
PF to protect devices on same subnet ?

Marketing_Insists asked on Unix OS
I need to protect a somewhat fragile document scanner with an embedded OS.  (A good blast from Nessus or nmap and the system needs a reset to factory defaults, followed by in-depth configuring, before the device is working again.)

I wanted to look into OpenBSD and PF (Packet Filter) for this to get a little experience with BSD, but I'm having trouble with my pf.conf.

I've already got OpenBSD running with 2 NIC cards with static IPs.
The only other device that needs access to the protected document scanner is a document server based on Windows 2000.
I don't want to split the protected side (the doc scanner) into a new subnet (I may need to quickly revert to the previous unprotected system).

So, what should my pf.conf look like given the following?

192.168.0.195 is the document scanner
192.168.0.196 is the document server, the only other device that should access the above scanner.
192.168.0.193 is xl0 : OpenBSD NIC card 1 - external
192.168.0.194 is xl1 : OpenBSD NIC card 2 - internal (goes to mini-hub then to 192.168.0.195)

What I got so far, but no dice:

# Macros
ext_if="xl0"
int_if="xl1"
internal_net="192.168.0.0/24"
scanner="192.168.0.195"
doc_server="192.168.0.196"

# PF applies the LAST matching rule unless a rule says "quick", so the
# default block must come first; the "quick" pass rules below override it.
block in all
block out all

# Allow loopback packets
pass in quick on lo0 all
pass out quick on lo0 all

# Normal remote management access to the BSD server: SSH (port 22) from the LAN.
# ("from 192.168.0.0" on its own is a single host address, not the /24.)
pass in quick on $ext_if proto tcp from $internal_net to 192.168.0.193 port 22 keep state

# Allow traffic between document server and document scanner only.
# There is no "any" keyword in the source/destination position; "keep state"
# lets the scanner's replies return without a separate rule.
pass in quick on $ext_if from $doc_server to $scanner keep state
pass out quick on $int_if from $doc_server to $scanner keep state

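A complete configuration for the layout described in the question, added here as an illustration; it is not the accepted answer from the thread and not code from the poster. Because both sides must stay in 192.168.0.0/24, it assumes the OpenBSD box runs as a transparent filtering bridge between xl0 and xl1 rather than routing, that xl0 keeps 192.168.0.193 for management, and that the `/etc/hostname.*` file layout and state-by-default behaviour of a current OpenBSD release apply. It goes slightly beyond the question's ruleset by also allowing connections the scanner initiates toward the document server, since a scanner that pushes finished documents needs that direction too.

```conf
# --- Interface configuration (assumed file layout of a current OpenBSD release) ---
# /etc/hostname.xl0      external NIC keeps the management address
#     inet 192.168.0.193 255.255.255.0
# /etc/hostname.xl1      internal NIC carries no IP address, it only bridges
#     up
# /etc/hostname.bridge0  joins both NICs into one transparent bridge, so the
#                        scanner stays in 192.168.0.0/24; removing the box and
#                        plugging the scanner back into the LAN reverts everything
#     add xl0 add xl1 up

# --- /etc/pf.conf ---
ext_if     = "xl0"
int_if     = "xl1"
mgmt_addr  = "192.168.0.193"    # the OpenBSD box itself
lan        = "192.168.0.0/24"
scanner    = "192.168.0.195"    # fragile embedded device being protected
doc_server = "192.168.0.196"    # the only host allowed to talk to it

# Drop silently, so a port scanner gets no RST/ICMP feedback from the scanner's side.
set block-policy drop

# Last matching rule wins unless it says "quick": default-deny first.
block in all
block out all
pass quick on lo0 all

# Management of the filter box: SSH from the LAN to its own address only.
pass in quick on $ext_if proto tcp from $lan to $mgmt_addr port 22

# A bridged frame is evaluated twice, once inbound on the interface it
# arrived on and once outbound on the interface it leaves by, so every
# allowed direction needs both halves. State entries carry the replies,
# so nothing else has to be opened for return traffic. On releases older
# than OpenBSD 4.1 append "keep state" to each pass rule.
# Server -> scanner (the server polling or configuring the scanner).
pass in  quick on $ext_if from $doc_server to $scanner
pass out quick on $int_if from $doc_server to $scanner
# Scanner -> server (the scanner pushing finished scans to the server).
pass in  quick on $int_if from $scanner to $doc_server
pass out quick on $ext_if from $scanner to $doc_server

# Everything else, the rest of the LAN and any Nessus or nmap run included,
# is dropped by the block rules above. PF filters IP only: ARP still crosses
# the bridge, so the scanner stays reachable at layer 2 for the document server.
```

Check the ruleset with `pfctl -nf /etc/pf.conf` (parse without loading) before `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the loaded rules and `pfctl -ss` the state table, which is where a server-to-scanner connection should appear while a scan from any other host produces nothing. `ifconfig bridge0` confirms both NICs are members.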