From: "J. Hellenthal"
Date: Sun, 27 Mar 2011 05:28:52 -0400
To: Leslie Jensen
Cc: freebsd-pf@freebsd.org
Subject: Re: Lost in rules!
In-Reply-To: <4D8E11CB.2070501@eskk.nu>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sat, 26 Mar 2011 12:18, leslie@ wrote:

> Hello list.
>
> I've had a machine running FreeBSD 7.2-RELEASE as a firewall and Squid proxy
> server on a network with 10 PCs behind it for some years.
>
> Now I've got some new hardware and have installed FreeBSD 8.2-RELEASE with
> exactly the same set-up.
>
> My problem is that PF is not acting the same. Everything is blocked; if I
> remove the first rule "block in log on $ext_if all" I get some functionality,
> but it won't redirect the traffic to Squid, for example.
>
> I've been trying to fix it but I need some new eyes to help me.
>
> Below is the pf.conf on the new 8.2 machine, and further below is the
> original pf.conf from the 7.2 system.
>
> I'm aware that there have been some changes to the pf syntax, but when doing
> pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.
>
> Will you please take a look and see if you can see what's wrong.
>
> Thank you :-)
>

Hi Leslie,

I just extracted your rule sets from the email, and from what I gather I hope it's just not a formatting issue with your mailer, which I have seen coincidentally.
After pulling out the patch pipe and loading with a diff, this is what I've come up with:

(-)=New Config (+)=Old Config

# Let the goodguys access the machine from the outside
- -pass in log on $ext_if inet proto tcp from to ($ext_if)
+pass in on $ext_if inet proto tcp from to ($ext_if) \
 port $tcp_services flags S/SA keep state

# We need this for the rdr to VNC (change of portnumber)
- -pass in on $ext_if inet proto tcp from to $internal_net
+pass in on $ext_if inet proto tcp from to $internal_net \
 port $vncports flags S/SA synproxy state

You mentioned that when removing your block rule you would get some functionality back, and this stuck out like a sore thumb!

Pay close attention to the newline character at the end, or in other words "don't forget the backslash".

Also you used to have:

# filter rules
- -block in log on $ext_if all
+block in log (all)

but that is probably not relevant to what you are seeing in your rule sets at this time.

If this all is not a formatting error, you should be able to verify that all your rules are loaded with ( pfctl -s rules ) and manually inspect the ones in question to see whether the backslash really makes the difference.

Good luck.

-- 
Regards,
J. Hellenthal
(0x89D8547E)
JJH48-ARIN
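Review bot: On the first hunk, if the trailing backslash is really absent from the new `pass in log on $ext_if inet proto tcp from to ($ext_if)` line, that rule ends at `($ext_if)` and passes TCP from its source operand to the firewall on every port, and the following `port $tcp_services flags S/SA keep state` becomes a line of its own that pfctl cannot parse as a rule. A clean `pfctl -n -f /etc/pf.conf`, as reported in the quoted message, therefore argues that the backslash is present in the real file and was lost only in the mail; the check is whether the rule shown by `pfctl -s rules` still carries the `port` clause. The other visible difference in this hunk, `log` added to the new line, changes only what is logged, not what is passed.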
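Review bot: The second hunk has the same continuation point, and the stakes are higher: without `port $vncports flags S/SA synproxy state` the new rule would pass all TCP from its source operand to $internal_net, with neither the port restriction nor SYN proxying, and the comment says the rule only exists to accompany the rdr to VNC. Confirm with `pfctl -s rules` that the loaded rule still restricts to `$vncports` and uses `synproxy state`, and with `pfctl -s nat` that the matching `rdr` rule is loaded at all, since a pass rule alone cannot make the redirect work.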
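Review bot: The two block rules in the third hunk differ in scope, not only in syntax: the new `block in log on $ext_if all` applies to inbound traffic on $ext_if alone, whereas the old `block in log (all)` applies to inbound traffic on every interface (and `log (all)` logs every matching packet rather than only the one that creates state). The new rule is thus the narrower of the two, which agrees with the remark that it is probably not the cause; since pf uses last-matching-rule semantics, if removing it restores traffic, the pass rules that should have overridden it on $ext_if are the ones to inspect.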
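The check suggested above (did the continuation backslash survive, or is a `port ...` fragment sitting on its own line?) can be done offline before pfctl is ever run. The script below is an added example and is not from the thread or from the pf project; it joins backslash-continued lines the way pf.conf is read, then flags any logical line whose first token cannot begin a pf.conf statement. The keyword list, the macro pattern, and the `<goodguys>` table name in the constructed sample are assumptions chosen to match the rules quoted in the mail.

```shell
#!/bin/sh
# Added example (not from the original thread): lint a pf.conf for rules
# whose trailing "\" was lost, leaving an orphan fragment such as
#   port $tcp_services flags S/SA keep state
# on a line of its own. pfctl -nf would reject such a line; this runs
# without pfctl so the file can be checked on any host.

# join_continuations FILE: print FILE with "\"-continued lines joined,
# comments and blank lines dropped, mirroring how pf.conf is parsed.
join_continuations() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)          # strip a trailing comment
            if (line ~ /\\[ \t]*$/) {             # continued on next line
                sub(/\\[ \t]*$/, "", line)
                buf = buf line " "
                next
            }
            print buf line
            buf = ""
        }
        END { if (buf != "") print buf }
    ' "$1"
}

# orphan_fragments FILE: print "N: line" for every joined line that does
# not start with a token able to begin a pf.conf statement. Assumption:
# the keyword list covers the directives used in the thread (macros,
# tables, options, translation and filter rules); extend it if needed.
orphan_fragments() {
    join_continuations "$1" | awk '
        BEGIN {
            n = split("pass block match rdr nat binat set scrub table antispoof altq queue anchor load include", kw, " ")
            for (i = 1; i <= n; i++) ok[kw[i]] = 1
        }
        {
            if ($1 in ok) next
            if ($0 ~ /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/) next   # macro definition
            print NR ": " $0
        }
    '
}

# count_orphans FILE: number of flagged fragments, for scripted checks.
count_orphans() {
    orphan_fragments "$1" | wc -l | tr -d ' '
}

# write_sample FILE: constructed pf.conf modelled on the two rules in the
# mail. The first rule keeps its continuation; the second has lost it.
write_sample() {
    cat > "$1" <<'EOF'
ext_if = "em0"
tcp_services = "{ 22, 80 }"
table <goodguys> { 192.0.2.10 }
# continuation intact: one logical rule
pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
    port $tcp_services flags S/SA keep state
# continuation lost: rule ends at ($ext_if), next line is an orphan
pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if)
    port $tcp_services flags S/SA keep state
EOF
}

# Stand-alone demonstration on the constructed sample.
demo="${TMPDIR:-/tmp}/pf-orphan-demo.$$"
write_sample "$demo"
echo "orphan fragments found: $(count_orphans "$demo")"
orphan_fragments "$demo"
rm -f "$demo"
```

Run it as `sh pf-orphans.sh` and point `orphan_fragments` at the real `/etc/pf.conf`; a clean file prints nothing, and a flagged line that begins with `port`, `flags` or `keep` is almost always the tail of a rule whose backslash went missing. The joined view that `join_continuations` prints is also the easiest thing to compare, rule by rule, against `pfctl -s rules`.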