LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 12-21-2004, 06:14 AM   #1
lil_drummaboy
Member
 
Registered: May 2003
Location: Victoria, CANADA!
Distribution: OpenBSD, Slackware, Debian
Posts: 85

Rep: Reputation: 15
Strange Access error using BSD router.


Hi

I am running an OpenBSD 3.6 router with PF (obviously) and I am having troubles accessing it from the outside from my Windows machines. I'll 'draw' out my network map for you, but people outside my network can access my site and I cannot. It's quite strange.

Here is how my network is set up:
Code:
     Motorola Cable Modem
               |
        Basic 3Com Router
       /            \
Windows            OpenBSD
Machines           Router
                      |
                    Switch
                      |
                   Servers
The 3Com router is DMZ-ing to my OpenBSD router. Now, from a Windows machine I try to access my site by its domain name (it has a domain server under my OpenBSD router) and I get nothing. If I access it via the local IP I can get http, ssh and icmp but no ftp, which is forwarded through as well. This is a very confusing situation and I don't know what part of it is causing it. At one point I moved my router to the level of the 3Com like so:
Code:
     Modem
       |
     Switch
     /    \
 3Com    OpenBSD
The OpenBSD router had an entirely different ISP IP than the 3Com, which my Windows machine was still under, and I still experienced the same problem. Prior to even having the OpenBSD router, I had all my servers connected to just the 3Com router and I COULD access them via my domain name fine.

Here are the current PF rules from my /etc/pf.conf, if you can spot any problems with it, let me know:
Code:
####  OpenBSD PF    ####
#### Router Script  ####

### Variables: ###

## Interfaces: ##
ext_if="xl0"
int_if="xl1"

## Hosts/Ports: ##
web_srvr="10.0.0.10"
	web_tcp="{80,443,21,22}"
	web_udp="{}"
sql_srvr="10.0.0.20"
	sql_tcp="{}"
	sql_udp="{}"
dns_srvr="10.0.0.30"
	dns_tcp="{}"
	dns_udp="{53}"
mail_srvr="10.0.0.40"
	mail_tcp="{25,110,993,143}"
	mail_udp="{}"

srvr_net="10.0.0.0/24"
wins_net="192.168.1.0/24"

### Tables: ###
table <blacklist> persist file "/etc/pf.blacklist"
table <spamd-blacklist> persist file "/etc/pf.spamdblacklist"

### Options: ###
set loginterface $ext_if
set block-policy drop
set optimization normal

### Normalization: ###
scrub in all

### NAT Section: ###

## Main NAT Rule: ##
nat on $ext_if inet from any to any -> $ext_if

## Redirects: ##
# TCP: #
rdr on $ext_if inet proto tcp from any to any port $web_tcp -> $web_srvr
rdr on $ext_if inet proto tcp from any to any port $mail_tcp -> $mail_srvr

# UDP: #
rdr on $ext_if inet proto udp from any to any port $dns_udp -> $dns_srvr

### Packet Filtering: ###

## Block/Gateway Rules: ##
block in all
pass out quick on $ext_if from $srvr_net to any 
pass in quick on $int_if from $srvr_net to any

## Antispoofing: ##
antispoof quick for $ext_if inet

## Blacklists: ##
block in quick on $ext_if inet from any os nmap
block in quick on $ext_if inet from <blacklist> to $srvr_net
block in quick on $ext_if inet from <spamd-blacklist> to $mail_srvr

## Server Allow Rules: ##
pass quick proto tcp from any to $web_srvr
pass quick proto tcp from any to $sql_srvr
pass quick proto udp from any to $dns_srvr
pass quick proto tcp from any to $mail_srvr

## Local Machine Filtering: ##
pass in quick on $int_if proto tcp from $srvr_net to any port ssh keep state
pass in quick on $int_if proto icmp from $srvr_net to any keep state
pass quick on lo0 all
Thank you in advance for any responses, I appreciate any help.

lil_drummaboy

Last edited by lil_drummaboy; 12-21-2004 at 06:18 AM.
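Added example, not part of the original post: the "Server Allow Rules" in the posted pf.conf pass every TCP port to each server on any interface, in both directions and without state, and the posted `pass out ... from $srvr_net` rule never matches NATed traffic because pf filters after translation (outbound currently passes only because there is no `block out`). This fragment reuses the posted macros and OpenBSD 3.6 syntax to limit each server to the ports that are actually redirected to it, with state kept so replies are matched automatically; it assumes the rest of the posted config is loaded unchanged.

```conf
# Added example (not from the original post). Filter rules are evaluated
# after rdr/nat translation, so inbound rules match the internal address
# and outbound rules see the source as it looks after NAT ($ext_if).

## Server Allow Rules (stateful, per-port, ext_if only): ##
pass in quick on $ext_if inet proto tcp from any to $web_srvr \
    port $web_tcp flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to $dns_srvr \
    port $dns_udp keep state
pass in quick on $ext_if inet proto tcp from any to $mail_srvr \
    port $mail_tcp flags S/SA keep state
# sql_srvr has no redirected ports, so it gets no rule on $ext_if;
# hosts on $srvr_net already reach it through the $int_if pass rule.

## Outbound from the server segment: ##
# After nat the source is the $ext_if address, not 10.0.0.0/24, so the
# posted "pass out quick on $ext_if from $srvr_net" cannot match. Make
# the default explicit instead of relying on the absence of "block out".
block out on $ext_if all
pass out quick on $ext_if inet proto tcp from $ext_if to any \
    flags S/SA keep state
pass out quick on $ext_if inet proto udp from $ext_if to any keep state
pass out quick on $ext_if inet proto icmp from $ext_if to any keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -sr` then shows how each port list expanded into separate rules.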