eRacks Forums

eRacks Open Source Systems forums for discussion, ideas, and support.


I need a rule, but I don't know what...

(5 posts)
  • Started 2 years ago by kenneth2k1
  • Latest reply from kenneth2k1

  1. kenneth2k1
    Member

    So we have the twinguard set up:

    Twin1
    re0: 24.120.60.58
    re1: 172.20.1.1

    Some computers have the re1 address of 172.20.1.1 as their gateway. Those people do not get internet access; however, I can still access network drives. I cannot ping the fw.

    Twin2
    re0: 24.120.60.59
    re1: 172.20.255.1

    Many of our servers and other PCs have the re1 address of 172.20.255.1 as their gateway. Those computers DO work. I can ping 255.1.

    My LAN has one subnet, a /16.

    We have two IPs assigned from our ISP. We use all static; there is no DHCP. It just had a different rule set. The rules were pulled from two WatchGuard Fireboxes, which we replaced with the OpenBSD ones.

    The default gateway for some machines is set to 255.1, but not all. The remaining machines use the default gateway of 1.1. The 255.1 works, but not the 1.1 to get to the Internet.

    We also have a spam filter that sits at 172.20.1.3, and it does not appear to be working. I have set a rule to do rdr of incoming on port 25 to the spam filter; I think that's how it was already configured. It has not received incoming mail since I switched over this morning. I suspect it also is using 1.1 as the default gateway.

    So... in short... what am I missing here? I need to be able to let those who have 172.20.1.1 set as their default gateway get to the Internet. My guess is something that needs to pass to the other gateway in order to get out?? Maybe??

    Posted 2 years ago #
  2. kenneth2k1
    Member

    Here are my rules. I had to type them out because I created them by modifying the pf.conf file; I didn't use pfw because it reports an old ruleset!!!!!

    ruleset for 172.20.1.1

    #Macros
    ext_if="re0"
    int_if="re1"
    # ----
    table <badnets> persist const { \
    0/8 10/8 127/8 172.16/12 192.168/16 192.254/16 \
    $ext_if:0 \
    }
    # ----
    set state-policy if-bound
    set skip on {lo0}
    set block-policy drop
    # ----
    # NAT Rules
    nat on $ext_if inet from ($int_if:network) to any -> ($ext_if:0)
    #
    # RDR ATI_IN
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) tag OK_RDR_ATI -> 172.20.231.41
    # RDR Filtered HTTP
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 80 tag OK_RDR -> 172.20.99.6
    # RDR Filtered SMTP
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 25 tag OK_RDR -> 172.20.1.3
    # RDR FTP
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 21 tag OK_RDR -> 172.20.99.6
    # RDR HTTPS_Synxis
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 443 tag OK_RDR -> 172.20.255.189
    RDR TCPIP 20_UDP
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port { 20 21 22 23 } tag OK_RDR_UDP -> 172.20.255.187
    # ----
    # Filter Rules
    block log all
    pass out log quick on $ext_if inet from self to any modulate state
    #
    pass out log quick on $ext_if inet tagged OKPKTS keep state
    #
    pass in log quick on $int_if inet from ($int_if:network) to any tag OKPKTS modulate state
    #
    pass in log quick on $ext_if inet proto tcp tagged OK_RDR flags S/SA synproxy state
    #
    pass in log quick on $ext_if inet proto tcp tagged OK_RDR_ATI flags S/SA synproxy state
    #
    pass in log quick on $ext_if inet proto tcp tagged OK_RDR_UDP keep state
    #
    pass out log quick on $int_if inet proto tcp tagged OK_RDR keep state
    #
    pass out log quick on $int_if inet proto tcp tagged OK_RDR_ATI keep state
    #
    pass out log quick on $int_if inet proto tcp tagged OK_RDR_UDP keep state
    # Allow admin of the firewall
    pass in log quick on $ext_if inet proto tcp from any to ($ext_if:0) port {ssh https } flags S/SA keep state
    # ----
    # End of Ruleset

    Posted 2 years ago #
  3. kenneth2k1
    Member

    ruleset for 172.20.255.1

    #Macros
    ext_if="re0"
    int_if="re1"
    # ----
    table <badnets> persist const { \
    0/8 10/8 127/8 172.16/12 192.168/16 192.254/16 \
    $ext_if:0 \
    }
    # ----
    set state-policy if-bound
    set skip on {lo0}
    set block-policy drop
    # ----
    #NAT Rules
    nat on $ext_if inet from ($int_if:network) to any -> ($ext_if:0)
    # RDR ATI
    on $ext_if inet proto tcp from any to (ext_if:0) tag OK_RDR_ATI -> 172.20.255.82
    #RDR CIS
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) tag OK_RDR -> 172.20.115.10
    #RDR EXTS
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 3389 tag OK_RDR -> 172.20.255.127
    #RDR Filtered_SMTP
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port { 25 } tag OK_RDR -> 172.20.1.3
    #RDR FMT GreatPlains
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 3391 tag OK_RDR -> 172.20.255.27
    # RDR GreatPlains
    rdr on $ext_if inet proto tcp from any to (#ext_if:0) tag OK_RDR -> 172.20.255.27
    # RDR CIS_Telnet
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 23 tag OK_RDR -> 172.20.115.10
    # RDR HTTP out of DNS server
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 80 tag OK_RDR -> 172.20.99.6
    #RDR HTTPS_OWS
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 443 tag OK_RDR -> 172.20.255.188
    #RDR INFOGENESIS_IN
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) tag OK_RDR_IG -> 172.20.99.200
    # RDR LVSC_IN
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) tag OK_RDR_SC -> 172.20.10.100
    # RDR POP3 ---- 127 is dead
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 110 tag OK_RDR -> 172.20.255.127
    # RDR RDP
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) port 3389 tag OK_RDR -> 172.20.99.1
    # RDR SAFLOK_IN
    rdr on $ext_if inet proto tcp from any to ($ext_if:0) tag OK_RDR_SAFLOK -> 172.20.6.5
    #
    # ----
    # Filter Rules
    block log all
    pass out log quick on $ext_if inet from self to any modulate state
    #
    pass out log quick on $ext_if inet tagged OKPKTS keep state
    #
    pass in log quick on $int_if inet from ($int_if:network) to any tag OKPKTS modulate state
    #
    pass in log quick on $ext_if inet proto tcp tagged OK_RDR flags S/SA synproxy state
    #
    pass in log quick on $ext_if inet proto tcp tagged OK_RDR_ATI flags S/SA synproxy state
    #
    pass in log quick on $ext_if inet proto tcp tagged OK_RDR_IG flags S/SA synproxy state
    #
    pass in log quick on $ext_if inet proto tcp tagged OK_RDR_SC flags S/SA synproxy state
    #
    pass in log quick on $ext_if inet proto tcp tagged OK_RDR_SAFLOK flags S/SA synproxy state
    #
    pass out log quick on $int_if inet proto tcp tagged OK_RDR_ATI
    #
    pass out log quick on $int_if inet proto tcp tagged OK_RDR keep state
    #
    pass out log quick on $int_if inet proto tcp tagged OK_RDR_IG keep state
    #
    pass out log quick on $int_if inet proto tcp tagged OK_RDR_SC keep state
    #
    pass out log quick on $int_if inet proto tcp tagged OK_RDR_SAFLOK keep state
    #
    pass in log quick on $ext_if inet proto tcp from any to ($ext_if:0) port { ssh https } flags S/SA keep state #Allow admin of the firewall
    # End of ruleset

    Posted 2 years ago #
  4. Firstly, you shouldn't type in your rules, which is of course very error-prone - use ftp and/or scp, a pastebin, etc.

    Please also include the results of your "ifconfig -A" command. (redirect it to a file and ftp that as well).

    This rule is not proper syntax and will not compile:
    > # RDR ATI
    > on $ext_if inet proto tcp from any to (ext_if:0) tag OK_RDR_ATI -> 172.20.255.82

    I see other suspicious syntax errors which look like they may have been typos introduced by the manual copy.

    Why are you not using the pass feature in your translation rules? ("rdr pass" feature, etc)? This would completely eliminate the need for all the tagging, and most of the pass out rules.

    Why are you using synproxy?

    Posted 2 years ago #
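    As an added example (not the poster's ruleset and not eRacks' code), here is the "Filtered SMTP" redirection rewritten with "rdr pass", the way the reply above suggests. It assumes the interface names, the 172.20.0.0/16 LAN and the spam filter at 172.20.1.3 from the thread, the nat/rdr pf syntax the posted rules use (OpenBSD before the 4.7 "match" rewrite), and the default floating state policy rather than the "set state-policy if-bound" line in the posted rulesets.

```pf
# Added example, not the thread's own ruleset. Interface names, the /16 LAN
# and the spam filter address are taken from the thread; "spamfilter" is a
# macro introduced here.
ext_if="re0"
int_if="re1"
spamfilter="172.20.1.3"

# Floating states (the default) let a state created on the inbound interface
# match the same connection leaving on the other interface. With
# "set state-policy if-bound" that is not the case, and the separate
# "pass out ... tagged" rules from the posted rulesets would be needed again.
set skip on { lo0 }
set block-policy drop

# Outbound NAT for the internal /16 behind this firewall's own address.
nat on $ext_if inet from ($int_if:network) to any -> ($ext_if:0)

# "rdr pass": translation and the pass rule in one line. The SYN is let in on
# $ext_if with state, so no tag, no "pass in ... tagged OK_RDR" rule and no
# "pass out on $int_if ... tagged OK_RDR" rule are required for it.
rdr pass on $ext_if inet proto tcp from any to ($ext_if:0) port 25 -> $spamfilter

# Default deny, then the few things that are allowed.
block log all
# The firewall's own traffic.
pass out quick on $ext_if inet from self to any keep state
# Internal hosts going out; state created here also covers the egress on $ext_if.
pass in quick on $int_if inet from ($int_if:network) to any keep state
# Admin access to the firewall itself.
pass in log quick on $ext_if inet proto tcp from any to ($ext_if:0) port { ssh https } flags S/SA keep state
```

    Before loading a hand-edited file, "pfctl -nf /etc/pf.conf" parses it without installing the rules; it reports the line of any syntax error such as the "(ext_if:0)" quoted above, and only after it is clean should "pfctl -f /etc/pf.conf" load the ruleset.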
  5. kenneth2k1
    Member

    Thanks for the reply. The typo on the ext_if should be $ext_if, sorry about that. Using synproxy is because I saw it on another site; I assume I don't need it with my version of OpenBSD. The tags are because one other guy told me to do it that way, and I know you said it doesn't need to be like that. I can modify my rules to show rdr pass, eliminate the tags and... which pass out rules to get rid of? I am guessing all except pass out on $ext_if inet from self to any (should I get rid of modulate state also?).

    The big question...

    will my RDR Filtered SMTP work? I really need the mail up.

    Posted 2 years ago #
