Date: Sat, 26 Mar 2011 16:46:06 +0000
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Leslie Jensen <leslie@eskk.nu>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject: RE: Lost in rules!
Message-ID: <9E8D76EC267C9444AC737F649CBBAD903A32A37EE2@PEMEXMBXVS02.jellyfishnet.co.uk.local>
In-Reply-To: <4D8E11CB.2070501@eskk.nu>
References: <4D8E11CB.2070501@eskk.nu>
You've enabled routing?

What are the logs telling you?

Change this

"block in log on $ext_if all"

to

block log all

There may be an egress block somewhere.

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Leslie Jensen
> Sent: 26 March 2011 4:18 PM
> To: freebsd-pf@freebsd.org
> Subject: Lost in rules!
>
> Hello list.
>
> I've had a machine running FreeBSD 7.2-RELEASE as a firewall and Squid proxy
> server on a network with 10 PCs behind it for some years.
>
> Now I've got some new hardware and have installed FreeBSD 8.2-RELEASE
> with exactly the same set-up.
>
> My problem is that PF is not acting the same. Everything is blocked; if I
> remove the first rule "block in log on $ext_if all" I get some functionality, but it
> won't redirect the traffic to Squid, for example.
>
> I've been trying to fix it but I need some new eyes to help me.
>
> Below is the pf.conf on the new 8.2 machine, and further below is the
> original pf.conf from the 7.2 system.
>
> I'm aware that there have been some changes to the pf syntax, but when
> doing pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.
>
> Will you please take a look and see if you can see what's wrong.
>
> Thank you :-)
>
> /Leslie
>
>
>
> My new pf.conf
> ---------------------------------------------------------------
>
> #
> # macros
> ext_if="xl0"
> int_if="bfe0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.17.0/16"
> proxy = "127.0.0.1"
> vncports="{ 5900, 5901 }"
>
> # tables
> table <goodguys> persist
> table <sshguard> persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> # Testing for VNC!
> # Translate incoming packets' destination addresses.
> # As an example, redirect a TCP and UDP port to an internal machine.
> # rdr on $ext_if inet proto tcp from <goodguys> to ($ext_if) port 5910 \
> #     -> 172.17.0.160 port 5900
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
> # filter rules
> block in log on $ext_if all
>
> block drop in log quick proto ipv6 all
>
> block drop out log quick proto ipv6 all
>
> block in log quick on $ext_if from <sshguard> label "ssh bruteforce"
>
> pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
>
> pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
>
> pass out log
>
> # Let the goodguys access the machine from the outside
> pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if) port $tcp_services flags S/SA keep state
>
> # We need this for the rdr to VNC (change of port number)
> pass in on $ext_if inet proto tcp from <goodguys> to $internal_net port $vncports flags S/SA synproxy state
>
> # ICMP answers (traffic) need to be passed:
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> # traffic must be passed to and from the internal network
> pass in quick on $int_if #
>
> _______________________________________________________________________
>
>
> The original pf.conf
> --------------------------------------------------------------------------
>
>
> # macros
> ext_if="xl0"
> int_if="bfe0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="echoreq"
> internal_net = "172.17.0/16"
> proxy = "127.0.0.1"
>
> # tables
> table <goodguys> persist
> table <sshguard> persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> # Testing for VNC!
> # Translate incoming packets' destination addresses.
> # As an example, redirect a TCP and UDP port to an internal machine.
> # rdr on $ext_if inet proto tcp from <goodguys> to ($ext_if) port 5910 \
> #     -> 172.17.0.160 port 5900
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
> # filter rules
> block in log (all)
>
> block drop in log quick proto ipv6 all
>
> block drop out log quick proto ipv6 all
>
> block in log quick on $ext_if from <sshguard> label "ssh bruteforce"
>
> pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
>
> pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
>
> pass out keep state
>
> # Let the goodguys access the machine from the outside
> pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
>     port $tcp_services flags S/SA keep state
>
> # We need this for the rdr to VNC (change of port number)
> pass in on $ext_if inet proto tcp from <goodguys> to $internal_net \
>     port $vncports flags S/SA synproxy state
>
> # ICMP answers (traffic) need to be passed:
> # pass in inet proto icmp all icmp-type $icmp_types keep state
>
> # traffic must be passed to and from the internal network
> pass in quick on $int_if #
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
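The point behind the suggested change from "block in log on $ext_if all" to "block log all" is pf's evaluation order: rules are tried top to bottom, the last matching rule wins unless a match is marked quick, and a packet that matches no rule at all is passed without being logged. A default deny that only covers inbound traffic on the external interface therefore lets unmatched traffic in every other direction through silently, so a missing egress pass rule never shows up in pflog. The following Python model is an added example written for this page, not code from the thread or from pf itself. It models only direction, interface, protocol, quick and log (rules with from/to, ports, flags or state options are rejected rather than guessed at), and its rulesets are a constructed skeleton of the configuration above: the interface macros are the ones from the thread, but the unrestricted "pass out log" is narrowed to "on $ext_if proto tcp" so that some outbound traffic has no matching pass rule and the difference between the two default-deny forms becomes visible.

```python
"""Toy model of pf filter-rule ordering (constructed example, not pf).

Modelled: macros, block/pass, in/out, quick, log, 'on <iface>',
'proto <name>', 'all'.  Anything else (from/to, ports, flags, state
options, tables) is rejected so the toy never mis-evaluates a rule it
does not understand.  Semantics, as in pf.conf(5): last matching rule
wins unless a match says 'quick'; no match at all means pass, unlogged.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    text: str
    action: str                # "block" or "pass"
    direction: Optional[str]   # "in", "out" or None (both directions)
    quick: bool
    log: bool
    iface: Optional[str]       # None means any interface
    proto: Optional[str]       # None means any protocol


def parse_rule(line: str) -> Rule:
    """Parse one macro-expanded rule; reject keywords the toy does not model."""
    toks = line.split()
    if not toks or toks[0] not in ("block", "pass"):
        raise ValueError(f"not a filter rule: {line!r}")
    rule = Rule(line, toks[0], None, False, False, None, None)
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok == "quick":
            rule.quick = True
        elif tok == "log":
            rule.log = True
        elif tok == "on":
            i += 1
            rule.iface = toks[i]
        elif tok == "proto":
            i += 1
            rule.proto = toks[i]
        elif tok in ("all", "drop", "return"):
            pass   # 'all' matches everything; drop/return only change the reply
        else:
            raise ValueError(f"toy does not model {tok!r} in: {line!r}")
        i += 1
    return rule


def parse_ruleset(conf: str) -> list:
    """Expand name="value" macros and parse each rule line of a pf.conf text."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments, as pf does
        if not line:
            continue
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        rules.append(parse_rule(line))
    return rules


def evaluate(rules, direction: str, iface: str, proto: str):
    """Return (action, logged, index of the winning rule or None)."""
    winner = None
    for idx, r in enumerate(rules):
        if r.direction is not None and r.direction != direction:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        winner = (idx, r)          # a later match overrides an earlier one ...
        if r.quick:
            break                  # ... unless the match is 'quick'
    if winner is None:
        return ("pass", False, None)   # no match: pf passes and logs nothing
    idx, r = winner
    return (r.action, r.log, idx)


def is_modelled(line: str) -> bool:
    """True if the toy can evaluate this (already expanded) rule text."""
    try:
        parse_rule(line)
        return True
    except (ValueError, IndexError):
        return False


# Constructed skeleton of the thread's ruleset; 'pass out log' is narrowed
# on purpose so that some outbound traffic matches no pass rule at all.
NARROW_DEFAULT_DENY = """\
ext_if="xl0"
int_if="bfe0"
block in log on $ext_if all
pass out log on $ext_if proto tcp
pass in quick on $int_if
"""
BROAD_DEFAULT_DENY = NARROW_DEFAULT_DENY.replace(
    "block in log on $ext_if all", "block log all")

# (direction, interface, protocol) probe packets, constructed
PROBES = [("in", "xl0", "tcp"), ("in", "bfe0", "udp"), ("out", "xl0", "tcp"),
          ("out", "xl0", "udp"), ("out", "bfe0", "tcp")]


def compare(probes=PROBES) -> dict:
    """Map each probe to its verdict under the narrow and the broad default deny."""
    narrow, broad = parse_ruleset(NARROW_DEFAULT_DENY), parse_ruleset(BROAD_DEFAULT_DENY)
    return {p: (evaluate(narrow, *p), evaluate(broad, *p)) for p in probes}


if __name__ == "__main__":
    for probe, (n, b) in compare().items():
        print(f"{probe}: narrow deny -> {n}   'block log all' -> {b}")
```

Running it shows that outbound packets on the internal interface, and non-TCP outbound packets on the external one, are passed with a winning rule of None under the inbound-only default deny (pf's implicit pass, nothing in pflog), while under "block log all" the same packets are blocked by rule 0 and logged, which is exactly what makes a missing egress pass rule visible when reading the logs.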