# pf unable to reach dmz



## gpatrick (Sep 14, 2010)

```
##### Macros #####
# ext_if -- the interface to the outside world
ext_if="axe0"

# prv_if -- the interface to the private hosts
prv_if="axe1"
localnet = $prv_if:network

# dmz_if -- the interface to the DMZ
dmz_if="axe2"
dmznet = $dmz_if:network

# prv_hosts -- the list of addresses of hosts on the screened LAN
prv_hosts = "{ 192.168.1.129/32, 192.168.1.130/32 }"

# dmz_hosts -- the list of addresses of hosts in the DMZ
dmz_hosts = "{ 192.168.2.129/32, 192.168.1.130/32, 192.168.1.131/32, 192.168.2.250/32 }"

# dmz_www -- the address of the WWW server in the DMZ
dmz_www = "192.168.2.129/32"

# dmz_smtp -- the address of the SMTP server in the DMZ
dmz_smtp = "192.168.2.130/32"

# dmz_dns -- the address of the DNS server in the DMZ
dmz_dns = "192.168.2.131/32"

# known ports
www_ports = "{ http, https, 8188 }"
mail_ports = "{ smtp, pop3, imap, imaps, pop3s }"

##### Tables #####
# Non-routable addresses
table <rfc1918> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }
table <spamd> persist
table <bruteforce> persist

##### Options #####
set skip on lo
set reassemble yes
set require-order yes
set block-policy drop
set loginterface $ext_if
set state-policy if-bound
set fingerprints "/etc/pf.os"
set ruleset-optimization none
set optimization aggressive
set timeout { frag 30, tcp.established 120 }
set timeout { tcp.first 30, tcp.closing 30, tcp.closed 30, tcp.finwait 30 }
set timeout { udp.first 30, udp.single 30, udp.multiple 30 }
set timeout { other.first 30, other.single 30, other.multiple 30 }

##### Traffic Normalization #####
match in all scrub (no-df random-id min-ttl 5 set-tos lowdelay max-mss 1440 reassemble tcp)
match out on $ext_if scrub (no-df random-id)

##### Queueing #####

##### Translation (NAT) #####
# Network Address Translation
# nat for the private hosts
#match out on egress from $prv_hosts to any nat-to egress

# nat for the DMZ hosts
#match out on egress from $dmz_hosts to any nat-to egress

match out on $ext_if from { $prv_if:network, $dmz_if:network } nat-to ($ext_if) static-port

# redirect connections to port 80 (HTTP) to DMZ
match in on egress inet proto tcp from any to any port $www_ports rdr-to $dmz_www

# redirect connections to port 25 (SMTP) to DMZ
#match in on egress inet proto tcp from any to any port 25 rdr-to $dmz_smtp
match in on $ext_if inet proto tcp from <spamd> to ($ext_if) \
        port 25 rdr-to 127.0.0.1 port 8025
match in on $ext_if inet proto tcp from any to ($ext_if) port 25 \
        rdr-to $dmz_smtp port 25

# redirect connections to port 53 (DNS) to DMZ
match in on egress inet proto { tcp, udp } from any to any port 53 rdr-to $dmz_dns 

##### Filtering #####
# Block all incoming connections sent from the outside
# Log all blocked packets
block log on $ext_if
block drop in quick on $ext_if from <bruteforce>
block return log on $prv_if
block return log on $dmz_if

# Block to/from illegal sources/destinations
block drop in quick on $ext_if from <rfc1918> to any
block drop out quick on $ext_if from any to <rfc1918> 
block in quick on $ext_if inet from any to 255.255.255.255
block in log quick on $ext_if inet from urpf-failed to any
block in log quick on $ext_if inet from no-route to any

# Block anything coming from source we have no back routes for
block in from no-route to any

# Anti-fake return scans
block return-rst out on $ext_if proto tcp all
block return-rst  in on $ext_if proto tcp all
block return-icmp out on $ext_if proto udp all
block return-icmp  in on $ext_if proto udp all

# Block and log outgoing packets that don't have our address as source,
# they are either spoofed or something is misconfigured. NAT disabled,
# (for instance), we want to be nice and don't send out garbage.
block out log quick on $ext_if from ! $ext_if to any

# Block nmap os detection scans  
block in quick proto tcp flags FUP/WEUAPRSF
block in quick proto tcp flags WEUAPRSF/WEUAPRSF
block in quick proto tcp flags SRAFU/WEUAPRSF
block in quick proto tcp flags /WEUAPRSF
block in quick proto tcp flags SR/SR
block in quick proto tcp flags SF/SF

# Block spoofed packets: enable "set state-policy if-bound" above
antispoof log quick for { lo0 $dmz_if $prv_if ($ext_if) }

# Special rule for ssh
#pass quick proto tcp from any to any port ssh \
block in log quick on $prv_if proto tcp from ! 192.168.1.129 to $prv_if \
        port ssh (max-src-conn 1, max-src-conn-rate 3/5, \
        overload <bruteforce> flush global)

# pass all connections originating from the firewall
pass out quick on $ext_if inet \
        from ($ext_if) to any flags S/SA modulate state

# pass all connections originating from the screened LAN
pass in quick on $prv_if from $prv_hosts to any flags S/SA

# pass all connections originating from the DMZ
pass in quick on $dmz_if from $dmz_hosts to any flags S/SA
pass quick on $dmz_if from $prv_hosts to any flags S/SA

# pass all connections to the WWW host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_www \
        port $www_ports flags S/SA synproxy state
#pass in on egress inet proto tcp from any to $dmz_www port $www_ports 
#pass out on $ext_if inet proto tcp from any to $dmz_www port $www_ports

# pass all connections to the SMTP host in the DMZ
#pass in on $ext_if proto { tcp, udp } from any to $dmz_smtp \
#       port $mail_ports flags S/SA synproxy state
pass in on lo0 inet proto tcp from <spamd> to 127.0.0.1 port 8025
pass out on $dmz_if inet proto tcp \
        from any to $dmz_smtp port 25 flags S/SA synproxy state

# pass all connections to the DNS host in the DMZ
pass in on $ext_if proto { tcp, udp } from any to $dmz_dns \
        port 53 flags S/SA keep state

# Allow anything on the internal interface
#pass in on $prv_if from $localnet to any keep state
#pass out on $prv_if from any to $localnet keep state

# Allow anything from the internal network out onto the Internet
#pass out on $ext_if proto tcp all modulate state flags S/SA
#pass out on $ext_if proto { tcp, icmp } all keep state
pass out on $ext_if inet proto tcp from $localnet to any modulate state flags S/SA
pass out on $ext_if inet proto { udp, icmp } from $localnet to any keep state
```

When I am inside my LAN I can type http://192.168.2.129 and reach the webserver in the DMZ, but if I try to use the actual (dynamic) IP xx.xx.xxx.xxx I get an "unable to connect to xx.xx.xxx.xxx".

In my "pass connections to www in dmz" section in filtering, I have added different "pass in" and "pass out" rules (which are now commented out), but it didn't have any effect.

Do I have an incorrect filter or NAT rule that someone can identify?


----------



## quintessence (Sep 15, 2010)

Hello,

There is a good explanation in the PF docs: http://www.openbsd.org/faq/pf/rdr.html, section "Redirection and Reflection".
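Applied to the ruleset in the first post, the reflection idea from that FAQ section looks like the following. This is an added example in OpenBSD 4.7 `match`/`rdr-to` syntax; it is not part of quintessence's post, nor text from the OpenBSD FAQ. It reuses gpatrick's macro names (`$ext_if`, `$prv_if`, `$dmz_if`, `$dmz_www`, `$www_ports`) and assumes that the DMZ hosts are on the 192.168.2.0/24 network behind `$dmz_if` (as the `dmz_www`/`dmz_smtp`/`dmz_dns` macros indicate, even though the posted `dmz_hosts` list also contains two 192.168.1.x addresses) and that they use the firewall as their default gateway.

```pf
# Added example (not from the original post): NAT reflection so a LAN client
# can reach the DMZ web server via the firewall's (dynamic) external address.
# Macro names are taken from gpatrick's pf.conf; the layout is assumed to be
# LAN on $prv_if, DMZ on $dmz_if, Internet on $ext_if.

# Why the posted rdr does not fire for LAN clients: it is evaluated only for
# packets arriving *in on egress*. A LAN client's packet to the external
# address arrives in on $prv_if, is never translated, and is answered (or
# dropped) by the firewall itself, hence "unable to connect".
match in on egress inet proto tcp from any to any port $www_ports rdr-to $dmz_www

# Fix: also redirect on the private interface. ($ext_if) in parentheses is
# re-evaluated at run time, which is what you want with a dynamic address.
match in on $prv_if inet proto tcp from $prv_if:network to ($ext_if) \
        port $www_ports rdr-to $dmz_www

# The translated packet then leaves on $dmz_if. Because the ruleset uses
# "set state-policy if-bound", the state created on $prv_if does not carry
# over to $dmz_if, so a pass out rule on the DMZ interface is required.
# gpatrick's "pass quick on $dmz_if from $prv_hosts to any" already covers
# this; an explicit, narrower form is shown for clarity.
pass out on $dmz_if inet proto tcp from $prv_if:network to $dmz_www \
        port $www_ports flags S/SA keep state

# Replies from the DMZ server are addressed to the client's 192.168.1.x
# address. Since the DMZ hosts route through the firewall, the reply comes
# back in on $dmz_if and pf undoes the rdr on its way out of $prv_if. No
# extra nat-to is needed in this two-interface (LAN / DMZ) layout.
#
# Only if client and server were on the SAME interface would the server
# answer the client directly, bypassing the firewall's state. That is the
# case the FAQ's "Redirection and Reflection" section addresses by also
# rewriting the source so the server replies to the firewall (assumed form):
#   match out on $prv_if inet proto tcp from $prv_if:network to $dmz_www \
#           port $www_ports received-on $prv_if nat-to ($prv_if)
```

After adding the `$prv_if` redirect, `pfctl -nf /etc/pf.conf` checks the syntax and `pfctl -ss | grep 192.168.2.129` shows whether a state with the rewritten destination is actually created when a LAN host connects to the external address. If the state never appears, the packet is not reaching that `match` rule (wrong interface or source network); if it appears on `$prv_if` but not on `$dmz_if`, the `if-bound` second state is what is missing. The FAQ's preferred alternative is split-horizon DNS, where the internal resolver hands LAN clients 192.168.2.129 directly so no reflection rule is needed at all.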


----------



## mecano (Oct 10, 2010)

quintessence said:

> Hello,
> 
> There is a good explanation in the PF docs: http://www.openbsd.org/faq/pf/rdr.html, section "Redirection and Reflection".



Do we have OpenBSD 4.7 pf now? If not, you'd better stay away from this doc!!


----------



## quintessence (Oct 11, 2010)

Hello,

mecano, as you can see, the above pf.conf uses the new syntax (so it is assumed to be OpenBSD 4.7). About the documentation part, there are only 1-2 examples; all the rest is plain text with explanation. It is better to ask if some rule from the example is not clear to you or someone else (or to ask for the example in the old syntax; this is a discussion forum), rather than to advise NOT to use the OFFICIAL documentation.


----------



## mecano (Oct 12, 2010)

Man, calm down, my intention was just to put a little context where you and gpatrick failed to.
After all, this is a FREEBSD public board; other people (beginners?) can come here, read this, try 4.7 rules in pf 4.6, tear their hair out, damn your name and your ten forthcoming generations of siblings, and finally lose their time and energy.
My post was aimed at them, not at you; don't take it personally.
For reference: http://forums.freebsd.org/showthread.php?t=17358 (OPENBSD Firewall Device thread, not FREEBSD, mind you)

[edit]Oh, and thanks to your link I found the PF 4.6 PDF doc, so, quintessence, let me thank you![/edit]


----------

