relay dhcp across openbsd pf

Jens Ropers ropers at ropersonline.com
Tue Aug 22 05:45:48 PDT 2006


Hi everyone,
First, please excuse my upcoming cluelessness; I haven't used OpenBSD
in a long time now, I have never been anywhere near even halfway
knowledgeable and have probably forgotten a lot of the basics.

I've got a Windows Server 2003 server in dire need of firewall protection.
I've now put an OpenBSD 3.9 box in front of it. The current setup is
(pls use fixed width font):

Network w/ Win clients <==> OpenBSD box <==> Win Srv 2003

Because the Windows Server logically is on the same subnet as the
Windows clients, I used bridging, as described at:
  http://www.openbsd.org/faq/faq6.html#Bridge

My network interfaces look like this:
# cat /etc/hostname.rl0
inet x.y.z.99 255.255.255.0 NONE
# cat /etc/hostname.rl1
up

So the OpenBSD box's external interface has an IP but the internal one
doesn't have one.

My bridge looks like this:
# cat /etc/bridgename.bridge0
add rl0
add rl1
up

My /etc/sysctl.conf substantially looks like this:
net.inet.ip.forwarding=1

The OpenBSD firewall rules currently are extremely basic; they merely
restrict access to the Windows server to the clients by IP.
(Yes, the rules need to be strengthened, but I need to understand
things better so I can do that.)

My /etc/pf.conf substantially looks like this:
--- begin quote ---
ext_if="rl0"
int_if="rl1"

table <goodoutsiders> const { x.y.z.70/31, x.y.z.72/29, x.y.z.80/28, x.y.z.96/30, !x.y.z.79 }
# this table encompasses IPs x.y.z.70 through x.y.z.99 (the clients),
# but excludes x.y.z.79, which is the Windows server's own IP

scrub in
#scrubbing

block all
#default deny

pass quick on $int_if all
#only filter on the external interface, pass everything on the
#internal interface to reduce complexity, as recommended in the FAQ

pass on $ext_if from <goodoutsiders> to x.y.z.79 keep state
pass on $ext_if from x.y.z.79 to <goodoutsiders> keep state
--- end quote ---

Again, x.y.z.79 is the Windows server (yes, I should use a macro).
The Windows server is (currently still) running a DHCP server.
I need to ensure that the Windows clients can renew their leases with
the Windows server.
Will the above correctly forward all DHCP traffic?

As an additional question, I only wrote the above impressively broad
pass rules out of desperation. I'm a bit insecure if my understanding
of pf is correct: The way I understand things, passing IN on $ext_if
means passing packets from the network that $ext_if is attached to
into the OpenBSD box. Since that's set up as a bridge to the $int_if
interface and since I quickly pass everything on $int_if, I thought
that passing IN should be enough. However if I recall correctly, this
earlier attempt didn't seem to work:

pass in on $ext_if from <goodoutsiders> to x.y.z.79 keep state
pass out on $ext_if from x.y.z.79 to <goodoutsiders> keep state

Should these latter two rules really work the same as the ones
currently in my pf.conf? (I.e. did I screw up somewhere else?) Or is my
understanding of pf incorrect?

Finally, I initially tried using just one rule:
  pass in on $ext_if from <goodoutsiders> to x.y.z.79 keep state
which didn't seem to work. Does anyone have any ideas why a
from-server-to-client rule should be required? I should add that the
Windows server is a domain controller.

I have to admit that I have limited testing opportunities (on
weekends), because this is part of a small production network and I'm
currently lacking the means for setting up a similar test/lab network
elsewhere/at home. (I am however hopeful that I will eventually
scrounge together a test network.) So this may lead to me asking more
stupid questions than usual, because I currently can't simply test
things out.

All comments and any help very welcome!
Many thanks in advance,
Jens

-- 
www.ropersonline.com
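Added example, not from the post or the OpenBSD FAQ: a pf.conf fragment in the same OpenBSD 3.9 style that keeps the poster's rules and adds explicit rules for the DHCP packets those rules cannot match, because a client without a lease sends from 0.0.0.0 to the broadcast address and the server answers to the broadcast address, none of which are in <goodoutsiders>. It assumes the addresses from the post (x.y.z is the poster's placeholder) and the same rl0/rl1 bridge.

```pf
ext_if="rl0"
int_if="rl1"
win_srv="x.y.z.79"   # Windows server, which is also the DHCP server (address from the post)

table <goodoutsiders> const { x.y.z.70/31, x.y.z.72/29, x.y.z.80/28, x.y.z.96/30, !x.y.z.79 }

scrub in
block all
pass quick on $int_if all

# The poster's rules. On the bridge a client packet enters on rl0 and
# leaves on rl1, so "in on $ext_if" is the client->server direction and
# "out on $ext_if" is server->client. These only match when the client
# already has a leased address, i.e. a unicast renewal (RENEWING state).
pass on $ext_if from <goodoutsiders> to $win_srv keep state
pass on $ext_if from $win_srv to <goodoutsiders> keep state

# DHCP packets the rules above never match:
#  - DHCPDISCOVER / initial DHCPREQUEST: src 0.0.0.0 port 68, dst 255.255.255.255 port 67
#  - REBINDING renewal: src <client IP> port 68, dst 255.255.255.255 port 67
#  - server OFFER/ACK to a client without an address: src server port 67, dst 255.255.255.255 port 68
# No "keep state" here: the reply does not mirror the request's address
# pair, so a state created by the broadcast request would not match it,
# and both directions need a stateless rule of their own.
pass in  on $ext_if inet proto udp from any port 68 to { $win_srv, 255.255.255.255 } port 67
pass out on $ext_if inet proto udp from $win_srv port 67 to { <goodoutsiders>, 255.255.255.255 } port 68
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, and use `tcpdump -n -e -ttt -i pflog0` on the blocked packets to confirm which DHCP exchange was being dropped before the extra rules.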


More information about the Openbsd-newbies mailing list