----- Original Message -----
| Hi All,
|
| I've been battling this issue for a couple of days now and I'm hoping
| someone might have a possible fix for it. Any help is greatly
| appreciated.
|
| I have a workstation which is on a network routed through a VPN client
| device.
| The clients are on VLAN 304 with an address range of 192.168.18.0 -
| 192.168.18.128 (192.168.18.0/25)
| This VPN client device is connected to a VPN concentrator
| The VPN concentrator is on VLAN 300 with the IP address 192.168.1.141
| The upper 128 IP addresses are also in VLAN 304 but have a
| default route of 192.168.18.254.
| I have an OpenBSD bridge / firewall with several VLANs on it. It
| bridges VLANs provided by Network Services, who have recently taken
| over our routing, and our VLANs.
| The bridge VLANs in question are as follows
|
| Network Services    Our VLAN
| 310                 300        = bridge300
| 314                 304        = bridge304
|
|
| The problem is that traffic from a host on the 192.168.18.0/25
| (192.168.18.90) seems to be getting blocked by my rules. For example
| if I ping a host on VLAN 300 (192.168.1.59) from VLAN 304
| (192.168.18.90) the packet is dropped as it is found to match my
| default block rule for traffic passing to the public side of the
| bridge.
|
| If I add a default route on the 192.168.1.59 host for 192.168.18.0/25
| to 192.168.1.254 traffic passes. It also passes if I remove the
| default block rule.
| It also looks like every packet is passing through the firewall twice,
| in and out, but the second packet is the one being blocked.
|
| Block logs: attempt to connect to a web server
| -------------------------------------------
| Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310:
| 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos
| 0x10]
|
|
| Pass Logs: Pinging 192.168.18.90 host from 192.168.1.251 host
| ---------------------------------------------------------------
| Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310:
| 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
| Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310:
| 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
|
|
| PF Rules
| =========
| NS_LAN1="vlan310"
| NS_LAN2="vlan314"
| LAN1="vlan300"
| LAN2="vlan304"
|
| <snip>
| # don't do any filtering on these devices
| # only "public" side is filtered since you only
| # need to filter on one side of the bridge
| set skip on { lo $NS_LAN2 $LAN2 $LAN1 }
|
| # scrub incoming packets
| match in all scrub (no-df)
|
| # block any host deemed for whatever reason to be bad
| # be meaner and just drop them which will use resources
| # of the attacker slightly longer
| block drop from <bad_hosts>
| block drop from <blacklist_hosts>
|
| # By default, do not permit remote connections to X11
| # all X11 traffic should be tunnelled through SSH
| block in quick on ! lo0 proto tcp to port 6000:6010
|
| # Allow ping and traceroute through
| pass quick log (to pflog1) inet proto icmp from any to any icmp-type echoreq keep state
|
| # traffic from these hosts should never be blocked
| pass quick from <whitelist_hosts>
| pass to <whitelist_hosts>
|
| ### LAN1 RULES ###
| ###
| # Block access to FASNET
| block in log on $NS_LAN1 all
|
| # use modulate state to generate stronger ISNs on outgoing packets
| # for OSs that don't already generate them
| pass out quick log (to pflog1) on $NS_LAN1
I should also mention that I tried adding a pass quick on $NS_LAN1 from
192.168.18.0/25 rule and this did not solve the problem either.
--
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : [email protected]
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
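To check the observation in the post that each packet is logged twice, once "in" and once "out" on the same bridge member, here is an added example (my own, not part of James's post or of OpenBSD) that parses pflog output in the tcpdump format shown in the log excerpts. The three sample lines are copied from the post's two excerpts and embedded as constructed test input; the flow key (interface, source, destination, protocol) and the 10 ms grouping window are my assumptions for what counts as "the same packet seen twice".

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample pflog lines in the tcpdump(8) "-n -e -ttt -i pflog0" format, copied
# from the two excerpts in the post above (constructed test input, not a
# capture of my own).
SAMPLE_LOG = """\
Jul 07 19:51:55.757076 rule 10/(match) block in on vlan310: 192.168.18.90.2263 > 192.168.1.167.80: R 1:1(0) ack 1 win 0 (DF) [tos 0x10]
Jul 07 20:13:39.041885 rule 4/(match) pass out on vlan310: 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
Jul 07 20:13:39.042008 rule 4/(match) pass in on vlan310: 192.168.1.251 > 192.168.18.90: icmp: echo request (DF)
"""

# One pflog line: timestamp, matched rule, action, direction, interface,
# endpoints, then the protocol-specific remainder.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) (?P<action>pass|block) "
    r"(?P<dir>in|out) on (?P<iface>[\w.]+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$"
)


def split_endpoint(endpoint):
    """tcpdump prints IPv4 TCP/UDP endpoints as a.b.c.d.port; ICMP has no port."""
    parts = endpoint.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return endpoint, None


def parse_pflog(text):
    """Parse pflog text into a list of event dicts; raise on an unrecognised line."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised pflog line: {line!r}")
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        rest = m["rest"]
        if rest.startswith("icmp"):
            proto, flags = "icmp", None
        elif rest.startswith("udp"):
            proto, flags = "udp", None
        elif sport is not None:
            proto, flags = "tcp", rest.split()[0]   # TCP flag field, e.g. "S", "R", "."
        else:
            proto, flags = "other", None
        events.append({
            "ts": datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S.%f"),
            "rule": int(m["rule"]), "reason": m["reason"], "action": m["action"],
            "dir": m["dir"], "iface": m["iface"],
            "src": src, "sport": sport, "dst": dst, "dport": dport,
            "proto": proto, "flags": flags,
        })
    return events


def double_traversals(events, window_ms=10.0):
    """Flows logged both 'in' and 'out' on the same interface within window_ms.

    On a bridge, pf filters a forwarded packet on each member interface that is
    not covered by 'set skip', so one packet can produce more than one log entry.
    The window value is an assumption chosen to group one packet's entries.
    """
    by_flow = defaultdict(list)
    for e in events:
        by_flow[(e["iface"], e["src"], e["dst"], e["proto"])].append(e)
    hits = []
    for key, evs in sorted(by_flow.items(), key=lambda kv: kv[0]):
        if {e["dir"] for e in evs} == {"in", "out"}:
            span = max(e["ts"] for e in evs) - min(e["ts"] for e in evs)
            if span.total_seconds() * 1000.0 <= window_ms:
                hits.append(key)
    return hits


def blocks_by_rule(events):
    """Count blocked packets per rule number, to compare against 'pfctl -vvsr'."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "block":
            counts[e["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_pflog(SAMPLE_LOG)
    for iface, src, dst, proto in double_traversals(evs):
        print(f"{proto} {src} > {dst} logged both in and out on {iface}")
    for rule, n in blocks_by_rule(evs).items():
        print(f"rule {rule}: {n} blocked")
```

Feed it the output of `tcpdump -n -e -ttt -i pflog0` (or `pflog1`, where the ruleset above sends its pass logs) and map the reported rule numbers back to the loaded ruleset with `pfctl -vvsr`. On the sample input it reports the ICMP echo request as logged both out and in on vlan310, and one packet blocked by rule 10, the TCP RST from 192.168.18.90.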