From owner-freebsd-questions@FreeBSD.ORG Sun Mar 9 19:33:05 2008
Delivered-To: freebsd-questions@freebsd.org
Date: Sun, 9 Mar 2008 15:33:03 -0400
From: "Erik Wilson"
To: "Erik Norgaard"
Cc: freebsd-questions@freebsd.org
In-Reply-To: <47D4388A.2090604@locolomo.org>
References: <47D4388A.2090604@locolomo.org>
Subject: Re: Help with pf ruleset

On Sun, Mar 9, 2008 at 3:20 PM, Erik Norgaard wrote:
> Erik Wilson wrote:
> > I'm pulling my hair out here. I've been working on this for days without
> > any success.
> >
> > I've whittled the ruleset down to the barest possible rules and even that
> > doesn't work. I'm at my wit's end. I would really appreciate it if someone
> > could show me where I'm being a complete and total moron.
> >
> > Here's the situation. I have a somewhat unique environment. It consists of
> > 2 WANs, an internal LAN, and numerous VLANs (isolated clients, which need
> > to be accessible from the internet, but not to each other). This runs in a
> > VMware ESX server, but that's not really important.
> >
> > FreeBSD 7.0-RELEASE
> >
> > em0 = lan (10.0.0.x)
> > em2 = WAN1 (y.y.y.y) (dhcp)
> > em3 = WAN2 (x.x.x.x) (static /28 subnet)
> >
> > The default gateway is on nic2. nic3 will need to forward ip:ports to
> > various VLANs. nic2 is used for all outbound LAN traffic (internet). nic2
> > will need to failover to nic3 eventually, and nic3 will have to failover to
> > nic2 (for outbound, obviously no choice for inbound).
> >
> > So here's the problem. I can't even get nic2 or nic3 to respond to a ping
> > request from outside my network when pf is enabled. I know the interfaces
> > are set up correctly, as I can ping the default gateways of both interfaces.
> >
> > Also, outbound NAT works perfectly on WAN1.
> >
> > Here's my ruleset.
> >
> > lan_if="em0"
> > wan1_if="em2"
> > wan2_if="em3"
> > set block-policy return
> > set skip on lo0
> > nat on $wan1_if from $lan_if:network to any -> ($wan1_if)
> > block in log
> > pass out log keep state
> > pass in log inet proto icmp all icmp-type echoreq keep state
> > pass in log quick on $lan_if
> >
> > Looks simple enough, right? Why won't it work? All I want is to get a ping
> > from both of the firewall's WANs from outside the network.
> >
> > Any ideas?
>
> How about the log?

I'll post some log info as soon as I can bring down the network again to
do some testing.

> I know you have cut away a lot of rules, but maybe that just makes
> things more confusing. Try to nest your rules in the following order:
>
> direction - interface - protocol - src net - dst net - port/type
>
> You should need no "out" rules if you have "in" rules with keep state.
> At each branch level make a catchup rule at the end with default action
> and "quick" key word to make sure packets don't spill over and get
> matched by other rules.

Good advice, thanks. I'm afraid I've tried so many different options and
variations to get this to work that it's not as pretty as it should be. I
got some of these rules from various examples posted on the web, and
tweaked them into unrecognizability ;)

Do you think that Josh is right about needing a route-to rule for the
second WAN interface?

Since you're handing out best practices ;) Is it better to use a nat pass
or rdr pass rule than separate nat/rdr and pass statements? Why?

I think my biggest frustration is not finding a single place that is
detailed enough about things. I've read the book of pf, the man pages,
the handbooks, etc. They all give pieces of the puzzle. Maybe once I
master this I'll work on a "pf bible" ;)

> Hopefully this will help you pin down where things go wrong.
>
> Cheers, Erik

Cheers yourself Erik ;)
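As an added example (not from either Erik's mail), here is the poster's ruleset re-nested the way Norgaard describes (direction, interface, protocol, src, dst, port/type, with a quick catch-all closing each branch), plus a reply-to on the second WAN so replies to traffic arriving on em3 leave via em3's gateway instead of the default gateway on em2, which is the asymmetric-routing case the route-to suggestion is about. It keeps nat and pass separate because "nat pass" would let matching packets past the filter rules. wan2_gw is a placeholder, since the gateway of the static /28 is not given in the thread.

```pf
# Added example, not the poster's ruleset. Macros as in the thread;
# wan2_gw is a placeholder for the static /28's real gateway.
lan_if="em0"
wan1_if="em2"
wan2_if="em3"
wan2_gw="x.x.x.1"

set block-policy return
set skip on lo0

# Translation only. nat and filter stay separate so the pass rules below
# remain the sole decision about what is allowed through.
nat on $wan1_if from $lan_if:network to any -> ($wan1_if)

# Default deny in both directions, logged so pflog shows what was dropped.
block log all

# in on LAN: anything from the LAN network, stateful, then close the branch
pass in quick on $lan_if from $lan_if:network to any keep state
block in log quick on $lan_if

# in on WAN1: only echo requests to this box's own (dhcp) address, stateful;
# (em2) in parentheses tracks the address as dhcp changes it
pass in quick on $wan1_if inet proto icmp from any to ($wan1_if) \
    icmp-type echoreq keep state
block in log quick on $wan1_if

# in on WAN2: same, but reply-to pins the echo reply to WAN2's gateway so
# it does not follow the default route out em2 with em3's source address
pass in quick on $wan2_if reply-to ($wan2_if $wan2_gw) \
    inet proto icmp from any to ($wan2_if) icmp-type echoreq keep state
block in log quick on $wan2_if

# out: replies to the stateful "in" rules need no rule, but traffic the
# firewall itself originates (e.g. pinging its gateways) and the NATed LAN
# traffic leaving em2 still need to be passed and tracked
pass out quick on $wan1_if keep state
pass out quick on $wan2_if keep state
pass out quick on $lan_if keep state
```

Load with pfctl -nf to syntax-check before pfctl -f, and watch the dropped packets with tcpdump -n -e -ttt -i pflog0 when the ping still fails.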