From: "Littlefield, Tyler"
Reply-To: tyler@tysdomain.com
To: FreeBSD Questions
Subject: pf: rdr with two interfaces
Date: Sat, 6 Aug 2016 14:34:57 -0400
Message-ID: <9dc95fb0-737b-67d8-c6f7-7d7cbd402e72@tysdomain.com>

All,

I'm
attempting to set up two interfaces on different networks. I can connect to ports 22 and 53, but I cannot connect to any of the samba ports. Prior to the introduction of two interfaces this worked fine. Is there a problem with this setup? If so, any tips/etc would be great. Also, any thoughts on cleaning up these rules to look better/be more efficient would also be helpful.

Thanks,

if="bridge0"
eif="igb1"
addr="192.168.88.200"
eaddr="10.21.96.200"
samba_addr="192.168.0.2"

#port groupings
tcp_services="{4000 53 netbios-ns netbios-dgm netbios-ssn microsoft-ds 22}"
etcp_services="{netbios-ns netbios-dgm netbios-ssn microsoft-ds 22}"
udp_services="{53 netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
eudp_services="{netbios-ns netbios-dgm netbios-ssn microsoft-ds}"
samba_services="{netbios-dgm netbios-ns netbios-ssn microsoft-ds}"

set skip on lo
set loginterface $if
scrub in all

#allow jails through
#samba
nat on $if inet from $samba_addr to any tag jail_samba -> $addr

#portforward to jails.
#samba
rdr pass proto tcp from any to any port $samba_services -> $samba_addr
rdr pass proto udp from any to any port $samba_services -> $samba_addr
#rdr pass on $eif proto tcp from any to any port $samba_services -> $samba_addr
#rdr pass on $eif proto udp from any to any port $samba_services -> $samba_addr

#rules
pass quick on lo1
pass from $if to any keep state
pass from $eif to any keep state

#default policy: deny
block in log all
antispoof quick for { $if $eif lo }

#accept TCP ports.
pass in on $if proto tcp from any to any port $tcp_services
pass in on $eif proto tcp from any to any port $etcp_services
pass in on $if proto udp from any to any port $udp_services
pass in on $eif proto udp from any to any port $eudp_services

--
Take care,
Ty
Twitter: @sorressean
Web: https://tysdomain.com
Pubkey: https://tysdomain.com/files/pubkey.asc