From owner-freebsd-hackers@FreeBSD.ORG Sun Sep 26 15:44:05 2010
From: Samuel Martín Moro <faust64@gmail.com>
Date: Sun, 26 Sep 2010 17:43:33 +0200
To: Michael Powell
Cc: freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: pf
List-Id: Technical Discussions relating to FreeBSD

On Sun, Sep 26, 2010 at 3:34 PM, Michael Powell wrote:
> Samuel Martín Moro wrote:
>
> > Hello,
> >
> > I'm trying to set up pf on my soon-to-be new gateway (8.1-RELEASE amd64).
> > I used the sample configuration file available on calomel.
> > After a few tests, it appears that the gate has full access to the
> > internet, but I can't open connections from clients to distant servers
> > (web, ssh, ...).
> > Checking the pflog log file, I can't see anything about those timeouts, even
> > if I added the log directive in every block/pass command.
> > Everything else seems to work, I can talk with my DNS from the internet,
> > ssh redirections to another pc also seem to work.
> > I just can't access the Internet from a client of my network...
> >
> > For debugging, I commented out the options and the 'block all in/out'
> > directives.
> >
> > Here's my config file http://pastebin.com/Nim2zBCx
> >
> > Is there someone understanding what I'm doing wrong?
>
> The firewall ruleset is a trifle overly complex for a quick glance; study
> and analysis would take some doing. However, if you can reach the internet
> from the firewall box and other client computers behind your NAT can't
> (which is what it sounds like you're describing) it may be just that you are
> missing gateway_enable="YES" in your /etc/rc.conf.
>
> Turning this "ON" makes your firewall box into a router. The status of this
> can be checked with: sysctl net.inet.ip.forwarding - a "0" means no gateway
> and a "1" means gateway.
>
> -Mike

The gateway is already enabled (and forwarding is correctly set).
Whatever, I had to be quick; I started again.
I think the missing thing on my old conf was the 'scrub' (at least).
I made a simpler configuration, as follows:

    ext_if="bge0"
    int_if="bge1"
    localnet = $int_if:network
    emma="10.242.42.200"
    alpha="10.42.42.42"
    delta="10.42.42.44"

    set skip on lo0
    scrub in on $ext_if all fragment reassemble

    #INTERNETZ
    nat on $ext_if from $localnet to any -> ($ext_if)

    #EMMA
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 307 -> $emma port 80
    #WHAT.CD
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
    #REMOTE ADM
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
    rdr on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22

    pass in log on $ext_if inet proto tcp from any to $ext_if port 22
    pass in log on $ext_if inet proto tcp from any to $ext_if port 53
    pass in log on $ext_if inet proto udp from any to $ext_if port 53
    pass in log on $ext_if inet proto tcp from any to $ext_if port 1664
    pass in log on $int_if inet proto tcp from any to any
    pass in log on $int_if inet proto udp from any to any
    block in log on $ext_if inet proto icmp from any to $ext_if

It's basically working; I'll stuff it when I have time.

Samuel Martín Moro
{EPITECH.} tek5
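As an added illustration, not code from this thread or from any FreeBSD or pf tool, the following Python script reads the simplified ruleset Samuel posted (re-typed here as a constructed sample) and reports what it exposes on each interface: the rdr forwards, the ports passed to the gateway itself, and whether a block-all default deny exists. It assumes only pf's documented rule semantics: macros expand textually, rdr translation happens before filtering (so a pass rule for forwarded traffic must name the internal target, not the external interface address), and a packet matched by no rule is passed. Running it on this ruleset shows that every forwarded port is admitted only by that implicit pass, which is why it "basically works" without any pass rule for the internal hosts, and also why re-adding the 'block all' lines would cut the forwards off until matching pass rules exist.

```python
import re

# Constructed input: the simplified ruleset from the post, re-typed verbatim
# (the private addresses are the poster's own example values).
PF_CONF = """\
ext_if="bge0"
int_if="bge1"
localnet = $int_if:network
emma="10.242.42.200"
alpha="10.42.42.42"
delta="10.42.42.44"

set skip on lo0
scrub in on $ext_if all fragment reassemble

#INTERNETZ
nat on $ext_if from $localnet to any -> ($ext_if)

#EMMA
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 307 -> $emma port 80
#WHAT.CD
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
#REMOTE ADM
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22

pass in log on $ext_if inet proto tcp from any to $ext_if port 22
pass in log on $ext_if inet proto tcp from any to $ext_if port 53
pass in log on $ext_if inet proto udp from any to $ext_if port 53
pass in log on $ext_if inet proto tcp from any to $ext_if port 1664
pass in log on $int_if inet proto tcp from any to any
pass in log on $int_if inet proto udp from any to any
block in log on $ext_if inet proto icmp from any to $ext_if
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]+?)"?\s*$')
RDR_RE = re.compile(r'^rdr\s+on\s+(\S+).*?\bproto\s+(\w+)\b.*?\bto\s+(\S+)\s+port\s+(\d+)'
                    r'\s*->\s*(\S+)\s+port\s+(\d+)')
PASS_IN_RE = re.compile(r'^pass\s+in\b.*?\bon\s+(\S+)\b.*?\bproto\s+(\w+)\b.*?\bto\s+(\S+)'
                        r'(?:\s+port\s+(\d+))?')
# "block", "block in", "block all", "block in log all": a catch-all default deny.
DEFAULT_DENY_RE = re.compile(r'^block(?:\s+(?:in|out|log|drop|return|quick))*(?:\s+all)?\s*$')


def expand(text, macros):
    """Substitute $name references; an undefined macro is an error, as in pfctl."""
    return re.sub(r'\$(\w+)', lambda m: macros[m.group(1)], text)


def parse_ruleset(text):
    """Return macros, rdr rules, 'pass in' rules and whether a default deny exists."""
    macros, rdr, pass_in, default_deny = {}, [], [], False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:                                     # macro definition, expanded at definition time
            macros[m.group(1)] = expand(m.group(2), macros)
            continue
        line = expand(line, macros)
        if DEFAULT_DENY_RE.match(line):
            default_deny = True
        elif m := RDR_RE.match(line):
            iface, proto, _dst, dport, target, tport = m.groups()
            rdr.append({'iface': iface.strip('()'), 'proto': proto, 'dport': int(dport),
                        'target': target.strip('()'), 'tport': int(tport)})
        elif m := PASS_IN_RE.match(line):
            iface, proto, dst, port = m.groups()
            pass_in.append({'iface': iface.strip('()'), 'proto': proto,
                            'dst': dst.strip('()'), 'port': int(port) if port else None})
    return {'macros': macros, 'rdr': rdr, 'pass_in': pass_in, 'default_deny': default_deny}


def audit(text):
    """Summarise what the ruleset exposes and how each exposure is allowed in."""
    rs = parse_ruleset(text)
    redirects = []
    for r in rs['rdr']:
        # Filtering sees the translated packet, so an explicit pass must name
        # the internal target (or "any"), not the external interface address.
        covered = any(p['iface'] == r['iface'] and p['proto'] == r['proto']
                      and p['dst'] in (r['target'], 'any')
                      and p['port'] in (r['tport'], None)
                      for p in rs['pass_in'])
        redirects.append({'exposed': f"{r['proto']}/{r['dport']} on {r['iface']}",
                          'forwards_to': f"{r['target']}:{r['tport']}",
                          'explicit_pass': covered})
    local = sorted((p['iface'], p['proto'], p['port']) for p in rs['pass_in']
                   if p['port'] is not None)
    return {'default_deny': rs['default_deny'],
            'redirects': redirects,
            'passed_local_ports': [f"{pr}/{po} on {i}" for i, pr, po in local],
            # Forwarded flows no pass rule names get in only through pf's
            # implicit pass, which exists solely because there is no block-all.
            'admitted_implicitly': (not rs['default_deny']
                                    and any(not f['explicit_pass'] for f in redirects))}


if __name__ == '__main__':
    import json
    print(json.dumps(audit(PF_CONF), indent=2))
```

The parser covers only the rule shapes in this ruleset (single-port rdr, `pass in` with an optional port); it is meant as a reading aid for a posted pf.conf, not a replacement for `pfctl -nf` or `pfctl -sr`.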