From: "Isaac Grover" <isaac.grover@gmail.com>
To: freebsd-pf@freebsd.org
Date: Fri, 8 Dec 2006 08:39:29 -0600
Subject: Help with issue

Good morning from Wisconsin,

I have a wireless network set up as such: the gateway/proxy/firewall is a FreeBSD 6.1 box running pf and squid with three NICs (xl0 isn't used yet), xl2 connects to the outside world, xl1 connects to the wireless access point, and my laptop (192.168.100.X) should have unrestricted access to everything while all other wireless clients are restricted to tcp_services and udp_services.

I built this pf.conf from the ground up using Peter's PF tutorial at http://home.nuug.no/~peter/pf/ , and I'm sure it's not a fault of Peter's fine tutorial, but that my understanding of how traffic flows through pf is somewhat lacking. I can ping from my WinXP laptop to the FreeBSD box and to the outside world, but I am not able to use any tcp or udp services. The rules involving tcp_services and udp_services seem to be correct; however, I am suspecting that the table isn't defined correctly, but I can't stay connected long enough to see where the problem is, as pfctl -f pf.conf resets my ssh connection.

Could a more experienced person take a look at what I have below and point out any problems? Thanks in advance.

---8<---
ext_if="xl2"
ext_net=$ext_if:network
wireless_if="xl1"
wireless_if_addr="192.168.100.1"
wireless_net=$wireless_if:network
my_laptop="192.168.100.X"

# The table name was lost when the angle brackets were stripped from the
# archived message; <restricted> is assumed here and used consistently below.
table <restricted> { $wireless_net, !$my_laptop }

tcp_services="{ ssh, domain, smtp, pop3, auth, https }"
udp_services="{ domain, ntp }"
icmp_types="echoreq"

set block-policy return

nat on $ext_if from <restricted> to any port $tcp_services -> ($ext_if)
nat on $ext_if from $my_laptop to any -> ($ext_if)
rdr on $wireless_if inet proto tcp from $wireless_net to any port 80 -> $wireless_if_addr port 3080

block all

# "keep state state" in the original is a typo pfctl rejects; read as "keep state".
pass in on $wireless_if inet proto tcp from $wireless_net to $wireless_if_addr port 3080 keep state
pass out on $ext_if inet proto tcp from $wireless_net to any port 3080 keep state
pass out on $ext_if inet proto tcp from <restricted> to any port $tcp_services keep state
pass out on $ext_if inet proto tcp from $my_laptop to any keep state
pass out on $ext_if inet proto udp from $wireless_net to any port $udp_services keep state
pass inet proto icmp from any to any
---8<---

-- 
Isaac Grover, Owner
Quality Computer Services of River Falls, Wisconsin
Affordable I. T. Consulting, Web Design, and Web Hosting.
Commercial and Residential Inquiries Welcomed.
Web: http://www.qcs-rf.com
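The ruleset above fails for two reasons that the flow of a packet through pf makes visible. First, `block all` is the only rule that applies to packets arriving on $wireless_if, apart from the single `pass in` for the squid port; a client's DNS query or ssh connection is therefore dropped on entry and never reaches the `pass out on $ext_if` rules at all. Second, translation rules are evaluated before filter rules, so by the time a forwarded packet is matched against `pass out on $ext_if ... from $wireless_net`, its source address has already been rewritten to the xl2 address and the rule cannot match. The practical consequence is that per-client policy (laptop versus everyone else) has to be enforced on the inside interface, where the original source addresses are still visible, and the outside interface only needs to let the already-admitted traffic leave. ICMP works only because its pass rule has no interface or direction.

The following pf.conf is an added, rewritten version that applies that principle; it is not the original poster's file or Peter's tutorial. It assumes the table name `<restricted>` (the real name was lost in the archive), keeps the poster's `192.168.100.X` placeholder, which must be replaced with the laptop's real address before pfctl will parse the file, and adds one explicit rule so an ssh session from the laptop to the firewall itself survives a reload.

```pf
# Added example: rewritten pf.conf for FreeBSD 6.1-era pf (nat/rdr syntax, keep state).
# Assumptions: table name <restricted>; 192.168.100.X must be replaced with the
# laptop's real address; the admin ssh rule is an addition, not in the original.
ext_if="xl2"
wireless_if="xl1"
wireless_if_addr="192.168.100.1"
wireless_net=$wireless_if:network
my_laptop="192.168.100.X"

# Everyone on the wireless segment except the laptop.
table <restricted> { $wireless_net, !$my_laptop }

tcp_services="{ ssh, domain, smtp, pop3, auth, https }"
udp_services="{ domain, ntp }"
icmp_types="echoreq"

set block-policy return
set skip on lo0

scrub in all

# NAT everything that leaves on the outside interface. Who may leave is decided
# by the filter rules on $wireless_if, not here: after this rule runs, filter
# rules on $ext_if see the translated source address, not 192.168.100.x.
nat on $ext_if from $wireless_net to any -> ($ext_if)

# Transparent proxy: web traffic from wireless clients goes to squid on 3080.
# The filter rule below sees the packet after redirection, i.e. to :3080.
rdr on $wireless_if inet proto tcp from $wireless_net to any port 80 -> $wireless_if_addr port 3080

# Log what is blocked so pflog0 shows which rule is missing.
block log all

# The firewall itself may originate traffic (squid's outbound fetches, DNS, ntp).
pass out on $ext_if keep state

# Keep the admin session: ssh from the laptop to the firewall's own address.
pass in on $wireless_if inet proto tcp from $my_laptop to $wireless_if_addr port ssh keep state

# Laptop: unrestricted. Source addresses on $wireless_if are still the real ones.
pass in on $wireless_if from $my_laptop to any keep state

# All other wireless clients: the proxy port plus the listed services only.
pass in on $wireless_if inet proto tcp from <restricted> to $wireless_if_addr port 3080 keep state
pass in on $wireless_if inet proto tcp from <restricted> to any port $tcp_services keep state
pass in on $wireless_if inet proto udp from <restricted> to any port $udp_services keep state

# Allow ping in both directions; the state entry lets the reply back in.
pass inet proto icmp all icmp-type $icmp_types keep state
```

Before loading, parse without installing: `pfctl -nf /etc/pf.conf` catches syntax slips such as a doubled `keep state`, and `pfctl -vnf /etc/pf.conf` prints the expanded rules so the macro and list expansion can be read. After loading, `pfctl -t restricted -T show` lists what the table actually contains (the laptop address should be absent), `pfctl -ss` shows the state table, and with `pflog_enable="YES"` in rc.conf, `tcpdump -n -e -ttt -i pflog0` shows every packet hit by `block log all` together with the rule number. When reloading over ssh, start a delayed fallback first, for example `sleep 120 && pfctl -d &` in a second shell, so a mistake disables pf rather than locking the session out for good.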