Date:      Sat, 26 Mar 2011 16:46:06 +0000
From:      Greg Hennessy <Greg.Hennessy@nviz.net>
To:        Leslie Jensen <leslie@eskk.nu>, "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   RE: Lost in rules!
Message-ID:  <9E8D76EC267C9444AC737F649CBBAD903A32A37EE2@PEMEXMBXVS02.jellyfishnet.co.uk.local>
In-Reply-To: <4D8E11CB.2070501@eskk.nu>
References:  <4D8E11CB.2070501@eskk.nu>

You've enabled routing?

What are the logs telling you?

Change this

	"block in log on $ext_if all"

to
	block log all

there may be an egress block somewhere.



> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-
> pf@freebsd.org] On Behalf Of Leslie Jensen
> Sent: 26 March 2011 4:18 PM
> To: freebsd-pf@freebsd.org
> Subject: Lost in rules!
>
> Hello list.
>
> I've had a machine running FreeBSD 7.2-RELEASE as a firewall and Squid proxy
> server on a network with 10 PCs behind it for some years.
>
> Now I've got some new hardware and have installed FreeBSD 8.2-RELEASE
> with exactly the same set-up.
>
> My problem is that PF is not acting the same. Everything is blocked; if I
> remove the first rule "block in log on $ext_if all" I get some functionality, but it
> won't redirect the traffic to Squid, for example.
>
> I've been trying to fix it but I need some new eyes to help me.
>
> Below is the pf.conf on the new 8.2 machine, and further below is the
> original pf.conf from the 7.2 system.
>
> I'm aware that there have been some changes to the pf syntax, but when
> doing pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.
>
> Will you please take a look and see if you can see what's wrong?
>
> Thank you :-)
>
> /Leslie
>
>
>
> My new pf.conf
> ---------------------------------------------------------------
>
> #
> # macros
> ext_if="xl0"
> int_if="bfe0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.17.0/16"
> proxy = "127.0.0.1"
> vncports="{ 5900, 5901 }"
>
> # tables
> table <goodguys> persist
> table <sshguard> persist
>
> # options
> set block-policy return		# ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> # Testing for VNC!
> # Translate incoming packets' destination addresses.
> # As an example, redirect a TCP and UDP port to an internal machine.
> # rdr on $ext_if inet proto tcp from <goodguys> to ($ext_if) port 5910 \
> #           -> 172.17.0.160 port 5900
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
> # filter rules
> block in log on $ext_if all
>
> block drop in log quick proto ipv6 all
>
> block drop out log quick proto ipv6 all
>
> block in log quick on $ext_if from <sshguard> label "ssh bruteforce"
>
> pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
>
> pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
>
> pass out log
>
> # Let the goodguys access the machine from the outside
> pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if) port $tcp_services flags S/SA keep state
>
> # We need this for the rdr to VNC (change of portnumber)
> pass in on $ext_if inet proto tcp from <goodguys> to $internal_net port $vncports flags S/SA synproxy state
>
> # ICMP answers (traffic) needs to be passed:
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> # traffic must be passed to and from the internal network
> pass in quick on $int_if
> #
>
> _______________________________________________________________________
>
>
> The original pf.conf
> --------------------------------------------------------------------------
>
>
> # macros
> ext_if="xl0"
> int_if="bfe0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="echoreq"
> internal_net = "172.17.0/16"
> proxy = "127.0.0.1"
>
> # tables
> table <goodguys> persist
> table <sshguard> persist
>
> # options
> set block-policy return		# ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> # Testing for VNC!
> # Translate incoming packets' destination addresses.
> # As an example, redirect a TCP and UDP port to an internal machine.
> # rdr on $ext_if inet proto tcp from <goodguys> to ($ext_if) port 5910 \
> #           -> 172.17.0.160 port 5900
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
> # filter rules
> block in log (all)
>
> block drop in log quick proto ipv6 all
>
> block drop out log quick proto ipv6 all
>
> block in log quick on $ext_if from <sshguard> label "ssh bruteforce"
>
> pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
>
> pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
>
> pass out keep state
>
> # Let the goodguys access the machine from the outside
> pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
>     port $tcp_services flags S/SA keep state
>
> # We need this for the rdr to VNC (change of portnumber)
> pass in on $ext_if inet proto tcp from <goodguys> to $internal_net \
>     port $vncports flags S/SA synproxy state
>
> # ICMP answers (traffic) needs to be passed:
> # pass in inet proto icmp all icmp-type $icmp_types keep state
>
> # traffic must be passed to and from the internal network
> pass in quick on $int_if
> #
>
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
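Greg's suggestion to swap `block in log on $ext_if all` for `block log all` rests on how pf chooses a rule: rules are evaluated top to bottom, the last matching rule wins unless an earlier match carries `quick`, and a packet that matches no rule at all is passed without being logged. The following Python model is an added example, not code from this thread or from the pf project. It encodes a trimmed-down version of the posted ruleset (table-based rules, IPv6 rules, rdr/nat rewriting and state tracking are left out; the poster's `172.17.0/16` is written out as `172.17.0.0/16`) and evaluates a few constructed packets against both the posted first rule and the suggested one. The `Packet`/`Rule` classes, the interface name `em0`, the outside addresses (RFC 5737 documentation ranges) and all function names are assumptions made for the example.

```python
"""Toy model of pf filter evaluation (added example; not the thread's or pf's code).
Modelled: top-to-bottom evaluation, last match wins, `quick` ends evaluation,
and a packet matching no rule is passed unlogged.  rdr/nat, state, tables and
the IPv6/ICMP-type details of the posted pf.conf are deliberately omitted."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str                 # interface the packet is seen on
    direction: str             # "in" or "out"
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    text: str                         # the rule as it reads in pf.conf
    direction: Optional[str] = None   # None = both directions
    iface: Optional[str] = None       # None = every interface
    proto: Optional[str] = None       # None = any protocol
    src: Optional[str] = None         # CIDR or host; None = any
    dst: Optional[str] = None
    dports: FrozenSet[int] = frozenset()  # empty = any destination port
    quick: bool = False
    log: bool = False

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.iface is not None and self.iface != p.iface:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(p.dst) not in ip_network(self.dst, strict=False):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str], bool]:
    """Return (verdict, text of the deciding rule or None, whether it logs)."""
    winner = None
    for r in rules:
        if r.matches(p):
            winner = r
            if r.quick:            # quick: this match is final
                break
    if winner is None:             # pf's implicit default: pass, unlogged
        return ("pass", None, False)
    return (winner.action, winner.text, winner.log)


EXT, INT = "xl0", "bfe0"           # $ext_if / $int_if from the posted pf.conf
INTERNAL = "172.17.0.0/16"         # the poster's "172.17.0/16", spelled out
PROXY = "127.0.0.1"
PROXY_SERVICES = frozenset({21, 80})


def common_rules() -> List[Rule]:
    """The posted pass rules, minus those that depend on (empty) tables."""
    return [
        Rule("pass", "pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080",
             "in", INT, "tcp", INTERNAL, PROXY, frozenset({8080}), log=True),
        Rule("pass", "pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services",
             "out", EXT, "tcp", PROXY, None, PROXY_SERVICES, log=True),
        Rule("pass", "pass out log", "out", log=True),
        Rule("pass", "pass in inet proto icmp all", "in", proto="icmp"),
        Rule("pass", "pass in quick on $int_if", "in", INT, quick=True),
    ]


def posted_ruleset() -> List[Rule]:
    return [Rule("block", "block in log on $ext_if all", "in", EXT, log=True)] + common_rules()


def suggested_ruleset() -> List[Rule]:
    return [Rule("block", "block log all", log=True)] + common_rules()


# Constructed sample packets; outside addresses are RFC 5737 documentation ranges.
# The LAN client's packet carries its post-rdr destination, since rdr rewrites
# the destination before the filter rules see the packet.
SAMPLE_PACKETS = {
    "lan client to squid (after rdr)": Packet(INT, "in", "tcp", "172.17.0.20", PROXY, 8080),
    "squid fetching a page": Packet(EXT, "out", "tcp", PROXY, "203.0.113.9", 80),
    "unsolicited ssh from outside": Packet(EXT, "in", "tcp", "198.51.100.7", "192.0.2.2", 22),
    "packet on an unlisted interface": Packet("em0", "in", "udp", "10.9.8.7", "192.0.2.2", 53),
}


def compare(p: Packet):
    """Verdicts for one packet under the posted and the suggested first rule."""
    return evaluate(posted_ruleset(), p), evaluate(suggested_ruleset(), p)


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        posted, suggested = compare(pkt)
        print(f"{name}\n  posted:    {posted}\n  suggested: {suggested}")
```

Three of the four packets get the same verdict either way: the LAN client is passed by the final `pass in quick on $int_if`, Squid's outbound fetch by `pass out log`, and the unsolicited SSH attempt is blocked and logged by whichever block rule sits first. The last packet is where the two differ: with the interface-scoped `block in log on $ext_if all`, a packet arriving on an interface the ruleset never names falls through to pf's implicit pass and leaves no trace in pflog, whereas `block log all` blocks it and logs it. That is the practical value of a catch-all default deny when the logs are the main diagnostic: every packet that no pass rule claims shows up as a logged block with the rule number that caught it, in both directions.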


