On Mon, Apr 6, 2009 at 2:27 PM, Chris Jones <cjo...@gdisoftware.com> wrote:
> Good morning folks,
>
> I am a little bit stumped with my firewall config and need some
> assistance. I have a Soekris net4501 with two interfaces connected. The
> sis1 interface is connected to my macbook and the sis2 interface (vlan
> trunk) is connected to my switch (see diagram below). I have a bridge
> interface (bridge0) with vlan100, sis1 and ral0 as members. I
> assume this is the best way to have multiple physical interfaces in a vlan.
>
>                                   .---------.
>                                   |         |
>                                   | macbook |
>   .------.+ sis0                  |_________|
>   |      |                             /
>   |  fw  |+ sis1 +--------------------*
>   |      |        802.1q trunk     .----------.   vlan99 (inet)
>   !______!+ sis2 +-----------------+  switch  +-------------
>      |                             !__________!
>      +ral0           .--------.         +
>                      |        |   vlan100 /
>                      | server |------------*
>                      |        |
>                      !________!
>
> With no rules loaded in PF everything works just fine. From my Macbook I
> am able to NAT outside the network and also access everything on
> vlan100. When I load the rules into PF I am unable to access the
> management IP on the switch or my server, both of which are in vlan100.
> It's obviously an issue with pf and the bridge interface, I just can't
> seem to figure it out (see config below).
>
> I appreciate any advice on this.
>
> Cheers,
> -Chris
>
>
> hostname.sis1
> -------------
>
> up
>
> hostname.sis2
> -------------
>
> up
>
> hostname.vlan99
> ---------------
>
> dhcp NONE NONE NONE vlan 99 vlandev sis2
>
> hostname.vlan100
> ----------------
>
> inet 192.168.1.1 255.255.255.0 NONE vlan 100 vlandev sis2
>
> bridgename.bridge0
> ------------------
>
> add vlan100
> add sis1
> add ral0
> up
>
> pf.conf
> -------
>
> #################################################################
> # Macros
>
> ext_if="vlan99"
> int_if="vlan100"
> int_bridge="bridge0"
>
> int_net="192.168.1.0/24"
>
> icmp_types="echoreq"
>
> #################################################################
> # Options
>
> set block-policy return
> set loginterface $ext_if
> set skip on lo
>
> #################################################################
> # Traffic Normalization
>
> scrub in
>
> #################################################################
> # NAT Rules: "rdr", "nat", "binat"
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 2121 \
>     -> 192.168.1.200 port 21
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 \
>     -> 192.168.1.200 port 22
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 \
>     -> 192.168.1.200 port 80
>
>
> #################################################################
> # Filter Rules
>
> block in
>
> pass out
>
> anchor "ftp-proxy/*"
>
> antispoof quick for lo0
>
> pass in log on $ext_if proto udp from any to ($ext_if:0) \
>     port {500, 4500}
> pass out log on $ext_if proto udp from ($ext_if:0) to any \
>     port {500, 4500}
>
> pass in log on $ext_if proto esp from any to ($ext_if:0)
> pass out log on $ext_if proto esp from ($ext_if:0) to any
>
> pass in log on enc0 proto ipencap from any to ($ext_if:0) \
>     keep state (if-bound)
> pass out log on enc0 proto ipencap from ($ext_if:0) to any \
>     keep state (if-bound)
>
> pass in on enc0 from 10.1.0.2/32 to any keep state (if-bound)
> pass out on enc0 from 192.168.1.0/24 to any keep state (if-bound)
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> pass in log on $ext_if proto udp from any to port 1194
> pass in log on $ext_if proto tcp to ($ext_if) port ssh
> pass in log on $ext_if proto tcp from any to 192.168.1.200 \
>     port 21
> pass in log on $ext_if proto tcp from any to 192.168.1.200 \
>     port 22
> pass in log on $ext_if proto tcp from any to 192.168.1.200 \
>     port 80
> pass in log on $ext_if proto tcp to ($ext_if) port smtp
> pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>
> pass quick on $int_if
>
I don't know bridge interfaces, but for shits and giggles try adding:

pass quick on $int_bridge

-HKS
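Added example, not from either poster: a diagnostic step and a candidate fix for the quoted pf.conf. It assumes that pf evaluates frames crossing an OpenBSD bridge on the member interface they enter (sis1 or ral0) rather than on bridge0, so that "pass quick on $int_if" never matches a frame coming from the macbook and the default "block in" drops it; the first step verifies that assumption on pflog0 before anything is changed.

```conf
# --- Step 1: make the default block log, then confirm on pflog0 ---
# Replace the quoted "block in" with:
block in log

# On the firewall:
#   pfctl -f /etc/pf.conf
#   tcpdump -n -e -ttt -i pflog0
# If a drop for macbook -> server traffic shows up as
#   "block in on sis1: ..."       (constructed shape of the pflog line)
# the frame was filtered on the bridge member, not on vlan100, and
# "pass quick on $int_if" (vlan100) cannot be expected to match it.

# --- Step 2: pass the bridge members, not only the VLAN ---
int_if="vlan100"
bridge_members="{ sis1 ral0 }"       # added macro, assumption: both are
                                     # bridge0 members as in bridgename.bridge0

# Quoted rule: only matches packets whose receive interface is vlan100
pass quick on $int_if

# Added: frames entering from the macbook (sis1) or wireless (ral0) and
# bridged toward vlan100 are evaluated "in on sis1" / "in on ral0"
pass quick on $bridge_members

# Alternative if no filtering on the members is wanted at all
# (traffic is then only checked on vlan100/vlan99):
# set skip on $bridge_members
```

Rules on $ext_if (vlan99) are untouched, so the NAT and rdr rules keep filtering the trunk side as before.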