LinuxQuestions.org


lil_drummaboy 12-21-2004 06:14 AM

Strange Access error using BSD router.
 
Hi

I am running an OpenBSD 3.6 router with PF (obviously) and I am having troubles accessing from the outside of it from my Windows machines. I'll 'draw' out my network map for you, but people outside my network can access my site but I cannot. It's quite strange.

Here is how my network is setup:
Code:

    Motorola Cable Modem
              |
        Basic 3Com Router
      /            \
Windows            OpenBSD
Machines          Router
                      |
                    Switch
                      |
                  Servers

The 3Com router is DMZ-ing to my OpenBSD router. Now, from a Windows machine I try to access my site by its domain name (it has a domain server under my OpenBSD router) and I get nothing. If I access it via the local IP I can get http, ssh and icmp but no ftp, which is forwarded through as well. This is a very confusing situation and I don't know what part of it is causing it. At one point I moved my router to the level of the 3Com like so:
Code:

    Modem
      |
    Switch
    /    \
 3Com    OpenBSD

the OpenBSD router had an entirely different ISP IP than the 3Com, which my Windows machine was still under, and I still experienced the same problem. Prior to even having the OpenBSD router, I had all my servers connected to just the 3Com router and I COULD access them via my domain name fine.

Here are the current PF rules from my /etc/pf.conf, if you can spot any problems with it, let me know:
Code:

####  OpenBSD PF    ####
#### Router Script  ####

### Variables: ###

## Interfaces: ##
ext_if="xl0"
int_if="xl1"

## Hosts/Ports: ##
web_srvr="10.0.0.10"
        web_tcp="{80,443,21,22}"
        web_udp="{}"
sql_srvr="10.0.0.20"
        sql_tcp="{}"
        sql_udp="{}"
dns_srvr="10.0.0.30"
        dns_tcp="{}"
        dns_udp="{53}"
mail_srvr="10.0.0.40"
        mail_tcp="{25,110,993,143}"
        mail_udp="{}"

srvr_net="10.0.0.0/24"
wins_net="192.168.1.0/24"

### Tables: ###
table <blacklist> persist file "/etc/pf.blacklist"
table <spamd-blacklist> persist file "/etc/pf.spamdblacklist"

### Options: ###
set loginterface $ext_if
set block-policy drop
set optimization normal

### Normalization: ###
scrub in all

### NAT Section: ###

## Main NAT Rule: ##
nat on $ext_if inet from any to any -> $ext_if

## Redirects: ##
# TCP: #
rdr on $ext_if inet proto tcp from any to any port $web_tcp -> $web_srvr
rdr on $ext_if inet proto tcp from any to any port $mail_tcp -> $mail_srvr

# UDP: #
rdr on $ext_if inet proto udp from any to any port $dns_udp -> $dns_srvr

### Packet Filtering: ###

## Block/Gateway Rules: ##
block in all
pass out quick on $ext_if from $srvr_net to any
pass in quick on $int_if from $srvr_net to any

## Antispoofing: ##
antispoof quick for $ext_if inet

## Blacklists: ##
block in quick on $ext_if inet from any os nmap
block in quick on $ext_if inet from <blacklist> to $srvr_net
block in quick on $ext_if inet from <spamd-blacklist> to $mail_srvr

## Server Allow Rules: ##
pass quick proto tcp from any to $web_srvr
pass quick proto tcp from any to $sql_srvr
pass quick proto udp from any to $dns_srvr
pass quick proto tcp from any to $mail_srvr

## Local Machine Filtering: ##
pass in quick on $int_if proto tcp from $srvr_net to any port ssh keep state
pass in quick on $int_if proto icmp from $srvr_net to any keep state
pass quick on lo0 all

Thank you in advance for any responses, I appreciate any help.

lil_drummaboy
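As an added example (not part of the post and not OpenBSD's or PF's own tooling), here is a small Python script that reads the macro, rdr and pass lines of the pf.conf above and cross-checks each redirect against the filter rules. It reports which external ports are forwarded to which server, any redirect whose target host has no matching pass rule (such traffic would be redirected and then dropped by `block in all`), and the interfaces the rdr rules are attached to, since a PF rdr is evaluated only on the interface it names. The regular expressions cover only the rule shapes that appear in the post; this is an assumption of the example, not a general pf.conf parser.

```python
import re

# Macro, rdr and pass lines copied from the pf.conf in the post above; the
# table, option, nat and blacklist lines are left out because the audit
# does not look at them.
PF_CONF = """
ext_if="xl0"
int_if="xl1"
web_srvr="10.0.0.10"
        web_tcp="{80,443,21,22}"
sql_srvr="10.0.0.20"
dns_srvr="10.0.0.30"
        dns_udp="{53}"
mail_srvr="10.0.0.40"
        mail_tcp="{25,110,993,143}"
srvr_net="10.0.0.0/24"
rdr on $ext_if inet proto tcp from any to any port $web_tcp -> $web_srvr
rdr on $ext_if inet proto tcp from any to any port $mail_tcp -> $mail_srvr
rdr on $ext_if inet proto udp from any to any port $dns_udp -> $dns_srvr
block in all
pass quick proto tcp from any to $web_srvr
pass quick proto tcp from any to $sql_srvr
pass quick proto udp from any to $dns_srvr
pass quick proto tcp from any to $mail_srvr
pass in quick on $int_if proto tcp from $srvr_net to any port ssh keep state
"""

# Only the rule forms used in the post are recognised (assumption of this example).
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
RDR_RE = re.compile(r'^rdr on (\S+) inet proto (tcp|udp) from \S+ to \S+ port (\S+) -> (\S+)$')
PASS_RE = re.compile(r'^pass\b.*?\bproto (tcp|udp) from \S+ to (\S+)')


def parse_macros(text):
    """Collect name="value" definitions; leading whitespace is ignored as pf does."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line.strip())
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(token, macros):
    """Substitute $macro references, then split a {a,b,c} list into its items."""
    value = re.sub(r'\$(\w+)', lambda m: macros[m.group(1)], token)
    if value.startswith('{') and value.endswith('}'):
        return [v.strip() for v in value[1:-1].split(',') if v.strip()]
    return [value]


def parse_redirects(text, macros):
    """Return (iface, proto, port, target) for every rdr rule, one entry per port."""
    rdrs = []
    for line in text.splitlines():
        m = RDR_RE.match(line.strip())
        if not m:
            continue
        iface = expand(m.group(1), macros)[0]
        target = expand(m.group(4), macros)[0]
        for port in expand(m.group(3), macros):
            rdrs.append((iface, m.group(2), int(port), target))
    return rdrs


def parse_passes(text, macros):
    """Return the set of (proto, destination) pairs named by pass rules."""
    passes = set()
    for line in text.splitlines():
        m = PASS_RE.match(line.strip())
        if m:
            passes.add((m.group(1), expand(m.group(2), macros)[0]))
    return passes


def audit(text):
    """Cross-check redirects against pass rules and list the rdr interfaces."""
    macros = parse_macros(text)
    rdrs = parse_redirects(text, macros)
    passes = parse_passes(text, macros)
    report = {'forwarded': [], 'rdr_without_pass': [], 'interfaces': []}
    for iface, proto, port, target in rdrs:
        report['forwarded'].append((proto, port, target))
        # A redirect whose target has no pass rule is still dropped by "block in all".
        if (proto, target) not in passes:
            report['rdr_without_pass'].append((proto, port, target))
    # rdr rules only match on the interface they name, so clients arriving on
    # another interface are not redirected at all.
    report['interfaces'] = sorted({iface for iface, *_ in rdrs})
    return report


if __name__ == "__main__":
    for key, value in audit(PF_CONF).items():
        print(f"{key}: {value}")
```

With the rules as posted, every redirect has a pass rule for its target and all three rdr lines hang off `xl0`; deleting the `pass quick proto udp` line makes the script flag the DNS redirect as one that would be dropped.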

