* Short version:
Is there a known issue with using return-rst in ipf in a bridged configuration
where the external interface has no IP? If not, how is it supposed to work?
* Long version:
I'm using ipf with 2 interfaces in a bridged configuration as a sort of
drop-in transparent firewall. The firewall works, but there are a few things
(all related) that aren't working. Basically, I can't seem to get return-rst
or return-icmp-as-dest to work, thus making the firewall far less than
"transparent" (the massive timeouts in incoming connections give away the
filter), and traceroutes don't work on the last hop (the IPs behind the
firewall), for the same reason.
The network looks like this:
Internet <---> Cable modem <---> Moria* <---> workstations w/ext IPs
                                        <---> workstations w/int IPs
*Moria is the OpenBSD firewall, and it has an int IP address (192.168.23.254)
on its internal interface in order to spit a copy of syslog to another
internal machine where it's easier to monitor. No other services exist on the
box, and no external IP exists.
Are there any issues with using return-rst or return-icmp-as-dest in a bridged
configuration with no external IP? A URL to the archives where this has been
discussed would be great, although I wasn't able to find anything there.
A whole whack of possibly useful information follows the end of this email.
I should probably mention that I work for the ISP in question, so I can answer
questions specific to that network as well, though I can't see it being a
factor.
Best regards,
- Tillman
# uname -a
OpenBSD moria 2.7 GENERIC#25 i386
# dmesg
OpenBSD 2.7 (GENERIC) #25: Sat May 13 18:04:26 MDT 2000
der...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Cyrix 486DLC (486-class)
WARNING: CYRIX 486DLC CACHE UNCHANGED.
real mem = 20561920 (20080K)
avail mem = 14483456 (14144K)
using 276 buffers containing 1130496 bytes (1104K) of memory
mainbus0 (root)
bios0 at mainbus0: AT/286+(00) BIOS, date 06/06/92
isa0 at mainbus0
isadma0 at isa0
wdc0 at isa0 port 0x1f0/8 irq 14
wd0 at wdc0 channel 0 drive 0: <Maxtor 71626 AP>
wd0: can use 16-bit, PIO mode 4
wd0: 32-sector PIO, LBA, 1554MB, 3158 cyl, 16 head, 63 sec, 3184170 sectors
ep0 at isa0 port 0x300/16 irq 5: address 00:a0:24:b8:e7:9e, utp (default utp)
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
sysbeep0 at pcppi0
npx0 at isa0 port 0xf0/16: using exception 16
pccom0 at isa0 port 0x3f8/8 irq 4: ns16450, no fifo
vt0 at isa0 port 0x60/16 irq 1: vga 80 col, color, 8 scr, mf2-kbd
pms0 at vt0 irq 12
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
fd0 at fdc0 drive 0: density unknown
isapnp0 at isa0 port 0x279: read port 0x203
ne3 at isapnp0 "ALN-101TB Plug and Play Etherne, ANX3101, PNP80D6, " port 0x280/32 irq 3
ne3: NE2000 (RTL8019) Ethernet
ne3: address 00:60:67:25:c0:1e
biomask 4040 netmask 4068 ttymask 506a
pctr: no performance counters in CPU
dkcsum: wd0 matched BIOS disk 80
root on wd0a
rootdev=0x0 rrootdev=0x300 rawdev=0x302
(IPs are obfuscated)
# cat ipf.rules
# Note: ep0 is internal int, ne3 is external int
block in log all
block in log quick on ne3 all head 100
block in quick from any to 255.255.255.255 group 100
# This next line is in for testing. Doesn't appear to work.
block return-rst in quick proto tcp from any to any port = 23 group 100
pass in quick from 127.0.0.0/8 to 127.0.0.0/8 group 100
pass in quick proto icmp from any to any group 100
pass in quick proto tcp from any to 1.2.3.0/24 port = 113 keep state keep frags group 100
pass in quick proto tcp from any to 1.2.3.0/24 port = 22 keep state keep frags group 100
pass in quick proto udp from any to 1.2.3.1 port = 53 keep state keep frags group 100
pass in quick proto tcp from any to 1.2.3.1 port = 80 keep state keep frags group 100
pass in quick proto tcp from any to 1.2.3.1 port = 25 keep state keep frags group 100
# Incoming from Internal Network
block in log quick on ep0 all head 200
pass in quick from 192.168.23.0/24 to 192.168.23.254 group 200
pass in quick proto tcp from 1.2.3.1 to any keep state keep frags group 200
pass in quick proto tcp from 1.2.3.2 to any keep state keep frags group 200
pass in quick proto tcp from 1.2.3.3 to any flags S keep state keep frags group 200
pass in quick proto tcp from 1.2.3.4 to any keep state keep frags group 200
pass in quick proto udp from 1.2.3.1 to any keep state keep frags group 200
pass in quick proto udp from 1.2.3.2 to any keep state keep frags group 200
pass in quick proto udp from 1.2.3.3 to any keep state keep frags group 200
pass in quick proto udp from 1.2.3.4 to any keep state keep frags group 200
pass in quick from 1.2.3.1 to any group 200
pass in quick from 1.2.3.2 to any group 200
pass in quick from 1.2.3.3 to any group 200
pass in quick from 1.2.3.4 to any group 200
# ifconfig -a
lo0: flags=8009<UP,LOOPBACK,MULTICAST> mtu 32972
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff000000
lo1: flags=8008<LOOPBACK,MULTICAST> mtu 32972
ep0: flags=8963<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet 10baseT
inet 192.168.23.254 netmask 0xffffff00 broadcast 192.168.23.255
inet6 fe80::2a0:24ff:feb8:e79e%ep0 prefixlen 64 scopeid 0x1
ne3: flags=8b63<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> mtu 1500
media: Ethernet autoselect (10baseT)
inet6 fe80::260:67ff:fe25:c01e%ne3 prefixlen 64 scopeid 0x2
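Added example, not part of the original post and not ipf's own code: a small Python simulator for the subset of ipf rule syntax used in the ipf.rules above, which reports the rule an inbound packet ends up matching under ipf's quick/head/group ordering. The packets and the addresses 203.0.113.9 and 198.51.100.7 are constructed, and the matching logic is a simplification of ipfilter's real semantics.

```python
import ipaddress
RULES = """block in log all
block in log quick on ne3 all head 100
block return-rst in quick proto tcp from any to any port = 23 group 100
pass in quick proto tcp from any to 1.2.3.1 port = 80 keep state keep frags group 100
block in log quick on ep0 all head 200
pass in quick from 192.168.23.0/24 to 192.168.23.254 group 200
pass in quick proto tcp from 1.2.3.3 to any flags S keep state keep frags group 200
pass in quick from 1.2.3.3 to any group 200"""  # excerpt of the posted ipf.rules, trimmed for this example

def parse(line):  # parse one rule of the ipf subset used above (direction is always "in")
    w = line.split()
    r = {"action": w[0], "rst": "return-rst" in w, "quick": "quick" in w, "syn_only": "flags" in w,
         "on": None, "proto": None, "from": "any", "to": "any", "port": None, "head": None, "group": None}
    for key in ("on", "proto", "from", "to", "head", "group"):
        if key in w:
            r[key] = w[w.index(key) + 1]
    if "port" in w:  # "port = N": the value is two tokens after "port"
        r["port"] = int(w[w.index("port") + 2])
    return r

def in_net(addr, spec):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def matches(r, p):
    return (r["on"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and in_net(p["src"], r["from"]) and in_net(p["dst"], r["to"])
            and r["port"] in (None, p.get("dport"))
            and (not r["syn_only"] or p.get("flags") == "S"))  # 'flags S' = SYN only

def evaluate(rules, p):
    """Simplified ipf matching: last match wins unless 'quick'; a matching 'head N' opens 'group N'."""
    verdict = None
    for r in (x for x in rules if x["group"] is None):
        if not matches(r, p):
            continue
        verdict = r
        if r["head"]:
            for g in (x for x in rules if x["group"] == r["head"]):
                if matches(g, p):
                    verdict = g
                    if g["quick"]:
                        return g
        if r["quick"]:
            return verdict
    return verdict

def decide(p):  # verdict for a constructed packet dict: "pass", "block" or "block return-rst"
    v = evaluate([parse(l) for l in RULES.splitlines()], p)
    return v["action"] + (" return-rst" if v["rst"] else "")
```

With this ordering an external SYN to port 23 on ne3 does reach the return-rst rule, so rule order is not what stops the RST; the simulator also shows that the later `pass in quick from 1.2.3.3 to any` rule passes non-SYN traffic that the `flags S` rule alone would not.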