pf.conf in OpenBSD

[Schotty]

I got a pf.conf file I put together for my gateway. It isnt letting any traffic thru if I have the rules set. I was hoping someone could see the error and clue me in on it.

I have three NICs, ne4 (lan) ne3 (wan) and xl0(wan) to deal with. IIRC only xlo and ne4 are mentioned.

Code:

# Setup a variable for who IS allowed to go online
FullInternetIPs="{206.190.6.3/32,206.190.6.8/32, 206.190.6.11/32,206.190.6.211/3
2,206.190.6.243/32,206.190.6.56/32}"
WAN="xl0"
LAN="ne4"
# Normalize all incoming traffic
scrub in on $WAN all

#Block and log everything by default
block out log on $LAN all
block in log on $LAN all

# Silently drop broadcasts
block in quick on $WAN from any to 255.255.255.255/32

# Filter Internet connections

# Allow Toolbar access
pass out on $LAN from any to 209.184.193.164/32
pass in on $LAN from 209.184.193.164/32 to any

# Allow Mapquest
pass out on $LAN from any to 64.12.37.89/32
pass out on $LAN from any to 64.12.51.56/32
pass out on $LAN from any to 64.12.37.57/32
pass in on $LAN from 64.12.37.89/32 to any
pass in on $LAN from 64.12.51.56/32 to any
pass in on $LAN from 64.12.37.57/32 to any

# Allow full access for the chosen ones
pass out on $LAN from $FullInternetIPs to any
pass in on $LAN from any to $FullInternetIPs

The basic idea here is to allow access only to the Mapquest and Toolbar IP's. And for the chosen ones, full access. This is basically so customer service cant surf the web while working (like I am doing right now)

Thanks much!!

[Schotty]

Bump...

I take it that there are not many OpenBSD gurus here anymore..... :-[

Update :: I now have this configuration. I also feel that this looks cleaner. At this point I have been trying to figure out some of my logs. Stuff isn't getting back to the user's machine.

/etc/pf.conf

Code:

####################################################
# Setup a variable for who IS allowed to go online #
####################################################

FullInternetIPs="{192.168.254.2/32,
                  192.168.1.2/32,
                  206.190.6.3/32,
                  206.190.6.8/32,
                  206.190.6.11/32,
                  206.190.6.32/32,
                  206.190.6.56/32,
                  206.190.6.222/32,
                  206.190.6.243/32,
                  206.190.6.247/32,
                  206.190.6.249/32}"
DNS="{206.141.239.126/32,
      206.141.251.2/32,
      209.253.113.118/32,
      209.253.113.2/32}
WAN="xl0"
LAN="ne4"

pass out on $LAN all

# Block and log everything by default
block in log on $LAN all

# Allow loopback adpater traffic full reign
pass in quick on lo0 all
pass out quick on lo0 all

# Silently drop broadcasts
block in quick on $WAN from any to 255.255.255.255/32

###############################
# Filter Internet connections #
###############################

# Allow DNS queries
pass in quick on $LAN from 206.190.6.0/24 to $DNS keep state
pass out quick on $LAN from $DNS to 206.190.6.0/24 keep state

# Allow Toolbar access
pass out quick on $LAN from 206.190.6.0/24 to 209.184.193.164/32 keep state
pass in quick on $LAN from 209.184.193.164/32 to 206.190.6.0/24 keep state

# Allow Mapquest
pass out quick on $LAN from 206.190.6.0/24 to 64.12.37.89/32 keep state
pass out quick on $LAN from 206.190.6.0/24 to 64.12.51.56/32 keep state
pass out quick on $LAN from 206.190.6.0/24 to 64.12.37.57/32 keep state
pass in quick on $LAN from 64.12.37.89/32 to 206.190.6.0/24 keep state
pass in quick on $LAN from 64.12.51.56/32 to 206.190.6.0/24 keep state
pass in quick on $LAN from 64.12.37.57/32 to 206.190.6.0/24 keep state

# Allow full access for the chosen ones
pass out quick log on $LAN from $FullInternetIPs to any keep state
pass in quick log on $LAN from any to $FullInternetIPs keep state

# Allow SSH sessions from LAN
pass in quick log on 206.190.6.0/24 to 206.190.6.222/32 port = 22 keep state
pass out quick log on 206.190.6.222/32 to 206.190.6.0/24 keep state

[Ashcrow]

What do you mean trying to figure out some of your logs? What is it dropping?

[noblestknight]

I sent the thread to GNU/Vince and here is what he said.

Hey,

from what I can see, he only has one rule for $WAN, and it's a
silent
block (block in quick). Tell him to try to have a rule that lets
through other in/out traffic on $WAN. Of course, I have no knowledge
of
his network disposal, so I can't help much I'm afraid.

Vince

I hope it gives you a place to start

[Schotty]

[quote author=Ashcrow link=board=10;threadid=1834;start=0#36989 date=1023425316]
What do you mean trying to figure out some of your logs? What is it dropping?
[/quote]

Everything coming in at the current (the second post) configuration. I can see that the stuff is going out, but the logs state that the stuff isnt alowed back in.

Thanks much Ash!!

[Schotty]

[quote author=noblestknight link=board=10;threadid=1834;start=0#37047 date=1023454695]
I sent the thread to GNU/Vince and here is what he said.

Hey,

from what I can see, he only has one rule for $WAN, and it's a
silent
block (block in quick). Tell him to try to have a rule that lets
through other in/out traffic on $WAN. Of course, I have no knowledge
of
his network disposal, so I can't help much I'm afraid.

Vince

I hope it gives you a place to start



[/quote]

Thanks for whipping it his way for me

I know he is good with OpenBSD, and it always helps to have an intelligent group of minds attacking a problem.

As far as the LAN configuration :

2 DSL lines coming in. The one I am using here is the generic internet browsing one (the other is for email). Those two and the LAN are connected to the gateway. The DSL lines are on the 192.168.254.0/24 and 192.168.1.0/24 (this is the one that is for the internet browsing). The LAN is on 206.190.6.0/24 with the gateway on 206.190.6.222. As I have got it, I know for a fact that this probably is the messiest, slopped up pile of puke you guys have seen -- but this is my frist whack at it


Thanks much!!

[Ashcrow]

[quote author=Schotty link=board=10;threadid=1834;start=0#37059 date=1023458323]
Everything coming in at the current (the second post) configuration. I can see that the stuff is going out, but the logs state that the stuff isnt alowed back in.
[/quote]

So your logs state that people can send out traffic but the traffic is not allowed back in but in practice the traffic is comming back in?

I am still a bit confused here

GnuVince and I use to be the boards OpenBSD Duo Zelot Bregade!

[noblestknight]

Where in the rules is the part about allowing stuff to come back in?

[Schotty]

[quote author=Ashcrow link=board=10;threadid=1834;start=0#37120 date=1023473419]
[quote author=Schotty link=board=10;threadid=1834;start=0#37059 date=1023458323]
Everything coming in at the current (the second post) configuration. I can see that the stuff is going out, but the logs state that the stuff isnt alowed back in.
[/quote]

So your logs state that people can send out traffic but the traffic is not allowed back in but in practice the traffic is comming back in?

I am still a bit confused here

GnuVince and I use to be the boards OpenBSD Duo Zelot Bregade!
[/quote]

To Ashcrowe : For the confusion -- how do you think I feel -- I have barely a clue what the hell I am doing ;D

To all : And yes, it was you and GnuVince that got me hooked on OpenBSD. And I am glad too... Too bad GnuVince had to quit... I liked his sense of humor.

To noblestknight: You arent alone.

To all : Yeah, well -- here Ill make a free website somewhere and post the logs. Its about time I do that anyhow. Ill upate my post here with the URL.


UPDATE!!:

http://www.geocities.com/rammstein_schotty/index2.htm

[GnuVince]

2 things:
1. It's nice to know someone liked me :-[
2. How does it work now Schotty?
3. Did I just make a GnuVince's 2?