.19 2003/03/24 01:47:28 ian Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Macros: define common values, so they can be referenced and changed easily.
lan_if="rl0"  # internal (10.10.10.x) interface; replace with the actual name, e.g. dc0
wan_if="rl1"  # external (10.10.11.x) interface; replace with the actual name, e.g. dc1
lan_addr="10.10.10.1"
lan_net="10.10.10.0/24"
wan_addr="10.10.11.2"
wan_net="10.10.11.0/24"  # network address (the posted file had the host form 10.10.11.1/24)
wan_license_server="10.10.11.14"
lan_license_server="10.10.10.13"
table <lan_nat_addr> { 10.10.10.129/25 }
table <wan_nat_addr> { 10.10.11.29/25 }
#table <license_ports> { 27000, 2013 }
# Options: tune the behavior of pf, default values are given.
#set timeout { interval 30, frag 10 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
nat on $wan_if from $lan_net to any -> ($wan_if)
rdr inet proto tcp from any to 10.10.11.2 port smtp -> 10.10.10.2
rdr inet proto tcp from any to 10.10.11.2 port 1723 -> 10.10.10.10
#rdr inet proto tcp from $wan_net to $wan_license_server port <license_ports> -> $lan_license_server
# Filtering: pf's default is to pass everything; these two rules make that
# explicit. The block rules below take precedence because, without "quick",
# the last matching rule wins.
pass out all
pass in all
# Keep host 10.10.10.10 from sending out through either interface
block out log on $lan_if from 10.10.10.10 to any
block out log on $wan_if from 10.10.10.10 to any
# Drop limited (255.255.255.255) and directed broadcasts, both directions,
# both interfaces
block in log on $lan_if from any to 255.255.255.255
block out log on $wan_if from any to 255.255.255.255
block in log on $wan_if from any to 255.255.255.255
block out log on $lan_if from any to 255.255.255.255
block in log on $wan_if from any to 10.10.10.255
block in log on $lan_if from any to 10.10.10.255
block out log on $wan_if from any to 10.10.10.255
block out log on $lan_if from any to 10.10.10.255
block in log on $wan_if from any to 10.10.11.255
block in log on $lan_if from any to 10.10.11.255
block out log on $wan_if from any to 10.10.11.255
block out log on $lan_if from any to 10.10.11.255
# Keep NetBIOS (137-139, tcp and udp) from crossing between the two networks
block out on $lan_if proto tcp from any to any port 137
block out on $lan_if proto tcp from any to any port 138
block out on $lan_if proto tcp from any to any port 139
block in on $wan_if proto tcp from any to any port 137
block in on $wan_if proto tcp from any to any port 138
block in on $wan_if proto tcp from any to any port 139
block out on $lan_if proto udp from any to any port 137
block out on $lan_if proto udp from any to any port 138
block out on $lan_if proto udp from any to any port 139
block in on $wan_if proto udp from any to any port 137
block in on $wan_if proto udp from any to any port 138
block in on $wan_if proto udp from any to any port 139
#block in on $wan_if from 10.10.11.5 to $lan_addr port smtp
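As an added example (not part of Steve's post or of OpenBSD), a small Python model of the filter section of the pf.conf above under pf's last-match semantics, to check which rule a given packet would hit. The client address 10.10.10.50 and server address 10.10.11.1 in the sample packets are assumed, not from the post. It shows that the broadcast rules do match a client DHCPDISCOVER, while a unicast DHCP packet (for example a renewal sent directly to the server) matches only the pass rules, since the attached file contains no rule on bootps/bootpc.

```python
import ipaddress
from dataclasses import dataclass

LAN_IF, WAN_IF = "rl0", "rl1"   # $lan_if / $wan_if from the posted pf.conf
BCAST = "255.255.255.255"

@dataclass
class Rule:
    action: str      # "pass" or "block"
    direction: str   # "in", "out" or "any"
    iface: str       # interface name or "any"
    proto: str       # "tcp", "udp" or "any"
    src: str         # host, network or "any"
    dst: str         # host, network or "any"
    dport: int = 0   # destination port, 0 = any port

# Filter section of the posted pf.conf. Same-action rules are built in loops;
# since the last match wins, their order relative to each other does not matter.
RULES = [Rule("pass", "out", "any", "any", "any", "any"),
         Rule("pass", "in", "any", "any", "any", "any"),
         Rule("block", "out", LAN_IF, "any", "10.10.10.10", "any"),
         Rule("block", "out", WAN_IF, "any", "10.10.10.10", "any")]
for bcast in (BCAST, "10.10.10.255", "10.10.11.255"):        # broadcast blocks
    for ifc in (LAN_IF, WAN_IF):
        for d in ("in", "out"):
            RULES.append(Rule("block", d, ifc, "any", "any", bcast))
for proto in ("tcp", "udp"):                                 # NetBIOS blocks
    for port in (137, 138, 139):
        RULES.append(Rule("block", "out", LAN_IF, proto, "any", "any", port))
        RULES.append(Rule("block", "in", WAN_IF, proto, "any", "any", port))

def addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r: Rule, pkt: tuple) -> bool:
    direction, ifc, proto, src, dst, dport = pkt
    return (r.direction in ("any", direction) and r.iface in ("any", ifc)
            and r.proto in ("any", proto) and addr_match(r.src, src)
            and addr_match(r.dst, dst) and r.dport in (0, dport))

def decide(pkt: tuple):
    """No 'quick' here, so pf evaluates every rule and the LAST match wins
    (None = nothing matched, which pf treats as pass)."""
    last = None
    for r in RULES:
        if matches(r, pkt):
            last = r
    return last

# Constructed packets: (direction, interface, proto, src, dst, dst port)
DISCOVER = ("in", LAN_IF, "udp", "0.0.0.0", BCAST, 67)          # client DHCPDISCOVER
RENEW = ("in", LAN_IF, "udp", "10.10.10.50", "10.10.11.1", 67)  # unicast renewal, assumed server
```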