I am setting up an AWS VPC with an external / internal firewall pair to protect the hosts in the DMZ (for Internet > DMZ and DMZ > Internet traffic) and the hosts on the local network (for DMZ > local, local > DMZ and local > Internet traffic). Since OpenBSD now has Xen drivers, I created two OpenBSD 6.1 VMs and configured them according to the diagram below. The external firewall, vegeta, can talk to the Internet fine. The internal firewall, bulma, however, cannot.
If I am on bulma and do the following:
$ telnet 50.194.72.148 80
then I would expect to see packets on vegeta:xnf3, the default route for bulma, but I do not. I can ssh from bulma to vegeta just fine, so packets are getting through. And my pf firewall rules, although they block everything by default, allow the traffic and log every other failure. But pf shows no notable failures. Am I missing some AWS configuration to make this work?
Routing table on bulma:
bulma# route -n show -inet
Routing tables
Internet:
Destination        Gateway            Flags  Refs    Use    Mtu  Prio Iface
default            192.168.15.238     UGS       0    209      -     8 xnf0
224/4              127.0.0.1          URS       0      0  32768     8 lo0
127/8              127.0.0.1          UGRS      0      0  32768     8 lo0
127.0.0.1          127.0.0.1          UHhl      1     22  32768     1 lo0
192.168.15.0/28    192.168.15.14      UCn       2      0      -     4 xnf1
192.168.15.1       0a:8f:0f:99:77:46  UHLc      0   5668      -     3 xnf1
192.168.15.2       0a:8f:0f:99:77:46  UHLc      0      3      -     3 xnf1
192.168.15.14      0a:cb:41:73:83:ca  UHLl      0   6052      -     1 xnf1
192.168.15.15      192.168.15.14      UHb       0      0      -     1 xnf1
192.168.15.224/28  192.168.15.228     UCn       2      0      -     4 xnf0
192.168.15.225     0a:28:c7:f3:88:0c  UHLc      0   5671      -     3 xnf0
192.168.15.228     0a:15:e5:12:a4:28  UHLl      0   5806      -     1 xnf0
192.168.15.238     0a:c4:41:0e:06:74  UHLch     5    113      -     3 xnf0
192.168.15.239     192.168.15.228     UHb       0      0      -     1 xnf0
/etc/pf.conf on bulma:
dmz_if = "xnf0"
int_if = "xnf1"
icmp_types = "{ echoreq, unreach }"
table <aws_nets> const { 192.168.15.0/24 }
set block-policy return
set skip on lo
block log all
block in quick inet6 all
# Allow ping and path MTU discovery
pass in log inet proto icmp all icmp-type $icmp_types keep state
pass out log on $dmz_if inet proto { udp, icmp } all keep state
# Allow anything on the NAT interface
pass in log on $dmz_if inet from <aws_nets> to any
pass out log on $dmz_if inet from $dmz_if:network to any
# Allow anything on the internal interface
pass out log on $int_if inet from $int_if:network to any
# Nat
match out log on $dmz_if inet from $int_if:network to any \
        nat-to ($dmz_if:0)
pass out log on $dmz_if from any to any
# Allow ssh
pass in log on $dmz_if inet proto tcp from $dmz_if:network to \
        $dmz_if:0 port = ssh
pass out log on $dmz_if inet proto tcp from $dmz_if:network to \
        $dmz_if:network port = ssh
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
/etc/pf.conf on vegeta:
ext_if = "xnf0"
dmz_if = "xnf3"
icmp_types = "{ echoreq, unreach }"
table <aws_nets> const { 192.168.15.192/28, 192.168.15.208/28, \
        192.168.15.224/28 }
set block-policy return
set skip on lo
block log all
block in quick inet6 all
# Allow ping and path MTU discovery
pass in log inet proto icmp all icmp-type $icmp_types keep state
pass out log on $ext_if inet proto { udp, icmp } all keep state
# Allow anything on the NAT interface
pass in log on $dmz_if inet from <aws_nets> to any
# Nat
match out log on $ext_if inet from $dmz_if:network to any \
        nat-to ($ext_if:0)
pass out log on $ext_if from any to any
# Allow ssh
pass in log on $ext_if inet proto tcp from any to \
        any port = ssh
pass in log on $dmz_if inet proto tcp from any to \
        any port = ssh
pass out log on $dmz_if inet proto tcp from $dmz_if:network to \
        $dmz_if:network port = ssh
# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010
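The pf rulesets above pass the traffic, so the remaining place to look is the VPC itself: an EC2 ENI only accepts or emits a packet whose source or destination IP is not its own when its SourceDestCheck attribute is disabled, and hosts that rely on the subnet's implicit router need the subnet route table to send 0.0.0.0/0 at the firewall's ENI. The following is an added example (not part of the question or of the OpenBSD/pf configuration above) that runs those two checks over data shaped like `aws ec2 describe-network-interfaces` and `aws ec2 describe-route-tables` output. The ENI, subnet and route-table IDs are invented, the sample data is constructed so that vegeta's DMZ-facing ENI (192.168.15.238) still has the default SourceDestCheck=True, and the route-table check assumes the design in which the subnet route table, not a per-host static route, steers local hosts at bulma.

```python
"""Check the AWS-side settings that let an EC2 instance forward packets.

Two things must hold for a packet that an OS routes to an in-subnet next hop
(bulma -> vegeta, or a local host -> bulma) and that is not addressed to
that next hop:

  1. the next hop's ENI must have SourceDestCheck disabled, otherwise AWS
     drops the packet before the guest (and pf) ever sees it;
  2. the subnet route table should carry a route for the destination that
     points at that ENI (assumed design; a per-host static route would also
     work for the hosts that set one).

All IDs and data below are constructed for this example.
"""
import copy
import ipaddress

# Constructed sample in the shape of `aws ec2 describe-network-interfaces`.
ENIS = {
    "NetworkInterfaces": [
        # vegeta xnf3: still has the default SourceDestCheck=True (the bug)
        {"NetworkInterfaceId": "eni-aaaa1111", "PrivateIpAddress": "192.168.15.238",
         "SubnetId": "subnet-dmz", "SourceDestCheck": True},
        # bulma xnf0 (DMZ side) and xnf1 (local side), already disabled
        {"NetworkInterfaceId": "eni-bbbb2222", "PrivateIpAddress": "192.168.15.228",
         "SubnetId": "subnet-dmz", "SourceDestCheck": False},
        {"NetworkInterfaceId": "eni-cccc3333", "PrivateIpAddress": "192.168.15.14",
         "SubnetId": "subnet-local", "SourceDestCheck": False},
        # an ordinary local host; it never forwards, so the default is fine
        {"NetworkInterfaceId": "eni-dddd4444", "PrivateIpAddress": "192.168.15.1",
         "SubnetId": "subnet-local", "SourceDestCheck": True},
    ]
}

# Constructed sample in the shape of `aws ec2 describe-route-tables`.
ROUTE_TABLES = {
    "RouteTables": [
        {"RouteTableId": "rtb-dmz",
         "Associations": [{"SubnetId": "subnet-dmz"}],
         "Routes": [
             {"DestinationCidrBlock": "192.168.15.0/24", "GatewayId": "local"},
             {"DestinationCidrBlock": "0.0.0.0/0", "NetworkInterfaceId": "eni-aaaa1111"},
         ]},
        {"RouteTableId": "rtb-local",
         "Associations": [{"SubnetId": "subnet-local"}],
         "Routes": [
             # no default route at all: local hosts have no path out
             {"DestinationCidrBlock": "192.168.15.0/24", "GatewayId": "local"},
         ]},
    ]
}


def enis_by_ip(enis):
    """Index ENI records by their primary private IP."""
    return {e["PrivateIpAddress"]: e for e in enis["NetworkInterfaces"]}


def route_table_for_subnet(route_tables, subnet_id):
    """Return the route table explicitly associated with a subnet, if any."""
    for rt in route_tables["RouteTables"]:
        if any(a.get("SubnetId") == subnet_id for a in rt["Associations"]):
            return rt
    return None


def longest_match(rt, dst):
    """VPC route tables use longest-prefix match; return the winning route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for r in rt["Routes"]:
        net = ipaddress.ip_network(r["DestinationCidrBlock"])
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, r)
    return best[1] if best else None


def check_forwarding_path(enis, route_tables, src_ip, next_hop_ip, dst):
    """List the AWS-side reasons a packet from src_ip, handed by the OS to
    next_hop_ip on the way to dst, would never reach the next hop's guest."""
    problems = []
    by_ip = enis_by_ip(enis)
    sender, hop = by_ip.get(src_ip), by_ip.get(next_hop_ip)
    if sender is None or hop is None:
        return [f"unknown ENI for {src_ip} or {next_hop_ip}"]
    # 1. The hop is neither source nor destination of the packet.
    if hop["SourceDestCheck"]:
        problems.append(f"{hop['NetworkInterfaceId']} ({next_hop_ip}) has SourceDestCheck enabled")
    # 2. The sending subnet's route table should steer dst at the hop's ENI.
    rt = route_table_for_subnet(route_tables, sender["SubnetId"])
    route = longest_match(rt, dst) if rt else None
    if route is None:
        problems.append(f"no route for {dst} in {sender['SubnetId']}")
    elif route.get("GatewayId") != "local" and route.get("NetworkInterfaceId") != hop["NetworkInterfaceId"]:
        problems.append(f"route for {dst} does not point at {hop['NetworkInterfaceId']}")
    return problems


def disable_source_dest_check(enis, eni_id):
    """Return a copy of the ENI data with SourceDestCheck cleared on eni_id
    (the API equivalent is modify-network-interface-attribute --no-source-dest-check)."""
    fixed = copy.deepcopy(enis)
    for e in fixed["NetworkInterfaces"]:
        if e["NetworkInterfaceId"] == eni_id:
            e["SourceDestCheck"] = False
    return fixed


if __name__ == "__main__":
    # bulma (192.168.15.228) -> default gateway 192.168.15.238 (vegeta) -> Internet host
    print(check_forwarding_path(ENIS, ROUTE_TABLES, "192.168.15.228", "192.168.15.238", "50.194.72.148"))
    fixed = disable_source_dest_check(ENIS, "eni-aaaa1111")
    print(check_forwarding_path(fixed, ROUTE_TABLES, "192.168.15.228", "192.168.15.238", "50.194.72.148"))
    # a local host -> bulma (192.168.15.14) -> Internet host
    print(check_forwarding_path(ENIS, ROUTE_TABLES, "192.168.15.1", "192.168.15.14", "50.194.72.148"))
```

Against the constructed data the first call reports only vegeta's ENI, which matches the symptom in the question: bulma's outbound packets are dropped by the VPC before xnf3, so tcpdump on vegeta and pf's own logs both stay silent. The same check is worth running for bulma's xnf1 before local hosts are put behind it, and the route-table check is a reminder that every subnet route table on the path has to be set as well.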