From owner-freebsd-questions@FreeBSD.ORG Fri Dec 7 16:23:47 2007
Date: Fri, 7 Dec 2007 17:23:44 +0100
From: Roland Smith <rsmith@xs4all.nl>
To: ajtiM
Message-ID: <20071207162344.GA13752@slackbox.xs4all.nl>
References: <200712070620.37273.lumiwa@gmail.com>
In-Reply-To: <200712070620.37273.lumiwa@gmail.com>
X-GPG-Fingerprint: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725
X-GPG-Key: http://www.xs4all.nl/~rsmith/pubkey.txt
X-GPG-Notice: If this message is not signed, don't assume I sent it!
User-Agent: Mutt/1.5.16 (2007-06-09)
Cc: freebsd-questions@freebsd.org
Subject: Re: PF firewall

On Fri, Dec 07, 2007 at 06:20:37AM -0600, ajtiM wrote:
> Hi!
>
> I am a new FreeBSD 7.0 beta3 user and I have a standalone computer connected to
> the internet (cable). I use both the console and the KDE desktop. I tried to set up
> a PF firewall for the standalone computer but I have a problem with internal
> messages (mail) which are blocked if the firewall is running.
> This is from /var/log/mail:
> "sm-msp-queue[15113]: lB493C1i007320: to=root, ctladdr=root (0/0),
> delay=1+21:37:55, xdelay=00:00:00, mailer=relay, pri=2552408,
> relay=[127.0.0.1], dsn=4.0.0, stat=Deferred: Operation not permitted"
>
> My pf.conf looks like:
>
> pass out quick inet from (sk0) to any keep state label "RULE 0 -- ACCEPT "
> block drop in quick inet all label "RULE 1 -- DROP "
> block drop out quick inet all label "RULE 1 -- DROP "
> block drop in quick inet all label "RULE 10000 -- DROP "
> block drop out quick inet all label "RULE 10000 -- DROP "

You're dropping all incoming traffic, also on the local interface! Try adding:

set skip on lo

Furthermore, your ruleset has duplicates, especially since you use the quick keyword.

Below is a commented example of a pf.conf for a workstation (mine :-)

-------------------- /etc/pf.conf ---------------------
# /etc/pf.conf

# Macros: define common values, so they can be referenced and changed easily.
ext_if = "rl0"
int_if = "rl1"

# Addresses that can't be routed externally.
# See http://www.rfc-editor.org/rfc/rfc3330.txt
# (10.0.0.138 is my router, so it should be reachable!)
table <unroutable> const { 0.0.0.0/8, 10.0.0.0/8, !10.0.0.138, 127.0.0.0/8, \
    169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 240.0.0.0/4 }

# Options: tune the behavior of pf.
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo

# Normalization: reassemble fragments etc.
scrub in all

# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
# The sysctl net.inet.ip.forwarding should be set for this to work.
# Alternatively, set gateway_enable="YES" in /etc/rc.conf.
nat pass on $ext_if inet from $int_if:network to any -> $ext_if

# Filtering
antispoof quick for $int_if

# Nobody gets in from the outside!
block in log quick on $ext_if all label "inblock"

# Block packets to unroutable addresses
block out log quick on $ext_if from any to <unroutable> label "unroutable"

# Block by default.
block out log on $ext_if all label "outblock"

# Internal "network" is trusted.
pass in on $int_if all

# Let outgoing traffic through, and keep state
# 'modulate state' only works with TCP!
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto udp all keep state

# Let pings through.
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
-------------------- /etc/pf.conf ---------------------

HTH,

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFHWXOQEnfvsMMhpyURAmiKAJ4oByyvD8C2AdPZkFTT9s2qFF2wIgCfbv+u
nHW/SmDgOZRUJQmOqjWWjOY=
=WmxZ
-----END PGP SIGNATURE-----
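The two defects Roland points out in the posted ruleset can be checked mechanically. The following is an added example, not code from either poster: a small pf.conf linter that reports (1) block rules with no `on <interface>` clause and an all/any address spec while `set skip on lo` is absent, which is what drops the sendmail connection to 127.0.0.1 and produces the `Operation not permitted` error; (2) rules that are identical once the `label` is ignored; and (3) rules that can never match because an earlier `quick` catch-all for the same direction and address family already terminated evaluation. It understands only the simple `pass`/`block` grammar seen on this page (no macro expansion, no anchors), and its sample input is constructed from the five rules in the question plus a corrected version that follows the advice in the reply.

```python
"""pf.conf linter for the problems discussed in the thread (added example).

Handles the pass/block rule subset seen in the posts; it does not expand
macros or follow anchors. Sample rulesets below are constructed from the
original question and the reply's advice."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the five rules from the question, verbatim.
POSTED_RULESET = """\
pass out quick inet from (sk0) to any keep state label "RULE 0 -- ACCEPT "
block drop in quick inet all label "RULE 1 -- DROP "
block drop out quick inet all label "RULE 1 -- DROP "
block drop in quick inet all label "RULE 10000 -- DROP "
block drop out quick inet all label "RULE 10000 -- DROP "
"""

# Constructed sample: same policy with 'set skip on lo' added and the
# duplicate rules removed, as the reply recommends.
FIXED_RULESET = """\
set skip on lo
pass out quick inet from (sk0) to any keep state label "RULE 0 -- ACCEPT "
block drop in quick inet all label "RULE 1 -- DROP "
block drop out quick inet all label "RULE 1 -- DROP "
"""

LABEL_RE = re.compile(r'\s+label\s+"[^"]*"')


def _has(word: str, rule: str) -> bool:
    """Whole-word test, so 'in' does not match 'inet'."""
    return re.search(rf'\b{word}\b', rule) is not None


def parse(text: str) -> Tuple[List[Dict], set]:
    """Return the filter rules (in order) and the set of interfaces named
    by 'set skip on ...'. Labels are stripped because they do not affect
    packet matching, only accounting."""
    rules, skipped = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'set\s+skip\s+on\s+(.+)', line)
        if m:
            skipped.update(re.findall(r'\w+', m.group(1)))  # 'lo' or '{ lo0 lo1 }'
            continue
        if not re.match(r'(pass|block)\b', line):
            continue  # macros, tables, other options: not filter rules
        norm = ' '.join(LABEL_RE.sub('', line).split())
        rules.append({
            'lineno': lineno,
            'text': norm,
            'action': norm.split()[0],
            'direction': 'in' if _has('in', norm) else 'out' if _has('out', norm) else 'any',
            'af': 'inet6' if _has('inet6', norm) else 'inet' if _has('inet', norm) else 'any',
            'quick': _has('quick', norm),
            # Without 'on <if>' the rule applies to every interface, lo0 included.
            'interface': re.search(r'\bon\s+\S+', norm) is not None,
            # 'all' or 'from any to any' matches every source and destination.
            'catch_all': _has('all', norm) or 'from any to any' in norm,
        })
    return rules, skipped


def lint(text: str) -> Dict[str, list]:
    rules, skipped = parse(text)
    out: Dict[str, list] = {'loopback': [], 'duplicate': [], 'unreachable': []}

    # 1. Loopback: if lo is not skipped, an interface-less catch-all block
    #    rule also drops 127.0.0.1 traffic (local mail delivery, X11, ...).
    if not any(i.startswith('lo') for i in skipped):
        out['loopback'] = [r['lineno'] for r in rules
                           if r['action'] == 'block' and not r['interface'] and r['catch_all']]

    # 2. Duplicates: identical rule text once the label is removed.
    first_seen: Dict[str, int] = {}
    for r in rules:
        if r['text'] in first_seen:
            out['duplicate'].append((r['lineno'], first_seen[r['text']]))
        else:
            first_seen[r['text']] = r['lineno']

    # 3. Unreachable: a 'quick' catch-all stops evaluation for its direction
    #    and address family, so every later rule it covers never matches.
    terminal: List[Dict] = []
    for r in rules:
        covered = any(t['direction'] in (r['direction'], 'any') and
                      t['af'] in (r['af'], 'any') for t in terminal)
        if covered:
            out['unreachable'].append(r['lineno'])
        elif r['quick'] and not r['interface'] and r['catch_all']:
            terminal.append(r)
    return out


if __name__ == '__main__':
    for name, conf in (('posted', POSTED_RULESET), ('fixed', FIXED_RULESET)):
        print(name, lint(conf))
```

On the posted ruleset the linter reports all four block rules as hitting loopback, lines 4 and 5 as duplicates of lines 2 and 3, and the same two lines as unreachable behind the earlier `quick` catch-alls; on the corrected ruleset it reports nothing. The real check after editing is still `pfctl -nf /etc/pf.conf` on the FreeBSD host, which parses the full grammar; this script only makes the two points from the reply visible without a pf-capable machine.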