From: "Roger Miranda (Digital Relay)" <rmiranda@digitalrelay.ca>
Organization: Digital Relay Inc.
To: freebsd-pf@freebsd.org
Date: Mon, 25 Sep 2006 08:06:33 -0500
Message-Id: <200609250806.34130.rmiranda@digitalrelay.ca>
Subject: PF FW/ Drop Connections

First poster here.

I have a system with a static IP on the WAN/EXT_IF interface. But we are having some issues and my last area to check is the pf.conf file (below):

1) Every 24-36 hours we get a dropped connection on the WAN interface; a simple reboot fixes it.
2) Running monitoring software outside the network shows that 6-8 times an hour a ping will get lost.

We have tried everything with the ISP to try to get this resolved. My last try is this pf.conf file. I'm running FreeBSD 6.1 with PF enabled in the kernel.
Thank you

--- pf.conf ------------------------------------------------------------------------------------
ext_if = "rl0"
int_if = "rl1"
dmz_if = "xl0"
privnet = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
webserv = "192.168.0.6"
gateway = "192.168.0.1"
tc = "192.168.55.99"
tcp_services = "{ 2205, 443, 80 }"
icmp_types = "echoreq"

scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)

rdr on $ext_if proto tcp from any to any port www -> $webserv port 80
rdr on $ext_if proto tcp from any to any port 443 -> $webserv port 443
rdr on $ext_if proto tcp from any to any port 2205 -> $gateway port 2205
rdr on $ext_if proto tcp from $int_if:network to any port 8080 -> $gateway port 8080
rdr on $int_if proto tcp from $int_if:network to any port www -> $gateway port 3128
rdr on $ext_if proto tcp from any to any port 3306 -> $tc port 3306
rdr on $ext_if proto tcp from any to any port 22 -> $tc port 3306

block in log on $ext_if from any to any
pass out from any to any keep state

pass in log on $ext_if inet proto tcp from any to 192.168.0.1 port 8080 flags S/SA
pass in log on $ext_if inet proto tcp from any to 192.168.0.1 port 2812 flags S/SA
pass in log on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to $webserv port 80 flags S/SA synproxy state
pass in log on $ext_if inet proto tcp from any to $webserv port 443 flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to any port 2205 flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to any port 3306 flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state

pass in log inet proto icmp all icmp-type $icmp_types keep state

pass out log on $int_if from any to $int_if:network keep state
pass out log on $dmz_if from any to $dmz_if:network keep state

pass log quick on $int_if from any to any
pass log quick on $dmz_if from any to $ext_if:network keep state
---------------------------------------------------------------------------------------------------------------------------

--ifconfig output-------------------------------------------------------------------------------------------------------
rl0: flags=8843 mtu 1500
        options=8
        inet6 fe80::211:95ff:fe66:698e%rl0 prefixlen 64 scopeid 0x1
        inet XXX.XXX.XXX.XXX netmask 0xfffffc00 broadcast XXX.XXX.XXX.XXX
        ether 00:11:95:66:69:8e
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8943 mtu 1500
        options=8
        inet6 fe80::211:95ff:fe61:93f0%rl1 prefixlen 64 scopeid 0x2
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:11:95:61:93:f0
        media: Ethernet autoselect (100baseTX )
        status: active
xl0: flags=8843 mtu 1500
        options=9
        inet6 fe80::206:5bff:feae:83fe%xl0 prefixlen 64 scopeid 0x3
        inet 192.168.55.1 netmask 0xffffff00 broadcast 192.168.55.255
        ether 00:06:5b:ae:83:fe
        media: Ethernet autoselect (100baseTX )
        status: active
plip0: flags=108810 mtu 1500
pflog0: flags=0<> mtu 33208
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
pfsync0: flags=0<> mtu 2020
---------------------------------------------------------------------------------------------------------------------------
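An added example, not part of the original post: a small Python checker for saved `pfctl -si` and `pfctl -sm` output that flags the two things worth ruling out first when a ruleset like the one above (almost every rule is `keep state`) drops connections on a schedule: a state table near its hard limit, and non-zero `state-limit`, `memory` or `congestion` counters, which mean pf itself refused packets. The sample output is constructed in the pf 3.7 layout assumed for FreeBSD 6.1; the numbers are invented.

```python
import re

# Constructed sample of `pfctl -si` in the pf 3.7 layout assumed for FreeBSD 6.1;
# the numbers are invented to show a firewall sitting just under its state limit.
SAMPLE_INFO = """\
Status: Enabled for 1 days 06:12:40           Debug: Urgent
State Table                          Total             Rate
  current entries                     9987
  inserts                          3129876            29.0/s
  removals                         3119889            28.9/s
Counters
  match                            3225410            29.9/s
  memory                               143            0.0/s
  congestion                             0            0.0/s
  state-limit                          611            0.0/s
"""

# Constructed sample of `pfctl -sm` showing pf's default hard limits.
SAMPLE_LIMITS = """\
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
"""

# Indented 'name  total [rate]' lines; header lines are not indented and are skipped.
COUNTER_RE = re.compile(r"^[ \t]+([a-z-]+(?: entries)?)[ \t]+(\d+)", re.M)
LIMIT_RE = re.compile(r"^(\S+)[ \t]+hard limit[ \t]+(\d+)", re.M)


def parse_counters(text):
    """Map each counter name in `pfctl -si` output to its integer total."""
    return {name: int(val) for name, val in COUNTER_RE.findall(text)}


def parse_limits(text):
    """Map each 'name  hard limit  N' line of `pfctl -sm` to N."""
    return {name: int(val) for name, val in LIMIT_RE.findall(text)}


def assess(counters, limits, warn_ratio=0.9):
    """Return the findings worth acting on: a state table near its hard limit,
    and non-zero counters that mean pf dropped packets on its own account."""
    findings = []
    cur, lim = counters.get("current entries", 0), limits.get("states", 0)
    if lim and cur >= warn_ratio * lim:
        findings.append("state table at %d/%d: raise 'set limit states' in pf.conf" % (cur, lim))
    for name in ("state-limit", "memory", "congestion"):
        if counters.get(name, 0):
            findings.append("%s counter is %d: pf dropped packets" % (name, counters[name]))
    return findings
```

Run it against `pfctl -si` and `pfctl -sm` output captured just before the next outage; a state table that only fills up over a day or so matches the 24-36 hour cycle far better than anything the ISP does.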