
I'm facing a challenge with my PF firewall on an OpenBSD machine.

From a client (A) I'm connecting to a server (B) using a target ip (SRV-IP-1). The server is replying to my request, but sourcing the reply from a different IP (SRV-IP-2).

The firewall is dropping the reply, since it's unable to understand that the reply is part of a conversation originated from the inside network (it thinks that the reply is a connection started from outside).

Is there a way to instruct the firewall to consider a reply valid if coming from, say, a "pool" of addresses instead of the address used as the conversation target (SRV-IP-1)? For example, it would be nice to map a specified address with other addresses, to "chain" the state.

Thank you.

spidernik84

2 Answers


There are many ways of allowing traffic from a pool of addresses.

You can use CIDR subnets:

pass in on [interface] from 10.0.0.0/8

You can use a macro:

# pf macro names may only contain letters, digits and underscores,
# and a macro is expanded with a leading "$" when it is used in a rule
allowed_reply = "{ 10.0.0.1, 10.0.0.3 }"
pass in on [interface] from $allowed_reply

Another way would be to use anchors.

That would allow you to "nest" rules inside another rule... kind of.

OpenBSD's documentation on PF is very helpful, as is Calomel's web site.

Alex
  • Thanks Alex. Unfortunately I need something that takes the state into consideration; it's not enough to allow the IPs. – spidernik84 Jul 19 '11 at 15:44

The firewall doesn't know that server B has two IP addresses -- it treats each IP address as a different source/object. The diagram below shows what your firewall is seeing. [Diagram: What the firewall sees]

To get the firewall to pass traffic from this "other" computer you need to add explicit rules to allow the green traffic (from the second IP to arbitrary hosts out on the internet) - you can do this with individual rules or with an address table (see the pf documentation for more info on tables).

A better solution is probably to determine why you are sending replies from a different address than where you're receiving the requests -- if you can make all the traffic take place to/from one address you will be able to take advantage of pf's automatic state tracking, and have a much simpler environment to manage.

voretaq7
  • Hi voretaq7, I'll definitely look into tables. As for the best solution you're proposing, that's exactly my point. Unfortunately it's not my choice to have the replies coming from a different IP, since that's an issue caused by the company at the other side. Having a single ip would really be the easiest solution, but they're firm on their idea and won't change the current setup... – spidernik84 Jul 19 '11 at 15:42
  • If the setup can't be changed you're stuck with explicit rules, and two sets of state data (this can get painful, especially as you grow). Using tables for the allowed IP lists is a substantial improvement over discrete rules in any case: It allows hashed lookups and reduces the length of the ruleset that needs to be evaluated. – voretaq7 Jul 20 '11 at 17:39
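Putting the two answers together (Alex's macro/table approach and voretaq7's explicit rules with a second set of state), here is an added pf.conf fragment that is not part of either answer. The interface name, addresses, port and table name are hypothetical placeholders, and it assumes the inside network is routed through the firewall without NAT, since with NAT there would be no state entry to reverse-translate a reply that arrives from an address pf never saw on the way out.

```pf
# Added example (not from the answers above): pf.conf fragment for the
# asymmetric-reply case, using a table as both answers suggest.
# All names and addresses below are hypothetical placeholders.
ext_if   = "em0"              # hypothetical external interface
lan_net  = "192.168.1.0/24"   # hypothetical inside network (routed, no NAT)
srv_ip1  = "203.0.113.10"     # stands in for SRV-IP-1 (the request target)
srv_port = "5060"             # hypothetical UDP service port the client talks to

# Addresses the server is known to reply from (SRV-IP-2 and any others).
# "persist" keeps the table alive even when no loaded rule references it, so
# it can be maintained at runtime without reloading the ruleset, e.g.:
#   pfctl -t srv_reply -T add 203.0.113.12
#   pfctl -t srv_reply -T show
table <srv_reply> persist { 203.0.113.11 }

# Default policy first: pf uses last-match semantics, so the block rule goes
# at the top and the pass rules below override it for matching packets.
block in log on $ext_if

# Outbound: the normal stateful rule for the request to SRV-IP-1. Packets
# from SRV-IP-1 itself come back through this state automatically.
pass out on $ext_if proto udp from $lan_net to $srv_ip1 port $srv_port keep state

# Inbound: explicit rule for the reply that arrives from the "other" address.
# This is the second state set voretaq7 mentions. Scope it as tightly as the
# service allows (source table, source port, destination network) and log it,
# so that unexpected hits show up in pflog rather than passing silently.
pass in log on $ext_if proto udp from <srv_reply> port $srv_port to $lan_net keep state

# Syntax-check before loading:  pfctl -nf /etc/pf.conf
```

pf has no mechanism to "chain" a reply from a different address onto an existing state, which is why both answers end up at an explicit inbound rule. Two practical notes: the inbound rule is a standing hole for anything in `<srv_reply>` toward the inside network on that port, so keep the table minimal and watch the `log` hits; and this arrangement can only ever help for connectionless traffic such as UDP, because a TCP client's own stack will not accept a SYN-ACK from an address other than the one it connected to, regardless of what the firewall passes.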