I've got a problem where I have a couple of OpenBSD firewalls
running in a redundant configuration using carp, and have found
that CentOS 5.5 (Linux) boxes running on a protected network, if
they have avahi-daemon running, will cause the OpenBSD kernels to lock
up hard. This is very reproducable.
While I can avoid the problem by not running avahi-daemon on the
Linux machines, I'd really prefer to find the source of the problem
on the OpenBSD side and fix it. From my perspective, there is nothing
that a remote host should be able to do that should lock up a
an OpenBSD kernel. (And lest anyone be offended by my calling it a
problem on the OpenBSD side, I'm quite willing to believe that there
is bad ju-ju in my config and am not necessarily blaming OpenBSD per se.)
If anyone has suggestions on how I can proceed to diagnose the problem,
I would appreciate it.
Details follow.
======================================================================
Okay, the short version is that I noticed the problem weeks back that
whenever I booted or shut down a new CentOS 5.5 box, it would cause one
of the two redundant firewalls to lock up. The firewalls are Soekris
net5501-70 machines, with the hardware watchdog enabled. So eventually
the watchdog would kick the firewall and it would come back.
Over a period of time I worked on elimination of various potential
problem areas, such as doing memory checks, checking for bad power,
power overloads, etc. Without going into the details, I was able to
narrow it down to the point that the lockup was reproducable *every*
time avahi-daemon on the Linux box was started or stopped, *and* both
firewalls in the carp cluster were running. If avahi-daemon is
disabled or if the secondary firewall is shut down, there is no problem.
There is no kernel panic on the OpenBSD side; it just locks up hard.
There are no interesting diagnostics in either the OpenBSD or Linux
logs. Running tcpdump shows that the avahi multicast traffic is the
last thing that occurs on the DMZ before the kernel locks up.
Most of the time, shutting down the CentOS host will kill the firewall
that is normally the backup, and starting up the CentOS host will kill
the firewall that is normally the primary, however I've seen the shutdown
kill the primary on occasion although I cannot definitively say that
the nominal primary was in fact the current master on the carp devices
on these occasions.
I have verified that this occurs with a bare-bones 64 bit CentOS
installation; although the original machine that triggered this is
a xen server, I've verified that it can happen with a non-xen server.
Interestingly, though, not all CentOS boxes will trigger this behavior;
there are CentOS 5.5 machines on both the DMZ and the internal network
that can be rebooted without affecting the firewall, and I've verified
that they also have avahi-daemon running.
I provide more details on the topology and environment below.
I *could* simplify my topology to see if that eliminates the problem,
but wanted to see if anyone has any ideas first in case a config change
causes the problem to go away without knowing why; I'd rather fix the
problem than avoid it.
I've attached various config files below, sanitized by running them
through perl (so the substitutions are at least self-consistent). If someone
is willing to look at this in depth and needs the raw configs, contact me
directly.
Description of Environment
==========================
The topology is too ugly for ascii art, so I'll just describe it. Both
soekris boxes use the following config:
vr0: switch to dmz
vr1: switch to upstream 1 demarc
vr2: switch to upstream 2 demarc
vr3: switch to guest network
fxp0: switch to internal network
Until I get a two-port lan card, pfsync is occuring via vr0 (the dmz link).
All switches are consumer grade non-managed DLink DGS-1005G or DGS-1008G
10/100/1000 Mb switches. I've tried other non-managed switches and the
problem persists.
I have seen the problem with "clean install" CentOS 5.5 servers in
the DMZ, both 64 bit, with slightly different hardware. One has a
Intel Pro/1000 NIC, the other uses an RTL8168b/8111b. However, I also
have other CentOS 5.5 machines both in the DMZ and on the internal
net which do *not* trigger the problem. These others are mix of 32 and
64 bit machines.
Both upstreams use static IPs. Upstream 1 has been in operation for
a few years with an older single-host non-Soekris OpenBSD firewall,
and everything including the DMZ used NAT (with RFC-1918 IPs).
With the introduction of upstream 2, the DMZ will be moved to routable
IPs. Currently the DMZ is mixed, with most hosts being private IPs
and one (not yet production) host having a routable address. The CentOS
boxes that trigger the problem are both using routable addresses (I
don't know if that's relevant). The pf config is such that
traffic for the routable IPs will be via upstream 2 and traffic for the
NAT'd IPs will be via upstream 1.
The DMZ host and the firewalls are on separate UPSes (three in total).
The switches in question are distributed between the two firewall UPSes.
The firewalls are OpenBSD 4.7 (GENERIC) with patches 001 through 006
applied.
Temps on the Soekris boxes are warm but not hot. The primary's are:
hw.sensors.nsclpcsio0.temp0=87.00 degC (Remote)
hw.sensors.nsclpcsio0.temp1=127.00 degC (Remote)
hw.sensors.nsclpcsio0.temp2=69.00 degC (Local)
The backup's are:
hw.sensors.nsclpcsio0.temp0=88.00 degC (Remote)
hw.sensors.nsclpcsio0.temp1=127.00 degC (Remote)
hw.sensors.nsclpcsio0.temp2=65.00 degC (Local)
primary /etc/hostname.vr0:
inet alias CCC.CCC.CCC.2 255.255.255.0
inet alias 192.168.FFF.2 255.255.255.0
primary /etc/hostname.vr1:
inet BBB.BBB.BBB.FW1 255.255.255.248
!/sbin/route -qn add -host -mpath default BBB.BBB.BBB.GW
primary /etc/hostname.vr2:
up
primary /etc/hostname.vr3:
inet 192.168.EEE.2 255.255.255.0
primary /etc/hostname.fxp0:
inet 192.168.DDD.2 255.255.255.0
primary /etc/hostname.carp0:
inet CCC.CCC.CCC.1 255.255.255.0 NONE vhid 1 pass PASSWORD1
inet alias 192.168.FFF.1 255.255.255.0
primary /etc/hostname.carp1:
inet BBB.BBB.BBB.CRP 255.255.255.248 NONE vhid 2 pass PASSWORD2
primary /etc/hostname.carp2:
inet AAA.AAA.AAA.C1 255.255.252.0 NONE vhid 3 pass PASSWORD5 carpdev vr2
inet alias AAA.AAA.AAA.C2 255.255.252.0
!/sbin/route -qn add -host -mpath default AAA.AAA.AAA.GW
primary /etc/hostname.carp3:
inet 192.168.EEE.1 255.255.255.0 NONE vhid 4 pass PASSWORD3
primary /etc/hostname.carp4:
inet 192.168.DDD.1 255.255.255.0 NONE vhid 5 pass PASSWORD4
primary sysctl.conf (stripped of comments):
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.carp.preempt=1
ddb.panic=0
kern.watchdog.period=32
kern.watchdog.auto=1
primary /etc/rc.conf.local:
ntpd_flags=-s
watchdogd_flags=
ftpproxy_flags="-r -A -p 8022 -R 192.168.FFF.12"
dhcpd_flags="-y CCC.CCC.CCC.2 -Y CCC.CCC.CCC.3 vr0 vr3 fxp0"
spamd_flags="-v"
spamd_black=YES
named_flags=""
secondary /etc/hostname.vr0:
inet alias CCC.CCC.CCC.3 255.255.255.0
inet alias 192.168.FFF.3 255.255.255.0
secondary /etc/hostname.vr1:
inet BBB.BBB.BBB.FW2 255.255.255.248
!/sbin/route -qn add -host -mpath default BBB.BBB.BBB.GW
secondary /etc/hostname.vr2:
up
secondary /etc/hostname.vr3:
192.168.EEE.3 255.255.255.0
secondary /etc/hostname.fxp0:
inet 192.168.DDD.3 255.255.255.0
secondary /etc/hostname.carp0:
inet CCC.CCC.CCC.1 255.255.255.0 NONE vhid 1 pass PASSWORD1 advskew 100
inet alias 192.168.FFF.1 255.255.255.0
secondary /etc/hostname.carp1:
inet BBB.BBB.BBB.CRP 255.255.255.248 NONE vhid 2 pass PASSWORD2 advskew
100
secondary /etc/hostname.carp2:
inet AAA.AAA.AAA.C1 255.255.252.0 NONE vhid 3 pass PASSWORD5 advskew
100 carpdev vr2
inet alias AAA.AAA.AAA.C2 255.255.252.0
!/sbin/route -qn add -host -mpath default AAA.AAA.AAA.GW
secondary /etc/hostname.carp3:
inet 192.168.EEE.1 255.255.255.0 NONE vhid 4 pass PASSWORD3 advskew 100
secondary /etc/hostname.carp4:
inet 192.168.DDD.1 255.255.255.0 NONE vhid 5 pass PASSWORD4 advskew 100
secondary sysctl.conf (stripped of comments):
net.inet.ip.forwarding=1
net.inet6.ip6.forwarding=1
net.inet.carp.preempt=1
ddb.panic=0
kern.watchdog.period=32
kern.watchdog.auto=1
secondary /etc/rc.conf.local:
ntpd_flags=-s # enabled during install
watchdogd_flags=
ftpproxy_flags="-r -A -p 8022 -R 192.168.FFF.12"
dhcpd_flags="-y CCC.CCC.CCC.3 -Y CCC.CCC.CCC.2 vr0 vr3 fxp0"
spamd_flags="-v"
spamd_black=YES
/etc/pf.conf (primary and secondary) is at the end of the email
primary dmesg:
, rev. 3: OUI 0x004063, model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address
00:00:24:cb:a8:cd
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address
00:00:24:cb:a8:ce
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address
00:00:24:cb:a8:cf
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
fxp0 at pci0 dev 14 function 0 "Intel 8255x" rev 0x10, i82551: irq 10, address
00:07:e9:08:8c:ec
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 1: <Crucial CT32GBFAB0>
wd0: 1-sector PIO, LBA48, 31472MB, 64454656 sectors
wd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0,
legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask e1c7 netmask ffe7 ttymask ffff
mtrr: K6-family MTRR support (2 registers)
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
carp0: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp2: state transition: BACKUP -> MASTER
carp3: state transition: BACKUP -> MASTER
carp4: state transition: BACKUP -> MASTER
OpenBSD 4.7 (GENERIC) #1: Thu Jul 8 21:36:29 MDT 2010
r...@fw1.example.com:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500
MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 536440832 (511MB)
avail mem = 511062016 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
io address conflict 0x6100/0x100
io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address
00:00:24:cb:a8:cc
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address
00:00:24:cb:a8:cd
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address
00:00:24:cb:a8:ce
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address
00:00:24:cb:a8:cf
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
fxp0 at pci0 dev 14 function 0 "Intel 8255x" rev 0x10, i82551: irq 10, address
00:07:e9:08:8c:ec
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 1: <Crucial CT32GBFAB0>
wd0: 1-sector PIO, LBA48, 31472MB, 64454656 sectors
wd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0,
legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask e1c7 netmask ffe7 ttymask ffff
mtrr: K6-family MTRR support (2 registers)
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
carp0: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp2: state transition: BACKUP -> MASTER
carp3: state transition: BACKUP -> MASTER
carp4: state transition: BACKUP -> MASTER
OpenBSD 4.7 (GENERIC) #1: Thu Jul 8 21:36:29 MDT 2010
r...@fw1.example.com:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500
MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 536440832 (511MB)
avail mem = 511062016 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
io address conflict 0x6100/0x100
io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address
00:00:24:cb:a8:cc
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address
00:00:24:cb:a8:cd
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address
00:00:24:cb:a8:ce
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address
00:00:24:cb:a8:cf
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
fxp0 at pci0 dev 14 function 0 "Intel 8255x" rev 0x10, i82551: irq 10, address
00:07:e9:08:8c:ec
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 1: <Crucial CT32GBFAB0>
wd0: 1-sector PIO, LBA48, 31472MB, 64454656 sectors
wd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0,
legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask e1c7 netmask ffe7 ttymask ffff
mtrr: K6-family MTRR support (2 registers)
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
carp0: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp2: state transition: BACKUP -> MASTER
carp3: state transition: BACKUP -> MASTER
carp4: state transition: BACKUP -> MASTER
OpenBSD 4.7 (GENERIC) #1: Thu Jul 8 21:36:29 MDT 2010
r...@fw1.example.com:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500
MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 536440832 (511MB)
avail mem = 511062016 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
io address conflict 0x6100/0x100
io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address
00:00:24:cb:a8:cc
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address
00:00:24:cb:a8:cd
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address
00:00:24:cb:a8:ce
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address
00:00:24:cb:a8:cf
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
fxp0 at pci0 dev 14 function 0 "Intel 8255x" rev 0x10, i82551: irq 10, address
00:07:e9:08:8c:ec
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 1: <Crucial CT32GBFAB0>
wd0: 1-sector PIO, LBA48, 31472MB, 64454656 sectors
wd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0,
legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask e1c7 netmask ffe7 ttymask ffff
mtrr: K6-family MTRR support (2 registers)
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
WARNING: / was not properly unmounted
carp0: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp2: state transition: BACKUP -> MASTER
carp3: state transition: BACKUP -> MASTER
carp4: state transition: BACKUP -> MASTER
syncing disks... done
OpenBSD 4.7 (GENERIC) #1: Thu Jul 8 21:36:29 MDT 2010
r...@fw1.example.com:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Geode(TM) Integrated Processor by AMD PCS ("AuthenticAMD" 586-class) 500
MHz
cpu0: FPU,DE,PSE,TSC,MSR,CX8,SEP,PGE,CMOV,CFLUSH,MMX
real mem = 536440832 (511MB)
avail mem = 511062016 (487MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 20/70/03, BIOS32 rev. 0 @ 0xfac40
pcibios0 at bios0: rev 2.0 @ 0xf0000/0x10000
pcibios0: pcibios_get_intr_routing - function not supported
pcibios0: PCI IRQ Routing information unavailable.
pcibios0: PCI bus #0 is the last bus
bios0: ROM list: 0xc8000/0xa800
cpu0 at mainbus0: (uniprocessor)
amdmsr0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (bios)
io address conflict 0x6100/0x100
io address conflict 0x6200/0x200
pchb0 at pci0 dev 1 function 0 "AMD Geode LX" rev 0x33
glxsb0 at pci0 dev 1 function 2 "AMD Geode LX Crypto" rev 0x00: RNG AES
vr0 at pci0 dev 6 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 11, address
00:00:24:cb:a8:cc
ukphy0 at vr0 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr1 at pci0 dev 7 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 5, address
00:00:24:cb:a8:cd
ukphy1 at vr1 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr2 at pci0 dev 8 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 9, address
00:00:24:cb:a8:ce
ukphy2 at vr2 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
vr3 at pci0 dev 9 function 0 "VIA VT6105M RhineIII" rev 0x96: irq 12, address
00:00:24:cb:a8:cf
ukphy3 at vr3 phy 1: Generic IEEE 802.3u media interface, rev. 3: OUI 0x004063,
model 0x0034
fxp0 at pci0 dev 14 function 0 "Intel 8255x" rev 0x10, i82551: irq 10, address
00:07:e9:08:8c:ec
inphy0 at fxp0 phy 1: i82555 10/100 PHY, rev. 4
glxpcib0 at pci0 dev 20 function 0 "AMD CS5536 ISA" rev 0x03: rev 3, 32-bit
3579545Hz timer, watchdog, gpio
gpio0 at glxpcib0: 32 pins
pciide0 at pci0 dev 20 function 2 "AMD CS5536 IDE" rev 0x01: DMA, channel 0
wired to compatibility, channel 1 wired to compatibility
wd0 at pciide0 channel 0 drive 1: <Crucial CT32GBFAB0>
wd0: 1-sector PIO, LBA48, 31472MB, 64454656 sectors
wd0(pciide0:0:1): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 ignored (disabled)
ohci0 at pci0 dev 21 function 0 "AMD CS5536 USB" rev 0x02: irq 15, version 1.0,
legacy support
ehci0 at pci0 dev 21 function 1 "AMD CS5536 USB" rev 0x02: irq 15
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "AMD EHCI root hub" rev 2.00/1.00 addr 1
isa0 at glxpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com0: console
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
nsclpcsio0 at isa0 port 0x2e/2: NSC PC87366 rev 9: GPIO VLM TMS
gpio1 at nsclpcsio0: 29 pins
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "AMD OHCI root hub" rev 1.00/1.00 addr 1
biomask e1c7 netmask ffe7 ttymask ffff
mtrr: K6-family MTRR support (2 registers)
vscsi0 at root
scsibus0 at vscsi0: 256 targets
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
carp0: state transition: BACKUP -> MASTER
carp1: state transition: BACKUP -> MASTER
carp2: state transition: BACKUP -> MASTER
carp3: state transition: BACKUP -> MASTER
carp4: state transition: BACKUP -> MASTER
Finally, /etc/pf.conf:
# $OpenBSD: pf.conf,v 1.3 2010/09/03 04:40:53 root Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
set require-order yes
set block-policy return
set skip on lo
set limit table-entries 200000
dsl_gw="BBB.BBB.BBB.GW/32"
cable_gw="AAA.AAA.AAA.GW/32"
dmz_if="vr0"
dsl_if="vr1"
cable_if="vr2"
guest_if="vr3"
int_if="fxp0"
# for pfsync; change this to a dedicated link once we get a dual NIC
syncdev="vr0"
cable_ip1="AAA.AAA.AAA.C1/32"
cable_ip2="AAA.AAA.AAA.C2/32"
int_ip="192.168.DDD.1/32"
guest_ip="192.168.EEE.1/32"
# dmz_ip="192.168.FFF.1/32"
int_net="192.168.DDD.0/24"
guest_net="192.168.EEE.0/24"
dmzR_net="CCC.CCC.CCC.0/24"
dmzN_net="192.168.FFF.0/24"
dmz_nets="{ CCC.CCC.CCC.0/24, 192.168.FFF.0/24 }"
hosta_ip="192.168.FFF.14/32"
backup_srv_ip="192.168.FFF.14/32" # hosta
hostb_ip="192.168.FFF.10/32"
hostc_ip="192.168.FFF.12/32"
ldap_ip="192.168.FFF.10/32"
hostd_ip="CCC.CCC.CCC.15/32"
webapp1_ip="192.168.FFF.40/32"
hostg_ip="192.168.FFF.13/32"
hoste_ip="192.168.FFF.81/32"
hostf_ip="192.168.DDD.4/32"
# IPs of fw1 and fw2 on the DMZ network
table <fw_dmz_ips> const { CCC.CCC.CCC.1/32, CCC.CCC.CCC.2/32, \
CCC.CCC.CCC.3/32 }
table <fw_ips> const { \
$cable_ip1, $cable_ip2, \
CCC.CCC.CCC.1/32, CCC.CCC.CCC.2/32, CCC.CCC.CCC.3/32, \
192.168.DDD.1/32, 192.168.DDD.2/32, 192.168.DDD.3/32, \
192.168.EEE.1/32, 192.168.EEE.2/32, 192.168.EEE.3/32, \
192.168.FFF.1/32, 192.168.FFF.2/32, 192.168.FFF.3/32, \
BBB.BBB.BBB.CRP/32, BBB.BBB.BBB.FW1/32, BBB.BBB.BBB.FW2/32 \
}
table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }
table <cable_ips> { $cable_ip1, $cable_ip2 }
table <internal_nets> { $int_net, $dmzR_net, $dmzN_net, $guest_net }
table <ldap_ips> { 192.168.FFF.12/32, 192.168.FFF.10/32 }
table <mail_ips> { 192.168.FFF.12/32, 192.168.FFF.10/32 }
table <hp_printers> { 192.168.DDD.10/32 }
table <backup_monitors> { $hostf_ip }
table <time_servers> { $hosta_ip, $hostd_ip }
# Various external networks and hosts that are allowed to get the named-related
# rsync data
table <secondary_servers> { GGG.GGG.GGG.GGG/32, HHH.HHH.HHH.HHH/32,
III.III.III.III/24 }
table <bruteforce> persist
table <spamd> persist
table <spamd-white> persist
table <blackhole> persist { 192.24.28.2 }
# Crap Microshit ports that we want to block without logging:
# 135 pop-ups used by spammers to attack windoze systems
# 137 netbios
# 138 netbios
# 139 netbios
# 445 netbios
# 1433 MS-SQL
# 1434 MS-SQL
# 4899 radmin (remote admin)
# 17300 kuang2
# 27374 (?)
#
ms_ports="{ 135, 137, 138, 139, 445, 1433, 1434, 4899, 17300, 27374 }"
# filter rules and anchor for ftp-proxy(8)
#anchor "ftp-proxy/*"
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
# anchor for relayd(8)
#anchor "relayd/*"
set loginterface $cable_if
set loginterface $dmz_if
#anchor "ftp-proxy/*"
# scrub and NAT; don't use <internal_nets> here
match in all scrub (no-df random-id max-mss 1440)
match out on $cable_if from { $int_net, $dmzN_net, $guest_net } nat-to
$cable_ip1
# general "pass out" rule
pass out all keep state
# except that we don't want to egress certain things
block out on { $dsl_if, $cable_if } proto udp from any to 255.255.255.255/32 \
port 3483
block out on { $dsl_if, $cable_if } proto udp from any to 239.255.255.250 \
port 1900
# route packets from any IPs on $dsl_if to $cable_gw and the same
# for $cable_if and $dsl_gw
pass out quick on $dsl_if from <cable_ips> route-to ($cable_if $cable_gw) \
keep state
pass out quick on $cable_if from $dsl_if route-to ($dsl_if $dsl_gw) \
keep state
#antispoof log quick for { lo0, $dmz_if, $int_if, $guest_if }
block in log quick from <bruteforce>
# carp traffic (password protected) & pfsync traffic
pass quick proto carp keep state
pass quick on $syncdev proto pfsync
# no egress/ingress for reserved blocks
block quick on { $cable_if, $dsl_if } from <martians> to any
# hack attempts
block in quick from <blackhole> to any
# log most things that are blocked, but make some exceptions
block in log all
block in proto {tcp, udp} from any to any port $ms_ports
block in quick on {$cable_if, $dsl_if} proto udp \
from any to 255.255.255.255/32 port 68
#block in proto udp from any to 255.255.255.255/32 port 3483
#block in proto udp from any to 239.255.255.250 port 1900
# block but don't log ident, however *do* return an answer so that we
# get a quick timeout
block return-rst in on { $cable_if, $dsl_if } proto tcp \
from any to any port auth
# FTP. We have two ftp-proxy processes. Inbound on the cable connection
# goes through a reverse proxy listening on 127.0.0.1:8022. Connections going
# from our internal networks elsewhere go through a forward proxy
# listening on 127.0.0.1:8021.
# TODO: This is ugly enough that we may just have to avoid the proxy.
#pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick on { $dmz_if, $int_if, $guest_if } proto tcp to port ftp \
rdr-to 127.0.0.1 port 8021
pass in quick on $cable_if proto tcp to $cable_ip1 port ftp \
rdr-to 127.0.0.1 port 8022 \
keep state reply-to ($cable_if $cable_gw)
#pass # to establish keep-state
# rules for spamd(8)
#table <spamd-white> persist
#table <nospamd> persist file "/etc/mail/nospamd"
#pass in on egress proto tcp from any to any port smtp \
# rdr-to 127.0.0.1 port spamd
#pass in on egress proto tcp from <nospamd> to any port smtp
#pass in log on egress proto tcp from <spamd-white> to any port smtp
#pass out log on egress proto tcp to any port smtp
#block in quick from urpf-failed to any # use with care
# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010
# let the DMZ have arbitrary outbound access, but not to internal
pass in on $dmz_if proto tcp from $dmz_nets to { $dmz_nets, $guest_net } \
flags S/SAFR modulate state
pass in on $dmz_if proto tcp from $dmzR_net to ! <internal_nets> \
flags S/SAFR modulate state route-to ($dsl_if $dsl_gw)
pass in on $dmz_if proto tcp from $dmzN_net to ! <internal_nets> \
flags S/SAFR modulate state route-to ($cable_if $cable_gw)
pass in on $dmz_if proto { udp, esp } from $dmz_nets \
to { $guest_net, $dmz_nets } keep state
pass in on $dmz_if proto { udp, esp } from $dmzR_net to ! <internal_nets> \
keep state route-to ($dsl_if $dsl_gw)
pass in on $dmz_if proto { udp, esp } from $dmzN_net to ! <internal_nets> \
keep state route-to ($cable_if $cable_gw)
# Let the internal network have arbitrary outbound access, but not to the
# DMZ unless otherwise specified.
pass in on $int_if proto tcp from $int_net to { $int_net, $guest_net } \
flags S/SAFR modulate state
pass in on $int_if proto tcp from $int_net to ! <internal_nets> \
flags S/SAFR modulate state route-to ($cable_if $cable_gw)
pass in on $int_if proto { udp, esp } from $int_net \
to { $int_net, $guest_net } keep state
pass in on $int_if proto { udp, esp } from $int_net to ! <internal_nets> \
keep state route-to ($cable_if $cable_gw)
# let guest_net have arbitrary outbound access, but not to the DMZ or
# int_net unless otherwise specified
pass in on $guest_if proto tcp from $guest_net to $guest_net \
flags S/SAFR modulate state
pass in on $guest_if proto tcp from $guest_net to ! <internal_nets> \
flags S/SAFR modulate state route-to ($cable_if $cable_gw)
pass in on $guest_if proto { udp, esp } from $guest_net \
to $guest_net keep state
pass in on $guest_if proto { udp, esp } from $guest_net to ! <internal_nets> \
keep state route-to ($cable_if $cable_gw)
anchor "ftp-proxy/*"
#
# DNS to the firewall
#
pass in on $cable_if proto tcp from any to <cable_ips> port domain \
flags S/SAFR modulate state reply-to ($cable_if $cable_gw)
pass in on $cable_if proto udp from any to <cable_ips> port domain \
keep state reply-to ($cable_if $cable_gw)
pass in on { $dmz_if, $int_if, $guest_if } proto tcp from any \
to <fw_ips> port domain flags S/SAFR keep state
pass in on { $dmz_if, $int_if, $guest_if } proto udp from any \
to <fw_ips> port domain keep state
# DHCP *sync* protocol
pass in on $dmz_if proto udp from any to $dmz_if port dhcpd-sync keep state
pass out on $dmz_if proto udp from any to any port dhcpd-sync keep state
# DHCP
# - permit clients on internal, guest, and DMZ nets to get IPs
block in log proto udp from any port 68 to any port 67
pass in on { $int_if, $dmz_if, $guest_if } proto udp from 0.0.0.0/32 port 68 \
to 255.255.255.255/32 port 67 keep state
pass in on $int_if proto udp from $int_net port 68 \
to $int_if port 67 keep state
pass in on $dmz_if proto udp from $dmz_nets port 68 \
to $dmz_if port 67 keep state
pass in on $guest_if proto udp from $guest_net port 68 \
to $guest_if port 67 keep state
#
# NTP
#
pass in on { $int_if, $dmz_if, $guest_if } proto udp from any to \
<time_servers> port ntp keep state
pass in on { $int_if, $dmz_if, $guest_if } proto tcp from any to \
<time_servers> port ntp flags S/SAFR modulate state
#
# Inbound services to the firewall itself:
# SSH (any external IP on DSL side)
# SSH (the canonical DMZ IP)
# SSH (first external IP only on cable side)
# (NOT CURRENTLY ACTIVE; SEE hostc SSH RULE)
#
#pass in on $dsl_if proto tcp from any to { $dsl_if, <fw_dmz_ips> } \
# port { ssh } \
# flags S/SAFR keep state \
# (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush
global) \
# reply-to ($dsl_if $dsl_gw)
# if we're the standby router, then packets to us from the outside world
# may come via internal interfaces
pass in proto tcp from !<internal_nets> to { $dsl_if, <fw_dmz_ips> } \
port { ssh } \
flags S/SAFR keep state \
(max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush
global) \
reply-to ($dsl_if $dsl_gw)
#
# We currently don't allow inbound SSH to gwc via cable
#pass in on $cable_if proto tcp from any to $cable_ip1 \
# port { ssh } \
# flags S/SAFR modulate state \
# (max-src-conn 50, max-src-conn-rate 15/5, overload <bruteforce> flush
global) \
# reply-to ($cable_if $cable_gw)
# rsync to firewall from selected servers
pass in on $cable_if proto tcp from <secondary_servers> to $cable_ip2 \
port { rsync } \
flags S/SAFR modulate state \
reply-to ($cable_if $cable_gw)
#
# SMTP:
# If the originator is on the spamd blacklist, then redirect to spamd.
# Otherwise, redirect to the mail server.
pass in on $cable_if proto tcp from <spamd> to <cable_ips> \
port smtp rdr-to 127.0.0.1 port spamd \
flags S/SAFR modulate state reply-to ($cable_if $cable_gw)
pass in on $dsl_if proto tcp from <spamd> to any \
port smtp rdr-to 127.0.0.1 port spamd \
flags S/SAFR modulate state reply-to ($dsl_if $dsl_gw)
pass in on $cable_if proto tcp from ! <spamd> to <cable_ips> \
port smtp rdr-to $hostc_ip \
flags S/SAFR modulate state reply-to ($cable_if $cable_gw)
#
# Inbound services to hostc
#
# cable IP1: SSH, IMAPS, HTTP, HTTPS, RSYNC
# (smtp is handled above, separately)
pass in on $cable_if proto tcp from any to $cable_ip1 \
port {ssh, imaps, http, https, rsync } \
rdr-to $hostc_ip \
flags S/SAFR modulate state reply-to ($cable_if $cable_gw)
# cable IP2: GnuDIP (3495/tcp)
pass in on $cable_if proto tcp from any to $cable_ip2 \
port {3495} \
rdr-to $hostc_ip \
flags S/SAFR modulate state reply-to ($cable_if $cable_gw)
# Non-NAT networks get the union of the above, plus:
# ftp (21 and 50000-60000)
pass in on { $int_if, $guest_if, $dmz_if } \
proto tcp from any to $hostc_ip \
port { ssh, imaps, http, https, rsync, smtp, 3495 \
ftp, 50000:60000 } \
flags S/SAFR modulate state
pass in on $dmz_if proto tcp from $hostc_ip port ftp-data to any \
flags S/SAFR modulate state
# traffic to hostd:
# ssh
pass in on { $int_if, $dmz_if } proto tcp from any to $hostd_ip \
port { ssh } \
flags S/SAFR modulate state
# traffic to webapp1:
# ssh, tomcat (8080)
pass in on { $int_if, $dmz_if } proto tcp from { $hostf_ip } to $webapp1_ip \
port { ssh, 8080 } \
flags S/SAFR modulate state
# traffic to hostg:
# ssh, http, https
pass in on { $int_if, $dmz_if } proto tcp from { $hostf_ip } to $hostg_ip \
port { ssh, http, https } \
flags S/SAFR modulate state
# music server
pass in on { $int_if, $guest_if } proto tcp from any to $hosta_ip \
port { 3483, 9000 } flags S/SAFR modulate state
pass in on { $int_if, $guest_if } proto udp from any to $hosta_ip \
port 3483 keep state
# database for hosth
pass in on $int_if proto tcp from $hostf_ip to $hoste_ip \
port 3306 flags S/SAFR modulate state
# permit netfff machines access to the printer
# 9100 - jetdirect
# 161 - snmp
# 2207 - hpssd
# 2208 - hpiod
pass in on $dmz_if proto tcp from $dmz_nets to <hp_printers> \
port { 9100, 2207, 2208, 161 } flags S/SAFR modulate state
pass in on $dmz_if proto udp from $dmz_nets to <hp_printers> \
port { 9100, 2207, 2208, 161 } keep state
#
# traceroute: allow internal networks to traceroute anywhere
# base+nhops*nqueries-1 = 33434+64*3-1
#
pass in on $int_if inet proto udp from $int_net to any \
port 33433 >< 33626 keep state route-to ($cable_if $cable_gw)
pass in on $int_if inet proto udp from $int_net to <internal_nets> \
port 33433 >< 33626 keep state
pass in on $dmz_if inet proto udp from $dmzR_net to any \
port 33433 >< 33626 keep state route-to ($dsl_if $dsl_gw)
pass in on $dmz_if inet proto udp from $dmzN_net to any \
port 33433 >< 33626 keep state route-to ($cable_if $cable_gw)
pass in on $dmz_if inet proto udp from $dmz_nets to <internal_nets> \
port 33433 >< 33626 keep state
pass in on $guest_if inet proto udp from $guest_net to any \
port 33433 >< 33626 keep state route-to ($cable_if $cable_gw)
pass in on $guest_if inet proto udp from $guest_net to <internal_nets> \
port 33433 >< 33626 keep state
#
# pings:
# - permit pings to our external interfaces from anywhere
# - permit pings to the public IP DMZ net from anywhere via the dsl if
# - permit internal net to ping anywhere
# - permit dmz and guest nets to ping only the outside world
#
block in log quick on $guest_if inet proto icmp from any \
to { $int_net, $dmz_nets } icmp-type echoreq
block in log quick on $dmz_if inet proto icmp from any \
to { $int_if, $guest_if } icmp-type echoreq
pass in quick on $dmz_if inet proto icmp from any \
to { <internal_nets>, $cable_ip1, $cable_ip2, $dsl_if } \
icmp-type echoreq keep state
pass in on $cable_if inet proto icmp from any to { $cable_ip1, $cable_ip2 } \
icmp-type echoreq keep state reply-to ($cable_if $cable_gw)
pass in on $dsl_if inet proto icmp from any to { $dsl_if, $dmzR_net } \
icmp-type echoreq keep state reply-to ($dsl_if $dsl_gw)
pass in on $dmz_if inet proto icmp from $dmzR_net to ! <internal_nets> \
icmp-type echoreq keep state route-to ($dsl_if $dsl_gw)
pass in on $dmz_if inet proto icmp from $dmzN_net to ! <internal_nets> \
icmp-type echoreq keep state route-to ($cable_if $cable_gw)
pass in on $dmz_if inet proto icmp from {$dmzR_net, $dmzN_net} \
to <internal_nets> icmp-type echoreq keep state
pass in on { $int_if, $guest_if } inet proto icmp all \
icmp-type echoreq keep state route-to ($cable_if $cable_gw)
pass in on { $int_if, $guest_if } inet proto icmp from any to <internal_nets> \
icmp-type echoreq keep state
Devin
--
Friends may come and go, but enemies just accumulate.
