pf not working properly even with only "pass in all" and "pass out all" rules

xyyz · December 24, 2003, 7:20pm

i have two rules in my pf.conf file, "pass in all" and "pass out all"

i was having issues with getting pf working to begin with, so i went with
starting from nothing and working on up.

i have an ultrasparc ultra1 200e, with an added 4-port fast ethernet sbus
card, running "3.4 GENERIC#85 sparc64"

i have my access server on one and my workstation on two separate ports that
are different networks.

i can ping the access server from my workstation and my OBSD box, however, i
can't telnet to the access server from my workstation. i can telnet to the
access server through the OBSD box.

my pf.conf is as follows:

###################################
# $OpenBSD: pf.conf 11/9/2003
###################################

#####################################
### macros
#####################################

### IP addresses
ext_ip = "10.10.110.2"                          # external interface ip
address
int_ip = "192.168.110.253"                      # internal interface ip
address
pub_ip = "172.16.210.1"                         # public servers interface
ip address
pvt_ip = "192.168.210.1"                        # private servers interface
ip address
pod_ip = "172.16.110.1"                         # cisco router pod interface
ip address

### physical interfaces
int_if = "hme0"                                 # internal interface
pvt_srv_if = "hme1"                             # private server interface
pub_svr_if = "hme2"                             # public server interface
cisco_pod_if = "hme3"                           # router lab interface
ext_if = "hme4"                                 # external interface
all_if = "{ hme0, hme1, hme2, hme3, hme4}"      # all interfaces

### networks
int_net = "192.168.110.240/28"                  # internal LAN
ext_net = "10.10.110.0/30"                      # external LAN
pvt_net = "192.168.210.0/30"                    # private server network
pub_net = "172.16.210.0/30"                     # public server network
pod_net = "172.16.110.0/30"                     # cisco router pod network

### servers
web_server = "172.16.210.2"                     # webserver
PDC = "192.168.210.2"                           # primary domain server
router = "10.10.110.1"                          # router
access_server = "172.16.110.2"                  # cisco pod access server
print_server = "192.168.100.251"                # print server
proxy_server = " 192.168.100.248"               # proxy server

### internal network hosts
venus = "192.168.110.242"                       # ami's system
saturn = "192.168.110.243"                      # my system
mercury = "192.168.110.249"                     # laptop
uranus = "192.168.110.248"                      # backup server
neptune = "192.168.110.253"                     # OpenBSD
hosts = "{" $venus $saturn $mercury $uranus "}"

### Private addresses
spoof_ips= "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# private addresses

### Services
www = "{ 80, 443}"                              # http/https

##################################################################
### Options: tune the behavior of pf
##################################################################

### Sets the interface for which PF should gather statistics such as bytes
in/out and packets passed/blocked
### Optimize PF for one of the following network environments
### packet is silently dropped

# default options
#set require-order yes
#set optimization normal
#set block-policy drop
#set fingerprints "/etc/pf.os"
set loginterface hme4

##########################
###Packet Filtering Table
##########################

### Clean up fragmented packets and abnormal packets
scrub in all fragment reassemble

### redirect/nat rules
nat on $ext_if from any to any -> $ext_ip

###
### traffic rules ###
###

pass in all
pass out all

i'd appreciate any and all help

added code tags for readability --oombera

jsilva · December 25, 2003, 4:09am

Hi,

Are you sure that it's packet filter fault ? If you try to disable PF, are you able to telnet to the box ?
The machines are on different networks, the problem might be a gateway issue too... check the default gateway...

xyyz · December 30, 2003, 4:06am

actually... the gateway was the issue.

i didn't have a default gateway set on the access server... you were only the second person to catch this... noone else had a clue.

xyyz · December 30, 2003, 4:13am

here's another question about pf...

simple diagram:

WAN-----(hme4)-----*OBSD*-----(hme0)-----LAN

now if you're going from the LAN to the WAN do you need to have a separate pass in rule on hme0, and then a corresponding pass out rule on hme4? or... does the "keep state" allow you to only have a pass in statement involving hme0, where the OBSD box will have the intelligence to know that the outbound traffic will be sent out of hme4 and return on hme and then be sent to hme0, which will then take it to a workstation?

example of what i mean...do you have to have,

pass in on $int_if proto tcp from $hosts to $ext_ip modulate state
pass out on $ext_if proto tcp from $hosts to $ext_ip modulate state

or can you work with only:

pass in on $int_if proto tcp from $hosts to $ext_ip modulate state

jsilva · December 30, 2003, 4:33am

Hi,

I don't know if I understood your question...
If your default rule is to block everything, then you have to specify exactly what you want to access ( or what you want to access you ! )... so, if your default rule is to block all, then you have to specify that you want to allow traffic in and out... otherwise, you don't need any of them, all traffic will be allowed...

Let me try to explain the "keep state" and see if it fits on your solution...
You have SSHd ( for example ), running on the server A and you want all clients to be able to use it... you only need to specify one rule, the "in" rule, and the filter will be able to detect that the connection that goes out, belongs to the same connection that was started before... you have to specify on the server that you want to allow port 22 in, keeping state... instead of specifing that you want to allow connection in and out on that port...
If it doesn't look simple, it's because english is not my first language, because it is simple...

Good luck !