On Tue, Nov 15, 2005 at 04:59:50PM -0800, Christian Petro wrote:
> > What is the rest of the pf.conf? Without that, I can only guess.
> >
> > -jon
> >
>
> set loginterface fxp1
> set limit { states 90000, frags 90000 }
> set optimization conservative
> set block-policy drop
> scrub in all
>
> ###############
> # DEFINE MACROS
> ###############
>
> # list of interfaces
> LoIf="lo0"
> IntIf="fxp0"
> ExtIf="fxp1"
>
> OutTcp=" some ports"
> OutIcmp=" some types"
> OutUdp=" some ports"
> OutIm=" some ports"
>
> table <AllAccess> persist { some ips }
> table <LimitedAccess> persist { 192.168.1.16, 192.168.1.17 }
>
> table <private> persist { some ips }
>
> table <SitesAllowed> persist { some sites }
>
> ##################################
> # RULES IN/OUT for lo0, fxp0, fxp1
> ##################################
>
> # default policy
> block in log all
> block out log all
>
> # trusted interfaces
> pass in quick on $LoIf all
> pass out quick on $LoIf all
> pass in quick on $IntIf all
> pass out quick on $IntIf all
>
> # anti-spoofing rule
> block drop in quick on $ExtIf inet from <private> to any
>
> # outbound traffic
> pass out quick on $ExtIf inet proto icmp from <AllAccess> to any icmp-type $OutIcmp keep state
>
> pass out quick on $ExtIf inet proto udp from <AllAccess> to any port $OutUdp keep state
>
> pass out quick on $ExtIf inet proto tcp from <AllAccess> to any keep state
>
> block out quick on $ExtIf inet proto { tcp, udp } from <LimitedAccess> to any port $OutIm
>
> pass out quick on $ExtIf inet proto tcp from <LimitedAccess> to <SitesAllowed> port $OutWeb keep state
>
> block out on $ExtIf inet proto { icmp, udp, tcp } from <LimitedAccess> to any
>
> #pass out on $ExtIf inet proto tcp from any to any port $OutTcp keep state
Your problem is likely your use of 'quick' on most of your rules, specifically the section labeled "trusted interfaces". Read pf.conf(5) and search the archives (http://marc.theaimsgroup.com/?l=openbsd-misc&r=1&w=2) for more information about quick.

What is likely happening, assuming a normal routed setup, is those first 2 quick rules that pass in/out on $IntIf are allowing all traffic on $IntIf in and out. Any traffic that comes in or out on $IntIf matches that rule and that is the last rule that is evaluated, thanks to quick. Your packets from <LimitedAccess> come in on $IntIf and are allowed. Your state-policy is (by default) floating so the packets are in turn allowed to pass out on $ExtIf.

The bulk of your rules after the 4 "trusted interfaces" rules are likely rarely (if ever) evaluated. I say "likely" because I am not 100% sure about your mixture of "quick" and your first two default block in/out rules.

My suggestion? Get rid of quick, get a solid default block stance in/out on all interfaces, and then selectively allow traffic. You are close.

-jon
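The restructuring jon suggests, as an added example that is not part of the original thread: a ruleset in the same shape as the quoted one, with a default block on every interface, 'quick' dropped from the trusted-interface passes, and states bound to the interface they were created on so a pass on $IntIf no longer carries the packet out $ExtIf. Macro and table contents are assumed placeholders, as is the OutWeb macro that the quoted config references but never defines.

```pf
# Added example, not the original poster's pf.conf. Interface names, table
# members and port lists are placeholders; OutWeb is an assumed macro.
LoIf="lo0"
IntIf="fxp0"
ExtIf="fxp1"
OutIcmp="{ echoreq }"
OutUdp="{ 53, 123 }"
OutWeb="{ 80, 443 }"

table <AllAccess> persist { 192.168.1.0/24 }
table <LimitedAccess> persist { 192.168.1.16, 192.168.1.17 }
table <private> persist { 10/8, 172.16/12, 192.168/16 }
table <SitesAllowed> persist { 203.0.113.10 }

set loginterface $ExtIf
set block-policy drop
# Bind states to the interface that created them: a packet passed in on
# $IntIf must still match an 'out on $ExtIf' rule before it leaves.
set state-policy if-bound
scrub in all

# Default stance on every interface. Without 'quick' the LAST matching rule
# wins, so the selective passes below override these for matching traffic.
block in log all
block out log all

# Loopback is fully trusted; 'quick' is harmless here.
pass quick on $LoIf all

# Inside interface: accept traffic from the LAN and hand replies back.
pass in  on $IntIf inet from $IntIf:network to any keep state
pass out on $IntIf inet from any to $IntIf:network keep state

# Anti-spoofing on the outside interface; a quick block is appropriate.
block drop in quick on $ExtIf inet from <private> to any

# Full-access hosts: the outbound services they may reach.
pass out on $ExtIf inet proto tcp  from <AllAccess> to any keep state
pass out on $ExtIf inet proto udp  from <AllAccess> to any port $OutUdp keep state
pass out on $ExtIf inet proto icmp from <AllAccess> to any icmp-type $OutIcmp keep state

# Limited hosts: this block is evaluated after the <AllAccess> passes, so it
# overrides them for these addresses; only web to <SitesAllowed> is re-enabled.
block out log on $ExtIf inet from <LimitedAccess> to any
pass  out on $ExtIf inet proto tcp from <LimitedAccess> to <SitesAllowed> port $OutWeb keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and with `pfctl -sr` and `pfctl -ss` afterwards to confirm which rules and states the limited hosts actually hit.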