Date:      Sat, 16 Dec 2006 14:54:23 +0100
From:      "Martijn Broeders - HUB Labs" <m.broeders@hublabs.nl>
To:        <freebsd-pf@freebsd.org>
Subject:   ADSL modem in bridged mode
Message-ID:  <1DDD0EBB36ACA443BD81C8243F7051CD844B@exchsrvr1.hub.local>

Hello,

I just started to move my ipfilter configs to pf, so I'm really a newbie
to pf.

I have an ADSL2-connection to the internet and my Alcatel SpeedTouch 516
is in 'bridged' mode. This means one of the nics in my FreeBSD-machine
gets an external IP address. Like this:

to internet
^
|
|
ADSL2 Modem(Bridged)
|
V
ip ext from isp
FreeBSD router with pf+NAT
ip 192.168.0.1
^
|
|
V
local network (192.168.0.0/24)

This is my very 'simple' firewall-ruleset:

--- begin firewall-ruleset ---

# macros
ext_if="xl1"
int_if="xl0"

tcp_services="{ 22, 25, 113, 80, 443 }"
icmp_types="echoreq"

webserver1="192.168.0.2"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $webserver1
rdr on $ext_if proto tcp from any to any port 443 -> $webserver1

# filter rules
block in

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

pass in on $ext_if inet proto tcp from any to $webserver1 port 80 \
    flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to $webserver1 port 443 \
    flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $int_if

--- end firewall-ruleset ---

When I load this ruleset and try to connect to port 80 or 443 (from the
outside), no connection to the internal webserver is made. When I do a
'pfctl -ss', this is displayed:

self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452
PROXY:DST

Can someone tell me what it means? And why does the redirection fail to
the internal webserver?

(a similar ipfilter ruleset works perfectly on this machine, but I don't
want ipfilter anymore, I want pf for its features like ALTQ, tagging,
etc.)

I hope you can help.

Best regards,
Martijn Broeders
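The state line quoted above is the output format of `pfctl -ss` on pf of that era: interface, protocol, the hosts joined by `<-` (inbound) or `->` (outbound), with a third, middle address present only when nat/rdr translated the connection, and the TCP state pair at the end. A `PROXY:DST` state is synproxy's second phase: pf has already completed the three-way handshake with the outside client on its own and is now waiting for the internal server's SYN/ACK; `PROXY:SRC` is the first phase, still handshaking with the client. A state that stays in `PROXY:DST` therefore means the redirected SYN to the web server went unanswered as far as pf is concerned. The parser below is an added example written for this page, not code from the poster or from the pf project; it takes the inbound line from the message as given and assumes the matching three-host `->` form for outbound NAT states. All sample lines are constructed (the first one is the message's line, unwrapped onto one line).

```python
"""Parse old-style `pfctl -ss` state lines and flag synproxy states that
never finished handshaking with the back-end server."""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample output: line 1 is the one quoted in the mail, the
# others are assumed forms of the same printer (outbound nat, plain rdr,
# a udp state).
SAMPLE_STATES = """\
self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452       PROXY:DST
xl1 tcp 192.168.0.10:49152 -> 217.194.110.35:49152 -> 198.51.100.7:443       ESTABLISHED:ESTABLISHED
xl1 tcp 192.168.0.2:443 <- 217.194.110.35:443 <- 198.51.100.9:40001       ESTABLISHED:ESTABLISHED
xl0 udp 192.168.0.1:53 <- 192.168.0.5:55123       SINGLE:MULTIPLE
"""

# iface, proto, the host chain, and the trailing state token(s)
STATE_RE = re.compile(r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<hosts>.+?)\s+(?P<state>\S+)$")


@dataclass
class PfState:
    iface: str
    proto: str
    direction: str   # "in" for "<-" lines, "out" for "->" lines
    hosts: list      # addr:port strings exactly as printed, left to right
    state: str       # e.g. "ESTABLISHED:ESTABLISHED", "PROXY:DST"

    @property
    def translated(self) -> bool:
        # A middle address is printed only when nat/rdr rewrote the packet.
        return len(self.hosts) == 3

    @property
    def client(self) -> str:
        # Remote peer: printed last on inbound lines, first on outbound ones.
        return self.hosts[-1] if self.direction == "in" else self.hosts[0]

    @property
    def server(self) -> str:
        return self.hosts[0] if self.direction == "in" else self.hosts[-1]


def parse_state_line(line: str) -> PfState:
    m = STATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pfctl -ss state line: {line!r}")
    hosts_txt = m["hosts"]
    if "<-" in hosts_txt:
        direction, sep = "in", "<-"
    elif "->" in hosts_txt:
        direction, sep = "out", "->"
    else:
        raise ValueError(f"no direction arrow in: {line!r}")
    hosts = [h.strip() for h in hosts_txt.split(sep)]
    return PfState(m["iface"], m["proto"], direction, hosts, m["state"])


def parse_states(text: str) -> list:
    return [parse_state_line(l) for l in text.splitlines() if l.strip()]


def stuck_synproxy(states: list) -> list:
    """TCP states still inside synproxy's two handshake phases."""
    return [s for s in states if s.proto == "tcp" and s.state.startswith("PROXY:")]


def explain(s: PfState) -> str:
    """Human-readable reading of a state, with the synproxy phases spelled out."""
    if s.state == "PROXY:SRC":
        return f"synproxy still completing the handshake with client {s.client}"
    if s.state == "PROXY:DST":
        return (f"synproxy accepted client {s.client}; waiting for SYN/ACK from "
                f"server {s.server} (the redirected SYN was not answered through pf)")
    return f"{s.proto} {s.client} -> {s.server}: {s.state}"


def summarize(states: list) -> Counter:
    """Count states per state string, a quick health view of the table."""
    return Counter(s.state for s in states)


if __name__ == "__main__":
    parsed = parse_states(SAMPLE_STATES)
    for st in stuck_synproxy(parsed):
        print(explain(st))
    print(dict(summarize(parsed)))
```

Run against a live table with `pfctl -ss | python3 this_script.py`-style piping after replacing `SAMPLE_STATES` with `sys.stdin.read()`; a growing count of `PROXY:DST` entries for the same server is the signature to watch for when a synproxy rdr is not completing.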
