Dual transparent bridge configuration problem with pf.


I am trying to work out this configuration.

|INTERNET|<------->|bridge0|<---->|WAN SWITCH|<--->|NAS DEVICE|<--->|bridge1|<--->|WIFI SWITCH|<-->Clients through APs.

As you can see I have bridge0 to protect our servers from Internet attacks. The configuration is working pretty well; my problem was that users entering through the WIFI APs could reach the servers without any filtering done, and this was quite dangerous, so I installed bridge1 on the same server as bridge0 (one OpenBSD box with 5 NICs: 2 for bridge0, 2 for bridge1 and 1 for remote access to the firewall).

My bridge0 configuration works nicely; my problem comes with bridge1 (I don't know if bridge0 has something to do with this). What I need to do is let pass anything that is coming from the WIFI switch without restriction EXCEPT the traffic destined for several machines in the WAN switch.

My configuration looks something like this:

|NAS DEVICE|<---> xl2 <-- BRIDGE--> fxp0 <--> |WIFI_SWITCH|

wifi_ext_if = "xl2"
wifi_int_if = "fxp0"

# Pass all traffic from wifi_ext_if to wifi_int_if to filter in that one.
pass in quick on $wifi_ext_if all
pass out quick on $wifi_ext_if all

pass in on $wifi_int_if all
pass out on $wifi_int_if all

servidores = "{,, }"

block out log on $wifi_int_if proto tcp from any to $servidores port { 135, 137, 138, 139, 1443 }
block out log on $wifi_int_if proto udp from any to $servidores port { 135, 137, 138, 139 }
block return out log on $wifi_int_if proto tcp from any to port= 110

What I intend to do is limit only the traffic to $servidores on those ports, leaving the rest of the services intact.

What am I doing wrong?
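The following is an added, corrected rule set for the bridge1 half, written as an illustration and not taken from the original post. It assumes the usual transparent-bridge behaviour of pf, where a frame from a WIFI client is filtered first "in" on fxp0 and then "out" on xl2, so the block rules must be written for the "in" direction on fxp0 rather than "out"; the server addresses are placeholders because the post's list did not survive.

```pf
# Interfaces of bridge1 (names taken from the post).
wifi_ext_if = "xl2"    # toward the NAS device / WAN switch
wifi_int_if = "fxp0"   # toward the WIFI switch

# Placeholder addresses (constructed): replace with the real server
# IPs on the WAN switch.
servidores = "{ 192.0.2.10, 192.0.2.11 }"

# Ports the post wanted closed, copied as given there.
win_tcp_ports = "{ 135, 137, 138, 139, 1443 }"
win_udp_ports = "{ 135, 137, 138, 139 }"

# Because the bridge is transparent, a packet from a WIFI client is
# seen twice: "in" on fxp0, then "out" on xl2.  Both quick passes on
# xl2 below are unconditional, so the only place a WIFI->server packet
# can be stopped is in the "in" direction on fxp0.  The original block
# rules used "out on fxp0", which is traffic heading back toward the
# WIFI clients, so they never matched the packets of interest.
pass in quick on $wifi_ext_if all
pass out quick on $wifi_ext_if all

# Default: everything entering from or leaving toward the WIFI side
# passes ...
pass in on $wifi_int_if all
pass out on $wifi_int_if all

# ... except these.  Without "quick", pf applies the last matching
# rule, so these later, more specific blocks override the pass above.
block in log on $wifi_int_if proto tcp from any to $servidores port $win_tcp_ports
block in log on $wifi_int_if proto udp from any to $servidores port $win_udp_ports
block return in log on $wifi_int_if proto tcp from any to any port 110
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch the logged blocks with `tcpdump -n -e -ttt -i pflog0` to confirm the rules now match client-to-server traffic.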


