Hi misc@, I finally had some time to rearrange my network, and split it into 3 parts: LAN, DMZ, WAN.
Basically, the LAN (172.20) may not access the DMZ (172.16), but host 172.20.1.10 can. The DMZ may not access the LAN, and both can go to the WAN. But for some reason, when I create state from 172.20.1.10 to 172.16.x.x, the packet coming back gets blocked, which should not happen because the state would be checked first, and the state really is created?! I tried setting 'set state-policy floating' explicitly, but no advance. Does someone know what the problem is here? I had a ruleset with a bunch of 'quick' rules before instead of this, but had the same problem.

tcpdump on pflog:

18:12:16.483526 rule 12/(match) pass in on sis2: 172.20.1.10.57132 > 172.16.0.5.ssh: [|tcp]
18:12:16.483960 rule 21/(match) block in on sis1: 172.16.0.5.ssh > 172.20.1.10.57132: [|tcp]

grep on state:

# pfctl -s state|grep 172.16.0.5
all tcp 172.16.0.5:22 <- 172.20.1.10:57132       CLOSED:SYN_SENT

kernel:

OpenBSD 3.8 (GENERIC) #138: Sat Sep 10 15:41:37 MDT 2005
    [EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC

rules:

scrub in all no-df fragment reassemble
scrub out all no-df random-id fragment reassemble
# default deny inbound, drop all IPv6
block drop in log all
block drop log inet6 all
block drop in log quick on sis0 from any to (sis0:broadcast)
block drop in log quick on sis0 from <intruders> to any
pass log quick on lo0 inet from 127.0.0.0/8 to any
pass log quick on lo0 inet6 from ::1 to any
# LAN side (sis2, 172.20.0.0/16): LAN may go anywhere except the DMZ, 172.20.1.10 may also reach the DMZ
pass in log on sis2 inet proto tcp from 172.20.0.0/16 to any modulate state
pass in log on sis2 inet proto udp from 172.20.0.0/16 to any keep state
pass in log on sis2 inet proto icmp from 172.20.0.0/16 to any keep state
block drop in log on sis2 inet proto tcp from any to 172.16.0.0/16
block drop in log on sis2 inet proto udp from any to 172.16.0.0/16
block drop in log on sis2 inet proto icmp from any to 172.16.0.0/16
pass in log on sis2 inet proto tcp from 172.20.1.10 to 172.16.0.0/16 keep state
pass in log on sis2 inet proto udp from 172.20.1.10 to 172.16.0.0/16 keep state
pass in log on sis2 inet proto icmp from 172.20.1.10 to 172.16.0.0/16 keep state
pass out log on sis2 inet proto tcp from 172.20.0.1 to 172.20.0.0/16 keep state
pass out log on sis2 inet proto udp from 172.20.0.1 to 172.20.0.0/16 keep state
pass out log on sis2 inet proto icmp from 172.20.0.1 to 172.20.0.0/16 keep state
# DMZ side (sis1, 172.16.0.0/16): DMZ may go anywhere except the LAN
pass in log on sis1 inet proto tcp from 172.16.0.0/16 to any modulate state
pass in log on sis1 inet proto udp from 172.16.0.0/16 to any keep state
pass in log on sis1 inet proto icmp from 172.16.0.0/16 to any keep state
block drop in log on sis1 inet proto tcp from any to 172.20.0.0/16
block drop in log on sis1 inet proto udp from any to 172.20.0.0/16
block drop in log on sis1 inet proto icmp from any to 172.20.0.0/16
pass out log on sis1 inet proto tcp from 172.16.0.1 to 172.16.0.0/16 keep state
pass out log on sis1 inet proto udp from 172.16.0.1 to 172.16.0.0/16 keep state
pass out log on sis1 inet proto icmp from 172.16.0.1 to 172.16.0.0/16 keep state
[sis0 rules snipped]

Kind regards,
Jimmy Scott

--
The Four Horsemen of the Apocalypse: Death, Famine, War, and SNMP
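The post shows a blocked packet that appears to belong to an existing state. A quick way to check that systematically, across a whole pflog capture rather than one grep, is to parse the `tcpdump` pflog lines and the `pfctl -s state` output and flag every `block` entry whose 5-tuple already has a state, reporting whether that state is floating (`all`) or bound to an interface. The script below is an added example, not code from the original post or from OpenBSD; the two pflog lines and the one state line it embeds are copied from the post as constructed sample input in the same format, and the small service-name table (tcpdump prints names such as `ssh` instead of port numbers) is an assumption.

```python
"""Correlate pflog 'block' entries with the pf state table.

Added example, not part of the original post.  Parses tcpdump pflog lines
and `pfctl -s state` lines (OpenBSD 3.x format, no NAT, so a state prints
as `dst <- src` or `src -> dst`) and reports blocked packets whose 5-tuple
already has a state entry in either direction.
"""
import re

# Hypothetical service-name table (assumption): tcpdump prints names from
# /etc/services, pfctl prints numeric ports, so both must be normalised.
SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53}

PFLOG_RE = re.compile(
    r"^(?P<ts>\S+) rule (?P<rule>\d+)/\(match\) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\w+) > (?P<dst>[\d.]+)\.(?P<dport>\w+):"
)

STATE_RE = re.compile(
    r"^(?P<ifname>\S+) (?P<proto>\w+) (?P<a>[\d.]+):(?P<aport>\d+) "
    r"(?P<arrow><-|->) (?P<b>[\d.]+):(?P<bport>\d+)\s+(?P<st>\S+)"
)

# Constructed sample input, copied from the post above.
PFLOG = [
    "18:12:16.483526 rule 12/(match) pass in on sis2: 172.20.1.10.57132 > 172.16.0.5.ssh: [|tcp]",
    "18:12:16.483960 rule 21/(match) block in on sis1: 172.16.0.5.ssh > 172.20.1.10.57132: [|tcp]",
]
STATES = ["all tcp 172.16.0.5:22 <- 172.20.1.10:57132       CLOSED:SYN_SENT"]


def port(tok):
    """Turn a tcpdump port token (number or service name) into an int."""
    if tok.isdigit():
        return int(tok)
    if tok in SERVICES:
        return SERVICES[tok]
    raise ValueError("unknown service name: " + tok)


def parse_pflog(lines):
    """Parse tcpdump-on-pflog lines into dicts; lines that don't match are skipped."""
    out = []
    for line in lines:
        m = PFLOG_RE.match(line.strip())
        if not m:
            continue
        out.append({
            "ts": m["ts"], "rule": int(m["rule"]), "action": m["action"],
            "dir": m["dir"], "ifname": m["ifname"],
            "src": m["src"], "sport": port(m["sport"]),
            "dst": m["dst"], "dport": port(m["dport"]),
        })
    return out


def parse_states(lines):
    """Parse `pfctl -s state` lines; the endpoint pair is stored direction-independently."""
    out = []
    for line in lines:
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        out.append({
            "ifname": m["ifname"],            # 'all' means a floating state
            "floating": m["ifname"] == "all",
            "proto": m["proto"], "st": m["st"],
            "key": frozenset([(m["a"], int(m["aport"])), (m["b"], int(m["bport"]))]),
        })
    return out


def blocked_with_state(pflog_lines, state_lines):
    """Return (packet, state) pairs for blocked packets that already have a state."""
    states = parse_states(state_lines)
    hits = []
    for pkt in parse_pflog(pflog_lines):
        if pkt["action"] != "block":
            continue
        key = frozenset([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])])
        for s in states:
            # A floating state should match on any interface; an interface-bound
            # state only on its own, so report that alongside the hit.
            if s["key"] == key and (s["floating"] or s["ifname"] == pkt["ifname"]):
                hits.append((pkt, s))
    return hits


if __name__ == "__main__":
    for pkt, st in blocked_with_state(PFLOG, STATES):
        print("rule %d blocked %s:%d > %s:%d on %s, but state exists (%s, %s)" % (
            pkt["rule"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"],
            pkt["ifname"], st["ifname"], st["st"]))
```

Feed it `tcpdump -n -e -ttt -i pflog0` output (with `-n` the service-name table is not needed) and `pfctl -s state` taken at the same moment; every hit is a packet pf dropped by rule evaluation even though a state for the same connection was in the table.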