From owner-freebsd-questions@FreeBSD.ORG Thu Mar 6 14:19:21 2008
From: "Alaor Barroso de Carvalho Neto" <alaorneto@gmail.com>
To: freebsd-questions@freebsd.org
Date: Thu, 6 Mar 2008 10:54:30 -0300
Subject: Please help me with my PF config
Message-ID: <2949641c0803060554q2ecba5e7g7920bf0b252277c9@mail.gmail.com>
Hi guys, let me explain what I have. I work in a school; we have access to the internet, two internal networks (academic and administrative), and we have to connect to some servers in another school because we share databases and do video-conferencing. I have a FreeBSD box with PF and squid. I want all my web traffic to pass through the squid; it's working. I want the academic net not to be able to communicate with the administrative net, and the inverse; it's working. But I would like my adm net to communicate with some servers in the other school's network, and only those servers, no other IP would be accessible; it's NOT working. I can ping the servers but I can't connect to the service ports (SQL Server, and so on). Here's my pf.conf:

BEGIN OF CONFIG

# interfaces
ext_if="em0"
adm_if="xl0"
acad_if="xl1"
cefet_if="xl2"
all_if="{ em0, xl0, xl1, xl2 }"

# networks and hosts
ext_net="XXX.XXX.XXX.XXX/XX"
adm_net="192.168.1.0/24"
acad_net="192.168.2.0/24"
cefet_net="10.10.0.0/16"
cefet_servers="{ 10.10.0.10, 10.10.0.15, 10.10.0.213 }"
internal_nets="{ 192.168.1.0/24, 192.168.2.0/24 }"

# services and address lists
tcp_services="{ ssh, smtp, domain, http, https, ftp, ftp-data, nntp, pop3, pop3s, auth, 3128 }"
udp_services="{ domain, ntp }"
proxy_ports="{ 80, 8000, 8080, 3128 }"
martians="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

# options and normalization
set block-policy return
scrub in all

# translation
nat on $ext_if from $internal_nets to any -> ($ext_if)
nat on $cefet_if from $adm_net to any -> ($cefet_if)
rdr on $all_if proto tcp from any to any port $proxy_ports -> 127.0.0.1 port 3128

# filtering
block all
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop quick from $acad_net to $adm_net
block drop quick from $adm_net to $acad_net
pass quick proto icmp from any to any keep state
pass quick from $adm_net to $cefet_servers keep state
pass quick from $cefet_servers to $adm_net keep state
block quick from any to $cefet_net
block quick from $cefet_net to any
pass proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state
antispoof for $all_if

END OF CONFIG

cefet_net is the network of the other school, and cefet_servers are the servers I want to communicate with. I want all ports and protocols to these servers, but it's not working. I need a light, guys.

Thanks, and sorry for my poor English.

Alaor Neto
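As an added example (not part of the original post, and not a fix for the poster's ruleset), the script below is a small lint for the macro layer of a pf.conf: it parses `name="value"` macros, flags stray text after a closing quote (the mail shows an extra `}"` on the tcp_services line, which pfctl would reject), flags unbalanced braces and undefined `$macro` references, expands the macros in each rule, and lists the `quick` rules, which are the ones that decide a packet's fate on first match. The sample configuration is constructed here from a subset of the post's macros and rules; `$dmz_net` is a hypothetical undefined macro added to exercise the check. On a real FreeBSD box the authoritative parse check is `pfctl -nf /etc/pf.conf`; this script only helps narrow down which line to look at.

```python
import re

# name="value", with anything after the closing quote captured as trailing junk
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"(.*)$')
REF_RE = re.compile(r'\$(\w+)')
RULE_START = ("set", "scrub", "nat", "rdr", "binat", "block", "pass",
              "antispoof", "table", "anchor", "load", "altq", "queue")

# Constructed sample (not the poster's file verbatim): a cut-down copy of the
# macros and rules from the post, keeping the stray `}"` after tcp_services
# exactly as the mail shows it, plus one reference to an undefined macro
# ($dmz_net, hypothetical) so the second check has something to report.
SAMPLE_CONF = """\
ext_if="em0"
adm_net="192.168.1.0/24"
cefet_servers="{ 10.10.0.10, 10.10.0.15, 10.10.0.213 }"
tcp_services="{ ssh, smtp, domain, http, https, 3128 }" }"
udp_services="{ domain, ntp }"
set block-policy return
scrub in all
nat on $ext_if from $adm_net to any -> ($ext_if)
block all
pass quick from $adm_net to $cefet_servers keep state
pass proto tcp to any port $tcp_services keep state
pass proto udp to $dmz_net port $udp_services keep state
"""


def lint_pf_conf(text):
    """Parse macros, expand $refs in rules and collect findings.

    Returns (macros, rules, findings): macros maps name -> value, rules is a
    list of (lineno, expanded_rule) and findings is a list of (lineno, message).
    """
    macros, rules, findings = {}, [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            name, value, trailing = m.groups()
            if trailing.strip():
                findings.append((lineno, f"macro {name}: stray text after closing quote: {trailing.strip()!r}"))
            if value.count("{") != value.count("}"):
                findings.append((lineno, f"macro {name}: unbalanced braces in {value!r}"))
            if name in macros:
                findings.append((lineno, f"macro {name}: redefined"))
            macros[name] = value
            continue
        if not line.startswith(RULE_START):
            findings.append((lineno, f"unrecognised line: {line!r}"))
            continue

        def expand(match):
            # Substitute a known macro; report an unknown one and leave it as is.
            ref = match.group(1)
            if ref not in macros:
                findings.append((lineno, f"undefined macro ${ref}"))
                return match.group(0)
            return macros[ref]

        rules.append((lineno, REF_RE.sub(expand, line)))
    return macros, rules, findings


def quick_rules(rules):
    """Return the expanded rules that carry `quick`, in file order.

    PF is last-match-wins unless a rule says quick, so these rules settle the
    verdict for any packet they match before later rules are considered.
    """
    return [r for _, r in rules if re.search(r"\bquick\b", r)]


if __name__ == "__main__":
    macros, rules, findings = lint_pf_conf(SAMPLE_CONF)
    for lineno, msg in findings:
        print(f"line {lineno}: {msg}")
    print("quick rules:")
    for r in quick_rules(rules):
        print("  " + r)
```

Running it on the constructed sample reports the stray `}"` on line 4 and the undefined `$dmz_net` on line 12, and shows the one `quick` rule with its macros expanded, which is a convenient way to read a ruleset the way PF will actually evaluate it.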