From owner-freebsd-questions@FreeBSD.ORG Sun May 8 19:59:35 2005
Date: Sun, 8 May 2005 20:59:30 +0100 (BST)
From: Jan Grant
To: Fafa Hafiz Krantz
cc: questions@freebsd.org
Subject: Re: PF RULES! But mine doesn't ...
In-Reply-To: <20050508102226.5380B4BEAD@ws1-1.us4.outblaze.com>

On Sun, 8 May 2005, Fafa Hafiz Krantz wrote:

> Hello.
>
> My ruleset is all twisted.
> Unless I disable the default deny policy, this is what happens:
>
> * My nameserver setup goes dysfunctional.
> * My web, mail and fileserver go dysfunctional.
> * I cannot SSH and FTP into certain servers.
> * I cannot ping my IP from the outside.
>
> Can anyone tell what's wrong?
> And maybe also how I can simplify my ruleset?
It's a question of letting DNS traffic _in_ to your nameserver:

> int_if="ep0"
> ext_if="lnc0"
>
> # *** Options
> #
> set block-policy drop
>
> # *** Scrub incoming packets
> #
> scrub in all
>
> # *** NAT
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any \
>     port 21 -> 127.0.0.1 port 8021
>
> # *** Default deny policy
> #
> # block drop log all
>
> # *** Pass loopback traffic
> #
> pass quick on { lo0 $int_if }
>
> # *** Outgoing
> #
> pass out on $ext_if inet proto { tcp, udp, icmp } \
>     from ($ext_if) to any keep state
>
> # *** Bootstrap
> #
> pass out on $ext_if inet proto udp \
>     from any port 68 to any port 67 keep state
>
> # *** DNS and NTP
> #
> pass out on $ext_if inet proto udp \
>     from ($ext_if) to any port { 53, 123 } keep state
>
> # *** SSH, HTTP and Ident
> #
> pass in on $ext_if inet proto tcp \
>     from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state

pass in on $ext_if inet proto { tcp, udp } \
    from any to ($ext_if) port 53

^^^ that lets the traffic in....

pass out on $ext_if inet proto { tcp, udp } \
    from ($ext_if) port 53 to any

^^^ and that lets it back out.

If you add the "query-source address * port 53;" to your named.conf
"options" section, that'll suffice; additionally, since your DNS query
source port is then predictable, you can drop it from the DNS and NTP
rule.

> # *** Active FTP
> #
> pass in on $ext_if inet proto tcp \
>     from port 20 to ($ext_if) user proxy flags S/SA keep state

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44 (0)117 9287088 (with luck) http://ioctl.org/jan/
Usenet: The separation of content AND presentation - simultaneously.
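The diagnosis in the reply (a default-deny ruleset with no `pass in` rule for port 53 on the external interface) can be checked mechanically. The script below is an added example written for this archive page, not code from either poster or from the pf project: it parses a condensed copy of the quoted ruleset (with the default deny re-enabled, which is the state in which the symptoms appear), expands the `$int_if`/`$ext_if` macros, joins backslash-continued lines, and reports which of the services the poster says stop working have no inbound `pass in` rule on `$ext_if`. The service-to-port mapping (`EXPECTED_INBOUND`) and the condensed `RULESET` are assumptions made for the example; the second ruleset appends the two DNS lines from the reply and shows the DNS entries disappearing from the report.

```python
import re

# Constructed, condensed copy of the quoted ruleset with the default-deny
# line re-enabled (the state in which the poster sees the failures).
RULESET = r"""
int_if="ep0"
ext_if="lnc0"
set block-policy drop
scrub in all
nat on $ext_if from $int_if:network to any -> ($ext_if)
block drop log all
pass quick on { lo0 $int_if }
pass out on $ext_if inet proto { tcp, udp, icmp } \
    from ($ext_if) to any keep state
pass out on $ext_if inet proto udp \
    from ($ext_if) to any port { 53, 123 } keep state
pass in on $ext_if inet proto tcp \
    from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state
"""

# Same ruleset plus the two DNS lines suggested in the reply.
RULESET_WITH_DNS = RULESET + r"""
pass in on $ext_if inet proto { tcp, udp } \
    from any to ($ext_if) port 53
pass out on $ext_if inet proto { tcp, udp } \
    from ($ext_if) port 53 to any
"""

# Assumed mapping of the services the poster reports as broken to
# (proto, destination port).  A port of "any" means a port-less rule
# is required (ICMP has no ports).
EXPECTED_INBOUND = {
    ("udp", 53): "dns",
    ("tcp", 53): "dns-tcp",
    ("tcp", 25): "smtp",
    ("tcp", 80): "http",
    ("tcp", 22): "ssh",
    ("icmp", "any"): "icmp-echo",
}


def logical_lines(text):
    """Strip comments and blank lines; join backslash-continued lines
    into one whitespace-normalised logical rule."""
    out, pending = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        out.append(" ".join((pending + line).split()))
        pending = ""
    return out


def split_list(token):
    """'{ 22, 80, 113 }' -> ['22', '80', '113']; '53' -> ['53']."""
    return [t for t in re.split(r"[{},\s]+", token) if t]


def inbound_admitted(ruleset):
    """Return the set of (proto, dst_port) that some 'pass in' rule on
    the external interface admits.  dst_port is an int, or 'any' when
    the rule names no destination port."""
    macros, admitted = {}, set()
    for line in logical_lines(ruleset):
        m = re.match(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:                                    # macro definition
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)",
                      lambda x: macros.get(x.group(1), x.group(0)), line)
        ext_if = macros.get("ext_if", "")
        if not line.startswith("pass in") or f" on {ext_if} " not in line:
            continue
        pm = re.search(r"\bproto\s+(\{[^}]*\}|\w+)", line)
        protos = split_list(pm.group(1)) if pm else ["any"]
        # destination ports live in the "to <host> port <list>" clause
        dm = re.search(r"\bto\s+\S+\s+port\s+(\{[^}]*\}|\S+)", line)
        ports = split_list(dm.group(1)) if dm else ["any"]
        for proto in protos:
            for port in ports:
                admitted.add((proto, int(port) if port.isdigit() else port))
    return admitted


def missing_inbound(ruleset, expected=EXPECTED_INBOUND):
    """Services from `expected` that no inbound rule on ext_if admits."""
    admitted = inbound_admitted(ruleset)

    def covered(proto, port):
        return any(p in (proto, "any") and q in (port, "any")
                   for p, q in admitted)

    return {name: key for key, name in expected.items() if not covered(*key)}


if __name__ == "__main__":
    for label, rules in (("as posted", RULESET),
                         ("with DNS rules", RULESET_WITH_DNS)):
        print(f"{label}: no inbound pass rule for",
              sorted(missing_inbound(rules)))
```

Run stand-alone it lists `dns`, `dns-tcp`, `smtp` and `icmp-echo` for the posted ruleset and only `smtp` and `icmp-echo` once the reply's DNS lines are appended, which matches the symptom list: with `block drop log all` in force, anything not explicitly passed in on `lnc0` is dropped, so each missing service is a missing `pass in` rule rather than a problem with the service itself. The parser handles only the rule shapes that appear in the thread (macros, `{ }` lists, backslash continuation) and is a reading aid, not a substitute for `pfctl -nf` on the real file.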