From: Robert Marella
Date: Sun, 08 May 2005 10:22:33 -1000
To: Fafa Hafiz Krantz
cc: questions@freebsd.org
Subject: Re: PF RULES! But mine doesn't ...
Message-ID: <427E7509.1020602@gmail.com>
In-Reply-To: <20050508102226.5380B4BEAD@ws1-1.us4.outblaze.com>
List-Id: User questions (freebsd-questions@freebsd.org)

Fafa Hafiz Krantz wrote:
> Hello.
>
> My ruleset is all twisted.
> Unless I disable the default deny policy, this is what happens:
>
> * My nameserver setup goes dysfunctional.
> * My web, mail and file server go dysfunctional.
> * I cannot SSH and FTP into certain servers.
> * I cannot ping my IP from the outside.
>
> Can anyone tell what's wrong?
> And maybe also how I can simplify my ruleset?
>
> int_if="ep0"
> ext_if="lnc0"
>
> # *** Options
> #
> set block-policy drop
>
> # *** Scrub incoming packets
> #
> scrub in all
>
> # *** NAT
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any \
>     port 21 -> 127.0.0.1 port 8021
>
> # *** Default deny policy
> #
> # block drop log all
>
> # *** Pass loopback traffic
> #
> pass quick on { lo0 $int_if }
>
> # *** Outgoing
> #
> pass out on $ext_if inet proto { tcp, udp, icmp } \
>     from ($ext_if) to any keep state
>
> # *** Bootstrap
> #
> pass out on $ext_if inet proto udp \
>     from any port 68 to any port 67 keep state
>
> # *** DNS and NTP
> #
> pass out on $ext_if inet proto udp \
>     from ($ext_if) to any port { 53, 123 } keep state
>
> # *** SSH, HTTP and Ident
> #
> pass in on $ext_if inet proto tcp \
>     from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state
>
> # *** Active FTP
> #
> pass in on $ext_if inet proto tcp \
>     from port 20 to ($ext_if) user proxy flags S/SA keep state
>
> Thank you so much.
> Keep in touch!
>
> --
>
> Fafa Hafiz Krantz
> Research Designer @ http://www.bleed.no
>

Perhaps you should check the archives. :)
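For reference, here is the quoted ruleset with the default deny left enabled and an explicit inbound pass rule for each service the poster lists as breaking. This is an added example, not the poster's ruleset and not part of the reply; it assumes the gateway itself serves DNS, SMTP, HTTP and FTP on $ext_if, and the passive FTP port range 49152:65535 is a placeholder to match the ftpd configuration.

```pf
int_if="ep0"
ext_if="lnc0"

# Services this host exposes on $ext_if (assumed; adjust to taste).
tcp_services="{ 21, 22, 25, 80, 113 }"   # ftp, ssh, smtp, http, ident
# Passive FTP data range; placeholder, must match ftpd's configured range.
ftp_pasv="49152:65535"

set block-policy drop
scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
# LAN clients' outgoing FTP is handed to ftp-proxy, as in the original.
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Default deny stays enabled: anything not passed below is dropped and logged.
block drop log all

pass quick on { lo0 $int_if }

# Traffic originated by the gateway; the state entry admits the replies,
# so no separate rules for outgoing DNS or NTP are needed.
pass out on $ext_if inet proto { tcp, udp, icmp } \
    from ($ext_if) to any keep state
pass out on $ext_if inet proto udp \
    from any port 68 to any port 67 keep state

# Inbound: state from outgoing rules never covers connections that start
# outside, so each exposed service needs its own narrow pass rule.
pass in on $ext_if inet proto tcp \
    from any to ($ext_if) port $tcp_services flags S/SA keep state
# A nameserver answers over UDP and TCP (large answers and zone transfers).
pass in on $ext_if inet proto { tcp, udp } \
    from any to ($ext_if) port 53 keep state
# Passive FTP data connections to the server's passive range.
pass in on $ext_if inet proto tcp \
    from any to ($ext_if) port $ftp_pasv flags S/SA keep state
# Active FTP data for ftp-proxy, as in the original.
pass in on $ext_if inet proto tcp \
    from port 20 to ($ext_if) user proxy flags S/SA keep state
# Echo requests only; other ICMP types remain under the default block.
pass in on $ext_if inet proto icmp \
    from any to ($ext_if) icmp-type echoreq keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` shows the rules currently loaded, so a ruleset can be checked before the default deny takes effect.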