I have been running a pf based filtering router on OpenBSD 4.3 for about a year now. My current task is to set up a new network segment for hosting our external sites.
My aim is that machines set up in this network segment should not have any more access to the rest of our network than a machine on the internet.
On the whole, this is quite close. We have the DNS server returning its external view to this network segment. The pf is not routing traffic from this segment to any segment other than the internet interface. However, I cannot seem to prevent it from routing packets to the router, if they are also allowed to go to the internet.
e.g.
block in ...
# tag dmz traffic as only allowed to internet
pass in on $dmz_if inet all tag INTERNET_ONLY
...
# Ensure only traffic allowed to Internet is passed
block out on $internet_if
block out on $internet_if tagged INTERNET_ONLY tag ROUTE_INTERNET
pass out on $internet_if tagged ROUTE_INTERNET
I would like to be able to add
block out on $local_if from $dmz_if:network
to block any packets from going to the router, but it appears that packets for the local host do not go out on lo0. How can I block them?
Have I misunderstood how this all works? Is there an option that I have missed to allow this?
Any suggestions?
lo0 is local traffic from your router to your router. Like when you use IP 127.0.0.1 to connect.
If you want to prevent your DMZ from talking to your router you need to
block in on $dmz_if
to your router IPs.
This has now solved my problem, and is tested.
The "user model" for this is to consider the computer with a series of interfaces for each network connection (incl. local, encrypted etc.), and the packet filter is applied each time a packet passes across an interface. If you tag a packet, that tag remains with the packet when it is filtered on the out interface.
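Putting the answer and the original tagging approach together, here is a complete pf.conf fragment as an added example; it is not the configuration from the thread, and the interface names, the $router_ips macro and the optional DNS exception are assumptions. The key point is that packets from the DMZ addressed to the router itself are delivered locally and so are only ever filtered inbound on $dmz_if; they never cross an out interface, which is why an out rule on $local_if (or lo0) cannot catch them.

```pf
# Added example pf.conf fragment (not from the original post).
# Interface names and macros are assumptions; adjust for your router.
internet_if = "em0"
local_if    = "em1"
dmz_if      = "em2"

# "self" expands to every address the router holds on any interface,
# so this covers the router's DMZ, internal and external addresses.
router_ips  = "self"

set skip on lo0
block log all

# DMZ hosts must not reach the router itself. Locally destined packets
# are filtered only inbound on $dmz_if, so this is where to stop them.
block in log on $dmz_if from $dmz_if:network to $router_ips

# Optional exception (assumption): if the external-view DNS resolver runs
# on the router, allow only that. Last matching rule wins, so this
# overrides the block above for port 53 only.
pass in on $dmz_if proto { tcp udp } from $dmz_if:network to $router_ips port 53

# Forwarded DMZ traffic is tagged; the tag stays with the state and is
# checked again when the packet leaves another interface.
pass in on $dmz_if from $dmz_if:network to ! $router_ips tag INTERNET_ONLY

# Tagged DMZ traffic may leave only via the internet interface.
block out log on $local_if tagged INTERNET_ONLY
pass out on $internet_if tagged INTERNET_ONLY
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and verify the result from a DMZ host: connections to any router address other than port 53 should be dropped and appear in `tcpdump -n -e -ttt -i pflog0`, while connections out to the internet continue to work.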