From owner-freebsd-questions@FreeBSD.ORG Mon Sep 27 11:40:43 2010
Date: Mon, 27 Sep 2010 12:40:41 +0100
From: krad
To: jhell
Cc: freebsd-hackers@freebsd.org, Samuel Martín Moro, freebsd-questions@freebsd.org
Subject: Re: pf

On 26 September 2010 21:45, jhell wrote:
> This is more for questions@ or pf@
>
> On 09/26/2010 11:43, Samuel Martín Moro wrote:
> > On Sun, Sep 26, 2010 at 3:34 PM, Michael Powell wrote:
> >
> >> Samuel Martín Moro wrote:
> >>
> >>> Hello,
> >>>
> >>> I'm trying to set up pf on my soon-to-be new gateway (8.1-RELEASE amd64).
> >>> I used the sample configuration file available on calomel.
> >>> After a few tests, it appears that the gate has full access to the
> >>> internet, but I can't open connections from clients to distant servers
> >>> (web, ssh, ...).
> >>> Checking the pflog log file, I can't see anything about those timeouts,
> >>> even if I added the log directive in every block/pass command.
> >>> Everything else seems to work: I can talk with my DNS from the internet,
> >>> and ssh redirections to another pc also seem to work.
> >>> I just can't access the Internet from a client of my network...
> >>>
> >>> For debugging, I commented out the options and the 'block all in/out'
> >>> directives.
> >>>
> >>> Here's my config file http://pastebin.com/Nim2zBCx
> >>>
> >>> Is there someone understanding what I'm doing wrong?
> >>>
> >> The firewall ruleset is a trifle overly complex for a quick glance; study
> >> and analysis would take some doing. However, if you can reach the internet
> >> from the firewall box and other client computers behind your NAT can't
> >> (which is what it sounds like you're describing) it may be just that you are
> >> missing gateway_enable="YES" in your /etc/rc.conf.
> >>
> >> Turning this "ON" makes your firewall box into a router. The status of this
> >> can be checked with: sysctl net.inet.ip.forwarding - a "0" means no gateway
> >> and a "1" means gateway.
> >>
> >> -Mike
> >>
> >> _______________________________________________
> >> freebsd-questions@freebsd.org mailing list
> >> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> >> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
> >>
> > the gateway is already enabled (and forwarding is correctly set)
> > whatever, I had to do it quick, I started again
> > I think the missing thing on my old conf was the 'scrub' (at least)
> > I made a more simple configuration, as follows:
> >
> > ext_if="bge0"
> > int_if="bge1"
> > localnet = $int_if:network
> > emma="10.242.42.200"
> > alpha="10.42.42.42"
> > delta="10.42.42.44"
> >
> > set skip on lo0
> > scrub in on $ext_if all fragment reassemble
> >
> > #INTERNETZ
> > nat on $ext_if from $localnet to any -> ($ext_if)
> >
> > #EMMA
> > rdr on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
> > rdr on $ext_if inet proto tcp from any to ($ext_if) port 307 -> $emma port 80
> >
> > #WHAT.CD
> > rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
> >
> > #REMOTE ADM
> > rdr on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
> > rdr on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22
> >
> > pass in log on $ext_if inet proto tcp from any to $ext_if port 22
> > pass in log on $ext_if inet proto tcp from any to $ext_if port 53
> > pass in log on $ext_if inet proto udp from any to $ext_if port 53
> > pass in log on $ext_if inet proto tcp from any to $ext_if port 1664
> > pass in log on $int_if inet proto tcp from any to any
> > pass in log on $int_if inet proto udp from any to any
> > block in log on $ext_if inet proto icmp from any to $ext_if
> >
> > it's basically working
> > I'll stuff it when I have time.
> >
> > Samuel Martín Moro
> > {EPITECH.} tek5
>
> --
> jhell,v
>

It's worth doing a restart on pf rather than a reload. I've seen NAT rules
not take effect sometimes on reloads.
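As an added example (not part of the thread, and not Samuel's file), here is his simplified ruleset reorganised around the default-deny block he commented out while debugging: without it, everything not explicitly blocked is passed, so the gateway and the redirected hosts are reachable on any port. Interface names, addresses and port numbers come from his post; the policy choices (what the LAN may reach, which redirected ports get pass rules) are assumptions.

```pf
# Added example: Samuel's ruleset with a default-deny policy restored.
# Macros copied from the post; everything else is an assumed policy.
ext_if="bge0"
int_if="bge1"
localnet = $int_if:network
emma="10.242.42.200"
alpha="10.42.42.42"
delta="10.42.42.44"

set skip on lo0
# Reassemble fragments before filtering so rules see whole packets
scrub in on $ext_if all fragment reassemble

# Translation rules: on this pf version they must precede the filter rules
nat on $ext_if from $localnet to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 307  -> $emma port 80
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22

# Default deny: anything not matched by a later pass rule is dropped and logged,
# which also covers the ICMP block from the original ruleset
block in log all
block out log all

# Services hosted on the gateway itself
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22 53 1664 } keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state

# Redirected services: rdr rewrites the destination before filtering, so the
# pass rule must name the internal host and port, not the public one
pass in on $ext_if inet proto tcp from any to $emma  port { 22 80 }   keep state
pass in on $ext_if inet proto tcp from any to $alpha port { 22 1666 } keep state
pass in on $ext_if inet proto tcp from any to $delta port 22          keep state

# LAN clients may initiate anything; the state entry lets NATed replies return
pass in  on $int_if from $localnet to any keep state
pass out on $ext_if from any to any keep state
pass out on $int_if from any to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; the pass rules for the rdr targets are the part most often forgotten once a default deny is in place.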