Date: Thu, 18 Jun 2009 12:38:24 -0600 From: Tim Judd <tajudd@gmail.com> To: Mike Sweetser - Adhost <mikesw@adhost.com> Cc: freebsd-questions@freebsd.org Subject: Re: PF Routing to VPN Device Message-ID: <ade45ae90906181138t6bcaf869q32edd9e64e27c220@mail.gmail.com> In-Reply-To: <17838240D9A5544AAA5FF95F8D5203160638ABE2@ad-exh01.adhost.lan> References: <17838240D9A5544AAA5FF95F8D5203160638ABE2@ad-exh01.adhost.lan>
On 6/17/09, Mike Sweetser - Adhost <mikesw@adhost.com> wrote:
> Hello,
>
> We have a network with a VPN device sitting beside a PF server, both
> connected to an internal network.
>
> PF Server: 10.1.4.1
> VPN Device: 10.1.4.200
>
> The VPNs are set up for 10.1.1.0/24 and 10.1.2.0/24, so any traffic to
> these networks should be routed to 10.1.4.200. We've set up routes on
> the PF server as such.
>
> We've set up the following rules:
>
> block in log
> pass in on $int_if route-to 10.1.4.200 from 10.1.4.0/24 to { 10.1.1.0/24 10.1.2.0/24 }
>
> However, the block in log is catching the return traffic. From pflog,
> when somebody on the VPN (10.1.2.105) tries to connect to 10.1.4.25 on
> port 80:
>
> 000000 rule 28/0(match): block in on bge1: 10.1.4.25.80 > 10.1.2.105.3558: [|tcp]
>
> If we remove the block in log, the traffic works.
>
> What are we missing?
>
> Thanks,
> Mike

Mike,

I know the typical firewall rules that are googleable are one of two basic starting policies:

-- 1.
block in all
pass out all

-- 2.
block all

They've become a headache for me when configuring a firewall, and I now start with this base. In this example, fxp0 is facing the Internet and xl0 is facing the trusted network.

-- 3.
block in on fxp0 all
pass out

This adds the benefit that VPN connections, TUNs, GIFs, and all other Ethernet devices aren't blindly evaluated against a simple "block in" rule; rather, it's just the fxp0 interface's public Internet traffic that is being blocked, while TUNs, GIFs, and the like are exempt from that rule entry line.

Might you try editing your rules to just block your public IP firewall interface?

Good luck.
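The interface-scoped base policy from the reply, applied to the addressing in the question, as an added pf.conf example that is not from the thread. The external interface name, the use of the documented `route-to (interface gateway)` form, and the `no state` handling of the VPN reply traffic are assumptions on my part; adjust `block in on $ext_if` to your public interface and load the file with `pfctl -nf` first to check the syntax.

```pf
# Added example ruleset (not from the thread). Interface names are assumed:
# fxp0 faces the Internet, bge1 is the 10.1.4.0/24 LAN seen in the pflog line.
ext_if   = "fxp0"
int_if   = "bge1"
vpn_gw   = "10.1.4.200"                  # VPN device from the question
vpn_nets = "{ 10.1.1.0/24, 10.1.2.0/24 }"  # subnets reachable via the VPN

set skip on lo0

# Base policy (option 3 in the reply): default-deny only on the public
# interface. A bare "block in" would also catch LAN, tunnel and VPN reply
# traffic on every other interface, which is what the pflog line shows.
block in log on $ext_if all
pass out

# LAN hosts reaching the VPN subnets are handed to the VPN device on the LAN.
# The blocked packet in the thread (10.1.4.25:80 > 10.1.2.105) is the reply
# half of a connection whose first packet went VPN device -> 10.1.4.25 on the
# same LAN and never crossed PF, so a stateful rule (the default on pf
# versions that keep state implicitly) sees it mid-stream with no state and
# cannot match it. "no state" forwards such asymmetric flows statelessly;
# keep that exemption as narrow as these two subnets.
pass in on $int_if route-to ($int_if $vpn_gw) \
    from 10.1.4.0/24 to $vpn_nets no state
```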