cod3fr3ak
August 27th, 2008, 08:21
Hey guys - been a while. But I'm back.
Hope everything is good with everyone.
Now to business:
I am deploying a small enclosed network to do some squid cache testing. I need to totally isolate this network from my primary net, no leaks. I know OpenBSD is up to this, but I'd like some of the vets to review my pf.conf file.
#
# cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.37 2008/05/09 06:04:08 reyk Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
# Macros
external="gem0"
internal="hme0"
IOM="{ 10.7.10.121, 10.7.10.84 }"
vlans="{ 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24 }"
# Optimization
set block-policy drop
set limit { frags 5000, states 2500, src-nodes 2000 }
set loginterface $external
set optimization aggressive
set timeout { interval 10, frag 30 }
# Normalization
scrub in on $external all fragment reassemble min-ttl 15 max-mss 1400
scrub on $external reassemble tcp
# NAT
nat on $external from !($external) to any -> $external
# Rules
block in log on $external all
# Shawn's vpn traffic - inbound
#pass in quick on $external inet proto udp from <CHANGEME> to $external port = 500 keep state
#pass in quick on $external inet proto udp from <CHANGEME> to $external port = 4500 keep state
#pass in quick on $external inet proto esp from <CHANGEME> to $external keep state
pass in log quick on $external proto tcp from $IOM to $external port = 22 flags S/SA keep state
block in log on $internal all
pass in log quick on $internal inet proto tcp from $internal port = 22 to any keep state
pass in quick on $internal inet proto tcp from $vlans to any keep state
pass in quick on $internal inet proto udp from $vlans to any keep state
pass in quick on $internal inet proto icmp from $vlans to any keep state
# Shawn's vpn traffic - outbound
#pass out quick on $external inet proto udp from $external to <CHANGEME> port = 500 keep state
#pass out quick on $external inet proto udp from $external to <CHANGEME> port = 4500 keep state
#pass out quick on $external inet proto esp from $external to <CHANGEME> keep state
pass out quick on $external inet proto tcp from $external to any flags S/SA keep state
pass out quick on $external inet proto udp from $external to any keep state
pass out quick on $external inet proto icmp from $external to any keep state
pass out quick on $internal inet proto tcp from $internal to any flags S/SA keep state
pass out quick on $internal inet proto udp from $internal to any keep state
pass out quick on $internal inet proto icmp from $internal to any keep state
I was unable to get traffic between the vlans without adding the last few lines, and I could not figure out why.
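Added example, not cod3fr3ak's config: a pf.conf fragment (pre-4.7 nat syntax, matching the posted file) that turns the "no leaks" requirement into an explicit, logged rule instead of relying on NAT plus the default block. The primary_net address is a placeholder; the interface and vlans macros are the poster's own.

```pf
# Added example, not the original poster's config. primary_net is a
# PLACEHOLDER (RFC 5737 documentation range): substitute the real
# primary network before use.
external="gem0"
internal="hme0"
vlans="{ 10.1.1.0/24, 10.1.2.0/24, 10.1.3.0/24, 10.1.4.0/24 }"
primary_net="192.0.2.0/24"    # PLACEHOLDER

# Translation section (pf requires nat rules before filter rules, and the
# first matching nat rule wins): never translate test traffic aimed at the
# primary net. Place this ABOVE the existing
#   nat on $external from !($external) to any -> $external
no nat on $external from $vlans to $primary_net

# Filter section. Filter on the INBOUND side of $internal, where the
# source address is still the untranslated VLAN address. On this pf
# version nat runs before the outbound filter on $external, so a
# "block out on $external from $vlans ..." rule would only ever see the
# translated source ($external) and would never match.
# "quick" ends evaluation at the first match, so this line must come
# BEFORE the broad "pass in quick on $internal ... from $vlans to any"
# rules in the posted file, or those pass rules win.
block in log quick on $internal from $vlans to $primary_net

# Verify syntax without loading, then load, then watch pflog0 for any
# test-net packet that tried to reach the primary net:
#   pfctl -nf /etc/pf.conf
#   pfctl -f  /etc/pf.conf
#   tcpdump -n -e -ttt -i pflog0 dst net 192.0.2.0/24
```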