From owner-freebsd-pf@FreeBSD.ORG Thu May 26 21:13:25 2005
From: "Edwin L. Culp" <eculp@encontacto.net>
To: pf@freebsd.org
Date: Thu, 26 May 2005 16:13:15 -0500
Subject: problem with dns on all and squid on some.
Message-ID: <20050526161315.4997ejvpxwswowsc@mail.encontacto.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

I am trying to learn to use pf. I basically took this from a home office example and made some modifications. That is probably the problem ;)

I have installed this on three different servers, and the only change from one to another is the int_if and ext_if values. The three servers are primary and secondary DNS for each other, and when all are running this configuration there is no DNS resolution. That is the first problem.

The second problem is that the redirect for squid initially worked for all three servers but now only works for one. The other two give an error in the squid.log:

1117043675.879 5 192.168.1.2 TCP_DENIED/400 1807 GET error:pf-open-failed - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid/2.5.STABLE10\r\nMime-Version: 1.0\r\nDate: Wed, 25 May 2005 17:54:35 GMT\r\nContent-Type: text/html\r\nContent-Length: 1509\r\nExpires: Wed, 25 May 2005 17:54:35 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]

The squid configurations are more or less identical also.

The following is my pf.conf file.

# macros
int_if = "rl1"
ext_if = "rl0"
tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"
icmp_types = "echoreq"
priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state

Thanks in advance for any and all suggestions. Hopefully, I'll learn something ;) and have a better firewall for it.

Thanks,
ed
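An added example for readers of the archive, not part of Edwin's post or his configuration: the only `pass in` rule for $ext_if in the posted pf.conf admits TCP to the listed ports, and `block all` is the default, so a UDP datagram to port 53 arriving on $ext_if matches no pass rule and is dropped. DNS lookups, including the ones the three servers send each other, travel over UDP first and use TCP only for truncated answers and zone transfers, which is consistent with resolution failing everywhere once all three hosts run this rule set. The fragment below places the posted TCP rule beside a UDP rule that admits those queries. The interface names and the `tcp_services` list are taken from the post; `udp_services` and the `dns_peers` addresses are constructed placeholders.

```pf
# Added example, not the original poster's configuration: UDP reachability
# for a name server that also runs pf. Interface names and the TCP list are
# from the post; udp_services and dns_peers are constructed for illustration.
int_if = "rl1"
ext_if = "rl0"
tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"
# 53 and 123 are UDP services: DNS queries use UDP first (TCP only for
# truncated answers and zone transfers), and NTP uses UDP only, so listing
# 123 in a TCP-only rule does nothing for NTP.
udp_services = "{ 53, 123 }"
dns_peers = "{ 198.51.100.10, 198.51.100.20 }"   # constructed: the other two servers

block all
pass quick on lo0 all

# As posted: reaches the listed ports over TCP only. With "block all" as the
# default, a UDP query to port 53 on $ext_if matches no pass rule and is dropped.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# Added: accept UDP to the services that use it. The first form suits a
# server that answers the Internet; use the second instead if only the
# peer servers should be able to query it.
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
# pass in on $ext_if inet proto udp from $dns_peers to ($ext_if) port $udp_services keep state

# Unchanged from the post: queries this host originates, and their replies,
# are already covered by these stateful rules.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

To confirm which rule is dropping the traffic before changing anything, make the default a logging block (`block log all`), check the file with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch the drops with `tcpdump -n -e -ttt -i pflog0 port 53` (the pflog interface has to be enabled). The Squid entry is a separate matter: `error:pf-open-failed` is the text Squid's pf transparent-proxy code produces when it cannot open /dev/pf to look up the redirected connection's original destination, so on the two failing servers the Squid process's access to /dev/pf is what to check, not the `rdr` rule.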