Perhaps I'm confused, but it doesn't look (from your diagram) as though
your pf machine is acting as a firewall for anything but itself.

If you want to filter traffic to your public machines, then you'll
have to either:

1) Use the pf-machine as a bridge between the "internet" ethernet
segment, and the ethernet segment with your publicly available
machines
2) Place your public machines into a DMZ, and filter/NAT/rdr traffic
to/from them via the pf machine.

On 5/5/06, Sparc <[EMAIL PROTECTED]> wrote:
Hello everyone,

                          INTERNET
                             ^
                             |
             x - - - - - [SWITCH] - - - - - - - - - - x
      [PF firewall]                        [Several publicIPs]

I am running a network with several public IP addresses that are used for 
different services, and I use PF on a dedicated box (see illustration) to 
control incoming and outgoing packets to and from these public IPs. I did 
not notice until now that they were exposed to different types of probes 
such as ping, port scanners, etc. from the Internet. Below 
are the rules I used to supposedly block incoming packets to my public IPs.

Just for info, I used the gateway address provided by my ISP, not the IP on my 
PF box. I haven't tried using the PF box as a gateway. I don't think it's going to 
work.

----------------------------
# M A C R O S
ext_if="sis0"
int_if="xl0"
serversPUB="{ my.pub.lic.1, my.pub.lic.2, my.pub.lic.3, etc... }"
www_virt="my.pub.lic.1"

# O P T I O N S
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo0

# N O R M A L I Z A T I O N
scrub in all

# N A T  /  R D R
#xlation gateway

# F I L T E R
#protect public and local address [ incoming, outgoing ]
block all
pass quick on lo0 all
antispoof log quick for { $ext_if, $int_if } inet

# I tried to tweak this with different scenarios, doesn't work
block drop in on $ext_if inet from any to $serversPUB
pass in on $ext_if proto tcp from any to $www_virt port { www, https } \
          flags S/SA synproxy state
--------------------------------------

As you can see only a few rules are put here above just to give you an
idea how I did the blocking. The other rules with my services so far
are continuously going well. I just don't want to permit incoming
packets directly to my public IPs; that is why I have the PF box as my
firewall, to centrally manage incoming and outgoing traffic.

On the above BLOCK rule, I supposed it blocks all incoming packets on
$ext_if through $serversPUB. Unfortunately it doesn't. I have bought
OpenBSD books, including Building Firewalls with OpenBSD PF by Jacek,
and read lots of articles about rules in pf, but haven't found one that
is similar to my setup; everything uses NAT / RDR to access services
(e.g. webserver, etc.). Here, I didn't use rdr because it uses a public
IP as stated in MACROS.

I appreciate your help so much.

Thanks,
-Sparc
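The reply's first option, the pf box as a transparent bridge, is the one that fits the macros Sparc already has (sis0 facing the ISP switch, xl0 facing the servers). What follows is an added example pf.conf for that layout; it is not code from the thread, and the interface names, the placeholder addresses and the assumed /etc/hostname.bridge0 contents are all illustrative. The point it makes is that pf can only block what actually crosses one of its interfaces: once both segments are members of the same bridge, every packet for the public servers passes through the pf box and the inbound filter finally sees it.

```pf
# Added example, not from the original mail: pf as a transparent bridge
# between the ISP-facing segment (sis0) and the segment holding the public
# servers (xl0). Assumes /etc/hostname.bridge0 contains three lines:
#   add sis0
#   add xl0
#   up
# so both NICs are members of bridge0 and the public servers are cabled
# behind xl0 rather than directly into the ISP switch. No IP forwarding
# or NAT is involved; the servers keep their public IPs unchanged.

ext_if="sis0"        # bridge member facing the ISP switch
int_if="xl0"         # bridge member facing the public servers
serversPUB="{ my.pub.lic.1, my.pub.lic.2, my.pub.lic.3 }"   # placeholders
www_virt="my.pub.lic.1"

set block-policy drop
set loginterface $ext_if
# Filter once, on the outside member. Skipping the inside member avoids
# evaluating the same packet a second time as it leaves the bridge.
set skip on { lo0, $int_if }

scrub in all

# Default deny with logging, so probes that reach the servers show up on
# pflog0 instead of silently arriving at the hosts.
block log all

# Only the web service on the web host is reachable from the Internet.
# synproxy makes the bridge complete the TCP handshake before the server
# sees the connection, as in the original rule.
pass in on $ext_if proto tcp from any to $www_virt port { www, https } \
    flags S/SA synproxy state

# The servers may initiate outbound connections; state lets the replies
# back in through the same interface.
pass out on $ext_if proto { tcp, udp, icmp } from $serversPUB to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` while pinging or port-scanning a public IP from outside: with the servers behind the bridge, the probe now appears as a logged block instead of being answered by the host. Two caveats: pf filters IP traffic only, so ARP and other non-IP frames still cross the bridge unfiltered, and the second option in the reply (a routed DMZ behind the pf box) needs the ISP to route the public prefix to the pf box's external address, which is the part Sparc says he has not tried.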
