OpenBSD 3.5 Freezing as a network bridge with PF
From: Dean (dean at laughlin.net)
Date: Tue Aug 03 2004 - 14:51:21 CDT
Hi,
I've googled and looked for a problem similar to mine and have
found one, but it doesn't accurately describe the problem. I'm not sure
what's causing it and was unable to find anyone sufficiently versed in pf
or OpenBSD to answer my question on my own, so I'm asking this list.
I've set up a packet filtering bridge with OpenBSD 3.5-stable on
a PIII 700MHz with 256MB of RAM. It has two Intel EtherExpress Pro 100
NICs and one RTL-8139 NIC. When I am not in "bypass" mode (pass in/out
quick on fxp0), my firewall will lock up unexpectedly in one to two
days. This is bad because it locks up at night when I'm not monitoring
it (3-4am) and causes loss of internet for our subscribers. There are no
dump or core files, and I've even run top to monitor CPU and disk usage.
All of that seems just as normal as when I booted up the box.
I'm almost CONVINCED it's my pf ruleset because if I'm not
"filtering" any traffic the box is rock solid. I've posted my pf.conf
below in the hopes that someone has some answers.
ext_if="fxp0"
int_if="rl0"
# Address tables loaded from files; "persist" keeps a table in the kernel
# even when no rule currently references it.
table <blocked-ip> persist file "/etc/ip.block"
table <allowed-host> persist file "/etc/allow.host"
# Normalise all traffic before filtering: randomise IP IDs and reassemble
# TCP segments.
scrub random-id reassemble tcp
#scrub out random-id
#
# FIREWALL BYPASS
#
# "quick" rules: while these two are active, every packet on $ext_if
# matches here and none of the rules below are evaluated for it.
pass in quick on $ext_if all
pass out quick on $ext_if all
# Protect the firewall's own address (216.253.82.2): block inbound traffic
# to it unless it comes from a host in <allowed-host>.
block in from ! 216.253.82.2 to 216.253.82.2
pass in quick from <allowed-host> to 216.253.82.2 keep state
pass out quick from 216.253.82.2 keep state
# Internal interface: stateful pass in both directions.
pass in on $int_if all keep state
pass out on $int_if all keep state
# Without "quick", the last matching rule wins, so these blocks override the
# passes above for any address listed in <blocked-ip>.
block out from <blocked-ip> to any
block in from any to <blocked-ip>
The <allowed-host> file contains a list of IP addresses which
may ssh to that box's IP address for maintenance, and <blocked-ip>
contains 131 lines of spammers and malicious people that I would like to
block from reaching any of our machines on our two class C's. Can anyone
help?
Thanks,
Dean
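Since the box leaves no dump or core file behind, one thing a practitioner would want before the next lock-up is a record of pf's own counters leading up to it. The script below is an added example, not part of Dean's post or of OpenBSD; it assumes the "current entries" line of `pfctl -si` and the "states hard limit" line of `pfctl -sm`, and the log path, interval and warning threshold are my own choices.

```shell
#!/bin/sh
# Added example: log pf state-table usage (and a vmstat line) every few
# minutes so the last samples before a lock-up survive on disk.
# Assumptions: OpenBSD pfctl output formats named in the lead-in; paths,
# interval and threshold below are arbitrary choices for this example.

LOG="${PF_HEALTH_LOG:-/var/log/pf-health.log}"
INTERVAL="${PF_HEALTH_INTERVAL:-300}"   # seconds between samples
WARN_PCT=80                             # flag when the state table is this full

# state_entries: read `pfctl -si` output on stdin, print the current state count.
state_entries() {
    awk '/current entries/ { print $3; exit }'
}

# state_limit: read `pfctl -sm` output on stdin, print the "states" hard limit.
state_limit() {
    awk '$1 == "states" && /hard limit/ { print $NF; exit }'
}

# usage_pct ENTRIES LIMIT: integer percentage of the state limit in use
# (0 when the limit is missing or zero, so a parse failure never aborts logging).
usage_pct() {
    [ "$2" -gt 0 ] 2>/dev/null || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# format_sample STAMP ENTRIES LIMIT: one log line, flagged when above WARN_PCT.
format_sample() {
    pct=$(usage_pct "$2" "$3")
    flag=""
    [ "$pct" -ge "$WARN_PCT" ] && flag=" WARN:state-table-${pct}%"
    echo "$1 states=$2 limit=$3 pct=$pct$flag"
}

# collect: take one sample from the live system (pfctl needs root).
collect() {
    ent=$(pfctl -si | state_entries)
    lim=$(pfctl -sm | state_limit)
    format_sample "$(date '+%Y-%m-%d %H:%M:%S')" "${ent:-0}" "${lim:-0}"
    # Raw vmstat line alongside, to tell general memory pressure apart from pf.
    vmstat | tail -1 | sed 's/^/        vmstat: /'
}

# Run as `sh pf-health.sh run` (e.g. from rc.local); invoked without the
# argument, the script only defines the functions above.
if [ "${1:-}" = "run" ]; then
    while :; do collect >> "$LOG" 2>&1; sleep "$INTERVAL"; done
fi
```

Grepping the log for WARN after a lock-up shows whether the state table was filling up overnight, which is one of the few pf-side numbers top does not show.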