From: Gerard Samuel
Date: Tue, 01 Mar 2005 20:31:43 -0500
To: Hexren
cc: freebsd-pf@freebsd.org
Subject: Re: What's wrong with this ruleset?
Message-ID: <4225177F.1060008@trini0.org>
In-Reply-To: <143533196.20050302004413@hexren.net>
List-Id: Technical discussion and general questions about packet filter (pf)

Hexren wrote:
>GS> For some reason, port 53 is blocked going out of the external interface ->
>GS> 000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 >
>GS> xx.xx.xx.xxx.4973
>
>GS> I'm still new to pf, but shouldn't the last two lines allow anything
>GS> going out to pass?
>GS> Any ideas on how to fix?
>GS> Thanks for your time
>
>GS> ----
>GS> # macros
>GS> int_if = "fxp0"
>GS> ext_if = "ed0"
>
>GS> tcp_services = "{ 22, 113 }"
>GS> icmp_types = "echoreq"
>
>GS> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
>GS> hivemind = "192.168.0.2"
>GS> www = "10.0.0.1"
>
>GS> isp_dhcp = "xx.xx.xx.xx"
>
>GS> # options
>GS> set block-policy return
>GS> set loginterface $ext_if
>
>GS> # scrub
>GS> scrub in all
>
>GS> # nat/rdr
>GS> nat on $ext_if from $int_if:network to any -> ($ext_if)
>
>GS> rdr on $ext_if proto tcp from any to any port 22 -> $hivemind
>GS> rdr on $ext_if proto tcp from any to any port 25 -> $hivemind
>GS> rdr on $ext_if proto tcp from any to any port 80 -> $www
>GS> rdr on $ext_if proto tcp from any to any port 110 -> $hivemind
>
>GS> # filter rules
>GS> block log all
>
>GS> pass quick on lo0 all
>
>GS> block drop in quick on $ext_if from $priv_nets to any
>GS> block drop out quick on $ext_if from any to $priv_nets
>
>GS> pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
>
>GS> pass in on $ext_if proto {udp} from $isp_dhcp to any port 68
>
>GS> pass in on $ext_if proto {tcp} from any to any port 22
>
>GS> pass in on $ext_if proto {tcp, udp} from any to any port 53
>
>GS> pass in on $ext_if proto {tcp} from any to any port 25
>GS> pass in on $ext_if proto {tcp} from any to any port 110
>
>GS> pass in on $ext_if proto tcp from any to $www port 80 flags S/SA synproxy state
>
>GS> pass in inet proto icmp all icmp-type $icmp_types keep state
>
>GS> pass in on $int_if from $int_if:network to any keep state
>GS> pass out on $int_if from any to $int_if:network keep state
>
>GS> pass out on $ext_if proto tcp all modulate state flags S/SA
>GS> pass out on $ext_if proto {udp, icmp} all keep state
>
>---------------------------------------------
>
>I am not that genius in pf, but try if it helps if you comment these
>two rules out.
>
>block drop in quick on $ext_if from $priv_nets to any
>block drop out quick on $ext_if from any to $priv_nets
>
>Hexren
>

That didn't work. I didn't think it would have, as $priv_nets only
refers to the internal network.
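The following is an added example, not part of this thread and not the original poster's ruleset. It shows the one property of pf that matters when a reply packet ends up in pflog as "block out" against rule 0: state lookup happens before any rule is evaluated, so a `pass in ... keep state` rule lets the answer leave the interface without ever consulting the `pass out` rules. On the pf of the FreeBSD 5.x / OpenBSD 3.x era `keep state` is not implied and has to be written out (it became the default in OpenBSD 4.1, imported by FreeBSD 7.0). `$ext_if` is reused from the post; `$ns` is an assumed placeholder for the address the DNS server answers from.

```pf
# Added example, not the original ruleset. Assumed macros:
ext_if = "ed0"
ns     = "xx.xx.xx.xx"     # placeholder: address the DNS server answers from

block log all

# Stateless variant: the query is passed in, but the answer leaving $ext_if
# is evaluated as a fresh packet and must match a "pass out" rule on its
# own; if nothing matches it falls back to "block log all" and shows up in
# pflog as "rule 0/0(match): block out on ed0".
#pass in on $ext_if proto { tcp, udp } from any to $ns port 53

# Stateful variant: the state entry created on the way in also matches the
# answer on the way out, before any rule is looked at, so the "pass out"
# rules (and their order) are irrelevant to this traffic.
pass in on $ext_if proto { tcp, udp } from any to $ns port 53 keep state
```

Two checks worth running before changing rules: `pfctl -nf /etc/pf.conf` parses the file without loading it, which catches a rule that was wrapped across two lines without a trailing backslash (pf treats the break as the end of the rule); and `pfctl -vvsr` prints every loaded rule with its `@N` index, so the number in a pflog line such as `rule 0/0(match)` can be matched to the exact rule that fired (here `@0 block drop log all`). `tcpdump -n -e -ttt -i pflog0` shows the blocked packets live together with that rule number.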