Date: Mon, 4 Dec 2006 06:21:58 +0000
From: Daniel Bye <freebsd-questions@slightlystrange.org>
To: freebsd-pf@freebsd.org
Subject: Re: newbie to pf
Message-ID: <20061204062158.GA57910@catflap.slightlystrange.org>
In-Reply-To: <491ac4fb0612030325x2bbbb88br65ad4c3a2f4c8f43@mail.gmail.com>
References: <491ac4fb0612030325x2bbbb88br65ad4c3a2f4c8f43@mail.gmail.com>
On Sun, Dec 03, 2006 at 12:25:36PM +0100, Niklas Saers wrote:
>
> I've been reading a bit and using examples I've found good, and so far
> my pf.conf looks like this. NAT seems to work fine for the internal
> network, not for the business network. Incoming traffic to 10.0.3.2
> does not work, neither does incoming to 10.0.2.2, and setting up an
> ssh connection between 10.0.2.2 and 10.0.3.2 takes about 26 seconds.
> Do you have any suggestions on how I can solve these problems? Are
> there any problems with this setup that I have not discovered yet?
>
> # macros
> ext_if = "sis0"
> int_if = "sis1"
> bus_if = "sis2"
> internal_net = "10.0.2.0/24"
> business_net = "10.0.3.0/24"
> soekris = "{ 10.0.0.4, 10.0.2.1, 10.0.3.1 }"
>
> # tables
> table <firewall> const { self }
>
> # options
> set block-policy drop
> set state-policy if-bound
>
> # scrub incoming packets
> scrub all reassemble tcp fragment reassemble
>
> # nat
> nat on $ext_if from $internal_net to any -> ($ext_if)
> no nat on $ext_if from $internal_net to $business_net
> no nat on $ext_if from $internal_net to $soekris
>
> # redirection
> rdr on $ext_if proto tcp from any to $ext_if port { 22, 443, 3306 } -> 10.0.3.2
> rdr on $ext_if proto tcp from any to $ext_if -> 10.0.2.2
>
> # setup a default deny policy
> block drop log all
>
> # pass traffic on the loopback interface in either direction
> pass quick on lo0 all
> pass quick on $int_if all
> pass quick on $bus_if all
>
> # outgoing dns, ntp
> pass out quick on $ext_if inet proto udp from ($ext_if) to any port { 53, 123 } keep state
>
> # outgoing from firewall
> pass out log quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
> pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
>
> # incoming active ftp-data (this is required for active ftp to work)
> pass in log quick on $ext_if inet proto tcp from any port 20 to ($ext_if) port >= 1024 flags S/SA keep state
>
> # incoming tcp and udp from the internal network to the internet
> pass in log quick on $int_if inet proto tcp from $internal_net to !<firewall> flags S/SA modulate state
> pass in log quick on $int_if inet proto udp from $internal_net to !<firewall> keep state

<disclaimer>I'm also a pf n00b, so please don't regard this as expert opinion!</disclaimer>

From reading the excellent documentation at the OpenBSD site, I think
you are missing a `pass' rule for your redirected traffic. You can
either add a `pass' keyword to the rdr rules (which will mean they
don't get filtered /at all/), or you can write dedicated `pass' rules
for the redirected traffic. Remember that the filtering engine will
see the redirected packets /after/ translation occurs, so take that
into account if you write dedicated rules.

As for your ssh problem - this may be related to a DNS timeout. Try
disabling DNS in ssh (by default, it will try to look up the name of a
remote host from its IP and check that it resolves back to the same
address). Alternatively, you can edit your /etc/hosts, or start
running a local name server.

Anyway, like I said - IANAE!

Dan

-- 
Daniel Bye
PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
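The two ways of passing redirected traffic that the reply describes, written out as a pf.conf fragment. This is an added example, not part of either message in the thread; it reuses the poster's interface names, networks and redirect targets (10.0.3.2 for ports 22, 443 and 3306, 10.0.2.2 for everything else) and otherwise assumes the same ruleset as above. The point it illustrates is that `rdr' rewrites the destination before the filter runs, so a dedicated `pass in' rule on $ext_if has to match the translated destination (the inside host), not $ext_if itself.

```pf
# Added example (not from the original post). Macros follow the
# poster's pf.conf; business_host/internal_host are the rdr targets
# from the post, named here for readability.
ext_if = "sis0"
int_if = "sis1"
bus_if = "sis2"
internal_net = "10.0.2.0/24"
business_net = "10.0.3.0/24"

business_host  = "10.0.3.2"
internal_host  = "10.0.2.2"
business_ports = "{ 22, 443, 3306 }"

set block-policy drop
set state-policy if-bound

# Translation runs first: an inbound packet for $ext_if:443 reaches the
# filter already rewritten to 10.0.3.2:443.  First matching rdr wins,
# so the port-specific rule must come before the catch-all.
rdr on $ext_if proto tcp from any to $ext_if port $business_ports -> $business_host
rdr on $ext_if proto tcp from any to $ext_if -> $internal_host

block drop log all

pass quick on lo0 all
pass quick on $int_if all
pass quick on $bus_if all

# Option 1: dedicated pass rules for the redirected traffic.
# Match the post-translation destination, i.e. the inside host.
# With state-policy if-bound the state is bound to $ext_if, where it
# is created; the server's reply leaves on $ext_if and matches it,
# while its trip across $bus_if / $int_if is covered by the stateless
# "pass quick" rules above.
pass in log quick on $ext_if inet proto tcp from any \
    to $business_host port $business_ports flags S/SA keep state
pass in log quick on $ext_if inet proto tcp from any \
    to $internal_host flags S/SA keep state

# Option 2 (instead of the two pass rules above): let the rdr rules
# pass the packet themselves.  Packets matched this way skip the
# filter entirely, so no flags S/SA or state checks apply to them.
# rdr pass on $ext_if proto tcp from any to $ext_if port $business_ports -> $business_host
# rdr pass on $ext_if proto tcp from any to $ext_if -> $internal_host
```

A quick way to confirm which destination the filter sees is `pfctl -vvsr` (rule hit counters) together with `tcpdump -n -e -ttt -i pflog0` on the logged `block drop log all` rule: a blocked, redirected connection shows up there with the inside host's address as destination, which is what the dedicated `pass in' rule has to match.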