Hi,

I have an OpenBSD 3.3 i386 box set up as a firewall for a NetComm NB1300 ADSL modem in bridge mode (see below). Is my 192.168.1.0/24 DMZ invisible to the WAN traffic passing on the tun0 pseudo-device when the physical device used by tun0 (fxp0) is used for DMZ LAN traffic? Do I need to disable the DMZ network because it is a security risk?

I have included the output from ifconfig for the relevant devices and have appended the route table and pf.conf below.

TIA
Chris

--------------------------------------------------------------------

    tun0 203.194.30.234 <- - - - - - - - - - - - - - 220.240.195.37
            |                                              |
            |           192.168.1.0/24                     |
   ADSL     |              crossover                       |  enabled
   phone  +--------+         cable         +----------+    internal
   line --| NB1300 |-----------------------| firewall |--  192.168.2.0/24
          +--------+                       +----------+    network
              |                             |        |
              |                             |        |
         192.168.1.1                   192.168.1.2   192.168.2.1
                                           fxp0         fxp1

The modem has default address 192.168.1.1. The firewall has addresses 192.168.1.2 & 192.168.2.1. The tun0 pseudo-device uses the fxp0 physical device to communicate via PPPOE.
------------------------------------------------------------------------

The relevant output from the "ifconfig -a" command is:

    fxp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            address: 00:02:b3:30:f0:19
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet 192.168.1.2 netmask 0xffffff00 broadcast 192.168.1.255
    fxp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
            address: 00:90:27:8e:56:6e
            media: Ethernet autoselect (100baseTX full-duplex)
            status: active
            inet 192.168.2.1 netmask 0xffffff00 broadcast 192.168.2.255
    tun0: flags=8011<UP,POINTOPOINT,MULTICAST> mtu 1500
            inet 220.240.195.37 --> 203.194.30.234 netmask 0xffffffff

------------------------------------------------------------------------

The relevant portion of the routing table is:

    Internet:
    Destination        Gateway            Flags    Refs     Use    Mtu  Interface
    default            203.194.30.234     UGS         1   41785   1500  tun0
    127/8              127.0.0.1          UGRS        0       0  33224  lo0
    127.0.0.1          127.0.0.1          UH          2       6  33224  lo0
    192.168.1/24       link#1             UC          0       0      -  fxp0
    192.168.2/24       link#2             UC          4       0      -  fxp1
    192.168.2.10       0:a0:c9:21:99:a1   UHL1        1   15126      -  fxp1
    192.168.2.12       0:a0:c9:d7:21:99   UHL1        1      55      -  fxp1
    192.168.2.250      0:90:27:bd:59:9    UHL1        0       3      -  fxp1
    192.168.2.251      0:a0:c9:b3:46:71   UHL1        0     974      -  fxp1
    203.194.30.234     220.240.195.37     UH          1       0   1500  tun0
    224/4              127.0.0.1          URS         0       0  33224  lo0

-----------------------------------------------------------------------

    # pf.conf
    #
    # See pf.conf(5) and /usr/share/pf for syntax and examples.
    # Required order: options, normalization, queueing, translation, filtering.
    # Macros and tables may be defined and used anywhere.
    # Note that translation rules are first match while filter rules are last match.

    # Macros & tables
    #
    PPP = "tun0"
    EXT = "fxp0"
    INT = "fxp1"
    icmp_types = "{ echorep unreach timex }"
    tcp_services = "{ ssh auth }"
    udp_services = "{ ntp }"
    # Stratum 1 time servers: ntp0.cs.mu.OZ.AU = 128.250.37.2
    #                         ntp1.cs.mu.OZ.AU = 128.250.36.3
    # Stratum 2 time servers: ntp.saard.net = 203.21.37.18
    #                         time.deakin.edu.au = 128.184.1.1
    table <ntp> { 128.250.37.2 128.250.36.3 203.21.37.18 128.184.1.1 }
    table <rfc1918> const { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
    table <illegal> const { 127.0.0.0/8, 0.0.0.0/32, 255.255.255.255/32 }

    # Options
    #
    set block-policy return
    set loginterface $PPP

    # Scrub
    #
    scrub in all

    # NAT/RDR
    #
    nat on $PPP from $INT:network to any -> ($PPP)
    nat on $EXT from $INT:network to any -> ($EXT)
    rdr on $INT proto tcp from any to any port 21 -> 127.0.0.1 port 8021

    ##
    ## Filter rules
    ##

    # Default deny
    #
    block all

    # Allow all traffic on loopback interface
    #
    pass quick on lo0 all

    # Antispoofing for the internal interface
    #
    #antispoof log quick for $INT inet

    # Block all traffic to/from bad addresses
    #
    block drop in quick on $PPP from <illegal> to any
    block drop out quick on $PPP from any to <illegal>

    # Block incoming RFC1918 addresses. But allow traffic to/from the modem
    #
    pass in on $EXT from $EXT:network to any
    pass out on $EXT from any to $EXT:network
    block drop in quick on $PPP from <rfc1918> to any
    #block drop out quick on $PPP from any to <rfc1918>

    # Allow some incoming tcp service connections
    #
    pass in on $PPP inet proto tcp from any to ($PPP) \
        port $tcp_services flags S/SA keep state

    # Pass some incoming icmp traffic types
    #
    #pass in quick on $PPP inet proto icmp all icmp-type $icmp_types keep state

    # Pass traffic to/from local network
    #
    pass in on $INT from $INT:network to any
    pass out on $INT from any to $INT:network

    # Pass tcp traffic out on external interface.
    # Randomise initial sequence number
    #
    pass out on $PPP proto tcp all modulate state flags S/SA

    # Pass udp, icmp out on external interface
    #
    pass out on $PPP proto { udp, icmp } all keep state
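To check what this rule set does to a given packet before relying on it, here is an added Python model of pf's filter evaluation (last matching rule wins, a matching quick rule stops evaluation) loaded with the post's filter rules; it is not from the post or from pf itself. It assumes ssh is TCP port 22 and auth is TCP port 113, and it leaves out scrub, NAT/rdr and state tracking, so it models the first-packet decision only.

```python
import ipaddress

def in_net(cidrs):
    """Predicate for a pf table: true when addr lies in one of the networks."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda addr: any(ipaddress.ip_address(addr) in n for n in nets)

RFC1918 = in_net(["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"])
ILLEGAL = in_net(["127.0.0.0/8", "0.0.0.0/32", "255.255.255.255/32"])
EXT_NET = in_net(["192.168.1.0/24"])    # $EXT:network, modem side of fxp0
INT_NET = in_net(["192.168.2.0/24"])    # $INT:network, the LAN on fxp1
PPP_ADDR = "220.240.195.37"             # ($PPP), the PPPoE address on tun0

def rule(action, quick=False, direction=None, iface=None, src=None, dst=None,
         proto=None, dport=None):
    """One filter rule as (action, quick, predicate); None means 'any'."""
    def matches(p):
        return ((direction is None or p["dir"] == direction)
                and (iface is None or p["iface"] == iface)
                and (src is None or src(p["src"]))
                and (dst is None or dst(p["dst"]))
                and (proto is None or p.get("proto") == proto)
                and (dport is None or p.get("dport") in dport))
    return action, quick, matches

# The post's filter section in its original order (assumed ports: ssh=22, auth=113).
RULES = [
    rule("block"),                                         # block all
    rule("pass", quick=True, iface="lo0"),                 # pass quick on lo0 all
    rule("block", quick=True, direction="in", iface="tun0", src=ILLEGAL),
    rule("block", quick=True, direction="out", iface="tun0", dst=ILLEGAL),
    rule("pass", direction="in", iface="fxp0", src=EXT_NET),
    rule("pass", direction="out", iface="fxp0", dst=EXT_NET),
    rule("block", quick=True, direction="in", iface="tun0", src=RFC1918),
    rule("pass", direction="in", iface="tun0", proto="tcp",      # to ($PPP) port { ssh auth }
         dst=lambda a: a == PPP_ADDR, dport={22, 113}),
    rule("pass", direction="in", iface="fxp1", src=INT_NET),
    rule("pass", direction="out", iface="fxp1", dst=INT_NET),
    rule("pass", direction="out", iface="tun0", proto="tcp"),
    rule("pass", direction="out", iface="tun0", proto="udp"),
    rule("pass", direction="out", iface="tun0", proto="icmp"),
]

def evaluate(pkt):
    """pf filter semantics: the last matching rule wins, except that a
    matching rule marked quick ends evaluation immediately."""
    verdict = "pass"          # pf's implicit default if nothing matches
    for action, quick, matches in RULES:
        if matches(pkt):
            verdict = action
            if quick:
                break
    return verdict
```

With these rules a packet arriving in on tun0 from a public address for 192.168.1.1 ends at "block", because nothing after "block all" passes inbound tun0 traffic except TCP to ($PPP) on the two listed ports; a packet from 10.1.2.3 to those ports is stopped by the quick RFC1918 rule before the later pass rule is reached.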