From: "Martijn Broeders - HUB Labs" <m.broeders@hublabs.nl>
To: freebsd-pf@freebsd.org
Date: Sat, 16 Dec 2006 14:54:23 +0100
Subject: ADSL modem in bridged mode

Hello,

I just started to move my ipfilter configs to pf, so I'm really a newbie to pf.

I have an ADSL2 connection to the internet and my Alcatel SpeedTouch 516 is in 'bridged' mode. This means one of the NICs in my FreeBSD machine gets an external IP address.

Like this:

          to internet
               ^
               |
               |
      ADSL2 Modem (Bridged)
               |
               V
        ip ext from isp
  FreeBSD router with pf+NAT
        ip 192.168.0.1
               ^
               |
               |
               V
  local network (192.168.0.0/24)

This is my very 'simple' firewall ruleset:

--- begin firewall-ruleset ---
# macros
ext_if="xl1"
int_if="xl0"
tcp_services="{ 22, 25, 113, 80, 443 }"
icmp_types="echoreq"
webserver1="192.168.0.2"

# options
set block-policy return
set loginterface $ext_if
set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $webserver1
rdr on $ext_if proto tcp from any to any port 443 -> $webserver1

# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $webserver1 port 80 \
    flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to $webserver1 port 443 \
    flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass quick on $int_if
--- end firewall-ruleset ---

When I load this ruleset and try to connect to port 80 or 443 (from the outside), no connection to the internal webserver is made. When I do a 'pfctl -ss', this is displayed:

self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452       PROXY:DST

Can someone tell me what it means? And why does the redirection to the internal webserver fail? (A similar ipfilter ruleset works perfectly on this machine, but I don't want ipfilter anymore; I want pf for its features like ALTQ, tagging, etc.)

I hope you can help.

Best regards,
Martijn Broeders
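As an added illustration for readers of this thread (it is not part of Martijn's mail, nor code from pf or pfctl): a small Python parser that splits `pfctl -ss` state lines into their components and names the synproxy phase a state is in. It assumes the state output format of pf in that era, where inbound states print `<if> <proto> <dst> <- [<orig-dst> <-] <src> <STATE>` and outbound states print `<if> <proto> <src> [(<pre-nat-src>)] -> <dst> <STATE>`; the first sample line is the one quoted in the mail, the other two are constructed here to show the outbound NAT and non-TCP forms.

```python
"""Decode `pfctl -ss` state lines (added example; not from the mailing-list post).

Assumed format (pf of the OpenBSD 3.x-derived generation shipped with FreeBSD 6):
  inbound:  <if> <proto> <dst> <- [<orig-dst> <-] <src> <STATE>
  outbound: <if> <proto> <src> [(<pre-nat-src>)] -> <dst> <STATE>
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample output: line 1 is the state quoted in the mail, the
# other two are made up here to show the outbound (NAT) and non-TCP forms.
SAMPLE_STATES = """\
self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452       PROXY:DST
xl1 tcp 217.194.110.35:52113 (192.168.0.7:52113) -> 198.51.100.9:443       ESTABLISHED:ESTABLISHED
xl0 udp 192.168.0.1:53 <- 192.168.0.7:40021       SINGLE:MULTIPLE
"""

# pfctl prints these two labels instead of the usual SRC:DST pair while a
# `synproxy state` rule is still proxying the TCP handshake.
SYNPROXY_LABELS = {
    "PROXY:SRC": "synproxy: pf is still completing the TCP handshake with the "
                 "client; the server has not been contacted yet",
    "PROXY:DST": "synproxy: handshake with the client is complete; pf is now "
                 "trying to complete its own handshake with the (redirected) "
                 "server, and the state only advances if the server answers",
}


@dataclass
class PfState:
    interface: str
    proto: str
    direction: str            # "in" for "<-" lines, "out" for "->" lines
    src: str                  # the peer that opened the connection
    dst: str                  # the endpoint packets are actually delivered to
    orig_dst: Optional[str]   # destination before rdr (inbound only)
    nat_src: Optional[str]    # source before nat (outbound only)
    state: str

    def translated(self) -> bool:
        """True if nat or rdr rewrote an address for this state."""
        return self.orig_dst is not None or self.nat_src is not None

    def explain(self) -> str:
        if self.state in SYNPROXY_LABELS:
            return SYNPROXY_LABELS[self.state]
        # Ordinary states print the source peer's state, then the destination's.
        src_state, _, dst_state = self.state.partition(":")
        return f"source side {src_state}, destination side {dst_state}"


def parse_state_line(line: str) -> PfState:
    tokens = line.split()
    if len(tokens) < 5:
        raise ValueError(f"not a pf state line: {line!r}")
    interface, proto, state = tokens[0], tokens[1], tokens[-1]
    middle = tokens[2:-1]

    if "<-" in middle:
        # Inbound: delivered-to endpoint first, optional pre-rdr destination,
        # original source last.
        endpoints = [t for t in middle if t != "<-"]
        if len(endpoints) == 3:
            dst, orig_dst, src = endpoints
        elif len(endpoints) == 2:
            (dst, src), orig_dst = endpoints, None
        else:
            raise ValueError(f"unexpected inbound form: {line!r}")
        return PfState(interface, proto, "in", src, dst, orig_dst, None, state)

    if "->" in middle:
        # Outbound: source first, optional "(pre-nat source)", then destination.
        arrow = middle.index("->")
        left, right = middle[:arrow], middle[arrow + 1:]
        if not left or len(right) != 1:
            raise ValueError(f"unexpected outbound form: {line!r}")
        nat_src = left[1].strip("()") if len(left) > 1 else None
        return PfState(interface, proto, "out", left[0], right[0], None, nat_src, state)

    raise ValueError(f"no direction arrow in: {line!r}")


def parse_states(text: str) -> List[PfState]:
    """Parse every non-empty line of `pfctl -ss` output."""
    return [parse_state_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for st in parse_states(SAMPLE_STATES):
        hop = f"{st.orig_dst} -> " if st.orig_dst else ""
        print(f"{st.interface:5} {st.proto:4} {st.direction:3} "
              f"{st.src} -> {hop}{st.dst}: {st.explain()}")
```

Read against the state in the mail, the parser shows the client 213.84.86.15:35452 reached the external address 217.194.110.35:80, rdr rewrote the destination to 192.168.0.2:80, and PROXY:DST says the synproxy handshake with the client finished while the handshake pf itself opens towards the webserver has not completed, which is the half of the exchange worth watching (for example with tcpdump on the internal interface) when a redirect like this fails.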