Date:      Tue, 04 Jul 2006 09:44:04 +0200
From:      Erik Norgaard <norgaard@locolomo.org>
To:        Mark Moellering <mark@msen.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: 3 NIC firewall help
Message-ID:  <44AA1C44.7000209@locolomo.org>
In-Reply-To: <200607031842.27083.mark@msen.com>
References:  <200607031842.27083.mark@msen.com>

Mark Moellering wrote:

> 	I have a problem which I think must be simple, I just can't figure out 
> exactly what I need to do.  I have a gateway / firewall (freebsd 6.1) with 3 
> nic cards.  I just added the third card, rl1, which I have attached to a 
> wireless access point.  
> 	I can ping the access point from the firewall, but not from the rest of the 
> internal (wired) network!!??  My wired network is 192.168.1 and the wireless 
> access point is currently the default 192.168.0.229.  rl1 is set to 
> 192.168.0.210

Just one thing: have you checked the netmask on the hosts on your wired 
network?

> 	Attached are netstat -r, my pf.conf and rc.conf from the firewall/gateway.  
> Any and all help is appreciated.

comments on your ruleset:

> #
> # Firewall for Home or Small Office
> # http://www.openbsd.org/faq/pf/example1.html
> #
> # macros
> int_if = "bge0"
> ext_if = "rl0"
> wint_if = "rl1"
> 
> tcp_services = "{ 22, 113 }"
> icmp_types = "echoreq"
> 
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> 
>         
> # options
> set block-policy return
> set loginterface $ext_if
> 
> # scrub
> scrub in all
> 
> # nat/rdr
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> nat on $ext_if from $wint_if:network to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

You will probably want to replace "any" with !$priv_nets, since only 
traffic to non-private networks should exit on your external interface 
anyway.

> # filter rules
> block all

Log what you block, so you can see which rule catches the missing traffic.

> #pass in all
> 
> pass quick on lo0 all
> 
> block drop in on $ext_if from $priv_nets to any
> block drop out on $ext_if from any to $priv_nets

You want to be quick here - right?

> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>    port $tcp_services flags S/SA keep state
> 
> #allow access to web server
> #pass in on $ext_if inet proto tcp from $XXX to 192.168.1.5 port 80 \
>    flags S/SA keep state

Syntax error - you have a "flags ... " line with no rule.

> pass in inet proto icmp all icmp-type $icmp_types keep state

Ok, so you allow icmp from anywhere to anywhere on any interface?

> pass in  on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state

In this and the following, the out rule only matches traffic originating 
from the firewall, since you have keep state on your in-rules.

> pass in on $wint_if from $wint_if:network to any keep state
> pass out on $wint_if from any to $wint_if:network keep state
> 
> pass in on $wint_if from $int_if:network to any keep state
> pass in on $int_if from $wint_if:network to any keep state

These two rules will NEVER match - you can't have traffic with origin 
your wired network coming in on your wireless interface.

> pass out on $wint_if from any to $int_if:network keep state
> pass out on $int_if from any to $wint_if:network keep state

Same as above - you can't have traffic out on your wireless network 
interface when it's destined to a network block on the wired network.

> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> pass in on $ext_if inet proto tcp from any to ($ext_if) \
>    user proxy keep state

Some general stuff:

- Always add "log" to your block rules to see where things are caught.

- Always use quick when you decide on an action opposite to the default,
   in this case "pass", or you may have other rules messing things up.

- Organize your ruleset as follows: per direction, per interface,
   per protocol, (per origin this is normally given by the interface),
   per destination. Doing so will make it easier to read and check that
   you have all combinations. This organization also makes the firewall
   faster.

- Avoid use of the "any/all" keyword in rules with the "quick" keyword.
   Rules using "any/all" should be placed last since these will catch any
   remaining packets. The only exception is the default action which
   doesn't have the "quick" keyword - I like to have it explicit at top.

However, I don't see any rules that should block traffic between your 
two networks.

Cheers, Erik
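Putting the advice above together, here is one way the three-interface ruleset could be rewritten so that it is organised per direction, per interface and per protocol, logs on every block, uses quick on every pass, and drops the wired/wireless cross rules that can never match. This is an added example, not the original poster's configuration or a file from the thread; it assumes the interface names, networks and services quoted in the thread (bge0 wired 192.168.1.0/24, rl1 wireless 192.168.0.0/24, rl0 external, ssh/ident inbound, ftp-proxy on 127.0.0.1:8021) and pf syntax of the FreeBSD 6.x era. The private-network list is declared as a table rather than a brace list so that it can be negated as a unit in the nat rules.

```pf
# Example pf.conf for the 3-NIC gateway discussed above (added example,
# interface names and networks assumed from the thread).
ext_if  = "rl0"     # Internet
int_if  = "bge0"    # wired LAN, 192.168.1.0/24
wint_if = "rl1"     # wireless access point segment, 192.168.0.0/24

tcp_services = "{ 22, 113 }"
icmp_types   = "echoreq"

# RFC 1918 + loopback as a table, so it can be used negated (!<priv_nets>)
table <priv_nets> const { 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# options
set block-policy return
set loginterface $ext_if

# normalisation
scrub in all

# nat/rdr: only traffic leaving for non-private destinations is translated
nat on $ext_if from $int_if:network  to !<priv_nets> -> ($ext_if)
nat on $ext_if from $wint_if:network to !<priv_nets> -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# default action, explicit and logged; everything passed below is quick
block log all

pass quick on lo0 all

# --- in on $ext_if -------------------------------------------------------
# anti-spoofing: private source addresses never arrive from the Internet
block drop in  log quick on $ext_if from <priv_nets> to any
pass in quick on $ext_if inet proto tcp  from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in quick on $ext_if inet proto tcp  from any to ($ext_if) \
    user proxy flags S/SA keep state
pass in quick on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type $icmp_types keep state

# --- in on $int_if (wired) ----------------------------------------------
# "to any" covers both the Internet and the wireless segment; the matching
# out direction on $ext_if / $wint_if is allowed by the state entry
pass in quick on $int_if inet proto tcp  from $int_if:network to any \
    flags S/SA keep state
pass in quick on $int_if inet proto udp  from $int_if:network to any keep state
pass in quick on $int_if inet proto icmp from $int_if:network to any \
    icmp-type $icmp_types keep state

# --- in on $wint_if (wireless) ------------------------------------------
pass in quick on $wint_if inet proto tcp  from $wint_if:network to any \
    flags S/SA keep state
pass in quick on $wint_if inet proto udp  from $wint_if:network to any keep state
pass in quick on $wint_if inet proto icmp from $wint_if:network to any \
    icmp-type $icmp_types keep state

# --- out on $ext_if ------------------------------------------------------
# private destinations never leave on the external interface
block drop out log quick on $ext_if from any to <priv_nets>
pass out quick on $ext_if inet proto tcp all flags S/SA modulate state
pass out quick on $ext_if inet proto { udp, icmp } all keep state

# --- out on $int_if / $wint_if -------------------------------------------
# forwarded traffic is already matched by state; these only cover traffic
# the firewall itself originates towards each LAN
pass out quick on $int_if  inet from ($int_if)  to $int_if:network  keep state
pass out quick on $wint_if inet from ($wint_if) to $wint_if:network keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it. With `block log all` in place and `pflog_enable="YES"` in rc.conf, `tcpdump -n -e -ttt -i pflog0` shows each dropped packet together with the number of the rule that dropped it, which is the quickest way to find out why the wired hosts cannot reach the access point.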



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44AA1C44.7000209>