From owner-freebsd-pf@FreeBSD.ORG Sat Mar 26 16:46:10 2011
From: Greg Hennessy <Greg.Hennessy@nviz.net>
To: Leslie Jensen, freebsd-pf@freebsd.org
Date: Sat, 26 Mar 2011 16:46:06 +0000
Subject: RE: Lost in rules!
Message-ID: <9E8D76EC267C9444AC737F649CBBAD903A32A37EE2@PEMEXMBXVS02.jellyfishnet.co.uk.local>
In-Reply-To: <4D8E11CB.2070501@eskk.nu>
List-Id: "Technical discussion and general questions about packet filter (pf)"
You've enabled routing?

What are the logs telling you?

Change this

    block in log on $ext_if all

to

    block log all

There may be an egress block somewhere.

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Leslie Jensen
> Sent: 26 March 2011 4:18 PM
> To: freebsd-pf@freebsd.org
> Subject: Lost in rules!
>
> Hello list.
>
> I've had a machine running FreeBSD 7.2-RELEASE as a firewall and Squid proxy
> server on a network with 10 PCs behind it for some years.
>
> Now I've got some new hardware and have installed FreeBSD 8.2-RELEASE
> with exactly the same set-up.
>
> My problem is that PF is not acting the same. Everything is blocked; if I
> remove the first rule "block in log on $ext_if all" I get some functionality, but it
> won't redirect the traffic to Squid, for example.
>
> I've been trying to fix it but I need some new eyes to help me.
>
> Below is the pf.conf on the new 8.2 machine and further below is the
> original pf.conf from the 7.2 system.
>
> I'm aware that there have been some changes to the pf syntax, but when
> doing pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.
>
> Will you please take a look and see if you can see what's wrong?
>
> Thank you :-)
>
> /Leslie
>
>
>
> My new pf.conf
> ---------------------------------------------------------------
>
> #
> # macros
> ext_if="xl0"
> int_if="bfe0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.17.0/16"
> proxy = "127.0.0.1"
> vncports="{ 5900, 5901 }"
>
> # tables
> table persist
> table persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> # Testing for VNC!
> # Translate incoming packets' destination addresses.
> # As an example, redirect a TCP and UDP port to an internal machine.
> # rdr on $ext_if inet proto tcp from to ($ext_if) port 5910 \
> #    -> 172.17.0.160 port 5900
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
> # filter rules
> block in log on $ext_if all
>
> block drop in log quick proto ipv6 all
>
> block drop out log quick proto ipv6 all
>
> block in log quick on $ext_if from label "ssh bruteforce"
>
> pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
>
> pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
>
> pass out log
>
> # Let the goodguys access the machine from the outside
> pass in log on $ext_if inet proto tcp from to ($ext_if) port $tcp_services flags S/SA keep state
>
> # We need this for the rdr to VNC (change of portnumber)
> pass in on $ext_if inet proto tcp from to $internal_net port $vncports flags S/SA synproxy state
>
> # ICMP answers (traffic) needs to be passed:
> pass in inet proto icmp all icmp-type $icmp_types keep state
>
> # traffic must be passed to and from the internal network
> pass in quick on $int_if
> #
>
> _______________________________________________________________________
>
>
> The original pf.conf
> --------------------------------------------------------------------------
>
>
> # macros
> ext_if="xl0"
> int_if="bfe0"
>
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="echoreq"
> internal_net = "172.17.0/16"
> proxy = "127.0.0.1"
>
> # tables
> table persist
> table persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> # Testing for VNC!
> # Translate incoming packets' destination addresses.
> # As an example, redirect a TCP and UDP port to an internal machine.
> # rdr on $ext_if inet proto tcp from to ($ext_if) port 5910 \
> #    -> 172.17.0.160 port 5900
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
> # filter rules
> block in log (all)
>
> block drop in log quick proto ipv6 all
>
> block drop out log quick proto ipv6 all
>
> block in log quick on $ext_if from label "ssh bruteforce"
>
> pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
>
> pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
>
> pass out keep state
>
> # Let the goodguys access the machine from the outside
> pass in on $ext_if inet proto tcp from to ($ext_if) \
>     port $tcp_services flags S/SA keep state
>
> # We need this for the rdr to VNC (change of portnumber)
> pass in on $ext_if inet proto tcp from to $internal_net \
>     port $vncports flags S/SA synproxy state
>
> # ICMP answers (traffic) needs to be passed:
> # pass in inet proto icmp all icmp-type $icmp_types keep state
>
> # traffic must be passed to and from the internal network
> pass in quick on $int_if
> #
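Greg's first question is what the logs say. Every rule above carries `log`, so pflog already records which rule number, interface and direction produced each block; the script below is an added example (not part of this thread and not a pf or FreeBSD tool) that tallies lines in the form `tcpdump -n -e -ttt -r /var/log/pflog` prints, so you can see at a glance whether the blocks come from the catch-all on $ext_if, the ipv6 rules, or something else. The log lines, addresses and rule numbers embedded in it are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -r /var/log/pflog` output.
# Addresses (RFC 5737 documentation ranges) and rule numbers are made up
# for this example; they are not from the thread.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 0/0(match): block in on xl0: 203.0.113.5.51022 > 198.51.100.2.22: Flags [S], seq 1, win 65535, length 0
00:00:00.004120 rule 0/0(match): block in on xl0: 203.0.113.9.40000 > 198.51.100.2.993: Flags [S], seq 1, win 65535, length 0
00:00:00.010000 rule 4/0(match): pass in on bfe0: 172.17.0.23.50111 > 127.0.0.1.8080: Flags [S], seq 1, win 65535, length 0
00:00:00.020000 rule 0/0(match): block in on xl0: 203.0.113.5.51023 > 198.51.100.2.22: Flags [S], seq 1, win 65535, length 0
00:00:00.030000 rule 6/0(match): pass out on xl0: 198.51.100.2.51000 > 93.184.216.34.80: Flags [S], seq 1, win 65535, length 0
00:00:00.040000 rule 0/0(match): block in on xl0: 203.0.113.7 > 198.51.100.2: ICMP echo request, id 1, seq 1, length 64
"""

# The "-e" link-level header that tcpdump prints for the pflog DLT:
#   rule <num>/<subrule>(<reason>): <action> <dir> on <ifname>: <src> > <dst>:
HEADER_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\((?P<reason>\w+)\): "
    r"(?P<action>block|pass|match) (?P<dir>in|out) on (?P<ifname>[\w.]+): "
    r"(?P<src>\S+) > (?P<dst>\S+):"
)


def split_host_port(endpoint):
    """tcpdump prints IPv4 as a.b.c.d.port and IPv6 as addr.port; ICMP has no port."""
    host, dot, port = endpoint.rpartition(".")
    if dot and port.isdigit() and (":" in host or host.count(".") == 3):
        return host, int(port)
    return endpoint, None


def parse_pflog(text):
    """Turn tcpdump pflog lines into dicts; lines that do not carry the pflog header are skipped."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if not m:
            continue
        src, sport = split_host_port(m.group("src"))
        dst, dport = split_host_port(m.group("dst"))
        records.append({
            "rule": int(m.group("rule")),
            "reason": m.group("reason"),
            "action": m.group("action"),
            "dir": m.group("dir"),
            "ifname": m.group("ifname"),
            "src": src, "sport": sport,
            "dst": dst, "dport": dport,
        })
    return records


def summarize_blocks(records):
    """Count blocked packets by (rule number, interface, direction, destination port)."""
    return Counter(
        (r["rule"], r["ifname"], r["dir"], r["dport"])
        for r in records if r["action"] == "block"
    )


def report(text):
    """Print the block summary, most frequent first; returns the number of blocked packets."""
    blocks = summarize_blocks(parse_pflog(text))
    for (rule, ifname, direction, dport), n in blocks.most_common():
        port = "-" if dport is None else dport
        print(f"rule @{rule:<3} {direction:<3} on {ifname:<6} dport {port!s:<6} {n} packet(s)")
    return sum(blocks.values())


if __name__ == "__main__":
    report(SAMPLE_PFLOG)
```

Feed it real data with `tcpdump -n -e -ttt -r /var/log/pflog | python3 pflog_summary.py` after replacing the sample with `sys.stdin.read()`. The `@N` rule numbers in the summary are the same numbers `pfctl -vvsr` prints in front of each loaded rule, so a summary dominated by `rule @0 in on xl0` points straight at the first `block in log on $ext_if all` line, while blocks attributed to a later number show that a more specific rule is matching instead.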