On Saturday 09 September 2006 15:21, you wrote:
> I would only filter traffic on ONE interface, as is often recommended
> in applicable documentation -- e.g. just filter traffic on your $WAN
> interface. It's very hard to get things right when filtering on two
> interfaces.

Agreed. Oops, the pass in on $LAN was just a test to see if it made a difference. It's not there anymore.

> So I would default deny (block all), then pass quick on
> $LAN and then pass on $WAN as required.

Since I'm not blocking on LAN I did not bother, but I included it to see if it helps. It does not.

> Also, you don't seem to be passing proto tcp, port 80 traffic from
> <managers> (ie. 192.168.0.2) to the 10.1.0.34 box on the $WAN
> interface? Keep in mind that <http-managers> contains only google.com

Ah, an out-of-date note I forgot to update during my testing.

> and <admins> is empty.

I also added proper data to all table files to ensure it does not mess things up. Though the persist command should allow for empty files.

> You're passing traffic from 10.1.0.34 to any
> port 80 on the $LAN interface, but not on the $WAN one. I think
> there's your reason you can't websurf to 10.1.0.34.

That's what "pass out log on $WAN proto tcp from <managers> to <http-managers> port $Web keep state" is supposed to do. Managers contains 192.168.0.2, which I'm testing from, and http-managers contains google.com. If I replace the <managers> statement with 192.168.0.2 it works.

> As for google.com, I'm not sure, but I think it might have something
> to do with the fact that google.com resolves to multiple IPs in a
> round robin fashion -- and your <http-managers> only resolves to just

Nah, that does not seem to be a problem. But I added openbsd.com.
> cheers,
> Jens

-- UPDATED --

## Macros
# Interfaces
WAN="bge0"
LAN="xl0"
LANip="192.168.0.0/24"
RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/24 }"
#RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
Web="{ 80, 443 }"
# pf macro names may contain only letters, digits and underscores,
# so the server macros use "_" rather than "-" (a "$Web-server" reference
# would expand "$Web" and leave "-server" dangling).
Web_server="192.168.0.10"
Ftp="21"
Ftp_server="192.168.0.11"

## Tables
table <admins> persist file "/etc/tAdmins"
#table <managers> persist file "/etc/tManagers"
table <managers> { 192.168.0.2 }
table <operators> persist file "/etc/tOperators"
#table <http-managers> persist file "/etc/tHttp-managers"
table <http-managers> { google.com, openbsd.com }
table <http-operators> persist file "/etc/tHttp-operators"
table <customers> persist file "/etc/tCustomers"
table <extadmin> persist file "/etc/tExtadmin"

## Options

## Traffic Normalization
scrub in all

## Bandwidth Management
# External Queues: we usually have 1000Mb internal, 4Mb on cable, and 3Mb on DSL
altq on $WAN cbq bandwidth 3000Kb queue { ssh, http-out, http-in, ftp-in, mail, dns, ftp, misc }
#queue LOCAL bandwidth 98456Kb cbq(borrow)
queue ftp-in bandwidth 12% priority 4 cbq(borrow red)
queue http-in bandwidth 13% priority 4 cbq(borrow red)
queue http-out bandwidth 25% priority 3 cbq(borrow red) { develusers, normalusers }
queue develusers bandwidth 50% cbq(borrow)
queue normalusers bandwidth 50% cbq(borrow)
queue mail bandwidth 10% priority 1 cbq(borrow ecn)
queue dns bandwidth 5% priority 5 cbq(borrow ecn)
queue ftp bandwidth 15% priority 2 cbq(borrow ecn)
queue ssh bandwidth 10% priority 6 cbq(borrow) { ssh_interactive, ssh_bulk }
queue ssh_interactive bandwidth 50% cbq(borrow)
queue ssh_bulk bandwidth 50% cbq(borrow)
queue misc bandwidth 10% cbq(borrow,default)

## Translations
#special = "{ 10.2.1.10 }"
#no nat on $WAN from $special to any
#nat on $WAN from $LAN to any -> $WAN
#binat on $WAN from $special to any -> $WAN
nat on $WAN from $LAN:network to any -> $WAN

## Redirection

## Packet Filtering
# Allow all loopback traffic.
pass quick on lo0
# Pass all on LAN i/f
pass quick on $LAN

# Default deny.
block in log quick on $WAN from $RFC1918
block in log on $WAN
block out log on $WAN

# Allow basic networking communication
pass in log on $WAN proto icmp from any to any keep state
pass out log on $WAN inet proto icmp all icmp-type 8 code 0 keep state

# Allow dns and ntp out
pass out log on $WAN proto udp from any to any port 53 keep state
pass out log on $WAN proto udp from any to any port 123 keep state

# Allow ssh in and out
pass in log on $WAN proto tcp from any to any port 22 keep state
pass out log on $WAN proto tcp from any to any port 22 keep state

# Allow web out based on tables
pass out log on $WAN proto tcp from <admins> to any port $Web keep state
pass out log on $WAN proto tcp from <managers> to <http-managers> port $Web keep state
pass out log on $WAN proto tcp from <operators> to <http-operators> port $Web keep state

# Allow web and ftp in based on table
#pass in log on $WAN proto tcp from <customers> to $Web_server port $Web
#pass in log on $WAN proto tcp from <customers> to $Ftp_server port $Ftp

-- 
Steve Szmidt

"To enjoy the right of political self-government, men must be capable of personal self-government - the virtue of self-control. A people without decency cannot be secure in its liberty.
From the Declaration Principles
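A check for the "why is <managers> web traffic not passing" question in the thread above, added here as an editor's example and not code from the original post or from the pf project: because the block rules carry `log`, `tcpdump -n -e -ttt -i pflog0` (or `-r /var/log/pflog`) prints, for every dropped packet, the number of the rule that matched, the verdict, the direction and the interface, and `pfctl -vvsr` maps that number back to the rule text. The script parses lines in that layout and also validates the body of a `persist file` table. The sample pflog lines and the sample table file are constructed for the example, not captured from the firewall in the post, and the function names are mine. One caveat worth ruling out on pf of that vintage (OpenBSD 3.x/4.0): `nat` rules are applied before the filter rules on outbound packets, so a `pass out on $WAN from <managers>` rule, and the pflog line for a packet it fails to match, see the translated source, which is $WAN's address rather than 192.168.0.2. Compare the logged source with `pfctl -t managers -T show` before concluding the table is at fault.

```python
"""Parse tcpdump pflog lines and pf table files to see which rule drops a flow.

Added example; assumes tcpdump's pflog layout
"rule N/(match) ACTION DIR on IFACE: SRC.PORT > DST.PORT: ...".
"""
import ipaddress
import re
from collections import Counter

# One pflog line per logged packet. We only need the rule number, the verdict,
# the direction, the interface and the two endpoints.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<iface>\w+): (?P<src>\S+) > (?P<dst>\S+):"
)


def split_endpoint(endpoint):
    """'192.168.0.2.34567' -> ('192.168.0.2', 34567); IPv4 only, as in the post."""
    host, port = endpoint.rsplit(".", 1)
    return host, int(port)


def parse_pflog(lines):
    """Return one dict per parseable pflog line; other output is skipped."""
    records = []
    for line in lines:
        m = PFLOG_RE.search(line)
        if not m:
            continue
        src, sport = split_endpoint(m.group("src"))
        dst, dport = split_endpoint(m.group("dst"))
        records.append({
            "rule": int(m.group("rule")), "action": m.group("action"),
            "dir": m.group("dir"), "iface": m.group("iface"),
            "src": src, "sport": sport, "dst": dst, "dport": dport,
        })
    return records


def blocks_by_rule(records):
    """Blocked packets per (rule number, direction, interface).
    Map the rule numbers back to rule text with 'pfctl -vvsr'."""
    return Counter((r["rule"], r["dir"], r["iface"])
                   for r in records if r["action"] == "block")


def blocked_web_from(records, src, web_ports=(80, 443)):
    """Blocked packets whose logged source is 'src' and whose destination is a
    web port. On 'out on $WAN' the logged source is the address the filter
    saw, i.e. after nat, so a LAN address here means nat was not applied."""
    return [r for r in records
            if r["action"] == "block" and r["src"] == src and r["dport"] in web_ports]


def check_table_file(text):
    """Validate a 'table <x> persist file' body: one address or CIDR per line,
    '#' comments and blank lines allowed. Hostnames are reported separately
    because pfctl resolves them once, when the ruleset is loaded."""
    addrs, hostnames, invalid = [], [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            addrs.append(str(ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            if re.fullmatch(r"[A-Za-z0-9.-]+", entry):
                hostnames.append(entry)
            else:
                invalid.append(entry)
    return {"addresses": addrs, "hostnames": hostnames, "invalid": invalid}


# Constructed sample pflog output (not a real capture) in tcpdump's layout.
SAMPLE_PFLOG = """\
000000 rule 3/(match) block out on bge0: 192.168.0.2.34567 > 64.233.167.99.80: S 1:1(0) win 16384
000123 rule 7/(match) pass out on bge0: 192.168.0.2.34568 > 129.128.5.191.80: S 2:2(0) win 16384
000045 rule 2/(match) block in on bge0: 10.0.0.77.4444 > 10.1.0.34.22: S 3:3(0) win 5840
000010 rule 3/(match) block out on bge0: 192.168.0.5.40000 > 64.233.167.99.443: S 4:4(0) win 16384
a line tcpdump would not print
"""

# Constructed table file body in the layout 'persist file' expects.
SAMPLE_TABLE = """\
# managers
192.168.0.2
192.168.0.0/24   # whole LAN, for comparison
google.com
bogus entry
"""

if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG.splitlines())
    for (rule, direction, iface), n in sorted(blocks_by_rule(recs).items()):
        print("rule %d %s on %s: %d blocked" % (rule, direction, iface, n))
    print(blocked_web_from(recs, "192.168.0.2"))
    print(check_table_file(SAMPLE_TABLE))
```

Feed it real output with `tcpdump -n -e -ttt -r /var/log/pflog | python3 pflog_check.py` after replacing the sample lines with `sys.stdin`; the rule numbers it reports are the ones `pfctl -vvsr` prints as `@N` in front of each rule.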