OpenBsdRulez
Technical User
Old Situation:
to internet
^
|
|
ADSL Router/Modem(Bridged)
|
V
ip ext from isp
OPENBSD router with pf+NAT
ip 192.168.0.1
^
|
|
V
ip 192.168.0.4
client PC
New Situation:
to internet
^
|
|
ip ext from isp
Davolink DV-201AMR----->to VOIP telephone
ip 192.168.1.1
^
|
| (DMZ 192.168.1.7)
V
ip 192.168.1.7
OPENBSD router with pf+NAT
ip 192.168.0.1
^
|
|
V
ip 192.168.0.4
client PC
The preferred settings for NAT would be as shown above, with a demilitarized zone, so that OpenBSD takes care
of the security issues.
It is not possible to set the router to a bridged setting because:
-first, the web interface does not allow this and I found no way to telnet into the router for different settings
-second, I don't think this will work in combination with the VOIP (the Davolink should have the external ip from the isp)
Furthermore I have a packet filter installed on the BSD machine; the following rule set used to work in the old situation:
# /etc/pf.conf
# Macros
EXT_IF="rl0"
INT_IF="rl1"
LOCAL_IF="lo0"
LAN="192.168.0.0/24"
NO_ROUTE=" { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } "
# Options
set optimization normal
set block-policy drop
set require-order yes
# Traffic Normalization
scrub in all
# Translation
# General rdr to a port
#rdr on $EXT_IF inet proto tcp from any to $EXT_IF port $RDR_PORT -> $DEST_IP port $DEST_PORT
# Network Address Translation
nat on $EXT_IF inet from $LAN to any -> $EXT_IF
# Packet Filtering
block in log all
block out log all
antispoof log quick for $LOCAL_IF inet
pass in on $LOCAL_IF inet all keep state
pass out on $LOCAL_IF inet all keep state
antispoof log quick for $INT_IF inet
pass in on $INT_IF inet all keep state
pass out on $INT_IF inet all keep state
antispoof log quick for $EXT_IF inet
block in log quick on $EXT_IF inet from $NO_ROUTE to $EXT_IF
block return-rst in log quick on $EXT_IF inet proto tcp from any to $EXT_IF port 113
pass in on $EXT_IF inet proto icmp from any to $EXT_IF icmp-type 8 code 0 keep state
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 22 flags S/SA modulate state
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 80 flags S/SA modulate state
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 25 flags S/SA modulate state
pass in on $EXT_IF inet proto tcp from any to $EXT_IF port 443 flags S/SA modulate state
block out log quick on $EXT_IF inet from $EXT_IF to $NO_ROUTE
pass out on $EXT_IF inet from $EXT_IF to any keep state
Now I think there is probably a problem in the NO_ROUTE statements, because the NO_ROUTE 192.168.0.0/16 section
includes the address range 192.168.1.0/24. But since the DMZ forwards all the incoming traffic to 192.168.1.7,
I don't know what happens if I make a statement allowing incoming traffic from 192.168.1.1, because I don't know
if this in combination with the DMZ just bypasses my packet filter. From the dump beneath I get the impression
that the DMZ just forwards all traffic to 192.168.1.7 without NAT (192.168.1.1), but I am not sure.
The strangest things happen at the moment:
-I can connect from external computers to my apache server on my OpenBSD machine but cannot reach any subdomains
-I can connect to the internet from my client PC with a browser but MSN cannot make a connection
-I can receive and send mail from the mail server on the OpenBSD machine
To get an impression of what happens, here is a dump of the incoming traffic on the BSD machine:
pfTop: Up State 1-5/5, View: default, Order: none, Cache: 10000 09:47:17
PR DIR SRC DEST STATE AGE EXP PKTS BYTES
tcp In 192.168.0.4:1374 192.168.0.1:22 ESTABLISHED:ESTABLISHED 00:09:33 23:59:55 1141 102486
tcp In 192.168.0.4:1375 65.54.239.80:1863 FIN_WAIT_2:FIN_WAIT_2 00:00:25 00:01:06 13 934
tcp In 192.168.0.4:1376 207.46.2.124:1863 ESTABLISHED:ESTABLISHED 00:00:24 23:59:37 10 932
tcp In 192.168.0.4:1377 65.54.183.192:443 ESTABLISHED:ESTABLISHED 00:00:23 23:59:52 16 8903
tcp Out 192.168.0.4:1375 65.54.239.80:1863 FIN_WAIT_2:FIN_WAIT_2 00:00:25 00:01:06 13 934
tcp Out 192.168.0.4:1376 207.46.2.124:1863 ESTABLISHED:ESTABLISHED 00:00:24 23:59:37 10 932
tcp Out 192.168.0.4:1377 65.54.183.192:443 ESTABLISHED:ESTABLISHED 00:00:23 23:59:52 16 8903
udp In 192.168.0.4:1063 192.168.0.1:53 MULTIPLE:MULTIPLE 00:00:25 00:00:37 4 711
udp Out 192.168.1.7:11789 62.4.69.96:53 MULTIPLE:SINGLE 00:00:25 00:00:05 2 160
udp Out 192.168.1.7:11789 65.55.238.126:53 MULTIPLE:SINGLE 00:00:23 00:00:07 2 201
udp Out 192.168.1.7:11789 65.54.240.126:53 MULTIPLE:SINGLE 00:00:25 00:00:05 2 196
udp Out 192.168.1.7:11789 212.187.162.134:53 MULTIPLE:SINGLE 00:00:23 00:00:07 2 392
udp Out 192.168.1.7:11789 213.199.144.151:53 MULTIPLE:SINGLE 00:00:23 00:00:07 12 972
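As an added example (not code from the original post, nor from the pf project), here is a small Python check of the NO_ROUTE question raised above. It takes the poster's NO_ROUTE list and the uplink subnet the diagram implies, reports which entries would make the `block in quick on $EXT_IF from $NO_ROUTE` rule drop packets from the Davolink at 192.168.1.1, and carves the uplink subnet out of the offending prefix so that the rest of RFC 1918 space, including the LAN 192.168.0.0/24, stays blocked on $EXT_IF. The /24 prefix length for the uplink is an assumption; the post only gives the addresses 192.168.1.1 and 192.168.1.7.

```python
"""Check a pf NO_ROUTE (bogon) macro against a private uplink subnet.

Added example, not code from the original post. NO_ROUTE is copied from
the poster's pf.conf; UPLINK is an assumption: the diagram puts the
Davolink at 192.168.1.1 and the OpenBSD $EXT_IF at 192.168.1.7, and a
/24 is assumed because the post gives no prefix length.
"""
from ipaddress import ip_address, ip_network

# Poster's macro: RFC 1918 and loopback space, blocked on $EXT_IF.
NO_ROUTE = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]

# Assumed subnet between the Davolink (192.168.1.1) and $EXT_IF (192.168.1.7).
UPLINK = "192.168.1.0/24"


def uplink_conflicts(no_route, uplink):
    """Entries of NO_ROUTE that overlap the uplink subnet.

    Each one makes 'block in quick on $EXT_IF from $NO_ROUTE' drop packets
    from the upstream router itself, and 'block out quick ... to $NO_ROUTE'
    drop the replies to it.
    """
    up = ip_network(uplink)
    return [n for n in no_route if ip_network(n).overlaps(up)]


def carve_out(no_route, uplink):
    """Rewrite NO_ROUTE so that only the uplink subnet is no longer blocked.

    An entry that contains the uplink is replaced by the largest prefixes
    of it that do not contain the uplink (ipaddress.address_exclude), so
    192.168.0.0/16 minus 192.168.1.0/24 still blocks 192.168.0.0/24 (the
    LAN, which must never arrive inbound on $EXT_IF) and 192.168.2.0 and up.
    An entry that lies entirely inside the uplink is dropped; all others
    are kept. The result is sorted by network address.
    """
    up = ip_network(uplink)
    kept = []
    for entry in no_route:
        net = ip_network(entry)
        if not net.overlaps(up):
            kept.append(net)
        elif up.subnet_of(net):
            kept.extend(net.address_exclude(up))
        # else: the entry lies inside the uplink subnet, drop it
    return [str(n) for n in sorted(kept)]


def covers(no_route, address):
    """True if a packet from this source address would match NO_ROUTE."""
    addr = ip_address(address)
    return any(addr in ip_network(n) for n in no_route)


def pf_macro(name, nets):
    """Render a pf.conf list macro, e.g. NO_ROUTE="{ a, b }"."""
    return '%s="{ %s }"' % (name, ", ".join(nets))


if __name__ == "__main__":
    print("conflicts with uplink:", uplink_conflicts(NO_ROUTE, UPLINK))
    fixed = carve_out(NO_ROUTE, UPLINK)
    print(pf_macro("NO_ROUTE", fixed))
    for ip in ("192.168.1.1", "192.168.0.4", "10.1.2.3", "8.8.8.8"):
        print(ip, "blocked" if covers(fixed, ip) else "allowed")
```

Running it prints a replacement NO_ROUTE macro line in which 192.168.0.0/16 has become eight prefixes that together cover everything in that /16 except 192.168.1.0/24. With that macro the upstream router's subnet gets past the bogon block, while the existing `pass in on $EXT_IF` rules still decide which ports it may reach; whether the Davolink's DMZ rewrites source addresses is a separate question that this check cannot settle. Check the edited rule set with `pfctl -nf /etc/pf.conf` before loading it.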