Date: Sat, 31 Oct 2009 22:00:04 +0100 (CET)
From: Nico De Dobbeleer <nico@elico-it.be>
To: freebsd-pf@freebsd.org
Subject: Re: freebsd-pf Digest, Vol 266, Issue 4
Message-ID: <3350817.188221257022804727.JavaMail.root@zimbra-store>
In-Reply-To: <2849417.188201257022710812.JavaMail.root@zimbra-store>
Hello,

I have an issue with pf bridge. This is my setup:

Wan --> pf-bridge --> servers (mail, webserver with public IP)

When I activate my pf-bridge FW, it allows what it should (http, rdp, ssh, ...). But when I try to send a mail, for example, it cannot find the hostname, or when I'm connected to the webserver over RDP I cannot browse. It's like I can get in to the correct ports, but from the inside I'm not allowed to do stuff.

Here's pf-bridge.conf:

#
####################
# Macros
####################
ext_if="em0"
int_if="em1"
mng_if="rl0"
loop_if="lo0"

public_services="{ ssh, http, https, smtp, pop3, imap, 7071, 53, 3389 }"
admin_services="{ ssh, http, https }"
power_services="{ telnet, http }"

# TCP Options
#TCP_Options="flags S/SAFRUP modulate state"
# UDP Options
#UDP_Options="keep state"

#######################
# Tables
#######################
table <all_public_ips> { 62.213.196.XXX/xx }
table <customer_ips> { 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx }
table <admin_ips> { 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx }
table <power_ips> { 62.213.196.xxx, 62.213.196.xxx }

############################################################################
# Normalization rules:
############################################################################
#set block-policy drop
#set fingerprints "/etc/pf.os"
set block-policy return

# scrub incoming packets
scrub in on { $ext_if, $int_if } all fragment reassemble min-ttl 15 max-mss 1400
scrub in on { $ext_if, $int_if } all no-df
scrub on { $ext_if, $int_if } all reassemble tcp

# Don't filter on the loopback interface
set skip on $loop_if

# this should block OS fingerprints??
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF

# thwart nmap scans
block in log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
block out log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP

############################################################################
# Filter rules:
############################################################################
# Allow public services to customers IP
pass in quick on { $ext_if, $int_if } inet proto { tcp, udp } from any to <customer_ips> port $public_services
pass out quick on { $ext_if, $int_if } inet proto { tcp, udp } from any to <customer_ips> port $public_services

# Allow admin services to admin servers
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to <admin_ips> port $admin_services
pass out quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to <admin_ips> port $admin_services

# Allow access to powerboots
pass in quick on { $ext_if, $int_if } inet proto tcp from any to <power_ips> port $power_services
pass out quick on { $ext_if, $int_if } inet proto tcp from any to <power_ips> port $power_services

block drop in on $ext_if all
block drop out on $ext_if all
block drop in on $int_if all
block drop out on $int_if all

Any ideas?
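The transparent-bridge setup described in the message above, written out as an added example ruleset (not the poster's configuration and not FreeBSD project code) that filters statefully: inbound connections to the published services create pf state on the WAN-facing member, and the servers' own outbound connections (DNS lookups, outgoing SMTP, fetching updates) get their own stateful pass rules on the inside member instead of being caught by a stateless default block. The interface names em0/em1, the <servers> table with documentation-range placeholder addresses, and the two outbound service lists are assumptions; port 7071 is kept from the post. The syntax is that of pf as shipped with FreeBSD 7/8.

```conf
# Added example: stateful pf bridge ruleset (interface names assumed from the post)
ext_if="em0"          # bridge member facing the WAN
int_if="em1"          # bridge member facing the servers
loop_if="lo0"

public_services="{ ssh, http, https, smtp, pop3, imap, 7071, 3389 }"
# outbound services the servers themselves may open towards the Internet (assumed)
server_out_tcp="{ domain, smtp, http, https }"
server_out_udp="{ domain, ntp }"

# placeholder addresses (RFC 5737 range); replace with the real server IPs
table <servers> { 192.0.2.10, 192.0.2.11 }

set block-policy return
set skip on $loop_if
# floating (pf's default) lets a state created when a packet enters on em0
# match the same packet as it leaves on em1, which is what a bridge needs
set state-policy floating

scrub in on { $ext_if, $int_if } all fragment reassemble

# default deny, logged to pflog0
block log all

# WAN -> servers: only the published services, only new connections with a
# clean SYN; the resulting state carries the replies back out on em0
pass in quick on $ext_if inet proto tcp from any to <servers> port $public_services flags S/SA keep state
pass in quick on $ext_if inet proto udp from any to <servers> port domain keep state

# servers -> WAN: the outbound connections the servers need; without these,
# a server's own DNS query or SMTP delivery attempt hits the default block
pass in quick on $int_if inet proto tcp from <servers> to any port $server_out_tcp flags S/SA keep state
pass in quick on $int_if inet proto udp from <servers> to any port $server_out_udp keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch what the default rule is dropping with `tcpdump -n -e -ttt -i pflog0` while reproducing the failing DNS lookup; `pfctl -ss` shows the states the pass rules create. On FreeBSD the rules apply on the bridge members only while net.link.bridge.pfil_member is 1 (the default).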