Hi,

We have two internet connections with 2 different firewalls that we want to merge into a new single pf based firewall. Connection 1 (wan1) will be used for nat-ing the internal network (lan) to the outside world and access to a few internal servers.
Connection 2 (wan2) will be used for the dmz (dmz), public servers.

wan1 212.105.x.37/32 gw: 212.105.x.2 -----|----------------|
                                          |openbsd 4.1/pf  |
                                          |default gateway:|
                                          |213.106.x.2     |
wan2 213.115.x.x/25 gw: 213.249.x.33 -----|----------------|
                                              |     |
                                              |     |
                                             lan   dmz
                                   172.16.90.1/24  192.168.78.1/25


I guess we have to use route-to and reply-to, not sure how to do it, or if there's a simpler solution by using route.
Anyone out there running a similar solution who can share their experience?

Thanks,
Johan Linner

pf.conf so far:

lan="em0"
dmz="em1"
wan1="em2"
wan2="em3"
tcpp="{21 22 80 443 3306}"
udpp="{53 123}"

table <www> const {213.115.x.5 213.115.x.6 213.115.x.7 213.115.x.11 213.115.x.126}
table <authpf_users> persist
table <blacklist> persist file "/var/log/blacklist"

set skip on lo
set loginterface $wan2
set limit { states 256000, frags 64000 }
scrub in

nat on $wan1 from $lan:network to any -> $wan1:0
nat on $wan2 from 192.168.78.5 to any -> 213.115.x.5
binat on $wan2 from 192.168.78.2 to any -> 213.115.x.1
rdr on $wan2 proto tcp from any to <www> port 80 -> 192.168.78.5
rdr on $wan1 proto tcp to port 80 -> 172.16.90.2
rdr on $wan1 proto tcp to port 22 -> 127.0.0.1

block in log
pass out quick
antispoof log quick for {$lan lo} inet

# public servers
pass in quick on $wan2 proto tcp from any to 192.168.78.5 port 80
pass in quick on $wan2 proto tcp from any to 192.168.78.2 port {25, 26, 110, 143, 443, 993}
pass in quick on $dmz proto {tcp udp} from $dmz:network to ! $lan:network
# access to internal servers
pass in quick on $wan1 inet proto tcp from <authpf_users> to 172.16.90.2 port 80
pass in log on $wan1 inet proto tcp from any to 127.0.0.1 port 22 flags S/SA modulate state (max-src-conn-rate 4/40, overload <blacklist> flush)

#lan
pass in quick on $lan inet proto tcp from $lan:network to any port $tcpp
pass in quick on $lan inet proto udp from $lan:network to any port $udpp
pass in quick on $lan inet proto {tcp udp} from $lan:network to $dmz

# ping ping
pass in inet proto icmp all icmp-type echoreq code 0 keep state

# no logging:
block return in quick on {$wan1 $wan2} proto tcp from any to any port 113
block in on {$wan1 $wan2} proto {udp tcp} from any to any port {135:139 445 1434}
