Thanks for the advice...
I think I have discovered the problem...

bond0 is a virtual interface that consists of two LACP bonded NICs.
All rules targeting the bond0 interface are ignored by pf (I have no idea why), and only rules targeting the physical NICs that are members of bond0 get applied...
...so

man_if="bond0"         #our Management vNIC is bond0 (bond bnx0, bnx1)
pass quick on $man_if all keep state
...fails without error and is not listed with a pfctl -vf /etc/pf.conf

pass quick on { bnx0, bnx1 } all keep state
...actually loads rules, as seen by pfctl -vf /etc/pf.conf

Any idea why this is the case?  Is this a bug in pf?  I can't think of a reason 
why this strangeness would be by design...
I think I can just work around this by creating a table and changing my rule:

table <fw> { bnx0, bnx1 }
pass quick on <fw> all keep state

ideas or comments?  Anyone have a better way?

Thanks,
John Nyhuis
IT Manager, Stam Lab
2211 Elliott Avenue
6th Floor, 6S139
Seattle, WA 98121
O: (206)-267-1097 ext 220
F: (206)-441-3033
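An added example, not code from this thread: a small pre-load lint that expands pf.conf macros and `{ ... }` interface lists, then checks every `on <target>` clause against the interfaces the host actually has, so a rule naming an interface pf will not match is noticed before `pfctl -f` runs. The sample pf.conf and the interface inventory are constructed here (modelled on the rules in the thread, not the real file); the inventory is assumed to be whatever `ifconfig -a` enumerates on the firewall. The lint treats the driver name (the interface name without its trailing digits) as a group, since pf puts every interface in a group named after its driver, and it also flags a `<table>` used after `on`, because pf tables hold addresses, not interface names.

```python
"""Lint for pf.conf `on <target>` clauses: macro and list expansion, then an
interface-inventory check. Added example; sample data is constructed."""
import re

# Constructed sample pf.conf, modelled on the thread's rules (not the real file).
SAMPLE_PF_CONF = """\
set skip on lo                  # ignore local interface
man_if="bond0"                  # management vNIC (bond: bnx0, bnx1)
br="ix0"
int_if="ix1"
table <fw> { 140.142.217.141, 140.142.217.140 }
block in log on $br all
pass in quick on $int_if all
pass quick on $man_if all keep state
pass quick on { bnx0, bnx1 } all keep state
pass quick on pfsync0 proto pfsync keep state
pass in on $man_if proto tcp from any to <fw> port 22 keep state
pass quick on <fw> all keep state
"""

# Constructed interface inventory (assumption: what `ifconfig -a` would list).
SAMPLE_INTERFACES = {"lo0", "ix0", "ix1", "bnx0", "bnx1", "pfsync0"}

MACRO_RE = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')
# Target after `on`: a {list}, a <table>, a $macro, or a bare name.
ON_RE = re.compile(r'\bon\s+(\{[^}]*\}|<\w+>|\$\w+|[\w.]+)')


def strip_comment(line: str) -> str:
    """Drop a trailing # comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def parse_macros(conf: str) -> dict:
    """Collect name="value" macro definitions."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(strip_comment(line))
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand_on_target(token: str, macros: dict) -> list:
    """Names an `on` target stands for: $macro and { a, b } are expanded,
    a <table> is returned as-is so the caller can flag it."""
    token = token.strip()
    if token.startswith("$"):
        token = macros.get(token[1:], token)  # unknown macro stays as-is
    if token.startswith("{") and token.endswith("}"):
        return [t.strip() for t in token[1:-1].split(",") if t.strip()]
    return [token]


def interface_groups(interfaces: set) -> set:
    """Driver-name groups, e.g. lo0 -> lo, bnx1 -> bnx."""
    return {re.sub(r"\d+$", "", i) for i in interfaces}


def lint(conf: str, interfaces: set) -> list:
    """Return (line number, target, problem) for every `on` target that is
    neither a configured interface nor a driver group, or that is a table."""
    macros = parse_macros(conf)
    groups = interface_groups(interfaces)
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = strip_comment(raw)
        if not line or MACRO_RE.match(line):
            continue
        for m in ON_RE.finditer(line):
            for name in expand_on_target(m.group(1), macros):
                if name.startswith("<"):
                    findings.append((lineno, name,
                                     "table used where an interface is expected"))
                elif name not in interfaces and name not in groups:
                    findings.append((lineno, name,
                                     "not a configured interface or group"))
    return findings


if __name__ == "__main__":
    for lineno, name, problem in lint(SAMPLE_PF_CONF, SAMPLE_INTERFACES):
        print(f"line {lineno}: on {name}: {problem}")
```

On the constructed sample this reports the two rules written `on $man_if` (bond0 is not in the inventory) and the `on <fw>` rule; the `{ bnx0, bnx1 }` list and `pfsync0` pass. Run it against the real file and the real inventory before `pfctl -nvf /etc/pf.conf` to catch the case this thread describes, where a rule simply does not appear in the loaded set.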


-------- Forwarded Message --------
Subject: Re: Q: Assistance with pf.conf rules
Date: Mon, 22 Jun 2015 18:42:25 -0500
From: Edgar Pettijohn <ed...@pettijohn-web.com>
To: John Nyhuis <jnyh...@uw.edu>

I am by no means an expert, but using

# pfctl -vf /etc/pf.conf

will show you how the rules are loaded and may help you spot the error.
I know it has helped me before.


On 06/18/15 19:33, John Nyhuis wrote:
I am building an OpenBSD 5.7 +pf +pfsync +stp bridging firewall.
It's 90% working great, but I have a mistake in my pf.conf, and I've
been staring at it for days, and have not spotted my error.
Would anyone be willing to review my rules and point out my mistake?

-----------    ix0  -------------  ix1 ----------
|  world  |---------| pf bridge |------| switch |
-----------         -------------      ----------
                               \        /
                                \ ____ /
                $man_if
ix0 connects from the WAN and is filtered and bridged to ix1, which is
connected to the LAN switch
bond0 = $man_if (bnx0 + bnx1) is connected from the management
interface on the bridge to the switch


My problem:  ssh connections from the world to the management
interface of the bridge are being blocked.  ssh connections from the
world to the switch are not, implying that my mistake is in my
management interface rule block.

cat /etc/pf.conf

##JN general rules that apply to all interfaces and this specific server
set skip on lo          #ignore local interface
man_if="bond0"          #our Management vNIC is bond0 (bond: bnx0, bnx1)
br="ix0"                # This is a bridge, so only filter on one bridge interface
int_if="ix1"            #internal interface of bridge

#set block-policy drop           #drop packets rather than send rejections.
set block-policy return     #means we refuse packets, sending back a response
match in all scrub (no-df)      #means we reassemble all incoming packets to fix any overflows, etc.
block in log on $br all         #Default deny all in, exceptions must be listed below
pass out on $br all             #We trust ourselves, don't block outgoing
pass in quick on $int_if all    #don't filter on internal interface, only external
pass out quick on $int_if all   #don't filter on internal interface, only external
pass quick on pfsync0 proto pfsync keep state   #Allow pfsync to sync firewall states

#ICMP: allow ping from any network -JN
pass in on $br inet proto icmp from any icmp-type echoreq

#SSH: ssh ports protected from brute force by fail2ban, allow ssh into DMZ by default
pass in on any proto tcp from any to any port 22 keep state
pass out on any proto tcp from any to any port 22 keep state

##JN Rules for Firewalls
table <fw> { 140.142.217.141, 140.142.217.140 }  #JN Lister and Rimmer
pass out quick on $man_if all keep state        #We trust ourselves
##SSH: allow in from world, should be redundant, but SSH is being blocked -JN
pass in on $man_if proto tcp from any to <fw> port 22 keep state
##Block brute force attacks
table <bruteforce> persist
block quick log from <bruteforce>
pass log on $man_if inet proto tcp from any to any port ssh flags S/SA
keep state (max-src-conn 100, \
    max-src-conn-rate 15/5, overload <bruteforce> flush global)


##JN Rules for Switch 140.142.217.135, the DMZ switch
table <sw135> { 140.142.217.135 }
#pass out on $br proto { tcp, udp, icmp } from <sw135>  to any keep state
##SSH: allow in from world, already allowed by default -JN
#pass  in  on $br proto tcp from any to <sw135> port 22 keep state


##Hacker IP Addresses [LEAVE THIS RULE LAST]
table <bad> { 202.131.227.252, 220.231.54.232, 200.118.119.48 }
#addresses of known hackers
block drop in log quick on $br from <bad> to any


If anyone could point out why I can ssh into the LAN, but get blocked
by sshing to the management interface of the firewall, you have my
gratitude.
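An added example, not part of the original message, illustrating what the `<bruteforce>` overload rule above does with its `max-src-conn-rate 15/5` and `overload <bruteforce> flush global` options: a per-source sliding-window counter over TCP SYN arrivals to port 22, which moves a source into the overload set once it exceeds 15 new connections in 5 seconds and then treats its later SYNs as blocked by the `block quick log from <bruteforce>` rule. The SYN arrival list and the two source addresses are constructed; the exact moment pf's own rate check trips is assumed to be "more than the count inside the window", which is an approximation of the kernel's accounting, not a reproduction of it.

```python
"""Sliding-window simulation of pf's max-src-conn-rate / overload behaviour.
Added example with constructed input; approximates, does not reproduce, pf."""
from collections import defaultdict, deque

# From the thread's rule: max-src-conn-rate 15/5 (15 new connections per 5 s).
MAX_SRC_CONN_RATE = (15, 5)

# Constructed SYN arrivals to port 22: (seconds since start, source address).
SAMPLE_SYNS = (
    [(t * 0.2, "203.0.113.7") for t in range(25)]    # 25 SYNs in 5 s: brute-force pattern
    + [(t * 1.0, "198.51.100.9") for t in range(8)]  # 8 SYNs in 8 s: ordinary admin use
)


def simulate_overload(syns, rate=MAX_SRC_CONN_RATE):
    """Replay SYNs in time order. Returns (overloaded sources, SYNs blocked
    after overload). A source is overloaded once it has more than `count`
    new connections inside any `window`-second span; its tracked connections
    are dropped at that point, mirroring `flush global`."""
    count, window = rate
    recent = defaultdict(deque)   # per-source timestamps inside the window
    overloaded = set()            # stands in for the <bruteforce> table
    blocked = 0
    for ts, src in sorted(syns):
        if src in overloaded:
            blocked += 1          # block quick log from <bruteforce>
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # expire timestamps older than the window
        if len(q) > count:
            overloaded.add(src)   # overload <bruteforce> ...
            recent.pop(src)       # ... flush global: existing states go too
    return overloaded, blocked


if __name__ == "__main__":
    table, dropped = simulate_overload(SAMPLE_SYNS)
    print("overloaded:", sorted(table), "blocked SYNs after overload:", dropped)
```

On the constructed input the brute-forcing source is overloaded at its 16th SYN and its remaining 9 SYNs are blocked, while the admin source, which never exceeds 15 connections in any 5-second span, is untouched. Note that this rule only protects hosts whose SSH traffic actually traverses a `$man_if` rule that loads; if rules naming bond0 are silently dropped, as the later message in this thread found, the overload protection is not in effect on that path either, which `pfctl -vf` (or `pfctl -sr`) will show.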
