Re: What stupid mistake am I making?

From: stan
Date: Tuesday, December 22, 2009 - 9:35 am

I have a redundant pair of firewalls (4.6) and I am trying to block access
from outside to the subnet set up for pfsync. I have the following rules 
in pf.conf

ext_if = "bge0"
int_if = "eme0"

match in all scrub (no-df)

pass            # to establish keep-state

block in quick from 10.209.128.20 to any
block in on ! lo0 proto tcp to port 6000:6010
# Block telnet from outside the powerhouse network
block in  on $ext_if proto tcp from any to any port 23

block out on $ext_if from 192.168.254.0/24 to any
block out on $int_if from 192.168.254.0/24 to any
block in on $ext_if from any to 192.168.254.0/24
block in on $int_if from any to 192.168.254.0/24

But I can still ping 192.168.254.253, which is the IP for one side of that
link

What stupid mistake am I making?

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

From: Steve Shockley
Date: Tuesday, December 22, 2009 - 10:51 am

From: stan
Date: Tuesday, December 22, 2009 - 12:32 pm

Good catch. 

But the test is from the outside, so I don't think this mistake is what's
causing my problems.

What I want to do is block all traffic related to the pfsync link from
leaving either the internal, or the external interface, and block all
traffic bound to this interface. 

Can anyone give me an example?


From: stan
Date: Tuesday, December 22, 2009 - 12:51 pm

OK now I have this:

set skip on lo
ext_if = "bge0"
int_if = "em0"
pfsync_if = "em1"

match in all scrub (no-df)

block out quick from $pfsync_if to $ext_if
block out quick from $pfsync_if to $int_if
block in quick from $int_if to $pfsync_if
block in quick from $int_if to $pfsync_if

And I can still ping the pfsync interface.

What basic mistake am I making?


From: Jussi Peltola
Date: Tuesday, December 22, 2009 - 1:18 pm

State. Blocking outgoing traffic will not prevent replies being allowed
out.
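An added toy model of the evaluation order Jussi is describing (this is not code from the thread; the outside address 203.0.113.5 and the packet layout are constructed): last matching rule wins, "quick" stops evaluation, a stateful "pass" creates state, and a reply that matches state is never checked against the ruleset, so a later "block out" never sees it.

```python
# Toy model of pf rule evaluation (added example, not code from the list): last
# matching rule wins, "quick" stops evaluation, a stateful "pass" creates state,
# and packets that match existing state skip the ruleset entirely.
import ipaddress
from dataclasses import dataclass
from typing import Optional
PFSYNC_NET = ipaddress.ip_network("192.168.254.0/24")

@dataclass
class Rule:
    action: str                                  # "pass" or "block"
    direction: str                               # "in", "out" or "any"
    iface: Optional[str] = None                  # None matches every interface
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    quick: bool = False
    keep_state: bool = False
    def matches(self, pkt):
        return (self.direction in ("any", pkt["dir"]) and self.iface in (None, pkt["iface"])
                and (self.src is None or ipaddress.ip_address(pkt["src"]) in self.src)
                and (self.dst is None or ipaddress.ip_address(pkt["dst"]) in self.dst))

class ToyPf:
    def __init__(self, rules):
        self.rules, self.states = rules, set()
    def filter(self, pkt):
        if (pkt["src"], pkt["dst"]) in self.states:   # state lookup happens first
            return "pass (state)"
        verdict, keep = "pass", False                   # pf's default is pass
        for r in self.rules:
            if r.matches(pkt):
                verdict, keep = r.action, r.keep_state  # last match wins ...
                if r.quick:                             # ... unless it is quick
                    break
        if verdict == "pass" and keep:                  # state covers both directions
            self.states.update({(pkt["src"], pkt["dst"]), (pkt["dst"], pkt["src"])})
        return verdict

def ping_from_outside(rules):
    """Constructed traffic: echo request from 203.0.113.5 to the pfsync address
    192.168.254.253 arriving on bge0, followed by the echo reply."""
    pf = ToyPf(rules)
    req = {"dir": "in", "iface": "bge0", "src": "203.0.113.5", "dst": "192.168.254.253"}
    rep = {"dir": "out", "iface": "bge0", "src": "192.168.254.253", "dst": "203.0.113.5"}
    r1 = pf.filter(req)
    return r1, (pf.filter(rep) if r1 == "pass" else "no reply (request blocked)")

# Jussi's point: a "block out" placed after a stateful pass never sees the reply.
BLOCK_OUT_AFTER_PASS = [Rule("pass", "any", keep_state=True), Rule("block", "out", "bge0", src=PFSYNC_NET)]
# Without quick, the later pass rule is the last match and wins.
BLOCK_IN_WITHOUT_QUICK = [Rule("block", "in", dst=PFSYNC_NET), Rule("pass", "any", keep_state=True)]
# Blocking the request itself, quick and before the pass, keeps state from forming.
BLOCK_IN_QUICK_FIRST = [Rule("block", "in", dst=PFSYNC_NET, quick=True), Rule("pass", "any", keep_state=True)]
```

Run ping_from_outside() on each ruleset: only the quick inbound block placed before the stateful pass stops the request, and with it the reply.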

From: stan
Date: Tuesday, December 22, 2009 - 1:38 pm

OK, but pfctl -s rules includes the following:

block drop in quick inet from any to 192.168.254.0/24

Which I think is an expansion of this rule I have in pf.conf

block in quick from any to 192.168.254.0/24

So, why does that not stop it?


From: Aaron Mason
Date: Tuesday, December 22, 2009 - 5:02 pm

-- 
Aaron Mason - Programmer, open source addict
I've taken my software vows - for beta or for worse

From: stan
Date: Tuesday, December 22, 2009 - 1:02 pm

OK. pfctl -s rules shows:

root@phfw2:etc# pfctl -s rule 
match in all scrub (no-df)
block drop out quick inet from 192.168.254.0/24 to any
block drop in quick inet from any to 192.168.254.0/24
pass all flags S/SA keep state
block drop in quick inet from 10.209.128.20 to any
block drop in on ! lo0 proto tcp from any to any port 6000:6010
block drop in on bge0 proto tcp from any to any port = telnet
block drop out quick on bge0 inet from 192.168.254.0/24 to any
block drop in quick on bge0 inet from 192.168.254.0/24 to any
block drop out quick on em0 inet from 192.168.254.0/24 to any
block drop in quick on em0 inet from 192.168.254.0/24 to any
block drop out on bge0 inet proto carp from 192.168.254.0/24 to any
block drop out on bge0 inet proto pfsync from 192.168.254.0/24 to any
block drop out on bge0 inet proto icmp from 192.168.254.0/24 to any
block drop out on em0 inet proto carp from 192.168.254.0/24 to any
block drop out on em0 inet proto pfsync from 192.168.254.0/24 to any
block drop out inet from 192.168.254.254 to 10.209.142.153
block drop out inet from 192.168.254.254 to 170.85.106.145
block drop in inet from 170.85.106.145 to 192.168.254.254


But I can still ping 192.168.254.253 from the outside. What don't I
understand!


From: Duncan Patton a Campbell
Date: Wednesday, December 23, 2009 - 6:49 pm

On Tue, 22 Dec 2009 11:35:31 -0500
