Date:      Mon, 27 Sep 2010 12:40:41 +0100
From:      krad <kraduk@gmail.com>
To:        jhell <jhell@dataix.net>
Cc:        freebsd-hackers@freebsd.org, Samuel Martín Moro <faust64@gmail.com>, freebsd-questions@freebsd.org
Subject:   Re: pf
Message-ID:  <AANLkTi=3EhWK=zXTn-kgj3XQPhKQHH4QnB4TWK9Li_8n@mail.gmail.com>
In-Reply-To: <4C9FB0D2.1010205@DataIX.net>
References:  <AANLkTingNA5V4b9UdE_Yotqtuy1RMx190phMzn5UrMdi@mail.gmail.com> <i7ni0m$ids$1@dough.gmane.org> <AANLkTi=SoHHrFGiBrtdGmPqd5Go3qSzL=SogHRPXmZB-@mail.gmail.com> <4C9FB0D2.1010205@DataIX.net>

On 26 September 2010 21:45, jhell <jhell@dataix.net> wrote:

> This is more for questions@ or pf@
>
> On 09/26/2010 11:43, Samuel Martín Moro wrote:
> > On Sun, Sep 26, 2010 at 3:34 PM, Michael Powell <nightrecon@hotmail.com
> >wrote:
> >
> >> Samuel Martín Moro wrote:
> >>
> >>> Hello,
> >>>
> >>>
> >>> I'm trying to set up pf on my soon-to-be new gateway (8.1-RELEASE
> amd64).
> >>> I used the sample configuration file available on
> >>> calomel<https://calomel.org/pf_config.html>;
> >>> After a few tests, it appears that the gate has full access to the
> >>> internet, but I can't open connections from clients to distant servers
> >>> (web, ssh, ...).
> >>> Checking pflog log file, I can't see anything about those timeouts,
> even
> >>> if I added the log directive in every block/pass command.
> >>> Everything else seems to work, I can talk with my DNS from the
> internet,
> >>> ssh redirections to another pc also seem to work.
> >>> I just can't access the Internet from a client of my network...
> >>>
> >>> For debugging, I commented out the options and the 'block all in/out'
> >>> directives.
> >>>
> >>> Here's my config file http://pastebin.com/Nim2zBCx
> >>>
> >>> Is there someone understanding what I'm doing wrong?
> >>>
> >> The firewall ruleset is a trifle overly complex for a quick glance;
> study
> >> and analysis would take some doing. However, if you can reach the
> internet
> >> from the firewall box and other client computers behind your NAT can't
> >> (which is what it sounds like you're describing) it may be just that you
> >> are
> >> missing gateway_enable="YES" in your /etc/rc.conf.
> >>
> >> Turning this "ON" makes your firewall box into a router. The status of
> this
> >> can be checked with: sysctl net.inet.ip.forwarding  - a "0" means no
> >> gateway
> >> and a "1" means gateway.
> >>
> >> -Mike
> >>
> >>
> >>
> >> _______________________________________________
> >> freebsd-questions@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to "
> >> freebsd-questions-unsubscribe@freebsd.org"
> >>
> >
> > the gateway is already enabled (and forwarding is correctly set)
> > whatever, I had to do quick, I started again
> > I think the missing thing on my old conf was the 'scrub' (at least)
> > I made a more simple configuration, as following:
> >
> > ext_if="bge0"
> > int_if="bge1"
> > localnet = $int_if:network
> > emma="10.242.42.200"
> > alpha="10.42.42.42"
> > delta="10.42.42.44"
> > set skip on lo0
> > scrub in on $ext_if all fragment reassemble
> > #INTERNETZ
> > nat         on $ext_if from $localnet to any -> ($ext_if)
> > #EMMA
> > rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1101 ->
> > $emma port 22
> > rdr         on $ext_if inet proto tcp from any to ($ext_if) port 307 ->
> > $emma port 80
> > #WHAT.CD
> > rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1666 ->
> > $alpha port 1666
> > #REMOTE ADM
> > rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1667 ->
> > $delta port 22
> > rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1668 ->
> > $alpha port 22
> > pass in log on $ext_if inet proto tcp from any to $ext_if port 22
> > pass in log on $ext_if inet proto tcp from any to $ext_if port 53
> > pass in log on $ext_if inet proto udp from any to $ext_if port 53
> > pass in log on $ext_if inet proto tcp from any to $ext_if port 1664
> > pass in log on $int_if inet proto tcp from any to any
> > pass in log on $int_if inet proto udp from any to any
> > block in log on $ext_if inet proto icmp from any to $ext_if
> >
> > it's basically working
> > I'll stuff it when I have time.
> >
> > Samuel Martín Moro
> > {EPITECH.} tek5
>
>
> --
>
>  jhell,v
>


It's worth doing a restart of pf rather than a reload. I've seen nat rules
not take effect sometimes on reloads.
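A small checker, added here as an illustration and not taken from the thread, that parses the ruleset Samuel posted (macros expanded), lists the rdr port forwards and reports whether any catch-all block rule exists. With the 'block all in/out' directives commented out, pf's default is to pass, so the rdr targets are reachable without any explicit pass rule; the function names (parse_pf, has_default_block, unfiltered_redirects) are my own.

```python
import re
# Constructed input: the ruleset Samuel posted, re-typed with the archive's
# quoted-printable line wrapping undone (two of its five rdr rules kept).
PF_CONF = """
ext_if="bge0"
int_if="bge1"
localnet = $int_if:network
emma="10.242.42.200"
alpha="10.42.42.42"
scrub in on $ext_if all fragment reassemble
nat on $ext_if from $localnet to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
pass in log on $ext_if inet proto tcp from any to $ext_if port 22
pass in log on $int_if inet proto tcp from any to any
block in log on $ext_if inet proto icmp from any to $ext_if
"""
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"#]+?)"?\s*$')
RDR_RE = re.compile(r'^rdr\b.*\bport\s+(\d+)\s+->\s+(\S+)\s+port\s+(\d+)')

def expand(text, macros):
    """Replace $name references with the (already expanded) macro value."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)

def parse_pf(conf):
    """Return the macro table and the rules with macros expanded, comments dropped."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = MACRO_RE.match(line) if line else None
        if m:
            macros[m.group(1)] = expand(m.group(2).strip(), macros)
        elif line:
            rules.append(expand(line, macros))
    return macros, rules

def rdr_mappings(rules):
    """(external port, internal host, internal port) for each rdr rule."""
    return [(int(m.group(1)), m.group(2), int(m.group(3))) for m in map(RDR_RE.match, rules) if m]

def has_default_block(rules):
    """True if some block rule carries no proto/address selector (a catch-all)."""
    return any(r.startswith("block") and "proto" not in r.split()
               and ("all" in r.split() or "from" not in r.split()) for r in rules)

def unfiltered_redirects(rules):
    """rdr targets lacking a pass rule for the translated host:port."""
    passes = [r for r in rules if r.startswith("pass")]
    return [m for m in rdr_mappings(rules)
            if not any(f"to {m[1]} port {m[2]}" in p for p in passes)]
```

Run against the posted ruleset it reports no catch-all block and both redirects without a matching pass rule, which is why the forwards work even though nothing explicitly passes them.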


