Hi All,
I've been battling this issue for a couple of days now and I'm hoping someone
might have a possible fix for it. Any help is greatly appreciated.
I have a workstation on a network that is routed through a VPN client device.
The clients are on VLAN 304 with an address range of 192.168.18.0 -
192.168.18.128 (192.168.18.0/25).
This VPN client device is connected to a VPN concentrator.
The VPN concentrator is on VLAN 300 with the IP address 192.168.1.141.
The upper 128 IP addresses are also in VLAN 304 but have a default route
of 192.168.18.254.
I have an OpenBSD bridge / firewall with several VLANs on it. It bridges VLANs
provided by Network Services, who recently took over our routing, and our
VLANs.
The bridge VLANs in question are as follows:

Network Services   Our VLAN
310                300        = bridge300
314                304        = bridge304
The problem is that traffic from a host on 192.168.18.0/25 (192.168.18.90)
seems to be getting blocked by my rules. For example, if I ping a host on VLAN
300 (192.168.1.59) from VLAN 304 (192.168.18.90), the packet is dropped as it is
found to match my default block rule for traffic passing to the public side of
the bridge.
If I add a default route on the 192.168.1.59 host for 192.168.18.0/25 to
192.168.1.254, traffic passes. It also passes if I remove the default block
rule.
It also looks like every packet is passing through the firewall twice, in and
out, but the second packet is the one being blocked.
Block logs: attempt to connect to a web server
-------------------------------------------
Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310: 192.168.18.90.2263
> 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]
Pass logs: pinging the 192.168.18.90 host from the 192.168.1.251 host
---------------------------------------------------------------
Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310: 192.168.1.251 >
192.168.18.90: icmp: echo request (DF)
Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310: 192.168.1.251 >
192.168.18.90: icmp: echo request (DF)
PF Rules
=========
NS_LAN1="vlan310"
NS_LAN2="vlan314"
LAN1="vlan300"
LAN2="vlan304"
<snip>
# don't do any filtering on these devices
# only "public" side is filtered since you only
# need to filter on one side of the bridge
set skip on { lo $NS_LAN2 $LAN2 $LAN1 }
# scrub incoming packets
match in all scrub (no-df)
# block any host deemed for whatever reason to be bad
# be meaner and just drop them which will use resources
# of the attacker slightly longer
block drop from <bad_hosts>
block drop from <blacklist_hosts>
# By default, do not permit remote connections to X11
# all X11 traffic should be tunnelled through SSH
block in quick on ! lo0 proto tcp to port 6000:6010
# Allow ping and traceroute through
pass quick log (to pflog1) inet proto icmp from any to any icmp-type echoreq keep state
# traffic from these hosts should never be blocked
pass quick from <whitelist_hosts>
pass to <whitelist_hosts>
### LAN1 RULES ###
###
# Block access to FASNET
block in log on $NS_LAN1 all
# use modulate state to generate stronger ISNs on outgoing packets
# for OSs that don't already generate them
pass out quick log (to pflog1) on $NS_LAN1
--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : [email protected]
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
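The following is a small model of how pf walks the ruleset quoted in the post, added here as a worked example; it is neither code from the post nor pf's own code. It assumes pf's documented behaviour in simplified form: interfaces listed in "set skip" are never filtered, state lookup happens before the ruleset and a floating state matches the original flow and its reply on any interface, rules are evaluated in order with the last match winning unless a matching rule is "quick", and pass rules create state. The tables are constructed empty (the post does not show their contents), the rule indices are the model's own rather than the numbers in the pflog output, and the packets are constructed from the addresses in the post.

```python
"""Simplified model of pf ruleset evaluation for the bridge in the post.

Assumptions (a simplified reading of pf semantics, not pf code):
  - 'set skip' interfaces are never filtered;
  - state lookup precedes the ruleset; state is floating, so it matches the
    original flow and its reply on any interface;
  - rules are evaluated in order, last match wins unless 'quick';
  - pass rules create state.
Tables are constructed empty; rule indices are the model's own.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

SKIP_IFACES = {"lo0", "vlan314", "vlan304", "vlan300"}   # set skip on { ... }
TABLES = {"bad_hosts": set(), "blacklist_hosts": set(), "whitelist_hosts": set()}


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str                   # "in" or "out", relative to iface
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None  # "echoreq" / "echorep"


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    iface: Optional[str] = None      # "vlan310", or "!lo0" for "on ! lo0"
    proto: Optional[str] = None
    icmp_type: Optional[str] = None
    src_table: Optional[str] = None  # "from <table>"
    dst_table: Optional[str] = None  # "to <table>"
    dports: Optional[Tuple[int, int]] = None   # "to port low:high"
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.iface:
            negate = self.iface.startswith("!")
            if (p.iface == self.iface.lstrip("!")) == negate:
                return False
        if self.proto and self.proto != p.proto:
            return False
        if self.icmp_type and self.icmp_type != p.icmp_type:
            return False
        if self.src_table and p.src not in TABLES[self.src_table]:
            return False
        if self.dst_table and p.dst not in TABLES[self.dst_table]:
            return False
        if self.dports and not (p.dport is not None
                                and self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return True


# The filtering rules from the post, in order.
RULES = [
    Rule("block", src_table="bad_hosts"),                                 # 0
    Rule("block", src_table="blacklist_hosts"),                           # 1
    Rule("block", "in", "!lo0", "tcp", dports=(6000, 6010), quick=True),  # 2
    Rule("pass", proto="icmp", icmp_type="echoreq", quick=True),          # 3
    Rule("pass", src_table="whitelist_hosts", quick=True),                # 4
    Rule("pass", dst_table="whitelist_hosts"),                            # 5
    Rule("block", "in", "vlan310"),              # block in log on $NS_LAN1 all   # 6
    Rule("pass", "out", "vlan310", quick=True),  # pass out quick log on $NS_LAN1 # 7
]


class Firewall:
    def __init__(self, rules, skip):
        self.rules, self.skip, self.states = rules, skip, set()

    @staticmethod
    def key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reply_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet seen on one interface."""
        if p.iface in self.skip:
            return "pass", "set skip"
        if self.key(p) in self.states or self.reply_key(p) in self.states:
            return "pass", "state"
        verdict, reason = "pass", "default"   # pf's implicit default is pass
        for n, rule in enumerate(self.rules):
            if rule.matches(p):
                verdict, reason = rule.action, f"rule {n}"
                if rule.quick:
                    break
        if verdict == "pass":
            self.states.add(self.key(p))
        return verdict, reason


def demo():
    fw = Firewall(RULES, SKIP_IFACES)
    r = {}
    # A VLAN 304 host reaching VLAN 300 through the Network Services router:
    # the SYN arrives inbound on vlan310 and hits "block in on vlan310 all".
    syn_in = Packet("vlan310", "in", "tcp", "192.168.18.90", "192.168.1.167", 2263, 80)
    r["syn_in_from_vlan304"] = fw.filter(syn_in)
    # The same packet on a set-skip member is never evaluated at all.
    r["syn_on_skipped_iface"] = fw.filter(replace(syn_in, iface="vlan304"))
    # A connection started from VLAN 300 leaves on vlan310, is passed by the
    # quick "pass out" rule and creates state; the SYN/ACK comes back by state.
    syn_out = Packet("vlan310", "out", "tcp", "192.168.1.59", "192.168.18.90", 40000, 80)
    r["syn_out_from_vlan300"] = fw.filter(syn_out)
    r["synack_in_to_vlan300"] = fw.filter(
        Packet("vlan310", "in", "tcp", "192.168.18.90", "192.168.1.59", 80, 40000))
    # The ping in the pass log: echo request out by the quick ICMP rule,
    # echo reply in by state.
    r["echoreq_out"] = fw.filter(
        Packet("vlan310", "out", "icmp", "192.168.1.251", "192.168.18.90", icmp_type="echoreq"))
    r["echorep_in"] = fw.filter(
        Packet("vlan310", "in", "icmp", "192.168.18.90", "192.168.1.251", icmp_type="echorep"))
    return r


if __name__ == "__main__":
    for name, (verdict, why) in demo().items():
        print(f"{name:24s} {verdict:5s} ({why})")
```

The point the model makes visible is the asymmetry of the quoted ruleset: with every other bridge member in "set skip", the only evaluated interface is vlan310, and "block in on vlan310 all" drops any flow that first appears inbound there, which is exactly where a flow routed by the Network Services router from VLAN 304 into VLAN 300 shows up. Flows that start from the VLAN 300 side pass on the quick "pass out" rule and their replies return by state.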