Kliman01
November 6th, 2004, 14:54
Wow...my first post.

I've been using OpenBSD for a couple of months now...really learning to love it, instead of the MS crap I got into this industry with.

So far, I've mostly just been building pf firewalls to replace POS linksys boxes at my clients' sites, and I've always had this weird problem...I can't get to the internet FROM the firewall. All my nats, rdrs, and pass/block rules do their jobs perfectly...but for some reason I can't get to the internet from the firewall box.

I tend to keep a couple of "debug" lines commented out in my pf.conf:

pass in quick all
pass out quick all

and when I uncomment the pass in quick all rule, I can access fine...so I know it's just a packet filter that's causing my grief. Having said that, I can't really figure out what rule I would need to specify in order to get internet from this firewall, without leaving its pants down facing the internet.

I'm going to post my pf.conf in the next part of this thread...

Thanks in advance...this was a great place to find!

Kliman01
November 6th, 2004, 14:55
# <<< Interface Macros >>>
radiant_if="xl0"
shaw_if="xl1"
wifi_if="xl2"
internal_if="xl3"

# <<< IP Macros >>>
radiant_ip185="69.36.99.185"
radiant_ip186="69.36.99.186"
radiant_ip187="69.36.99.187"
radiant_ip188="69.36.99.188"
radiant_ip189="69.36.99.189"
radiant_gw="69.36.99.190"

# <<< Host Macros >>>
megatron="192.168.1.10"
redstorm="192.168.1.22"
deepblue="192.168.1.12"
hal9000="192.168.1.69"

# <<< Tables >>>
table <blacklist> persist file "/etc/pf.blacklist"
table <nonroute> persist { 0/8, 10/8, 127/8, 172.16/12, 192.168/16, 255.255.255.255/32 }
# SpamD Tables
table <spamd> persist
table <spamd-white> persist
table <spamd-myblack> persist file "/var/spamd/blacklist"
table <spamd-mywhite> persist file "/var/spamd/whitelist"

# <<< Firewall Options >>>
set block-policy drop
set loginterface $radiant_if
set optimization aggressive
set require-order yes

# <<< Packet Normalization >>>
scrub in all
scrub out all no-df random-id

# <<< Network Address Translation >>>
nat on $shaw_if from $internal_if:network to !<nonroute> -> ($shaw_if)
nat on $shaw_if from $wifi_if:network to !<nonroute> -> ($shaw_if)
nat on $radiant_if from $deepblue to !<nonroute> -> $radiant_ip185
nat on $radiant_if from $redstorm to !<nonroute> -> $radiant_ip186
# Note: 192.168.1.22 is $redstorm, and nat rules are first-match, so the rule
# above (-> $radiant_ip186) already wins for it and this line never matches.
nat on $radiant_if from 192.168.1.22 to !<nonroute> -> $radiant_ip188

# <<< Port Redirection >>>
# Shaw
rdr on $shaw_if inet proto tcp from any to $shaw_if port 80 -> $deepblue
rdr on $shaw_if inet proto tcp from any to $shaw_if port 3389 -> $hal9000
rdr on $shaw_if inet proto tcp from any to $shaw_if port 49152 -> $hal9000
# Radiant - IP185
# SPAMD - Whitelist
rdr on $radiant_if inet proto tcp from <spamd-white> to $radiant_ip185 port 25 -> $deepblue port 25
rdr on $radiant_if inet proto tcp from <spamd-mywhite> to $radiant_ip185 port 25 -> $deepblue port 25
# SPAMD - Blacklist
rdr on $radiant_if inet proto tcp from <spamd> to $radiant_ip185 port 25 -> $radiant_ip185 port 8025
rdr on $radiant_if inet proto tcp from <spamd-myblack> to $radiant_ip185 port 25 -> $radiant_ip185 port 8025
# SPAMD - Greylist
rdr on $radiant_if inet proto tcp from !<spamd-white> to $radiant_ip185 port 25 -> $radiant_ip185 port 8025
rdr on $radiant_if inet proto tcp from !<spamd-mywhite> to $radiant_ip185 port 25 -> $radiant_ip185 port 8025
#
#rdr on $radiant_if inet proto tcp from any to $radiant_ip185 port 25 -> $deepblue
rdr on $radiant_if inet proto udp from any to $radiant_ip185 port 53 -> $deepblue
rdr on $radiant_if inet proto tcp from any to $radiant_ip185 port 53 -> $deepblue
rdr on $radiant_if inet proto tcp from any to $radiant_ip185 port 80 -> $deepblue
rdr on $radiant_if inet proto tcp from any to $radiant_ip185 port 110 -> $deepblue
# Radiant - IP188
# SPAMD - Whitelist
rdr on $radiant_if inet proto tcp from <spamd-white> to $radiant_ip188 port 25 -> $redstorm port 25
rdr on $radiant_if inet proto tcp from <spamd-mywhite> to $radiant_ip188 port 25 -> $redstorm port 25
# SPAMD - Blacklist
rdr on $radiant_if inet proto tcp from <spamd> to $radiant_ip188 port 25 -> $radiant_ip188 port 8025
rdr on $radiant_if inet proto tcp from <spamd-myblack> to $radiant_ip188 port 25 -> $radiant_ip188 port 8025
# SPAMD - Greylist
rdr on $radiant_if inet proto tcp from !<spamd-white> to $radiant_ip188 port 25 -> $radiant_ip188 port 8025
rdr on $radiant_if inet proto tcp from !<spamd-mywhite> to $radiant_ip188 port 25 -> $radiant_ip188 port 8025

# <<< Packet Filter Debug >>>
#pass in quick all
#pass out quick all

# <<< Baseline Security >>>
# Default Deny
block in on $shaw_if
block in on $radiant_if
block in on $wifi_if

# Kill the blacklisted
block in log quick on { $shaw_if, $radiant_if } inet from <blacklist>

# Keep non-routable addresses off the internet interfaces
block in log quick on { $shaw_if, $radiant_if } from <nonroute> to any
block out log quick on { $shaw_if, $radiant_if } from any to <nonroute>

# No IPV6 here, so kill it
block in log quick inet6

# Kill nmap-style port scanners
block in log quick on { $shaw_if, $radiant_if } from any os nmap

# <<< Service Packet Filtering >>>
# Shaw
pass in on $shaw_if inet proto tcp from any to $deepblue port 80 modulate state
pass in on $shaw_if inet proto tcp from any to $hal9000 port 3389 modulate state
pass in on $shaw_if inet proto tcp from any to $hal9000 port 49152 modulate state
# Radiant
# IP 185 - Primary Hosting DNS/SMTP/POP3
pass in on $radiant_if inet proto tcp from any to $deepblue port 25 modulate state
pass in on $radiant_if inet proto tcp from any to $deepblue port 53 modulate state
pass in on $radiant_if inet proto udp from any to $deepblue port 53
pass in on $radiant_if inet proto tcp from any to $deepblue port 80 modulate state
pass in on $radiant_if inet proto tcp from any to $deepblue port 110 modulate state
pass in on $radiant_if inet proto tcp from any to $radiant_ip185 port 8025 modulate state
# IP 186 - Primary Hosting FTP/HTTP
#pass in on $radiant_if inet proto tcp from any to $redstorm port 21 modulate state
#pass in on $radiant_if inet proto tcp from any to $redstorm port 80 modulate state
# IP 188 - Fortress Hosting SMTP Test
pass in on $radiant_if inet proto tcp from any to $radiant_ip188 port 8025 modulate state
pass in on $radiant_if inet proto tcp from any to $redstorm port 25 modulate state
pass in on $radiant_if inet proto tcp from any to $radiant_ip188 port 80 modulate state
pass in on $radiant_if inet proto tcp from any to $redstorm port 110 modulate state
# Outgoing stuff from hosting boxes (Radiant)
pass in on $internal_if route-to ($radiant_if $radiant_gw) from { $deepblue, $redstorm } to !<nonroute> keep state

bsdjunkie
November 6th, 2004, 16:20
You have no pass out rules listed in the configuration. Try adding some lines such as these with only the protocols you want outgoing allowed. The lines below will pretty much let out all outgoing connections:

pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SAFR
pass out on $ext_if proto { udp, icmp } all keep state

Kliman01
November 6th, 2004, 16:51
Well, that worked.

What's weird (to me) is that throwing in a "pass out quick all" in there to debug didn't seem to do the trick...it was the "pass in quick all" that let me browse.

Thanks for the quick reply.
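The puzzle in the reply above (why "pass in quick all" worked but "pass out quick all" did not, and why bsdjunkie's stateful pass out rules fix it), worked through as an added example that is not from the thread: a small Python model of pf's last-match rule evaluation plus its state table, run over the firewall's own outbound TCP connection on $shaw_if. It assumes the pf of that era, where a pass rule creates no state unless it says keep state or modulate state; the host names fw and web are constructed.

```python
# Added illustration, not from the thread: a minimal model of pf's
# last-match evaluation and state table for the firewall's own traffic.
EXT = "xl1"  # $shaw_if, the interface the firewall's own traffic leaves on


def evaluate(rules, pkt, states):
    """Return 'pass' or 'block' for pkt, updating the state table.

    pkt = (direction, interface, src, dst). A packet matching an existing
    state bypasses the rule set, as in pf; otherwise the LAST matching rule
    wins unless a matching rule says quick, which ends evaluation at once.
    """
    direction, ifname, src, dst = pkt
    flow = frozenset((src, dst))          # direction-independent state key
    if flow in states:
        return "pass"
    winner = None
    for r in rules:
        if r["dir"] != direction or r["if"] not in (ifname, "any"):
            continue
        winner = r
        if r.get("quick"):
            break
    if winner is None:
        return "pass"                     # pf's implicit default is pass
    if winner["action"] == "pass" and winner.get("state"):
        states.add(flow)                  # keep state / modulate state
    return winner["action"]


def run(rules):
    """Send the firewall's own SYN out $shaw_if, then the reply back in."""
    states = set()
    out_pkt = ("out", EXT, "fw", "web")   # constructed packet tuples
    in_pkt = ("in", EXT, "web", "fw")
    return evaluate(rules, out_pkt, states), evaluate(rules, in_pkt, states)


BASE = [{"dir": "in", "if": EXT, "action": "block"}]      # block in on $shaw_if
# 1. Kliman01's rule set as posted: no pass out rule at all.
AS_POSTED = BASE
# 2. Debug line "pass out quick all": stateless, so the reply still hits block in.
PASS_OUT_QUICK = BASE + [{"dir": "out", "if": "any", "action": "pass", "quick": True}]
# 3. Debug line "pass in quick all": the reply is let straight in (and so is everything else).
PASS_IN_QUICK = BASE + [{"dir": "in", "if": "any", "action": "pass", "quick": True}]
# 4. bsdjunkie's fix: pass out on $ext_if ... modulate state creates state on the way out.
STATEFUL_OUT = BASE + [{"dir": "out", "if": EXT, "action": "pass", "state": True}]

if __name__ == "__main__":
    for name in ("AS_POSTED", "PASS_OUT_QUICK", "PASS_IN_QUICK", "STATEFUL_OUT"):
        print(name, run(globals()[name]))   # (outbound verdict, reply verdict)
```

Only the stateful rule lets the reply back in without also opening the external interface to unsolicited inbound traffic, which is why it is the fix to keep.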

elmore
November 6th, 2004, 18:01
Glad we could help you out Kliman! Welcome to S.E.! We're happy you found us as well. :)