Date: Fri, 8 Dec 2006 08:39:29 -0600
From: "Isaac Grover" <isaac.grover@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Help with <other_clients> issue
Message-ID: <bf7af5e50612080639p76f4a530x20d70677cac434fd@mail.gmail.com>
Good morning from Wisconsin,

I have a wireless network set up as such: the gateway/proxy/firewall is a FreeBSD 6.1 box running pf and squid with three NICs (xl0 isn't used yet); xl2 connects to the outside world, xl1 connects to the wireless access point, and my laptop (192.168.100.X) should have unrestricted access to everything while all other wireless clients are restricted to tcp_services and udp_services.

I built this pf.conf from the ground up using Peter's PF tutorial at http://home.nuug.no/~peter/pf/ . I'm sure it's not a fault of Peter's fine tutorial, but that my understanding of how traffic flows through pf is somewhat lacking. I can ping from my WinXP laptop to the FreeBSD box and to the outside world, but I am not able to use any tcp or udp services. The rules involving tcp_services and udp_services seem to be correct; however, I suspect that the table <other_clients> isn't defined correctly, but I can't stay connected long enough to see where the problem is, as pfctl -f pf.conf resets my ssh connection. Could a more experienced person take a look at what I have below and point out any problems?

Thanks in advance.
---8<---
# interfaces and networks
ext_if="xl2"
ext_net=$ext_if:network
wireless_if="xl1"
wireless_if_addr="192.168.100.1"
wireless_net=$wireless_if:network
my_laptop="192.168.100.X"

# every wireless host except the laptop
table <other_clients> { $wireless_net, !$my_laptop }

tcp_services="{ ssh, domain, smtp, pop3, auth, https }"
udp_services="{ domain, ntp }"
icmp_types="echoreq"

set block-policy return

# translation
nat on $ext_if from <other_clients> to any port $tcp_services -> ($ext_if)
nat on $ext_if from $my_laptop to any -> ($ext_if)
# transparent proxy: wireless web traffic goes to squid on port 3080
rdr on $wireless_if inet proto tcp from $wireless_net to any port 80 -> $wireless_if_addr port 3080

# filtering
block all
pass in on $wireless_if inet proto tcp from $wireless_net to $wireless_if_addr port 3080 keep state
pass out on $ext_if inet proto tcp from $wireless_net to any port 3080 keep state
pass out on $ext_if inet proto tcp from <other_clients> to any port $tcp_services keep state
pass out on $ext_if inet proto tcp from $my_laptop to any keep state
pass out on $ext_if inet proto udp from $wireless_net to any port $udp_services keep state
pass inet proto icmp from any to any
---8<---

-- 
Isaac Grover, Owner
Quality Computer Services of River Falls, Wisconsin
Affordable I. T. Consulting, Web Design, and Web Hosting.
Commercial and Residential Inquiries Welcomed.
Web: http://www.qcs-rf.com
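Editor's note on the ruleset above. pf filters a forwarded packet on every interface it crosses: a packet from a wireless client to the Internet is evaluated once "in" on xl1 and once "out" on xl2, and `block all` drops it at the first step unless a `pass in on $wireless_if` rule admits it. The posted file has such a rule only for the squid port 3080; ICMP is the one protocol passed in every direction, which is exactly the pattern of ping working while tcp and udp do not. A second detail matters for the `pass out` rules: translation is applied before filtering, so on xl2 the filter already sees the source address rewritten to xl2's, and a `pass out on $ext_if from $wireless_net` rule never matches. The ruleset below is an added example, not the poster's file or anything from the thread; interface names, the 192.168.100.0 range and squid's port 3080 are taken from the post, and the rule layout, `set skip on lo0` and the use of the `$icmp_types` macro are this example's own choices.

```pf
# Added example, not the poster's ruleset.  Interface names, the wireless
# range and squid's port 3080 come from the post; the rest are choices made
# for this example.
ext_if="xl2"
wireless_if="xl1"
wireless_if_addr="192.168.100.1"
wireless_net=$wireless_if:network
my_laptop="192.168.100.X"        # placeholder, as in the post

table <other_clients> { $wireless_net, !$my_laptop }

tcp_services="{ ssh, domain, smtp, pop3, auth, https }"
udp_services="{ domain, ntp }"
icmp_types="echoreq"

set block-policy return
set skip on lo0

# Translation.  Access control is enforced on the inbound side below, so
# the nat rule can cover the whole wireless net.  Translation happens
# before filtering: a "pass out on $ext_if from $wireless_net" rule would
# never match, because by then the source address is already $ext_if's.
nat on $ext_if from $wireless_net to any -> ($ext_if)
rdr on $wireless_if inet proto tcp from $wireless_net to any port 80 -> $wireless_if_addr port 3080

block all

# Inbound on xl1.  A forwarded packet is filtered "in" on xl1 and again
# "out" on xl2; "block all" stops it at the first step unless a rule here
# passes it.  The posted ruleset only did this for port 3080.
pass in on $wireless_if inet proto tcp from $wireless_net to $wireless_if_addr port 3080 keep state
pass in on $wireless_if inet proto { tcp, udp } from $my_laptop to any keep state
pass in on $wireless_if inet proto tcp from <other_clients> to any port $tcp_services keep state
pass in on $wireless_if inet proto udp from <other_clients> to any port $udp_services keep state

# Outbound on xl2: everything reaching this point was either admitted on
# xl1 (and now carries xl2's address) or originates on the gateway itself,
# which squid needs in order to fetch pages and resolve names.
pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any keep state

# Echo requests only; replies ride on the state entry.
pass inet proto icmp all icmp-type $icmp_types keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without changing the running ruleset, which avoids losing the ssh session to a typo. Once loaded, `pfctl -t other_clients -T show` prints the table as pf expanded it, including the negated laptop entry, which answers the question of whether the table is defined correctly without having to infer it from blocked traffic.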
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bf7af5e50612080639p76f4a530x20d70677cac434fd>