Hi,
In a previous message (about a week ago?) I mentioned plans
to replace a current firewall with a pf-based one. I gave
a little outline of things I'd jot down on "paper". Well,
this weekend, I spent some time putting the actual pf.conf
together, and debugging some mistakes (oversights).
Anyway, I got it to a point where I felt confident to do a
test run in production. I swapped out the production firewall
box with the pf-based one.
I've been monitoring the traffic to see any anomalies, or things
that I may have missed. Kinda QA-ing if you will. One thing
I did notice is that my iBook is spewing lots of crap, but this
message isn't about that :)
While monitoring pflog0 I noticed a blocked packet from one of
my web-servers to 68.142.250.133. I didn't understand why that
was. So I ran:
# tcpdump -n -e -ttt -r /var/log/pflog host 68.142.250.133
tcpdump: WARNING: snaplen raised from 96 to 116
Apr 23 19:59:26.010917 rule 2/(match) block out on de2: 68.142.250.133.45648 > a.b.c.d.80: S 3164412190:3164412190(0) win 5840 <mss 1460,sackOK,timestamp 103193913[|tcp]> (DF)
Apr 23 20:00:59.803910 rule 2/(match) block in on de1: a.b.c.d.80 > 68.142.250.133.45648: S 873225897:873225897(0) ack 3164412191 win 5792 <mss 1460,sackOK,timestamp 431195378[|tcp]> (DF)
Here is my set-up from my earlier post:
#                  /Internet/
#                      |
#                 [DSL Router]
#                   .1 |
#                      |
#   __WIFI__         (de0)          ___DMZ___
#               +----+----+           .2 www1
#   --X--(b)    |    PF   |(de1)---   .3 www2
#   (down)      +----+----+           .4 dns1
#                    (de2)            .5 mail1
#                      |
#                      |
#                   __LAN__
#              .11 .12 .13 .14
What I'm confused about is why the original packet
from 68.142.250.133 tried to go out on the de2 interface and not
on de1 as it should have.
The pf-based box is running a 'cvs up -rOPENBSD_3_9 -dP'
build.
All my pf filtering uses pass with tag on the entry
interface, then pass tagged on the outgoing interfaces.
Blocking by default. I'm not using any rdr, nat, etc.
e.g.,
pass in on de0 from any to $web_server port www \
flags S/SA keep state tag NET2DMZ
pass out quick on de1 all keep state tagged NET2DMZ
Nothing is accepted on de0 destined for anything other
than <dmz_grp>.
Is there more info I can provide? What else should I
look for?
I obviously have ip forwarding enabled. All four
interfaces are bridged together, though currently the
wifi interface is disabled.
Is this something where I need to use route-to to "force"
traffic to the proper "internal" interface that contains the
destination host address?
Any thoughts on the matter are appreciated!
--patrick
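An added example, written by the editor and not part of the original post: a small Python parser for pflog records in the form printed by the tcpdump command above, which pairs both directions of a connection into one flow and tallies blocks per interface and direction. Run on the two lines quoted in the post it shows that the SYN blocked "out on de2" and the SYN/ACK blocked "in on de1" are the two halves of the same TCP handshake. The sample input is the post's own two log lines, unwrapped onto one line each; the host a.b.c.d is the post's redaction placeholder and is kept as an opaque token; the rule/flag handling assumes the OpenBSD 3.9-era pflog line format shown above.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample input: the two pflog lines quoted in the post, each
# unwrapped onto a single line (the mailer had folded them).
SAMPLE_LOG = [
    "Apr 23 19:59:26.010917 rule 2/(match) block out on de2: "
    "68.142.250.133.45648 > a.b.c.d.80: S 3164412190:3164412190(0) win 5840 "
    "<mss 1460,sackOK,timestamp 103193913[|tcp]> (DF)",
    "Apr 23 20:00:59.803910 rule 2/(match) block in on de1: "
    "a.b.c.d.80 > 68.142.250.133.45648: S 873225897:873225897(0) ack 3164412191 "
    "win 5792 <mss 1460,sackOK,timestamp 431195378[|tcp]> (DF)",
]

# One pflog record as printed by "tcpdump -n -e -ttt -r /var/log/pflog" on
# OpenBSD 3.9: timestamp, "rule N/(reason) action dir on ifname:", then the
# usual tcpdump TCP line.  The rule field is kept as text so anchor-qualified
# rule names from later pf versions still parse (assumption, not verified here).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+[\d:.]+)\s+"
    r"rule\s+(?P<rule>[\w.]+)/\d*\((?P<reason>[^)]+)\)\s+"
    r"(?P<action>\w+)\s+(?P<direction>in|out)\s+on\s+(?P<ifname>\S+):\s+"
    r"(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+(?P<rest>.*)$"
)


@dataclass(frozen=True)
class PfLogEntry:
    ts: str
    rule: str
    reason: str
    action: str
    direction: str
    ifname: str
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    flags: str  # pf-style TCP flag letters: "S" for SYN, "SA" for SYN/ACK


def split_hostport(token: str) -> tuple[str, int]:
    """Split tcpdump's host.port token on its last dot.  Only valid for TCP/UDP
    records, where tcpdump always appends a port; a redacted host such as the
    post's a.b.c.d is kept as an opaque string."""
    host, _, port = token.rpartition(".")
    return host, int(port)


def tcp_flags(rest: str) -> str:
    """Turn tcpdump's flag token plus its 'ack N' marker into pf's S/A/F/R/P letters."""
    first = rest.split(" ", 1)[0]          # e.g. "S", "P", "F", ".", "R"
    flags = "".join(ch for ch in first if ch in "SFRPUE")
    if re.search(r"\back\b", rest):        # 'ack N' means the ACK bit is set
        flags += "A"
    return flags


def parse_pflog_line(line: str):
    m = LINE_RE.match(line)
    if m is None:
        return None
    src_host, src_port = split_hostport(m.group("src"))
    dst_host, dst_port = split_hostport(m.group("dst"))
    return PfLogEntry(
        ts=m.group("ts"), rule=m.group("rule"), reason=m.group("reason"),
        action=m.group("action"), direction=m.group("direction"),
        ifname=m.group("ifname"),
        src_host=src_host, src_port=src_port,
        dst_host=dst_host, dst_port=dst_port,
        flags=tcp_flags(m.group("rest")),
    )


def parse_pflog(lines):
    return [e for e in (parse_pflog_line(l) for l in lines) if e is not None]


def flow_key(e: PfLogEntry) -> frozenset:
    """Direction-independent key: both halves of a connection map to one flow."""
    return frozenset({(e.src_host, e.src_port), (e.dst_host, e.dst_port)})


def group_flows(entries):
    """Group records by flow, keeping log order within each flow."""
    flows = defaultdict(list)
    for e in entries:
        flows[flow_key(e)].append(e)
    return dict(flows)


def blocks_per_interface(entries) -> Counter:
    """Count 'block' records by (ifname, direction): a quick way to see which
    interface is dropping traffic you expected to pass on another one."""
    return Counter((e.ifname, e.direction) for e in entries if e.action == "block")


def describe_flow(entries) -> list[str]:
    """Render a flow as 'dir on ifname flags src -> dst', one line per record."""
    return [f"{e.direction} on {e.ifname} {e.flags:<3} {e.src_host}:{e.src_port} -> "
            f"{e.dst_host}:{e.dst_port}" for e in entries]


if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_LOG)
    for key, recs in group_flows(entries).items():
        print("flow", sorted(key))
        for line in describe_flow(recs):
            print("  ", line)
    print(dict(blocks_per_interface(entries)))
```

Feed it the unwrapped output of `tcpdump -n -e -ttt -r /var/log/pflog` and the per-flow view makes it obvious when a single connection is being logged on two different interfaces, which is the first thing to pin down before reaching for route-to.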