

Archive: openbsd@sikurezza.org
Subject: [openbsd] problem with pf and SMTP connections
From: Matteo Mancini
Date: Mon, 13 Mar 2006 20:48:42 +0100 (CET)

Hi list,

I have a problem with a firewall on Soekris hardware; I've been running
test after test for two weeks but haven't found the cause of the problem.

The problem is with the SMTP sessions of incoming mail with attachments:
they don't arrive, and when they do arrive they have enormous delays.
The problem is in the firewall and not in the SMTP server (I tried with
another firewall, also OpenBSD, and everything works); with tcpdump I see
the mail arriving, but every now and then there are "holes" where I see no
traffic passing; I presume that during these holes the sending server
times out (but I'm not sure of that). pflog says nothing and the SMTP
sessions are not blocked; the system logs show no problems.

The firewall handles a LAN, two DMZs and an Internet line; in the two
DMZs, besides the SMTP server, there are also FTP and web services, and
those have no problems even when I do very long uploads/downloads.

The network layout is as follows:

                             INET
                              |
 (http,ftp)---<--DMZ2-----fw------dmz1-->--(smtp-http-ftp)
                              |
                     -------LAN---------

DMZ2 is a VLAN on the LAN switch, the DMZ is attached to the firewall
through a hub, and the Internet router is connected to the fw with a
crossover cable.

The problem does not occur if I put the backup firewall in place; the two
firewalls have different hardware, and the second firewall doesn't handle
the DMZ (I had run out of PCI slots for the Ethernet cards).

Ideas?? I've run out of them...
On Wednesday I'll try with another Soekris box so as to rule out the
hardware factor as well...

Bye

Thanks

Matteo


PS: the pf.conf follows


# cat pf/pf.conf
###############################################################################
# Macros
#

# available interfaces
dmz_if=         "sis2"
dmz2_if=        "sis3"
dmz3_if=        "sis4"
int_if=         "sis1"
ext_if=         "sis0"

# list of networks
ext_net=        $ext_if:network
dmz_net=        $dmz_if:network
dmz2_net=       $dmz2_if:network
dmz3_net=       $dmz3_if:network
int_net=        $int_if:network

# list of hosts
fw_ext=         "xx.yy.zz.34"
fw_dmz=         "($dmz_if)"
fw_dmz2=        "($dmz2_if)"
fw_dmz3=        "($dmz3_if)"
fw_int=         "($int_if)"

#web_dmz=       "10.0.0.70"
web_dmz=        "192.168.1.235"
web_ext=        "xx.yy.zz.34"
mail_int=       "10.0.0.70"
kbs_int=        "10.0.0.35"
as_int=         "10.0.0.55"
nagios_int=     "10.0.0.147"
ts_int=         "10.0.0.38"
web2_dmz2=     "172.25.16.123"
web2_ext=       "xx.yy.zz.38"
hilite_ip=      "{ xx.yy.zz.190, xx.yy.zz.220 }"
dc=             "{ 10.0.0.60, 10.0.0.61 }"

wupdate_ip=     ""


tcp_in_34=      "{ 20, 443, 25, 80, 53, 21, > 49151, 444 }"
udp_in_34=      "{ 53 }"

tcp_in_38=      "{ 21, 80, 5500:5700 }"
udp_in_38=      "{ }"

auth_dc_tcp=    "{ 389, 3268, 88, 53, 135, 1600, 6001, 6004, 445 }"
auth_dc_udp=    "{ 389, 88, 53, 123 }"

###############################################################################
# Tables
#

#table <rfc1918> const file "/etc/pf/rfc1918"
#table <trusted> persist file "/etc/pf/trusted"
#table <spam> persist file "/etc/pf/spam"
#table <dns_trans> persist file "/etc/pf/dns_trans"
table <server> persist file "/etc/pf/server"

####################################
# Options
#

#set timeout     { frag 15, interval 5 }
#set timeout     { tcp.first 120, tcp.opening 30, tcp.established 86400}
#set timeout     { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set limit       { frags 2500, states 5000 }
# "aggressive" installs short tcp.* timeouts (tcp.established goes from the
# default 86400 s to 300 s), so a TCP session idle for more than 5 minutes
# loses its state entry
set optimization        aggressive
set block-policy        drop
set loginterface        $ext_if

#scrub in all fragment reassemble no-df min-ttl 24 max-mss 1492
#scrub out all random-id fragment reassemble no-df min-ttl 24 max-mss 1492

###################################
# Translation
#

binat   on $ext_if inet from $web2_dmz2 to any -> $web2_ext
binat   on $ext_if inet from $web_dmz to any -> $web_ext
nat     on $ext_if inet from $dmz3_net to any -> xx.yy.zz.35
no nat  on $ext_if inet from !<server> to any
nat     on $ext_if inet from <server> to any -> xx.yy.zz.35

###############################################################################

##############################################################################
# Packet Filtering
#


block   in log all
block   out all


pass    in quick on lo0 all
pass    out quick on lo0 all
# no "keep state" on either rule: traffic on $int_if is passed statelessly
pass    in quick on $int_if all
pass    out quick on $int_if all

# dmz interface
pass    in quick on $dmz_if inet from $dmz_net to !$int_net keep state
pass    out quick on $dmz_if all keep state

# dmz2 interface
pass    in quick on $dmz2_if inet from $dmz2_net to !$int_net keep state
pass    out quick on $dmz2_if all keep state


block   out quick on $ext_if inet from !$ext_net to any


#antispoof log for $ext_if


#block in quick on $ext_if proto tcp all flags SF/SFRA
#block in quick on $ext_if proto tcp all flags SFUP/SFRAU
#block in quick on $ext_if proto tcp all flags FPU/SFFRAUP
#block in quick on $ext_if proto tcp all flags /SFRA
#block in quick on $ext_if proto tcp all flags F/SFRA


pass    out on $ext_if inet proto { icmp, udp, tcp } all keep state

##############################################
################## FIREWALL ##################
# inbound traffic (firewall)
# <trusted> is only declared in the commented-out table line above; pf
# creates it empty at load time, so this rule matches nothing until the
# table is populated
pass    in on $ext_if inet proto tcp from <trusted> to $fw_ext \
        port 22 flags S/SA keep state

##############################################
################## DMZ ZONE ##################

# inbound traffic ( inet->web)
pass    in quick on $ext_if inet proto tcp from any to $web_dmz \
        port $tcp_in_34 keep state

pass    in quick on $ext_if inet proto udp from any to $web_dmz \
        port $udp_in_34 keep state

pass    in quick on $dmz_if inet proto tcp from $web_dmz to $mail_int \
        port 25 keep state

pass    in quick on $dmz_if inet proto tcp from $web_dmz to $dc \
        port $auth_dc_tcp keep state

pass    in quick on $dmz_if inet proto udp from $web_dmz to $dc \
        port $auth_dc_udp keep state

pass    in quick on $dmz_if inet proto icmp from $web_dmz to $dc keep state

pass    in quick on $dmz_if inet proto tcp from $web_dmz to $nagios_int \
        port 5667 keep state

pass    in quick on $dmz_if inet proto udp from $web_ext to $dc \
        port 53 keep state

# Port-wise to internal
pass    in quick on $dmz_if inet proto tcp from $web_dmz to $kbs_int \
        port 80 keep state

pass    in quick on $dmz_if inet proto tcp from $web_dmz to $as_int \
        port { 8475, 446, 23 } keep state

pass    in quick on $dmz_if inet proto tcp from $web_dmz to $ts_int \
        port 3389 keep state

# Web server DMZ2
pass    in quick on $ext_if inet proto tcp from any to $web2_dmz2 \
        port $tcp_in_38 keep state

pass    in quick on $ext_if inet proto tcp from $hilite_ip to $web2_dmz2 \
        port { 3389 } keep state

pass    in quick on $dmz2_if inet proto tcp from $web2_dmz2 to $mail_int
port 2\        keep state

pass    in quick on $dmz2_if inet proto tcp from $web2_dmz2 to
$nagios_int port\        keep state
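As an added example, not part of the thread and not Matteo's configuration, the following Python script performs the static checks a reviewer would run first on a pf.conf like the one posted when long-lived TCP sessions stall: tables referenced but never declared, stateful TCP rules that create state without a `flags` clause, pass rules with no state keyword, and the tcp.* timeouts actually in force once `set optimization aggressive` is applied. The embedded excerpt is constructed and abbreviated from the posted config (same macro names, not the full file). It assumes the "normal" and "aggressive" timeout values from pf.conf(5) and pfctl's parse.y, that `pass` was stateless and had no default `flags S/SA` before OpenBSD 4.1, and that `set optimization` and `set timeout` lines take effect in file order.

```python
"""Static review of a pf.conf for the settings that matter when long-lived
TCP sessions (e.g. SMTP deliveries with large attachments) stall behind pf.

Added example. The embedded excerpt is constructed and abbreviated from the
posted configuration; it is not the full file."""
import re

# Constructed excerpt, not the full posted pf.conf.
SAMPLE_PF_CONF = """\
#table <trusted> persist file "/etc/pf/trusted"
table <server> persist file "/etc/pf/server"
#set timeout     { tcp.first 120, tcp.opening 30, tcp.established 86400}
set optimization        aggressive
set block-policy        drop
block   in log all
pass    in quick on $int_if all
pass    in on $ext_if inet proto tcp from <trusted> to $fw_ext \\
        port 22 flags S/SA keep state
pass    in quick on $dmz_if inet proto tcp from $web_dmz to $mail_int \\
        port 25 keep state
pass    out on $ext_if inet proto { icmp, udp, tcp } all keep state
"""

# tcp.* defaults documented in pf.conf(5) ("normal") and the values the
# "aggressive" profile installs (pf_hint_aggressive in pfctl's parse.y).
NORMAL_TIMEOUTS = {"tcp.first": 120, "tcp.opening": 30, "tcp.established": 86400,
                   "tcp.closing": 900, "tcp.finwait": 45, "tcp.closed": 90}
AGGRESSIVE_TIMEOUTS = {"tcp.first": 30, "tcp.opening": 5, "tcp.established": 300,
                       "tcp.closing": 60, "tcp.finwait": 30, "tcp.closed": 30}

TABLE_DEF = re.compile(r"^table\s+<(\w+)>")
TABLE_REF = re.compile(r"<(\w+)>")
TCP_PROTO = re.compile(r"\bproto\s+(?:tcp\b|\{[^}]*\btcp\b[^}]*\})")
STATE_KW = re.compile(r"\b(?:keep|modulate|synproxy)\s+state\b")
TIMEOUT_KV = re.compile(r"(tcp\.\w+)\s+(\d+)")


def logical_lines(text):
    """Join backslash continuations, strip '#' comments, normalise whitespace."""
    lines, buf = [], ""
    for raw in text.splitlines():
        code = raw.split("#", 1)[0].rstrip()
        if code.endswith("\\"):            # rule continues on the next line
            buf += code[:-1] + " "
            continue
        buf += code
        if buf.strip():
            lines.append(" ".join(buf.split()))
        buf = ""
    return lines


def undefined_tables(lines):
    """Tables used in rules but never declared with a 'table <name>' line.
    pf creates them empty at load time, so such rules silently match nothing."""
    defined, referenced = set(), set()
    for line in lines:
        m = TABLE_DEF.match(line)
        if m:
            defined.add(m.group(1))
        else:
            referenced.update(TABLE_REF.findall(line))
    return sorted(referenced - defined)


def stateful_tcp_without_flags(lines):
    """Stateful TCP pass rules with no 'flags' clause. Before OpenBSD 4.1 pf
    did not default to flags S/SA, so these create state from any packet,
    including a mid-stream one arriving after the old state has expired."""
    return [l for l in lines if l.startswith("pass") and TCP_PROTO.search(l)
            and STATE_KW.search(l) and not re.search(r"\bflags\b", l)]


def stateless_pass_rules(lines):
    """pass rules with no state keyword (stateless on pre-4.1 pf)."""
    return [l for l in lines if l.startswith("pass") and not STATE_KW.search(l)]


def effective_tcp_timeouts(lines):
    """tcp.* timeouts in force after 'set optimization' and 'set timeout'
    lines, applied in file order (an assumption of this script)."""
    timeouts = dict(NORMAL_TIMEOUTS)
    for line in lines:
        if re.match(r"set\s+optimization\s+aggressive\b", line):
            timeouts.update(AGGRESSIVE_TIMEOUTS)
        elif re.match(r"set\s+optimization\s+normal\b", line):
            timeouts.update(NORMAL_TIMEOUTS)
        elif line.startswith("set timeout"):
            for name, value in TIMEOUT_KV.findall(line):
                timeouts[name] = int(value)
    return timeouts


def review(text):
    """Run every check over one pf.conf text and return the findings."""
    lines = logical_lines(text)
    return {
        "undefined_tables": undefined_tables(lines),
        "tcp_state_without_flags": stateful_tcp_without_flags(lines),
        "stateless_pass": stateless_pass_rules(lines),
        "tcp_timeouts": effective_tcp_timeouts(lines),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_PF_CONF).items():
        print(f"{key}: {value}")
```

Run against the excerpt it reports `<trusted>` as referenced but undeclared, the port 25 rule and the catch-all outbound rule as stateful TCP rules without `flags`, the `$int_if` rule as stateless, and tcp.established at 300 seconds. Whether any of that is the cause of the stalls is something only `pfctl -ss` on the live box during one of the "holes" can tell; the script only narrows down what to look at.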





www.sikurezza.org - Italian Security Mailing List
(c) 1999-2005