silly pf config issues

Jens Ropers ropers at ropersonline.com
Sun Sep 10 04:14:21 PDT 2006


I copied the list back in. Always cc the list. These things get
archived on TEH Intrreb, Wintar, ahem, I mean Wide-Webs, err...
...well, let's just call it the tubes thing. These things get archived
in these tubes, okay? This information is here for everybody. It is
not a truck.

On 09/09/06, Bulk Mail <bulk at szmidt.org> wrote:
> > Also, you don't seem to be passing proto tcp, port 80 traffic from
> > <managers> (ie. 192.168.0.2) to the 10.1.0.34 box on the $WAN
> > interface?  Keep in mind that <http-managers> contains only google.com
>
> Ah, an out of date note I forgot to update during my testing.
>
> > and <admins> is empty.
>
> I also added proper data to all table files to ensure it does not mess things
> up. Though the persist command should allow for empty files.
>
> > You're passing traffic from 10.1.0.34 to any
> > port 80 on the $LAN interface, but not on the $WAN one. I think
> > there's your reason you can't websurf to 10.1.0.34.
>
> That's what "pass out log on $WAN proto tcp from <managers> to <http-managers>
> port $Web keep state" is supposed to do.
>

I'm confused here.
Again, are you trying to websurf from 192.168.0.2 to 10.1.0.34 and to
the Internet?
IMveryHO surfing from 192.168.0.2 to 10.1.0.34 might not work because:
- Your firewall sits between 192.168.0.2 and 10.1.0.34.
- For traffic from 192.168.0.2 to reach 10.1.0.34, that traffic has to
pass in on the $LAN interface and out on the $WAN interface, in that
order.
- You're not blocking on the $LAN interface (yea, you were right
there; what I said before about my preferred default deny stuff would
just have made things more explicit to uneducated pf.conf readers such
as myself).
- You are however blocking on the $WAN interface.
- That means you need to pass traffic from 192.168.0.2 to 10.1.0.34 on
the $WAN interface.
- You're currently passing traffic from 192.168.0.2 to
google.com/openbsd.org, but not to 10.1.0.34. So any traffic coming
from 192.168.0.2 and destined for 10.1.0.34 would be blocked at the
$WAN interface.

If passing port 80 tcp traffic from 192.168.0.2 to 10.1.0.34 is NOT
what you were trying to do (I see no reference to that anymore in your
below new pf.conf), then (a) I'll refer you to my previous express
request for clarification:

> I'm assuming you're sitting in front of 192.138.0.2 and you're trying
> to reach 10.1.0.34 and google.com both with icmp and tcp 80 traffic.
> If not please clarify and disregard what I'm saying below.

...and (b) --just to rub it in-- I'll send you a mail from another
email account. That other account is utw at my phukk.eu domain, and my
alter ego there is "Phukk Yu Yutvat".

;-P

> Managers contain 192.168.0.2, which I'm testing from, and http-managers
> contain google.com. If I replace the <manager> statement with 192.168.0.2 it
> works.
>

"it works".
Hmm, let me try to pull a 20q.net on you:
You mean that surfing to google works? Mkay, I'd double check the
/etc/tManagers file then, to see if that was the problem. Keep in mind
that the file system is case sensitive.

> > As for google.com, I'm not sure, but I think it might have something
> > to do with the fact that google.com resolves to multiple IPs in a
> > round robin fashion -- and your <http-managers> only resolves to just
>
> Nah, that does not seem to be a problem. But I added openbsd.com.
>

cheerio,
;o)
Jens


> -- UPDATED --
>
> ## Macros
> # Interfaces
> WAN="bge0"
> LAN="xl0"
> LANip="192.168.0.0/24"
> RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/24 }"
> #RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8  }"
>
> Web="{ 80, 443 }"
> Web-server="192.168.0.10"
> Ftp="21"
> Ftp-server="192.168.0.11"
>
> ## Tables
> table <admins> persist file "/etc/tAdmins"
> #table <managers> persist file "/etc/tManagers"
> table <managers> { 192.168.0.2 }
> table <operators> persist file "/etc/tOperators"
> #table <http-managers> persist file "/etc/tHttp-managers"
> table <http-managers> { google.com, openbsd.com }
> table <http-operators> persist file "/etc/tHttp-operators"
> table <customers> persist file "/etc/tCustomers"
> table <extadmin> persist file "/etc/tExtadmin"
>
> ## Options
>
> ## Traffic Normalization
> scrub in all
>
> ## Bandwidth Management
> # External Queues we usually have 1000Mb internal, 4Mb on cable, and 3Mb on DSL
> altq on $WAN cbq bandwidth 3000Kb queue { ssh, http-out, http-in, ftp-in, mail, dns, ftp, misc }
> #queue LOCAL bandwidth 98456Kb cbq(borrow)
>
> queue ftp-in bandwidth 12% priority 4 cbq(borrow red)
> queue http-in bandwidth 13% priority 4 cbq(borrow red)
> queue http-out bandwidth 25% priority 3 cbq(borrow red) { develusers,
> normalusers }
> queue  develusers bandwidth 50% cbq(borrow)
> queue  normalusers bandwidth 50% cbq(borrow)
> queue mail bandwidth 10% priority 1 cbq(borrow ecn)
> queue dns bandwidth 5% priority 5 cbq(borrow ecn)
> queue ftp bandwidth 15% priority 2 cbq(borrow ecn)
> queue ssh bandwidth 10% priority 6 cbq(borrow) { ssh_interactive, ssh_bulk }
> queue  ssh_interactive bandwidth 50% cbq(borrow)
> queue  ssh_bulk bandwidth 50% cbq(borrow)
> queue misc bandwidth 10% cbq(borrow,default)
>
> ## Translations
> #special = "{ 10.2.1.10 }"
> #no nat on $WAN from $special to any
> #nat on $WAN from $LAN to any -> $WAN
> #binat on $WAN from $special to any -> $WAN
> nat on $WAN from $LAN:network to any -> $WAN
>
> ## Redirection
>
> ## Packet Filtering
> # Allow all loopback traffic.
> pass quick on lo0
>
> # Pass all on LAN i/f
> pass quick on $LAN
>
> # Default deny.
> block in  log quick on $WAN from $RFC1918
> block in  log on $WAN
> block out log on $WAN
>
> # Allow basic networking communication
> pass in  log on $WAN proto icmp from any to any keep state
> pass out log on $WAN inet proto icmp all icmp-type 8 code 0 keep state
>
> # Allow dns and ntp out
> pass out log on $WAN proto udp from any to any port 53 keep state
> pass out log on $WAN proto udp from any to any port 123 keep state
>
> # Allow ssh in and out
> pass in  log on $WAN proto tcp from any to any port 22 keep state
> pass out log on $WAN proto tcp from any to any port 22 keep state
>
> # Allow web out based on tables
> pass out log on $WAN proto tcp from <admins> to any port $Web keep state
> pass out log on $WAN proto tcp from <managers> to <http-managers> port $Web keep state
> pass out log on $WAN proto tcp from <operators> to <http-operators> port $Web keep state
>
> # Allow web and ftp in based on table
> #pass in log on $WAN proto tcp from <customers> to $Web-server port $Web
> #pass in log on $WAN proto tcp from <customers> to $Ftp-server port $Ftp
>
> --
>
>


-- 
www.ropersonline.com
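As an added illustration (not part of the thread), here is a small Python model of pf's rule evaluation over a cut-down version of the quoted pf.conf, walking a packet from 192.168.0.2 in on $LAN and then out on $WAN. The google.com/openbsd.com addresses are constructed stand-ins, and NAT, scrub, altq and state tracking are left out of the model.

```python
import ipaddress

# Toy model of the quoted pf.conf (NAT, scrub, altq and state tracking deliberately ignored).
# Modelled pf semantics: rules are read top to bottom and the LAST match wins, except that a
# matching rule marked "quick" ends evaluation at once; a packet that matches no rule passes.
WAN, LAN = "bge0", "xl0"
ANY = ["0.0.0.0/0"]
RFC1918 = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/24"]  # /24 as in the post
MANAGERS = ["192.168.0.2"]
HTTP_MANAGERS = ["64.233.187.99", "129.128.5.191"]  # constructed stand-ins for google.com/openbsd.com

# (action, direction or None for both, interface, proto or None, src nets, dst nets, dst ports or None, quick)
RULES = [
    ("pass", None, LAN, None, ANY, ANY, None, True),                          # pass quick on $LAN
    ("block", "in", WAN, None, RFC1918, ANY, None, True),                     # block in log quick on $WAN from $RFC1918
    ("block", "in", WAN, None, ANY, ANY, None, False),                        # block in log on $WAN
    ("block", "out", WAN, None, ANY, ANY, None, False),                       # block out log on $WAN
    ("pass", "out", WAN, "udp", ANY, ANY, {53}, False),                       # dns out
    ("pass", "out", WAN, "tcp", MANAGERS, HTTP_MANAGERS, {80, 443}, False),  # <managers> -> <http-managers>
]

def in_nets(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n) for n in nets)

def matches(rule, pkt):
    _action, direction, iface, proto, src, dst, ports, _quick = rule
    return (iface == pkt["iface"]
            and direction in (None, pkt["dir"])
            and proto in (None, pkt["proto"])
            and in_nets(pkt["src"], src) and in_nets(pkt["dst"], dst)
            and (ports is None or pkt["dport"] in ports))

def verdict(pkt, rules=RULES):
    """Return 'pass' or 'block' for one packet on one interface, pf style."""
    result = "pass"
    for rule in rules:
        if matches(rule, pkt):
            result = rule[0]
            if rule[7]:      # quick: stop at the first quick match
                break
    return result

def packet(direction, iface, src, dst, proto="tcp", dport=80):
    return {"dir": direction, "iface": iface, "src": src, "dst": dst, "proto": proto, "dport": dport}

def lan_to_wan(src, dst, dport=80):
    """A LAN host's packet crosses the firewall twice: in on $LAN, then out on $WAN."""
    return verdict(packet("in", LAN, src, dst, "tcp", dport)), verdict(packet("out", WAN, src, dst, "tcp", dport))
```

Running `lan_to_wan("192.168.0.2", "10.1.0.34")` gives `('pass', 'block')`: the packet clears $LAN on the quick rule but, with 10.1.0.34 absent from <http-managers>, the last match on $WAN is the default `block out`.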


More information about the Openbsd-newbies mailing list