From: Leslie Jensen <leslie@eskk.nu>
To: freebsd-pf@freebsd.org
Date: Sat, 26 Mar 2011 17:18:19 +0100
Subject: Lost in rules!

Hello list.
I've had a machine running FreeBSD 7.2-RELEASE as a firewall and Squid proxy server on a network with 10 PCs behind it for some years. Now I've got some new hardware and have installed FreeBSD 8.2-RELEASE with exactly the same set-up. My problem is that PF is not acting the same. Everything is blocked; if I remove the first rule "block in log on $ext_if all" I get some functionality, but it won't redirect the traffic to Squid, for example. I've been trying to fix it but I need some new eyes to help me.

Below is the pf.conf on the new 8.2 machine, and further below is the original pf.conf from the 7.2 system. I'm aware that there have been some changes to the pf syntax, but when doing pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.

Will you please take a look and see if you can see what's wrong.

Thank you :-)

/Leslie

My new pf.conf
---------------------------------------------------------------
#
# NOTE: names written inside angle brackets (table names and the <table>
# references in "from <...>") were stripped by the list archive and appear
# as gaps in the lines below.

# macros
ext_if="xl0"
int_if="bfe0"
tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
proxy_services = "{ 21, 80 }"
icmp_types="{ echoreq unreach squench timex }"
internal_net = "172.17.0/16"
proxy = "127.0.0.1"
vncports="{ 5900, 5901 }"

# tables
table persist
table persist

# options
set block-policy return   # ports are closed but can be seen
set loginterface $ext_if
set skip on lo0

# scrub
scrub in

# Testing for VNC!
# Translate incoming packets' destination addresses.
# As an example, redirect a TCP and UDP port to an internal machine.
# rdr on $ext_if inet proto tcp from to ($ext_if) port 5910 \
#    -> 172.17.0.160 port 5900

# redirect www traffic to proxy
rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log on $ext_if all
block drop in log quick proto ipv6 all
block drop out log quick proto ipv6 all
block in log quick on $ext_if from label "ssh bruteforce"

pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
pass out log

# Let the goodguys access the machine from the outside
pass in log on $ext_if inet proto tcp from to ($ext_if) port $tcp_services flags S/SA keep state

# We need this for the rdr to VNC (change of portnumber)
pass in on $ext_if inet proto tcp from to $internal_net port $vncports flags S/SA synproxy state

# ICMP answers (traffic) needs to be passed:
pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in quick on $int_if
# _______________________________________________________________________

The original pf.conf
--------------------------------------------------------------------------
# NOTE: names written inside angle brackets (table names and the <table>
# references in "from <...>") were stripped by the list archive and appear
# as gaps in the lines below.

# macros
ext_if="xl0"
int_if="bfe0"
tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
proxy_services = "{ 21, 80 }"
icmp_types="echoreq"
internal_net = "172.17.0/16"
proxy = "127.0.0.1"

# tables
table persist
table persist

# options
set block-policy return   # ports are closed but can be seen
set loginterface $ext_if
set skip on lo0

# scrub
scrub in

# Testing for VNC!
# Translate incoming packets' destination addresses.
# As an example, redirect a TCP and UDP port to an internal machine.
# rdr on $ext_if inet proto tcp from to ($ext_if) port 5910 \
#    -> 172.17.0.160 port 5900

# redirect www traffic to proxy
rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log (all)
block drop in log quick proto ipv6 all
block drop out log quick proto ipv6 all
block in log quick on $ext_if from label "ssh bruteforce"

pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
pass out keep state

# Let the goodguys access the machine from the outside
pass in on $ext_if inet proto tcp from to ($ext_if) \
    port $tcp_services flags S/SA keep state

# We need this for the rdr to VNC (change of portnumber)
pass in on $ext_if inet proto tcp from to $internal_net \
    port $vncports flags S/SA synproxy state

# ICMP answers (traffic) needs to be passed:
# pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in quick on $int_if
#
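Added example, not part of the post: a toy model of the two pf behaviours that decide what the rules above do to a packet. Translation (rdr) runs before filtering, so the filter rules see the rewritten destination (port 8080, not 80), and among filter rules the last matching one wins unless a matching rule says "quick". The ruleset below is a constructed subset of the new pf.conf using the interface names from the post (xl0 as $ext_if, bfe0 as $int_if); table-based rules are left out.

```python
# Toy model of pf evaluation: rdr translation runs before filtering, then the
# LAST matching filter rule wins unless a matching rule carries 'quick'.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# iface, direction ("in"/"out"), proto ("tcp"/"udp"/"icmp"), destination port
Pkt = namedtuple("Pkt", "iface direction proto dport", defaults=(None,))

@dataclass
class Rule:                     # filter rule; a None field means "any"
    action: str                 # "pass" / "block"
    direction: Optional[str] = None
    iface: Optional[str] = None
    proto: Optional[str] = None
    dports: Optional[frozenset] = None
    quick: bool = False

    def matches(self, p: Pkt) -> bool:
        return (self.direction in (None, p.direction) and self.iface in (None, p.iface)
                and self.proto in (None, p.proto)
                and (self.dports is None or p.dport in self.dports))

def translate(rdrs, p: Pkt) -> Pkt:
    # rdr: the first matching rule rewrites the destination port (inbound only)
    for iface, proto, dports, to_port in rdrs:
        if p.direction == "in" and (iface, proto) == (p.iface, p.proto) and p.dport in dports:
            return Pkt(p.iface, p.direction, p.proto, to_port)
    return p

def filter_verdict(rules, p: Pkt) -> str:
    verdict = "pass"            # pf's implicit default when nothing matches
    for r in rules:
        if r.matches(p):
            verdict = r.action
            if r.quick:         # 'quick' stops evaluation at this rule
                break
    return verdict

# Constructed ruleset mirroring the post's new pf.conf (xl0 = ext_if, bfe0 = int_if)
RDRS = [("bfe0", "tcp", frozenset({21, 80}), 8080)]          # www -> squid on 8080
RULES = [Rule("block", "in", "xl0"),                          # block in on $ext_if all
         Rule("pass", "in", "bfe0", "tcp", frozenset({8080})),   # to $proxy port 8080
         Rule("pass", "out"),                                 # pass out
         Rule("pass", "in", "xl0", "tcp", frozenset({22, 993})), # port $tcp_services
         Rule("pass", "in", "bfe0", quick=True)]              # pass in quick on $int_if

def decide(p: Pkt):
    # returns (packet as the filter sees it after rdr, verdict)
    t = translate(RDRS, p)
    return t, filter_verdict(RULES, t)
```

Evaluating `filter_verdict(RULES[1:], ...)` shows the effect of dropping the leading "block in" rule: any inbound packet on xl0 that no later rule matches falls through to pf's implicit pass.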