From owner-freebsd-pf@FreeBSD.ORG Thu Apr 21 14:24:03 2005
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C63B16A4CE for ; Thu, 21 Apr 2005 14:24:03 +0000 (GMT)
Received: from ms-smtp-03-eri0.ohiordc.rr.com (ms-smtp-03-smtplb.ohiordc.rr.com [65.24.5.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id 585B443D31 for ; Thu, 21 Apr 2005 14:24:02 +0000 (GMT) (envelope-from dmehler26@woh.rr.com)
Received: from satellite (cpe-65-31-44-74.woh.res.rr.com [65.31.44.74]) j3LENxYF027353 for ; Thu, 21 Apr 2005 10:23:59 -0400 (EDT)
Message-ID: <000901c5467d$c1681f90$0200a8c0@satellite>
From: "dave"
To:
Date: Thu, 21 Apr 2005 10:23:57 -0400
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1437
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
X-Virus-Scanned: Symantec AntiVirus Scan Engine
Subject: pf rules not allowing traffic
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: dave
List-Id: Technical discussion and general questions about packet filter (pf)
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 21 Apr 2005 14:24:03 -0000

Hello,

I'm trying to get the below working on a 5.3 router. Internal traffic, dhcp at least, is working, but external stuff (ntp, web browsing, etc.) is not. When I load this ruleset I am unable to get out. Checking pflog doesn't help as I am not getting log information. There are no errors when I try to load this ruleset; any help appreciated.

Thanks.
Dave.

# Macros: define common values, so they can be referenced and changed easily.
EXT = "fxp0"
LAN = "ep0"
LAN_NET = "192.168.0.0/24"
LAN_SERVER = "192.168.0.3"
LAN_FIREWALL = "192.168.0.254"
LAN_ADMIN = "192.168.0.2"
TCP_INCOMING_SERVICES = "{ 22, 25, 80, 110, 143, 443, 465, 587, 873, 993, 995, 1723, 2401, 3306, 5432, 8000, 9101, 9102, 9103 }"
TCP_OUTGOING_SERVICES = "{ 20, 21, 22, 25, 43, 53, 80, 110, 119, 143, 443, 1790, 1791, 1792, 1793, 1794, 1795, 2401, 5190, 5191, 5192, 5193, 5999, 8880 }"
UDP_INCOMING_SERVICES = "{ 53, 68, 123 }"
UDP_OUTGOING_SERVICES = "{ 53, 67, 123 }"

# Tables: similar to macros, but more flexible for many addresses.
table { x.x.x.x, x.x.x.x }
table { 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }

# Options: tune the behavior of pf
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
# Max-mss is needed due to mpd's poor mss handling
scrub on $EXT all reassemble tcp
scrub out all random-id max-mss 1440

# Queueing: rule-based bandwidth control.
#altq on $EXT priq bandwidth 128Kb queue {bt_out, std_out, http_out, ssh_out, dns_out, ack_out}
#queue bt_out on $EXT priority 0 priq(red)
#queue std_out on $EXT priority 3 priq(default)
#queue http_out on $EXT priority 5 priq
#queue ssh_out on $EXT priority 7 priq
#queue dns_out on $EXT priority 9 priq
#queue ack_out on $EXT priority 11 priq

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $EXT with source address $internal_net will
# get translated as coming from the address of $EXT, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $EXT from $LAN_NET to any -> ($EXT)

# redirections
# rdr outgoing FTP requests to the ftp-proxy
rdr on $LAN proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#rdr on $EXT proto tcp from any to any port 80 -> $LAN_SERVER port 80

# spam table setup and implementation
# table < spammers
#no rdr on { lo0, lo1 } from any to any
# rdr < spammers

# antispoof rules
antispoof for $EXT inet

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all

block all

# loopback
pass quick on lo0 all

# incoming on $EXT
# block by default
#block in on $EXT all
block in quick on $EXT from
#DNS
pass in quick on $EXT proto udp from port 53 to $EXT keep state
#Incoming tcp
pass in quick on $EXT proto tcp from any to $EXT port $TCP_INCOMING_SERVICES flags S/AUPRFS modulate state
#dhcp from isp
pass in quick on $EXT proto udp from any port 67 to 255.255.255.255 port 68 keep state queue(ack_out)
#pptp
pass in quick on $EXT proto gre from any to $LAN_SERVER keep state

#-----------outgoing on $EXT----------------
#block out on $EXT all
block out quick on $EXT from any to
pass out quick on $EXT proto udp from $EXT to port 53 keep state
pass out quick on $EXT proto tcp from $EXT to $LAN_NET port $TCP_OUTGOING_SERVICES keep state
pass out quick on $EXT proto udp from $EXT to $LAN_NET port $UDP_OUTGOING_SERVICES keep state

#-----------incoming on $LAN----------------
block in on $LAN all
# allow broadcast
pass quick on $LAN from any to 192.168.0.255
# allow in tcp and udp incoming
pass in quick on $LAN proto tcp from $LAN_NET to any port $TCP_INCOMING_SERVICES flags S/AUPRFS modulate state
pass in quick on $LAN proto udp from $LAN_NET to any port $UDP_INCOMING_SERVICES modulate state
#allow out CDDB
pass in quick on $LAN proto {tcp,udp} from $LAN_NET to any port 8880 flags S/SAFR keep state

#-----------outgoing on $LAN----------------
block out on $LAN all
# tcp and udp out
pass out quick on $LAN proto tcp from $LAN_NET to $EXT port $TCP_OUTGOING_SERVICES flags S/AUPRFS modulate state
pass out quick on $LAN proto udp from $LAN_NET to $EXT port $UDP_OUTGOING_SERVICES modulate state
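Two things in the posted ruleset explain the symptoms as described. The outbound rules on $EXT say `to $LAN_NET`, but a packet leaving fxp0 for the Internet has (after `nat on $EXT`) the address of $EXT as its source and a public address as its destination, so those rules never match and the packet falls through to the earlier `block all`. And none of the block rules carry the `log` keyword, so nothing is ever written to pflog0, which is why checking it showed nothing. The fragment below is an added example, not part of the original post: it is the outbound side of the ruleset with those two changes. Interface names and the LAN network are the poster's; the shortened port lists and the `S/SA` flag mask are assumptions for illustration.

```pf
# Added example (not the poster's ruleset): outbound side only, with the
# external-interface pass rules pointed at 'any' and a logging default block.
# Interface names and LAN network are from the post; port lists are assumed.
EXT = "fxp0"
LAN = "ep0"
LAN_NET = "192.168.0.0/24"
TCP_OUTGOING_SERVICES = "{ 20, 21, 22, 25, 43, 53, 80, 110, 119, 143, 443 }"
UDP_OUTGOING_SERVICES = "{ 53, 67, 123 }"

scrub on $EXT all reassemble tcp

# Translation runs before the outbound filter on $EXT, so the pass rules
# below see the packet with the address of $EXT as its source.
nat on $EXT from $LAN_NET to any -> ($EXT)

# 'log' on the default block is what puts dropped packets on pflog0; the
# original 'block all' has no log keyword, so pflog stays empty.
block log all
pass quick on lo0 all

# LAN side: accept what the clients send and keep state for the replies.
pass in quick on $LAN proto tcp from $LAN_NET to any port $TCP_OUTGOING_SERVICES flags S/SA keep state
pass in quick on $LAN proto udp from $LAN_NET to any port $UDP_OUTGOING_SERVICES keep state

# External side: the original rules say 'to $LAN_NET' here, which nothing
# leaving fxp0 for the Internet can match; 'to any' is the intended form.
pass out quick on $EXT proto tcp from $EXT to any port $TCP_OUTGOING_SERVICES flags S/SA keep state
pass out quick on $EXT proto udp from $EXT to any port $UDP_OUTGOING_SERVICES keep state
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only, nothing loaded) before `pfctl -f /etc/pf.conf`, then watch `tcpdump -n -e -ttt -i pflog0` while trying to get out: with `block log all` in place, every drop shows up there together with the rule number that caused it, which is the information the original ruleset never produced.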