This is what I've done so far. To check if my pf.conf is working properly, I tested to see if I could access my access server. Unfortunately, I can't connect to it. I tried taking a look at tcpdump to get any indication of what's going on. However, nothing remarkable came to my attention. The same output is repeated constantly. I used 'tcpdump -vv -i hme3' and got the following output:

------------------
Dec 21 07:48:51.789877 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:48:53.788044 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:48:55.786211 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:48:57.784373 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:48:59.782541 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:49:01.780709 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:49:03.778872 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:49:05.777040 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:49:07.775203 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:49:09.773374 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:49:11.771536 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:49:13.769697 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:49:15.767868 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:49:17.766032 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:49:19.764199 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
------------------

I'm sure there are certain things in my pf.conf that could be formatted a bit better, but at the moment, for the sake of a conceptual understanding, I've decided to be a bit more verbose with my rules.

My pf.conf is as follows:

------------------
###################################
# $OpenBSD: pf.conf 11/9/2003
###################################

#####################################
### macros
#####################################

### IP addresses
ext_ip = "10.10.190.2"              # external interface ip address
int_ip = "192.168.175.253"          # internal interface ip address
pub_ip = "172.16.210.1"             # public servers interface ip address
pvt_ip = "192.168.50.1"             # private servers interface ip address
pod_ip = "172.16.150.1"             # cisco router pod interface ip address

### physical interfaces
int_if = "hme0"                     # internal interface
pvt_srv_if = "hme1"                 # private server interface
pub_svr_if = "hme2"                 # public server interface
cisco_pod_if = "hme3"               # router lab interface
ext_if = "hme4"                     # external interface
all_if = "{ hme0, hme1, hme2, hme3, hme4 }"   # all interfaces

### servers
web_server = "172.16.210.2"         # webserver
PDC = "192.168.50.2"                # primary domain server
router = "10.10.190.1"              # router
access_server = "172.16.150.2"      # cisco pod access server
print_server = "192.168.175.251"    # print server
proxy_server = "192.168.175.248"    # proxy server

### internal network hosts
venus = "192.168.175.242"           #
saturn = "192.168.175.243"          #
mercury = "192.168.175.249"         # laptop
uranus = "192.168.175.248"          # backup server
neptune = "192.168.175.253"         # OpenBSD
hosts = "{" $venus $saturn $mercury $uranus "}"

### Services
www = "{ 80, 443 }"                 # http/https

### Private addresses
spoof_ips = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"   # private addresses

##################################################################
### Options: tune the behavior of pf
##################################################################
set require-order yes
### Sets the interface for which PF should gather statistics such as bytes in/out and packets passed/blocked
set loginterface hme4
### Optimize PF for one of the following network environments
set optimization normal
### packet is silently dropped
set block-policy drop
set fingerprints "/etc/pf.os"

##########################
# Packet Filtering Table
##########################

### Clean up fragmented packets and abnormal packets
scrub in all fragment reassemble

### nat rule
nat on $ext_if from $hosts to any -> $ext_ip

###
# traffic rules
###

### default deny policy
block in all
block out all

### pass traffic on the loopback interface in either direction
pass in on lo0 from $all_if to any modulate state

### activate spoofing protection for the external interface
# block in log quick on $ext_if from $spoof_ips to any
# block out log quick on $ext_if from any to $spoof_ips
antispoof for $ext_if inet

### allow ssh connections in on the external interface as long as they're NOT destined for the firewall (i.e., they're
### destined for a machine on the local network). log the initial packet so that we can later tell who is trying to connect.
pass in log on $ext_if proto tcp from any to { $uranus, !$ext_ip, !$int_if } port ssh flags S/SA synproxy state

###
### core ruleset
###

### pass tcp, udp, and icmp out on the external (Internet) interface. keep state on udp and icmp and modulate state on tcp.
### (pf.conf(5) syntax: the proto clause comes before from/to)
pass in on $int_if proto tcp from $hosts to $ext_ip modulate state
pass in on $int_if proto { udp, icmp } from $hosts to $ext_ip keep state

### cisco pod network access
# rdr on $ext_if proto tcp from $router to $ext_ip port 23 -> $access_server
pass in log on $int_if proto tcp from $hosts to $access_server port telnet flags S/SA keep state
pass in log on $ext_if proto tcp from any to $access_server port telnet flags S/SA keep state

### private server network access
pass in on $int_if proto tcp from $hosts to $PDC flags S/SA keep state
pass in on $int_if proto { udp, icmp } from $hosts to $PDC keep state
pass in on $pvt_srv_if proto tcp from $PDC to $ext_ip flags S/SA keep state
pass in on $pvt_srv_if proto { udp, icmp } from $PDC to $ext_ip keep state

### public server network access
# rdr on $ext_if proto tcp from $router to $ext_ip port $www -> $web_server
pass in on $int_if proto tcp from $hosts to $web_server port $www flags S/SA keep state
pass in on $ext_if proto tcp from any to $web_server port $www flags S/SA keep state
------------------
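The capture above contains nothing but 802.1d configuration BPDUs: the switch's spanning-tree hello, sent every 2 seconds (hello=2), with no IP traffic at all on hme3. Before blaming a filter rule it helps to confirm that with something more than eyeballing, so the following Python script, added here as an example and not part of the original post, parses tcpdump lines in that format, counts BPDUs against every other frame kind, and checks the BPDU spacing against the advertised hello time. SAMPLE_CAPTURE is a constructed three-line sample in the same shape as the posted output.

```python
"""Summarise a tcpdump capture in the format posted above: count 802.1d
(spanning-tree) BPDUs against everything else and compare their spacing with
the hello time the bridge advertises.  Added example, not from the original
post; SAMPLE_CAPTURE is constructed to match the posted lines."""
from datetime import datetime

# Constructed sample: three consecutive lines in the same shape as the post.
SAMPLE_CAPTURE = """\
Dec 21 07:48:51.789877 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:48:53.788044 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
Dec 21 07:48:55.786211 802.1d config root=8000.0:e0:29:72:14:50 rootcost=0x0 bridge=8000.0:e0:29:72:14:50 port=0x8003 age=0/0 max=20/0 hello=2/0 fwdelay=15/0
"""


def parse_line(line):
    """Split one tcpdump line into timestamp, frame kind and key=value fields.
    Returns None for lines that do not start with 'Mon DD HH:MM:SS.ffffff'."""
    tokens = line.split()
    if len(tokens) < 4:
        return None
    try:
        ts = datetime.strptime(" ".join(tokens[:3]), "%b %d %H:%M:%S.%f")
    except ValueError:
        return None
    # Everything after the kind that looks like key=value becomes a field.
    fields = dict(tok.split("=", 1) for tok in tokens[4:] if "=" in tok)
    return {"ts": ts, "kind": tokens[3], "fields": fields}


def summarize(capture):
    """Count BPDUs vs. other frames and measure the BPDU inter-arrival gap."""
    bpdu_times, other = [], 0
    bridge = hello = None
    for raw in capture.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["kind"] == "802.1d":
            bpdu_times.append(rec["ts"])
            bridge = rec["fields"].get("bridge", bridge)
            if "hello" in rec["fields"]:
                hello = int(rec["fields"]["hello"].split("/")[0])  # "2/0" -> 2 s
        else:
            other += 1
    gaps = [(b - a).total_seconds() for a, b in zip(bpdu_times, bpdu_times[1:])]
    return {
        "bpdu": len(bpdu_times),
        "other": other,
        "bridge": bridge,
        "hello_advertised": hello,
        "mean_gap": sum(gaps) / len(gaps) if gaps else None,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_CAPTURE)
    print("BPDUs:", result["bpdu"], "other frames:", result["other"])
    print("bridge:", result["bridge"], "hello:", result["hello_advertised"],
          "s, measured gap:", round(result["mean_gap"], 3), "s")
```

A result of "other frames: 0" over a capture long enough to contain several telnet attempts says the traffic never reached hme3 at all; the place to capture next is the interface the packets arrive on, so that a filter decision can be told apart from a routing or addressing problem.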
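Two mistakes are easy to make in a hand-written ruleset like the one posted and both make pfctl reject the whole file with a syntax error, so no rules load at all: pf.conf(5) puts the `proto` clause before `from`/`to` (`pass in on $int_if proto tcp from $hosts to ...`, not `from $hosts proto tcp to ...`), and a state option (`keep state`, `modulate state`, `synproxy state`) may appear only once per rule. The authoritative check is `pfctl -nf /etc/pf.conf`, which parses without loading. The following Python linter is an added example, not pfctl and not the poster's code; it finds those two defects and rewrites the offending rules, and SAMPLE_RULES is a constructed fragment that mirrors the shape of the posted ruleset.

```python
"""Minimal linter for the two pf.conf filter-rule mistakes discussed above:
`from ... proto` ordering and a repeated state option.  Added example; it is
not pfctl, which remains the authoritative parser (pfctl -nf /etc/pf.conf)."""
import re

STATE_KEYWORDS = ("keep state", "modulate state", "synproxy state")

# Constructed sample mirroring the posted ruleset: lines 4 and 6 are defective.
SAMPLE_RULES = """\
# default deny, then explicit passes (constructed sample, not the posted file)
block in all
block out all
pass in on $int_if from $hosts proto tcp to $ext_ip modulate state
pass in on $int_if proto { udp, icmp } from $hosts to $ext_ip keep state
pass in on $pvt_srv_if from $PDC proto tcp to $ext_ip keep state flags S/SA keep state
"""


def strip_comment(line):
    """Drop a trailing '# ...' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def lint_rule(rule):
    """Return the problems found in one filter rule (empty list if clean)."""
    problems = []
    tokens = rule.split()
    if not tokens or tokens[0] not in ("pass", "block"):
        return problems  # only filter rules are checked here
    if "proto" in tokens and "from" in tokens:
        if tokens.index("from") < tokens.index("proto"):
            problems.append("'proto' must come before 'from'/'to'")
    if sum(rule.count(k) for k in STATE_KEYWORDS) > 1:
        problems.append("state option given more than once")
    return problems


def lint_ruleset(text):
    """Lint every non-comment line; map 1-based line number -> problems."""
    findings = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        rule = strip_comment(raw)
        if rule:
            problems = lint_rule(rule)
            if problems:
                findings[lineno] = problems
    return findings


def fix_rule(rule):
    """Move the `proto ...` clause in front of `from` (handles the
    `proto { udp, icmp }` list form) and drop a repeated state keyword."""
    m = re.search(r"\sproto\s+(\{[^}]*\}|\S+)", rule)
    if m and " from " in rule and rule.index(" from ") < m.start():
        proto_clause = m.group(0)
        rule = rule[: m.start()] + rule[m.end():]
        rule = rule.replace(" from", proto_clause + " from", 1)
    for k in STATE_KEYWORDS:
        first = rule.find(k)
        if first != -1 and rule.find(k, first + len(k)) != -1:
            tail = rule[first + len(k):].replace(" " + k, "", 1)
            rule = rule[: first + len(k)] + tail
    return re.sub(r"\s+", " ", rule).strip()


if __name__ == "__main__":
    for lineno, problems in sorted(lint_ruleset(SAMPLE_RULES).items()):
        bad = SAMPLE_RULES.splitlines()[lineno - 1]
        print(f"line {lineno}: {'; '.join(problems)}")
        print(f"  was: {bad}")
        print(f"  fix: {fix_rule(bad)}")
```

The linter deliberately knows only the two errors above; anything else (a policy that allows more than intended, a negated list that matches everything) is a semantic question that a syntax check cannot answer, which is why a clean `pfctl -nf` run is the starting point rather than the finish line.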