
pf with many interfaces?
Hi,
(this is a resend --- I didn't see it show up on [email protected] within ~12 hours, 
so I thought I would give it a whirl)
I am a new pf user.  My previous experience includes the following
firewalling products (in case this helps to explain something to me,
or understand what I'm thinking about):
- checkpoint firewall 1
- cisco's crappy ACLs
- linux iptables
- sunscreen (both layer 2 and layer 3)
I am currently replacing a SunScreen firewall with an OpenBSD pf
firewall.  SunScreen does not deal with the concept of interfaces in
rules.  Instead, the interfaces have addresses associated with them
(i.e. addresses that are allowed to show up on an interface), and the
rules just have proto/port + src/dst ip address.  It also has a rather
gimpy (but functional, sort of) policy editor.  It is also very much a
dead product.  It also has weird bugs that make it a pain in the butt.
But I digress.
My pf firewall has about 18 or so interfaces (10 physical interfaces,
and a bucket of VLANs).  It is layer 3, and routes packets.  This,
combined with my previous experience not requiring interface names in
rules, makes me want to do:
em0: 10.1.0.0/24
em1: 10.1.1.0/24
em2: 10.1.2.0/24
em3: internet connected, say, 65.1.1.0/24 for the purposes of this
example.
table <internal_subnets> { 10.1.1.0/24, 10.1.2.0/24, 10.1.0.0/24 }
.. tables for rfc1918, classD, classE, etc.
table <outsideworld> { *, !<internal_subnets>, !<rfc1918>, !<classD>, !<classE> }  (can I use * or should it be 0.0.0.0/0?)
table <notoutside> { <internal_subnets>, <rfc1918>, <classD>, <classE> }
antispoof quick for em0
antispoof quick for em1
antispoof quick for em2
block in quick on em3 from <notoutside>
pass quick proto tcp from 10.1.1.2 to 10.1.2.3 port 80 flags S/SA keep state  # internal web connection between two machines
pass quick proto tcp to 10.1.2.4 port 25 flags S/SA synproxy state  # connections to SMTP server that is reachable from the internet, for example
pass quick proto tcp from 10.1.1.0/24 to <outsideworld> port 80 flags S/SA modulate state  # allow connections from the 10.1.1.0/24 subnet to the outside world on port 80
pass quick proto icmp from <internal_subnets> icmp-type echoreq keep state  # allows internal subnets to ping to everywhere
..
(obviously, I would implement this using tags and more lists to make
it cleaner, but I didn't want to get it too confusing as a first pass)
Please do let me know if I'm totally on crack and should not be doing
things like the above.  It just seems to me that specifying interfaces
and all that is a lot of extra work.  i.e.:
pass in on em2 proto tcp from 10.1.2.0/24 to any port 80 flags S/SA keep state  # gets into fw
pass out on em3 proto tcp from 10.1.2.0/24 to any port 80 flags S/SA keep state  # gets out of fw, post routing decision
pass in on em1 proto tcp from 10.1.1.0/24 to any port 80 flags S/SA keep state  # gets into fw
pass out on em3 proto tcp from 10.1.1.0/24 to any port 80 flags S/SA keep state  # gets out of fw, post routing decision
is much more work than:
pass quick proto tcp from 10.1.2.0/24 to <outsideworld> port 80 flags S/SA keep state
pass quick proto tcp from 10.1.1.0/24 to <outsideworld> port 80 flags S/SA keep state
which is still less work than:
pass in on em2 proto tcp from 10.1.2.0/24 to <outsideworld> port 80 flags S/SA tag G-web-access keep state
pass in on em1 proto tcp from 10.1.1.0/24 to <outsideworld> port 80 flags S/SA tag G-web-access keep state
pass out on em3 tagged G-web-access keep state
Effectively, I'm trying to figure out if it's "okay" to dump the whole
"on <int>" part of rules, because:
# ls -1 /etc/hostname.* |wc -l
      21
And there is a *lot* of traffic going between the interfaces.  I'm sort
of looking for examples of pf configurations with large (>4) numbers of
interfaces.
Thanks in advance,
-- 
adam
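As an added example (not from adam's post or from the pf documentation), here is his interface-free sketch written as a ruleset pfctl accepts. The interface names and the 10.1.x.0/24 subnets are the ones from the post; the reserved-range values and the policy itself are illustrative, and the key difference from the sketch is that pf tables hold addresses, not other tables, so "everything except" is expressed with 0.0.0.0/0 plus negated entries.

```pf
# Added example, not part of the original post. Interfaces and internal
# subnets are taken from the post; the rest is illustrative.
ext_if  = "em3"
int_ifs = "{ em0 em1 em2 }"

# Tables cannot reference other tables and pf has no "*" address, so the
# "outside world" is 0.0.0.0/0 minus negated (!) entries; the table lookup
# uses longest-prefix match, so the more specific negations win over /0.
table <internal_subnets> const { 10.1.0.0/24, 10.1.1.0/24, 10.1.2.0/24 }
table <notoutside> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, \
                           224.0.0.0/4, 240.0.0.0/4 }
table <outsideworld> const { 0.0.0.0/0, !10.0.0.0/8, !172.16.0.0/12, \
                             !192.168.0.0/16, !224.0.0.0/4, !240.0.0.0/4 }

# Default deny, logged. Every pass rule below carries "quick" so the first
# matching rule wins and the rest of the list is skipped.
block log all

# The interface is named only where it carries meaning: antispoof binds
# each internal subnet to the interface it must arrive on, and the
# external interface must never see internal or reserved source addresses.
antispoof log quick for $int_ifs
block in log quick on $ext_if from <notoutside> to any

# Interface-agnostic policy. With no "in"/"out" and no "on", a rule is
# evaluated on every interface the packet crosses; the state created where
# the packet enters is what passes it where it leaves.
pass quick proto tcp from 10.1.1.2 to 10.1.2.3 port 80 \
    flags S/SA keep state                 # internal web access
pass quick proto tcp from any to 10.1.2.4 port 25 \
    flags S/SA synproxy state             # Internet-reachable SMTP server
pass quick proto tcp from <internal_subnets> to <outsideworld> port 80 \
    flags S/SA modulate state             # internal hosts to the outside
pass quick inet proto icmp from <internal_subnets> to any \
    icmp-type echoreq keep state          # internal hosts may ping anywhere

# Parse without loading:  pfctl -nf /etc/pf.conf
```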