Date: Tue, 01 Mar 2005 20:31:43 -0500
From: Gerard Samuel <fbsd-pf@trini0.org>
To: Hexren <me@hexren.net>
Cc: freebsd-pf@freebsd.org
Subject: Re: Whats wrong with this ruleset?
Message-ID: <4225177F.1060008@trini0.org>
In-Reply-To: <143533196.20050302004413@hexren.net>
References: <4224F74B.1030502@trini0.org> <143533196.20050302004413@hexren.net>
Hexren wrote:

>GS> For some reason, port 53 is blocked going out of the external interface ->
>GS> 000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 > xx.xx.xx.xxx.4973
>
>GS> I'm still new to pf, but shouldn't the last two lines allow anything
>GS> going out
>GS> to pass??
>GS> Any ideas on how to fix?
>GS> Thanks for your time
>
>GS> ----
>GS> # macros
>GS> int_if = "fxp0"
>GS> ext_if = "ed0"
>
>GS> tcp_services = "{ 22, 113 }"
>GS> icmp_types = "echoreq"
>
>GS> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
>GS> hivemind = "192.168.0.2"
>GS> www = "10.0.0.1"
>
>GS> isp_dhcp = "xx.xx.xx.xx"
>
>GS> # options
>GS> set block-policy return
>GS> set loginterface $ext_if
>
>GS> # scrub
>GS> scrub in all
>
>GS> # nat/rdr
>GS> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
>GS> rdr on $ext_if proto tcp from any to any port 22 -> $hivemind
>GS> rdr on $ext_if proto tcp from any to any port 25 -> $hivemind
>GS> rdr on $ext_if proto tcp from any to any port 80 -> $www
>GS> rdr on $ext_if proto tcp from any to any port 110 -> $hivemind
>
>
>GS> # filter rules
>GS> block log all
>
>GS> pass quick on lo0 all
>
>GS> block drop in quick on $ext_if from $priv_nets to any
>GS> block drop out quick on $ext_if from any to $priv_nets
>
>GS> pass in on $ext_if inet proto tcp from any to ($ext_if) port
>GS> $tcp_services flags S/SA keep state
>
>GS> pass in on $ext_if proto {udp} from $isp_dhcp to any port 68
>
>GS> pass in on $ext_if proto {tcp} from any to any port 22
>
>GS> pass in on $ext_if proto {tcp, udp} from any to any port 53
>
>GS> pass in on $ext_if proto {tcp} from any to any port 25
>GS> pass in on $ext_if proto {tcp} from any to any port 110
>
>GS> pass in on $ext_if proto tcp from any to $www port 80 flags S/SA
>GS> synproxy state
>
>GS> pass in inet proto icmp all icmp-type $icmp_types keep state
>
>GS> pass in on $int_if from $int_if:network to any keep state
>GS> pass out on $int_if from any to $int_if:network keep state
>
>GS> pass out on $ext_if proto tcp all modulate state flags S/SA
>GS> pass out on $ext_if proto {udp, icmp} all keep state
>GS> _______________________________________________
>GS> freebsd-pf@freebsd.org mailing list
>GS> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>GS> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>---------------------------------------------
>
>I am not that genius in pf, but try if it helps if you comment these
>two rules out.
>
>block drop in quick on $ext_if from $priv_nets to any
>block drop out quick on $ext_if from any to $priv_nets
>
>Hexren
>

That didn't work. I didn't think it would have, as $priv_nets only refers to the internal network.
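As an added example that is not part of the thread: a small Python parser for the pflog verdict line Gerard quoted (the tcpdump-on-pflog0 format), which splits out the rule number, verdict, direction, interface and endpoints and flags verdicts that came from the catch-all `block log all`, which sits first in the posted ruleset and is therefore rule 0. The rule-0 position is taken from the post; the sample lines and addresses are constructed.

```python
import re

# Shape of the pflog line quoted in the thread (tcpdump -ttt on pflog0):
#   000000 rule 0/0(match): block out on ed0: IP 192.0.2.10.53 > 198.51.100.7.4973
# Anything after the destination port (proto, flags, length) is kept in 'rest'.
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+rule\s+(?P<rule>\d+)/(?P<subrule>\d+)\((?P<reason>\w+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<direction>in|out)\s+on\s+(?P<iface>\w+):\s+"
    r"IP6?\s+(?P<src>[\w.:]+?)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\w.:]+?)\.(?P<dport>\d+)"
    r"(?=[:\s]|$)(?P<rest>.*)$"
)

def parse_pflog_line(line):
    """Parse one pflog verdict line into a dict of fields; None if it is not one."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "subrule", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["rest"] = rec["rest"].strip(" :")
    return rec

def fell_through_to_catchall(rec, catchall_rule=0):
    """True when a block verdict came from the catch-all rule.

    In the posted pf.conf 'block log all' is the first filter rule, so pf numbers
    it 0: a block logged against rule 0 means no later pass rule and no existing
    state entry matched the packet. Confirm the number with 'pfctl -vvsr', since
    list expansion ({tcp, udp} and the like) shifts the numbers of later rules.
    """
    return rec["action"] == "block" and rec["rule"] == catchall_rule

def unmatched_block_summary(lines):
    """Count catch-all blocks per (direction, iface, sport, dport) to spot the flow at fault."""
    counts = {}
    for line in lines:
        rec = parse_pflog_line(line)
        if rec and fell_through_to_catchall(rec):
            key = (rec["direction"], rec["iface"], rec["sport"], rec["dport"])
            counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample lines using documentation addresses, not the poster's real log.
SAMPLE_LOG = """\
000000 rule 0/0(match): block out on ed0: IP 192.0.2.10.53 > 198.51.100.7.4973
000120 rule 0/0(match): block out on ed0: IP 192.0.2.10.53 > 198.51.100.7.4975
000003 rule 2/0(match): block in on ed0: IP 10.0.0.5.1234 > 192.0.2.10.22
garbage line that is not a pf verdict
""".splitlines()
```

Running `unmatched_block_summary` over a real pflog capture shows which port-53 flows are hitting rule 0, which narrows the question to why no pass rule or state covered them.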
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4225177F.1060008>