From owner-freebsd-pf@FreeBSD.ORG Mon Dec  4 06:22:01 2006
Date: Mon, 4 Dec 2006 06:21:58 +0000
From: Daniel Bye <danielby@slightlystrange.org>
To: freebsd-pf@freebsd.org
Subject: Re: newbie to pf
Message-ID: <20061204062158.GA57910@catflap.slightlystrange.org>
In-Reply-To: <491ac4fb0612030325x2bbbb88br65ad4c3a2f4c8f43@mail.gmail.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"

On Sun, Dec 03, 2006 at 12:25:36PM +0100, Niklas Saers wrote:
> 
> I've been reading a bit and using examples I've found good, and so far
> my pf.conf looks like this. NAT seems to work fine for the internal
> network, not for the business network. Incoming traffic to 10.0.3.2
> does not work, neither does incoming to 10.0.2.2, and setting up an
> ssh connection between 10.0.2.2 and 10.0.3.2 takes about 26 seconds.
> Do you have any suggestions on how I can solve these problems? Are
> there any problems with this setup that I have not discovered yet?
> 
> # macros
> ext_if = "sis0"
> int_if = "sis1"
> bus_if = "sis2"
> internal_net = "10.0.2.0/24"
> business_net = "10.0.3.0/24"
> soekris = "{ 10.0.0.4, 10.0.2.1, 10.0.3.1 }"
> 
> # tables
> table <self> const { self }
> 
> # options
> set block-policy drop
> set state-policy if-bound
> 
> # scrub incoming packets
> scrub all reassemble tcp fragment reassemble
> 
> # nat
> nat on $ext_if from $internal_net to any -> ($ext_if)
> no nat on $ext_if from $internal_net to $business_net
> no nat on $ext_if from $internal_net to $soekris
> 
> # redirection
> rdr on $ext_if proto tcp from any to $ext_if port { 22, 443, 3306 } -> 10.0.3.2
> rdr on $ext_if proto tcp from any to $ext_if -> 10.0.2.2
> 
> # setup a default deny policy
> block drop log all
> 
> # pass traffic on the loopback interface in either direction
> pass quick on lo0 all
> pass quick on $int_if all
> pass quick on $bus_if all
> 
> # outgoing dns, ntp
> pass out quick on $ext_if inet proto udp from ($ext_if) to any port { 53, 123 } keep state
> 
> # outgoing from firewall
> pass out log quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
> pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
> 
> # incoming active ftp-data (this is required for active ftp to work)
> pass in log quick on $ext_if inet proto tcp from any port 20 to ($ext_if) port >= 1024 flags S/SA keep state
> 
> # incoming tcp and udp from the internal network to the internet
> pass in log quick on $int_if inet proto tcp from $internal_net to !<self> flags S/SA modulate state
> pass in log quick on $int_if inet proto udp from $internal_net to !<self> keep state

I'm also a pf n00b, so please don't regard this as expert opinion!

From reading the excellent documentation at the OpenBSD site, I think
you are missing a `pass' rule for your redirected traffic. You can either
add a `pass' keyword to the rdr rules (which will mean they don't get
filtered /at all/), or you can write dedicated `pass' rules for the
redirected traffic. Remember that the filtering engine will see the
redirected packets /after/ translation occurs, so take that into account
if you write dedicated rules.

As for your ssh problem - this may be related to a DNS timeout. Try
disabling DNS in ssh (by default, it will try to look up the name of a
remote host from its IP and check that it resolves back to the same
address). Alternatively, you can edit your /etc/hosts, or start running
a local name server.

Anyway, like I said - IANAE!

Dan

-- 
Daniel Bye
PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75 B79A 8B17 F97C 1622 166A
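The two ways of passing the redirected traffic that the reply describes, written out against the quoted pf.conf as an added example; this is not code from the original thread. It keeps the poster's interfaces and hosts (sis0 as $ext_if, 10.0.3.2 and 10.0.2.2 behind it) and the pre-4.x pf syntax the poster uses. The port list for 10.0.2.2 is a hypothetical placeholder: the original catch-all rdr sends every TCP port to that host, and a dedicated pass rule written for it would expose every listening service there, so the example narrows it.

```pf
# Added example, not from the original post. Filtering for the rdr'd
# traffic in the quoted pf.conf. Macros repeated here so the fragment
# reads on its own; 10.0.2.2's port list is a hypothetical placeholder.
ext_if         = "sis0"
business_ports = "{ 22, 443, 3306 }"
internal_ports = "{ 80 }"          # hypothetical: narrow the catch-all

# Option 1: "rdr pass". The redirected packets skip the filter ruleset
# entirely, so the "block drop log all" below never sees them and
# nothing is logged. Quick to test with, poor for a default-deny policy.
#rdr pass on $ext_if proto tcp from any to $ext_if port $business_ports -> 10.0.3.2

# Option 2 (preferred): plain rdr plus dedicated pass rules.
rdr on $ext_if proto tcp from any to $ext_if port $business_ports -> 10.0.3.2
rdr on $ext_if proto tcp from any to $ext_if port $internal_ports -> 10.0.2.2

block drop log all

# The filter sees the packet AFTER translation, so match on the
# internal destination, not on $ext_if. The ruleset uses
# "set state-policy if-bound": the state created here is bound to
# $ext_if and matches the replies that leave through $ext_if; the
# stateless "pass quick on $bus_if all" / "$int_if all" rules from the
# original config carry the packets across the inside interfaces.
pass in log quick on $ext_if inet proto tcp from any to 10.0.3.2 port $business_ports flags S/SA keep state
pass in log quick on $ext_if inet proto tcp from any to 10.0.2.2 port $internal_ports flags S/SA keep state
```

Check the ruleset with `pfctl -vnf /etc/pf.conf` before loading it, then confirm the loaded translation and filter rules with `pfctl -sn` and `pfctl -sr`; because the poster's block rule carries `log`, `tcpdump -n -e -ttt -i pflog0` shows each dropped packet with its post-translation destination, which is the quickest way to see whether a pass rule was written for the wrong address. For the slow ssh login, the reverse lookup the reply describes is done by the sshd on the host being connected to: `UseDNS no` in /etc/ssh/sshd_config on 10.0.3.2 (followed by an sshd restart) switches it off without touching /etc/hosts or running a resolver.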