Date: Mon, 20 Oct 2008 14:25:24 -0400
From: "Chen Xu" <xuchen66@gmail.com>
To: freebsd-pf@freebsd.org
Subject: my firewall doesn't work
Message-ID: <184b087c0810201125y20714aa9y276d26a9e7e8a3b1@mail.gmail.com>
Dear List,

I am new to PF, but I have experience with FreeBSD in general. I took a look
at example1 from the PF FAQ, since my network is almost exactly the same.
However, I have problems connecting anywhere after loading /etc/pf.conf; I
cannot even ping myself, 127.0.0.1, or 192.168.1.1, which is my internal NIC.
Can anyone give me a hint what is wrong? Many thanks in advance.

Information about the setup:

1. FreeBSD 5.3-release-p26

2. with these lines compiled in the kernel
#
device pf
device pflog
device pfsync
#

3. here are the lines in /etc/rc.conf
#
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
#

4. /etc/pf.conf
# -------------------------------
#
# macros
ext_if = "fxp0"
int_if = "em0"
tcp_services = "{ 22, 113 }"
icmp_type = "echoreq"
tecnai = "192.168.1.2"
leginon = "192.168.1.3"
# next is the web-enabled data logging device that records temp and RH%
tr_72w = "192.168.1.10"
# we might need brandeis DNS
local_dns = "{ 129.64.99.11 129.64.99.12 }"

# options
set block-policy return
set loginterface $ext_if
# 5.3 doesn't have it.
#set skip on lo0

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $tr_72w

# filter rules
pass quick on lo0
block in
pass inet proto tcp from $int_if:network to any keep state
pass out keep state
block out on $ext_if proto { tcp, udp } from $tecnai to any port http
#anchor "ftp-proxy/*"
#antispoof quick for $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $tr_72w \
    port 80 flags S/SA synproxy state
# may or may not need this, need test
pass in on $ext_if inet proto udp from $local_dns to any port 53
pass in inet proto icmp all icmp-type $icmp_type keep state
pass in quick on $int_if
# the end ------------------------------

Chen
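The ruleset above is evaluated the way every pf filter section is: rules are walked top to bottom, the last matching rule decides, and a matching rule marked `quick` ends evaluation on the spot. The script below is an added illustration of that evaluation order and is not code from the poster or from the pf project. It models only direction, interface, protocol, source address and destination port; destination addresses, `icmp-type`, TCP flags, state tracking, `scrub` and `nat`/`rdr` are left out, so it is a teaching model rather than a pf reimplementation. The `RULES` list is the filter section of the posted /etc/pf.conf with the macros expanded by hand; the packets fed to it are constructed sample traffic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


# Simplified model of one pf filter rule. Only the criteria needed to show
# evaluation order are modelled; anything the rule does not specify is "any".
@dataclass
class Rule:
    action: str                          # "pass" or "block"
    direction: Optional[str] = None      # "in", "out" or None (either)
    iface: Optional[str] = None          # interface name or None (any)
    proto: Optional[set] = None          # e.g. {"tcp", "udp"} or None (any)
    src: Optional[list] = None           # list of addresses/CIDRs or None (any)
    dport: Optional[set] = None          # destination ports or None (any)
    quick: bool = False                  # stop evaluating on a match
    text: str = ""                       # the pf.conf line it stands for


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dport: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every criterion the rule specifies fits the packet."""
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface and rule.iface != pkt.iface:
        return False
    if rule.proto and pkt.proto not in rule.proto:
        return False
    if rule.src:
        addr = ipaddress.ip_address(pkt.src)
        if not any(addr in ipaddress.ip_network(n, strict=False) for n in rule.src):
            return False
    if rule.dport and pkt.dport not in rule.dport:
        return False
    return True


def evaluate(rules, pkt):
    """Walk the ruleset in order: the LAST matching rule wins, unless a
    matching rule carries 'quick', which ends evaluation immediately.
    Returns (decision, index of the deciding rule or None). When no rule
    matches, pf's default is to pass."""
    decision, winner = "pass", None
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            decision, winner = rule.action, i
            if rule.quick:
                break
    return decision, winner


# Filter section of the posted ruleset, macros expanded by hand (constructed).
EXT_IF, INT_IF = "fxp0", "em0"
INT_NET = ["192.168.1.0/24"]                 # $int_if:network
TECNAI = ["192.168.1.2"]
LOCAL_DNS = ["129.64.99.11", "129.64.99.12"]

RULES = [
    Rule("pass", iface="lo0", quick=True, text="pass quick on lo0"),
    Rule("block", direction="in", text="block in"),
    Rule("pass", proto={"tcp"}, src=INT_NET,
         text="pass inet proto tcp from $int_if:network to any keep state"),
    Rule("pass", direction="out", text="pass out keep state"),
    Rule("block", direction="out", iface=EXT_IF, proto={"tcp", "udp"}, src=TECNAI, dport={80},
         text="block out on $ext_if proto { tcp, udp } from $tecnai to any port http"),
    Rule("pass", direction="in", iface=EXT_IF, proto={"tcp"}, dport={22, 113},
         text="pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services"),
    Rule("pass", direction="in", iface=EXT_IF, proto={"tcp"}, dport={80},
         text="pass in on $ext_if inet proto tcp from any to $tr_72w port 80 synproxy state"),
    Rule("pass", direction="in", iface=EXT_IF, proto={"udp"}, src=LOCAL_DNS, dport={53},
         text="pass in on $ext_if inet proto udp from $local_dns to any port 53"),
    Rule("pass", direction="in", proto={"icmp"},
         text="pass in inet proto icmp all icmp-type $icmp_type keep state"),
    Rule("pass", direction="in", iface=INT_IF, quick=True, text="pass in quick on $int_if"),
]


def explain(pkt: Packet) -> str:
    """One line saying what happens to the packet and which rule decided it."""
    decision, idx = evaluate(RULES, pkt)
    why = RULES[idx].text if idx is not None else "(no rule matched; default pass)"
    return f"{pkt.direction:3} {pkt.iface:4} {pkt.proto:4} src={pkt.src} dport={pkt.dport}: {decision} by '{why}'"


if __name__ == "__main__":
    for pkt in [
        Packet("in", "lo0", "icmp", "127.0.0.1"),            # loopback ping
        Packet("in", EXT_IF, "tcp", "10.0.0.5", 22),         # ssh from outside
        Packet("in", EXT_IF, "tcp", "10.0.0.5", 25),         # smtp from outside
        Packet("out", EXT_IF, "tcp", "192.168.1.2", 80),     # tecnai to the web
        Packet("in", INT_IF, "udp", "192.168.1.3", 5353),    # anything from inside
    ]:
        print(explain(pkt))
```

The outbound packet from 192.168.1.2 to port 80 is the instructive case: three rules match it (`pass inet proto tcp from $int_if:network`, `pass out keep state`, and the `block out ... from $tecnai` rule), and only the last one counts. On the real host the same question is answered by the firewall itself: `pfctl -nvf /etc/pf.conf` parses the file with macros expanded without loading it, `pfctl -sr` shows the rules that are actually loaded, and the `pflog0` interface records which rule blocked a packet.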