
Re: Filtering two separate networks



On 4/22/05, Lyle Worthington <[email protected]> wrote:
> Hey All,
> 
> We are soon to have 2 separate lines coming into our office, each with
> a separate set of IPs and restrictions (one full class C each).  They
> will be handled by one router, and we would like to firewall both of
> them with just one box running pf.  Our router will be plugging
> straight into the external interface on the box (ext_if), and then we
> have two other interfaces which will each go to separate switches to
> keep the networks completely separate.  So far I have tried to add all
> three interfaces to the bridge, but something in the current ruleset
> was preventing anything from getting out, so I have decided to start
> from scratch and was hoping someone could just point me in the right
> direction - we'd like traffic between the two networks to just be
> bridged through the pf box rather than having to go through our
> router.  Of course we'd like to place restrictions on what would be
> bridged, and also each network would have its own distinct rules for
> getting out of the network as well.
> 
> So basically I'm looking for something like:
> ext_if - interface plugged directly into router
> int1_if - interface to network1
> int2_if - interface to network2
> 
I have an almost similar setup, but it's like:
int_if     - to LAN switch
ext_ifdsl  - to Internet connection 1 (DSL router)
ext_ifcm   - to Internet connection 2 (cable modem)
> network1 has full access to network2, but network2 has no access to network1.
> network1 has full outgoing access to the internet; network2 is allowed
> only port 80 out.
> All external traffic originating from outside is blocked to both.
> 
> If I could get that working I'm sure I could get the rest of the rules
> working.  The external interface has no IP for security, and each of
> the internal interfaces is assigned address .2 on the associated IP
> range.  The bridge file looks like this: "add em0 add em1 add fxp0 up"
> - is that correct?
> 
On 4/23/05, Lyle Worthington <[email protected]> wrote:
> So there is no way for me to do this with OpenBSD and use PF?  I don't
> know anything about configuring routing in OpenBSD.
> 
I don't know how you can use bridging for your particular setup :-(
but if you want to do it with OpenBSD, then you can do it very easily.
Please look especially into the "route-to" option in PF if you want to
learn more about routing in OpenBSD.
Some other helpful resources are:
http://www.aei.ca/~pmatulis/pub/obsd_pf.html
http://www.openbsd.org/faq/pf/
Do you need a sample ruleset?
Kind regards,
Siju
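For readers following this thread, here is one way to express the policy Lyle describes (network1 reaches network2 and the Internet freely; network2 may only make outbound TCP port 80 connections and may not reach network1; nothing unsolicited comes in from outside) as a pf.conf for the routed design Siju suggests, rather than a bridge. This is an added example, not a ruleset posted by either participant. The interface names follow Lyle's macros; the addresses in the two /24s and the upstream router's address are assumptions chosen from documentation ranges, and the example assumes all three interfaces carry an IP address and that the pf box is the default gateway for both inside networks.

```pf
# Added example pf.conf for the two-network setup discussed in the thread.
# Interface names follow the thread; addresses are assumptions.
ext_if  = "fxp0"
int1_if = "em0"
int2_if = "em1"
net1    = "192.0.2.0/24"       # assumed: network1, int1_if holds .2
net2    = "198.51.100.0/24"    # assumed: network2, int2_if holds .2

set skip on lo0

# Default deny in both directions on every interface, logging drops so
# "something is being blocked" is visible in pflog0 instead of a mystery.
block log all

# Drop packets arriving on an inside interface whose source address does
# not belong to that interface's network (spoofing from the other side).
antispoof quick for { $int1_if, $int2_if }

# network1: full access to network2 and to the Internet.
pass in quick on $int1_if from $net1 to any keep state

# network2: no access at all to network1 ...
block in quick on $int2_if from $net2 to $net1

# ... and only TCP port 80 out. Note this also blocks DNS (port 53), so
# hosts on network2 will need an HTTP proxy or IP-literal URLs.
pass in quick on $int2_if proto tcp from $net2 to any port 80 \
    flags S/SA keep state

# Let packets that were admitted above (and their replies) leave on any
# interface. Nothing passes *in* on $ext_if, so unsolicited traffic from
# the router side falls through to the "block log all" default.
pass out quick on { $ext_if, $int1_if, $int2_if } keep state
```

Because network2's only permitted direction is out, the reply packets for its HTTP sessions are admitted by the state entry created on the pass rule, not by any inbound rule, which is what keeps "all external traffic originating from outside is blocked" true. For the box to forward between the three interfaces at all, IP forwarding has to be enabled (`net.inet.ip.forwarding=1` in /etc/sysctl.conf), and after editing the file `pfctl -nf /etc/pf.conf` checks the syntax before `pfctl -f /etc/pf.conf` loads it.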