lil_drummaboy |
12-21-2004 06:14 AM |
Stange Access error using BSD router.
Hi
I am running a OpenBSD 3.6 router with PF (obviously) and I am having troubles accessing from the outside of it from my windows machines. I'll 'draw' out my network map for you but people outside my network can access my site but I cannot. It's quite strange.
Here is how my network is setup:
Code:
Motorola Cable Modem
|
Basic 3Com Router
/ \
Windows OpenBSD
Machines Router
|
Switch
|
Servers
The 3com router is DMZ-ing to my OpenBSD router. Now, from a windows machine I try to access my site by it's domain name (it has a domain server under my OpenBSD Router) and I get nothing. If i access it via the local IP i can get http, ssh and icmp but no ftp which is forwarded through aswell. This is a very confusing situation and I don't know what part of it is causing it. At one point I moved my router to the level of the 3com like so:
Code:
Modem
|
Switch
/ \
3Com OpenBSD
the OpenBSD router had an entirely different ISP IP than the 3com which my windows machine was still under and I still experienced the same problem. Prior to even having the OpenBSD router, i had all my servers connected to just the 3Com router and I COULD access them via my domain name fine.
Here are the current PF rules from my /etc/pf.conf, if you can spot any problems with it, let me know:
Code:
#### OpenBSD PF ####
#### Router Script ####
### Variables: ###
## Interfaces: ##
ext_if="xl0"
int_if="xl1"
## Hosts/Ports: ##
web_srvr="10.0.0.10"
web_tcp="{80,443,21,22}"
web_udp="{}"
sql_srvr="10.0.0.20"
sql_tcp="{}"
sql_udp="{}"
dns_srvr="10.0.0.30"
dns_tcp="{}"
dns_udp="{53}"
mail_srvr="10.0.0.40"
mail_tcp="{25,110,993,143}"
mail_udp="{}"
srvr_net="10.0.0.0/24"
wins_net="192.168.1.0/24"
### Tables: ###
table <blacklist> persist file "/etc/pf.blacklist"
table <spamd-blacklist> persist file "/etc/pf.spamdblacklist"
### Options: ###
set loginterface $ext_if
set block-policy drop
set optimization normal
### Normailization: ###
scrub in all
### NAT Section: ###
## Main NAT Rule: ##
nat on $ext_if inet from any to any -> $ext_if
## Redirects: ##
# TCP: #
rdr on $ext_if inet proto tcp from any to any port $web_tcp -> $web_srvr
rdr on $ext_if inet proto tcp from any to any port $mail_tcp -> $mail_srvr
# UDP: #
rdr on $ext_if inet proto udp from any to any port $dns_udp -> $dns_srvr
### Packet Filtering: ###
## Block/Gateway Rules: ##
block in all
pass out quick on $ext_if from $srvr_net to any
pass in quick on $int_if from $srvr_net to any
## Antispoofing: ##
antispoof quick for $ext_if inet
## Blacklists: ##
block in quick on $ext_if inet from any os nmap
block in quick on $ext_if inet from <blacklist> to $srvr_net
block in quick on $ext_if inet from <spamd-blacklist> to $mail_srvr
## Server Allow Rules: ##
pass quick proto tcp from any to $web_srvr
pass quick proto tcp from any to $sql_srvr
pass quick proto udp from any to $dns_srvr
pass quick proto tcp from any to $mail_srvr
## Local Machine Filtering: ##
pass in quick on $int_if proto tcp from $srvr_net to any port ssh keep state
pass in quick on $int_if proto icmp from $srvr_net to any keep state
pass quick on lo0 all
Thank you in advance for any responses, I appreciate any help.
lil_drummaboy
|