(private) HKS wrote:
> On Mon, Apr 6, 2009 at 2:27 PM, Chris Jones <cjo...@gdisoftware.com> wrote:
>> Good morning folks,
>>
>> I am a little bit stumped with my firewall config and need some
>> assistance. I have a Soekris net4501 with two interfaces connected. The
>> sis1 interface is connected to my macbook and the sis2 interface (vlan
>> trunk) is connected to my switch (see diagram below). I have a bridge
>> interface (bridge0) with vlan100, sis1 and ral0 as members. I
>> assume this is the best way to have multiple physical interfaces in a vlan.
>>
>>                                   .-------.
>>                                  |         |
>>                                  | macbook |
>> .------.+ sis0        .---------+ |_________|
>> |      |             /             \_________\
>> |  fw  |+ sis1 +----*
>> |      |          802.1q trunk    .----------.  vlan99 (inet)
>> !______!+ sis2 +----------------+ |  switch  | +-------------
>>    |                             !__________!
>>    +ral0     .--------.               +
>>              |        |   vlan100    /
>>              | server | ------------*
>>              |        |
>>              !________!
>>
>> With no rules loaded in PF everything works just fine. From my Macbook I
>> am able to NAT outside the network and also access everything on
>> vlan100. When I load the rules into PF I am unable to access the
>> management IP on the switch or my server, both of which are in vlan100.
>> It's obviously an issue with pf and the bridge interface, I just can't
>> seem to figure it out (see config below).
>>
>> I appreciate any advice on this.
>>
>> Cheers,
>> -Chris
>>
>>
>> hostname.sis1
>> -------------
>>
>> up
>>
>> hostname.sis2
>> -------------
>>
>> up
>>
>> hostname.vlan99
>> ---------------
>>
>> dhcp NONE NONE NONE vlan 99 vlandev sis2
>>
>> hostname.vlan100
>> ----------------
>>
>> inet 192.168.1.1 255.255.255.0 NONE vlan 100 vlandev sis2
>>
>> bridgename.bridge0
>> ------------------
>>
>> add vlan100
>> add sis1
>> add ral0
>> up
>>
>> pf.conf
>> -------
>>
>> #################################################################
>> # Macros
>>
>> ext_if="vlan99"
>> int_if="vlan100"
>> int_bridge="bridge0"
>>
>> int_net="192.168.1.0/24"
>>
>> icmp_types="echoreq"
>>
>> #################################################################
>> # Options
>>
>> set block-policy return
>> set loginterface $ext_if
>> set skip on lo
>>
>> #################################################################
>> # Traffic Normalization
>>
>> scrub in
>>
>> #################################################################
>> # NAT Rules: "rdr", "nat", "binat"
>>
>> nat on $ext_if from !($ext_if) -> ($ext_if:0)
>> nat-anchor "ftp-proxy/*"
>> rdr-anchor "ftp-proxy/*"
>>
>> rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
>> rdr on $ext_if inet proto tcp from any to ($ext_if) port 2121 \
>>        -> 192.168.1.200 port 21
>> rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 \
>>        -> 192.168.1.200 port 22
>> rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 \
>>        -> 192.168.1.200 port 80
>>
>>
>> #################################################################
>> # Filter Rules
>>
>> block in
>>
>> pass out
>>
>> anchor "ftp-proxy/*"
>>
>> antispoof quick for lo0
>>
>> pass  in log on $ext_if proto udp from any to ($ext_if:0) \
>>        port {500, 4500}
>> pass out log on $ext_if proto udp from ($ext_if:0) to any \
>>        port {500, 4500}
>>
>> pass  in log on $ext_if proto esp from any to ($ext_if:0)
>> pass out log on $ext_if proto esp from ($ext_if:0) to any
>>
>> pass  in log on enc0 proto ipencap from any to ($ext_if:0) \
>>        keep state (if-bound)
>> pass out log on enc0 proto ipencap from ($ext_if:0) to any \
>>        keep state (if-bound)
>>
>> pass  in on enc0 from 10.1.0.2/32 to any keep state (if-bound)
>> pass out on enc0 from 192.168.1.0/24 to any keep state (if-bound)
>>
>> pass in inet proto icmp all icmp-type $icmp_types
>>
>> pass in  log on $ext_if proto udp from any to port 1194
>> pass in  log on $ext_if proto tcp to ($ext_if) port ssh
>> pass in  log on $ext_if proto tcp from any to 192.168.1.200 \
>>        port 21
>> pass in  log on $ext_if proto tcp from any to 192.168.1.200 \
>>        port 22
>> pass in  log on $ext_if proto tcp from any to 192.168.1.200 \
>>        port 80
>> pass in  log on $ext_if proto tcp to ($ext_if) port smtp
>> pass out log on $ext_if proto tcp from ($ext_if) to port smtp
>>
>> pass quick on $int_if
>>
> 
> I don't know bridge interfaces, but for shits and giggles try adding:
> 
> pass quick on $int_bridge

Thanks to all that replied. I was able to fix the issue with the
following PF config.

#################################################################
# Macros

ext_if = "vlan99"
int_if = "vlan100"
int_ifs = "{" $int_if ral0 sis1 "}"

int_net = "192.168.1.0/24"

icmp_types = "echoreq"

#################################################################
# Options

set block-policy return
set loginterface $ext_if
set skip on lo

#################################################################
# Traffic Normalization

scrub in

#################################################################
# NAT Rules: "rdr", "nat", "binat"

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2121 \
        -> 192.168.1.200 port 21
rdr on $ext_if inet proto tcp from any to ($ext_if) port 2222 \
        -> 192.168.1.200 port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 \
        -> 192.168.1.200 port 80


#################################################################
# Filter Rules

block in

pass out

anchor "ftp-proxy/*"

antispoof quick for lo0

pass  in log on $ext_if proto udp from any to ($ext_if:0) \
        port {500, 4500}
pass out log on $ext_if proto udp from ($ext_if:0) to any \
        port {500, 4500}

pass  in log on $ext_if proto esp from any to ($ext_if:0)
pass out log on $ext_if proto esp from ($ext_if:0) to any

pass  in log on enc0 proto ipencap from any to ($ext_if:0) \
        keep state (if-bound)
pass out log on enc0 proto ipencap from ($ext_if:0) to any \
        keep state (if-bound)

pass  in on enc0 from 10.1.0.2/32 to any keep state (if-bound)
pass out on enc0 from 192.168.1.0/24 to any keep state (if-bound)

pass in inet proto icmp all icmp-type $icmp_types
pass in  log on $ext_if proto udp from any to port 1194
pass in  log on $ext_if proto tcp to ($ext_if) port ssh
pass in  log on $ext_if proto tcp from any to 192.168.1.200 \
        port 21
pass in  log on $ext_if proto tcp from any to 192.168.1.200 \
        port 22
pass in  log on $ext_if proto tcp from any to 192.168.1.200 \
        port 80
pass in  log on $ext_if proto tcp to ($ext_if) port smtp
pass out log on $ext_if proto tcp from ($ext_if) to port smtp

pass quick on $int_ifs
> 
> -HKS
> 

--
Chris Jones
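To make the difference between the two rule sets concrete, here is an added example (not from the thread or from PF itself): a small model of PF's last-match/quick evaluation run over the three filter rules that decide LAN traffic in each config. It assumes, as the fix that worked implies, that PF evaluates a bridged frame on the member interface it arrives on (sis1, ral0 or vlan100), so a rule on bridge0 itself never matches; the ingress points are constructed.

```python
# Added example, not part of the thread: a toy model of PF filter evaluation
# showing why "pass quick on vlan100" left frames entering on sis1/ral0 blocked
# while "pass quick on { vlan100 ral0 sis1 }" passes them.
# Assumption (consistent with the fix): PF evaluates a bridged frame on the
# member interface it arrives on; bridge0 itself is never the ingress interface.
from typing import Dict, FrozenSet, List, NamedTuple, Optional


class Rule(NamedTuple):
    action: str                   # "pass" or "block"
    direction: Optional[str]      # "in", "out", or None for both directions
    on: Optional[FrozenSet[str]]  # interfaces the rule applies to; None = any
    quick: bool = False


def evaluate(rules: List[Rule], direction: str, iface: str) -> str:
    """PF semantics: the last matching rule wins, except that a matching
    'quick' rule ends evaluation at once. With no match at all, PF passes."""
    verdict = "pass"
    for rule in rules:
        if rule.direction not in (None, direction):
            continue
        if rule.on is not None and iface not in rule.on:
            continue
        verdict = rule.action
        if rule.quick:
            break
    return verdict


# The rules that decide non-ICMP LAN traffic in the posted config; the other
# pass rules are scoped to vlan99 or enc0 and never match a LAN interface.
ORIGINAL = [Rule("block", "in", None),
            Rule("pass", "out", None),
            Rule("pass", None, frozenset({"vlan100"}), quick=True)]
# HKS's suggestion: an extra rule on the bridge interface itself.
SUGGESTED = ORIGINAL + [Rule("pass", None, frozenset({"bridge0"}), quick=True)]
# Chris's fix: list every member interface of the bridge in the macro.
FIXED = [Rule("block", "in", None),
         Rule("pass", "out", None),
         Rule("pass", None, frozenset({"vlan100", "ral0", "sis1"}), quick=True)]

# Constructed ingress points: server side (vlan100), macbook (sis1), wifi (ral0).
LAN_INGRESS = ("vlan100", "sis1", "ral0")


def inbound_verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for a LAN frame entering on each bridge member interface."""
    return {iface: evaluate(rules, "in", iface) for iface in LAN_INGRESS}


if __name__ == "__main__":
    for name, rules in (("original", ORIGINAL), ("suggested", SUGGESTED), ("fixed", FIXED)):
        print(name, inbound_verdicts(rules))
```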
