From owner-freebsd-pf@FreeBSD.ORG Sun Jan 9 00:56:47 2005
From: Rob Lensen
Date: Sun, 09 Jan 2005 02:00:52 +0100
To: freebsd-pf@freebsd.org
Subject: Re: Strange bridge problem with pf
Message-ID: <41E08244.2070409@bsdfreaks.nl>
In-Reply-To: <41B9BB9A.7000300@bsdfreaks.nl>
List-Id: Technical discussion and general questions about packet filter (pf)

Hello,

The problem which I had with FreeBSD and the bridged setup is solved.
I solved it by switching the transparent bridge machine to OpenBSD 3.6. So the same ruleset is working perfectly on OpenBSD. So I think PF and bridge do not work well on FreeBSD.

Best,
Rob

>
> I have a strange problem with pf on a bridged setup.
>
> Did read the previous thread about the pf problem with a bridge, since sysctl value of ipf bridge should be enabled.
>
> In the attached file the pf.conf is given. (fxp0 is the outside nic)
>
> The firewall is working for all machines behind the firewall except sf1; nothing seems to go to this machine if the firewall is enabled.
>
> If I look at the output of pfctl -sr I can see the rules for this machine are loaded:
>
> @7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
> @16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
> @17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state
>
> This should open the ports for ssh and http to machine X.6 (sf1), however no connection can be made.
> Nmap shows:
> 22/tcp open ssh
> 80/tcp open http
>
> #telnet X.6 22
> gives a timeout
>
> All other hosts are working fine.
>
> Does anyone have any clue on this problem?
>
> Best
> Rob Lensen
>
>
> ------------------------------------------------------------------------
>
> outside="fxp0"
> ext_if="fxp0"
> inside="fxp1"
> local="rl0"
>
> ext_ip=""
> local_net ="X.0/24"
>
> # Tables: similar to macros, but more flexible for many addresses.
> table {127.0.0.0/8, 192.168.1.0/16, 172.16.0.0/12, 10.0.0.0/8 }
>
> set loginterface $outside
> set block-policy return
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> #scrub in all
>
> web_A_2 = "X.2"
> web_A_3 = "X.3"
> web_A_4 = "X.4"
> web_A_7 = "X.7"
> web_A_8 = "X.8"
> web_A_9 = "X.9"
> web_A_20 = "X.20"
> sf1 = "X.6"
> sf2 = "X.30"
> mysql2 = "X.14"
> extranet = "X.13"
> firewall = "X.254"
> sec_dns = "X"
>
> http_servers = "{" $web_A_2 $web_A_4 $sf1 $web_A_8 $web_A_9 $extranet "}"
> ssh_servers = "{" $web_A_2 $sf1 $sf2 $extranet $mysql2 $firewall "}"
> ftp_servers = "{" $web_A_2 $sf1 "}"
> mail_servers = "{" $extranet "}"
> samba_servers = "{" $extranet "}"
> dns_servers = "{" $web_A_3 "}"
>
> ssh_ports = "{ 22 }"
> http_ports = "{ 80, 443 }"
> ftp_ports = "{ 20, 21 }"
> ftp_ports_pasv = "{ 65000:65500 }"
> snmp_ports = "{ 161 }"
> mysql_ports = "{ 3306 }"
> dns_ports = "{ 53 }"
> email_ports = "{ 25, 110, 143, 993, 995 }"
> samba_udp_ports = "{ 137, 138, 587 }"
> samba_tcp_ports = "{ 139, 445, 587 }"
>
> # filtering done on public side of bridge, so allow everything
> # on the protected side of things
> pass in quick on $inside all
> pass out quick on $inside all
>
> # block everything by default on bridge
> block in log on $outside all
> pass out on $outside all
> #block out log on $outside all
>
> pass in quick on $local all
> pass out quick on $local all
>
> ############
> # IN RULES
> ############
>
> #allow ssh to defined servers
> pass in quick on $outside proto tcp from any to $ssh_servers \
>     port $ssh_ports flags S/SA keep state
>
> #allow http for the defined servers
> pass in quick on $outside proto tcp from any to $http_servers \
>     port $http_ports flags S/SA keep state
>
> #allow ftp for defined servers
> pass in quick on $outside proto tcp from any to $ftp_servers \
>     port $ftp_ports #flags S/SA keep state
> pass in quick on $outside proto tcp from any to $ftp_servers \
>     port $ftp_ports_pasv #keep state
>
> #allow email for defined server
> pass in quick on $outside proto tcp from any to $mail_servers \
>     port $email_ports #flags S/SA keep state
>
> #allow samba for defined server
> pass in quick on $outside proto tcp from any to $samba_servers \
>     port $samba_tcp_ports #flags S/SA keep state
>
> pass in quick on $outside proto udp from any to $samba_servers \
>     port $samba_udp_ports #keep state
>
> #allow dns for defined server
> pass in quick on $outside proto { tcp, udp } from any to $dns_servers \
>     port domain keep state
>
> #snmp on firewall
> #pass in quick on $outside proto { tcp, udp } from any to $local_ip \
> #    port $snmp_ports
>
> #pass in quick on $local proto { tcp, udp } from any to $firewall_bridge \
> #    port $snmp_ports
>
> # Allow ICMP (ping) IN
> # pass out/in certain ICMP queries and keep state (ping)
> pass in on $outside inet proto icmp all icmp-type { 0, 3, 8, 11 }
>
> ############
> # OUT RULES
> ############
> # Allow ICMP (ping) OUT
> pass out on $outside inet proto icmp all icmp-type { 0, 3, 8, 11 }
> # Pass (Allow) all UDP/TCP OUT and keep state
> pass out on $outside proto udp all #keep state
> pass out on $outside proto tcp all
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
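As an added example, not part of the thread: a small Python evaluator for the kind of `pfctl -sr` lines quoted above. It reproduces pf's evaluation order (last matching rule wins unless a matching rule is `quick`) so you can confirm which loaded rule decides a given packet before looking elsewhere, as in this thread where the pass rules matched yet the host stayed unreachable. The `@0 block` line and the service-name table are constructed; `X.6` is the thread's anonymised address.

```python
import re

# pfctl prints well-known ports by service name; small constructed table.
SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53, "smtp": 25}

# Subset of the pfctl -sr grammar seen in the thread; flags/keep state are ignored:
#   @N pass|block [drop|return] in|out [log] [quick] on IFACE [inet]
#      ( all | proto P from SRC to DST [port = PORT] )
RULE_RE = re.compile(
    r"@(?P<num>\d+)\s+(?P<action>pass|block)(?:\s+(?:drop|return))?\s+"
    r"(?P<dir>in|out)(?:\s+log)?(?P<quick>\s+quick)?\s+on\s+(?P<iface>\S+)"
    r"(?:\s+inet6?)?\s+(?:all|proto\s+(?P<proto>\S+)\s+from\s+(?P<src>\S+)"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+=\s+(?P<port>\S+))?)")

# Constructed sample: the thread's three rules plus the default block that
# `block in log on $outside all` yields under `set block-policy return`.
SAMPLE = """\
@0 block return in log on fxp0 all
@7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
@16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
@17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state
"""

def parse_rules(text):
    """Parse pfctl -sr lines into dicts; lines outside the subset are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        r["num"], r["quick"] = int(r["num"]), r["quick"] is not None
        if r["port"] is not None:  # resolve service name to a port number
            r["port"] = SERVICES.get(r["port"]) or int(r["port"])
        rules.append(r)
    return rules

def matches(rule, direction, iface, proto, dst, port):
    # An 'all' rule (no proto) matches anything on that interface/direction.
    if rule["dir"] != direction or rule["iface"] != iface:
        return False
    if rule["proto"] is None:
        return True
    return (rule["proto"] == proto and rule["dst"] in ("any", dst)
            and rule["port"] in (None, port))

def winning_rule(rules, direction, iface, proto, dst, port):
    """pf semantics: the last matching rule wins unless a matching rule is `quick`."""
    winner = None
    for rule in rules:
        if matches(rule, direction, iface, proto, dst, port):
            winner = rule
            if rule["quick"]:
                break  # quick ends evaluation at this rule
    return winner
```

Feed it the real `pfctl -sr` output and call `winning_rule(rules, "in", "fxp0", "tcp", "X.6", 22)`; if the pass rule is returned, the ruleset is not what is dropping the traffic.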