From owner-freebsd-pf@FreeBSD.ORG Tue Nov 29 22:32:35 2005
From: Forrest Aldrich
Date: Tue, 29 Nov 2005 17:34:03 -0500
To: freebsd-pf@freebsd.org
Message-ID: <438CD75B.2060002@forrie.com>
Subject: Unable to attach to public IP from private net... and a couple of questions.

I am unable to route to my public IP address from my private RFC network, which is puzzling me. I can get to 192.168.1.2:80 just fine (which I have internal DNS pointing my domain to anyhow). From what I understand, the connection should simply redirect internally. What am I doing wrong? (rules below).

Another item that puzzles me is:

pass quick on $int_if inet all keep state
# pass in quick on $int_if inet from $prv_net to any flags S/SA keep state
# pass in quick on $int_if inet from $prv_net to any keep state

If I do any of the commented-out items, I cannot ssh or do anything from the gateway to the internal network.

I also found that using ($ext_if) does not seem to work correctly. According to the PF BOOK, you should be able to use:

block in quick on $ext_if proto { tcp, udp } from to ($ext_if) port 25

where the use of parentheses, ($ext_if), should automatically obtain the IP address of the interface and place it into the rules accordingly - when I debug, it shows only "fxp0" and indeed the rules don't match.

I seem to have most of this working okay - it's been rough (converting from ipfw2). Any constructive critique/advice on the rules below would be greatly appreciated (before I lose my mind adding CBC queue for VoIP). Thank you.

# Macros
ext_if = "fxp0"
int_if = "em0"
icmp_types = "echoreq"
server = "192.168.1.2/32"
ext_ad = "24.62.224.XXX/32"
prv_net = "192.168.1.0/24"
rfc_nets = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, \
240.0.0.0/5, 127.0.0.0/8, 0.0.0.0 }"
tcp_services = "imap imaps www smtp smtps http https"

# Options (with "require-order yes", all "set" lines must come before
# normalization, translation and filter rules, so "set skip" belongs here)
set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal
set timeout tcp.first 20
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }
set skip on lo0

# Tables (the angle-bracketed table names did not survive in the archive)
table persist file "/etc/pf.d/spammers"
table persist file "/etc/pf.d/abuse"
table persist { \
58.0.0.0/8, 61.0.0.0/8, 124.0.0.0/8, 126.0.0.0/8, 168.208.0.0/16, \
196.192.0.0/16, 202.0.0.0/8, 210.0.0.0/8, 218.0.0.0/8, 220.0.0.0/8, \
222.0.0.0/8 \
}
table persist { \
80.0.0.0/8, 81.0.0.0/8, 82.0.0.0/8, 83.0.0.0/8, 84.0.0.0/8, 85.0.0.0/8, \
86.0.0.0/8, 87.0.0.0/8, 88.0.0.0/8, 89.0.0.0/8, 90.0.0.0/8, 91.0.0.0/8, \
193.0.0.0/8, 194.0.0.0/8, 195.0.0.0/8, 212.0.0.0/8, 213.0.0.0/8, \
217.0.0.0/8 \
}
table persist { \
41.0.0.0/8 \
}
table persist { \
189.0.0.0/8, 190.0.0.0/8, 200.0.0.0/8, 201.0.0.0/8 \
}

# Normalization
scrub on $ext_if all reassemble tcp no-df random-id

# Translation
nat on $ext_if inet from $prv_net to any -> $ext_if
rdr pass on $ext_if inet proto tcp from any to $ext_ad \
port { $tcp_services } -> $server

# Filtering
antispoof for { lo0, $int_if, $ext_if }
block all
block in quick on $ext_if proto { tcp, udp } from { , , , } \
to $ext_ad port 25
block in quick on $ext_if from to any
block in quick on $ext_if proto { tcp, udp } from to $ext_ad port 25
pass in quick on $int_if inet from $prv_net to any keep state
pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
flags S/SA modulate state
pass in on $ext_if inet proto udp all keep state
pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state (max 32)
pass out quick on $ext_if inet proto tcp all \
flags S/SA keep state
pass out quick on $ext_if inet proto udp all keep state
pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
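The reason the public address is unreachable from the private network is visible in the ruleset: the only rdr is "on $ext_if", and rdr rules are evaluated on the interface a packet arrives on. A connection from $prv_net to $ext_ad enters on $int_if, so it is never redirected; a second rdr on the internal interface plus a nat rule for the reply path (the "NAT reflection" pattern from the PF FAQ) fixes it. The following pf.conf fragment is an added example, not part of the original message or of the pf project; it reuses the macro names from the post, and the service list and addresses are assumptions. The comments also cover the two other points raised in the post: ($ext_if) is resolved against the interface's current address at packet-evaluation time and "pfctl -s rules" prints it as "(fxp0)" rather than an IP, which is expected, and "rdr pass" bypasses the filter rules entirely, so redirected connections never reach the "modulate state" pass rule.

```pf
# Added example (not from the original post): NAT reflection so that hosts
# on $prv_net can reach $server through the public address $ext_ad.
ext_if = "fxp0"
int_if = "em0"
server = "192.168.1.2"
ext_ad = "24.62.224.XXX"           # public address, redacted as in the post
prv_net = "192.168.1.0/24"
tcp_services = "{ smtp, www, https }"   # assumed service list

# Outbound NAT for the private network, as in the original ruleset.
nat on $ext_if inet from $prv_net to any -> ($ext_if)

# Redirect from the Internet: these packets arrive on $ext_if.
rdr on $ext_if inet proto tcp from any to $ext_ad port $tcp_services -> $server

# Reflection, step 1: the same connection made from inside arrives on
# $int_if, so it needs its own rdr there.
rdr on $int_if inet proto tcp from $prv_net to $ext_ad port $tcp_services -> $server

# Reflection, step 2: the redirected packet leaves on $int_if again and
# must be source-NATed to the gateway's internal address. Without this,
# $server answers the client directly, the client sees a reply from
# 192.168.1.2 instead of $ext_ad and resets the connection.
# The "no nat" line keeps the gateway's own traffic to the LAN untouched.
no nat on $int_if proto tcp from $int_if to $prv_net
nat on $int_if inet proto tcp from $prv_net to $server port $tcp_services -> $int_if

# Filter rules see the post-rdr destination ($server), not $ext_ad.
# The rdr rules above deliberately omit "pass": with "rdr pass" the
# redirected traffic would skip the filter (and the "modulate state"
# rule of the original ruleset) altogether.
block all
pass in on $ext_if inet proto tcp from any to $server port $tcp_services \
flags S/SA modulate state
pass in on $int_if inet from $prv_net to any keep state
pass out on $int_if inet proto tcp from any to $server port $tcp_services keep state
pass out on $ext_if inet keep state

# Interface address in parentheses: matched against fxp0's address at
# evaluation time, so the rule keeps working when the address changes.
# "pfctl -s rules" displays it as "(fxp0)"; that is the expected output.
block in quick on $ext_if inet proto { tcp, udp } from any to ($ext_if) port 25
```

Check the result with "pfctl -nf /etc/pf.conf" before loading, then "pfctl -s state" from an internal client connecting to the public address: a working reflection shows two state entries, the rdr on $int_if and the nat to the $int_if address, rather than none at all.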