Date:      Thu, 21 Oct 2004 23:07:24 +0200
From:      Matteo Riondato <rionda@gufi.org>
To:        freebsd-pf@freebsd.org
Subject:   Re: Another problem with pf..
Message-ID:  <1098392844.909.34.camel@kaiser.sig11.org>
In-Reply-To: <1415983562.20041021225652@andric.com>
References:  <1098383388.909.3.camel@kaiser.sig11.org> <643946323.20041021211340@andric.com> <1098391754.909.16.camel@kaiser.sig11.org> <1415983562.20041021225652@andric.com>



Thu, 2004-10-21 at 22:56, Dimitry Andric wrote:
> On 2004-10-21 at 22:49:14 Matteo Riondato wrote:
> Hm, so your rules seem to be okay.  Do I miss something, or don't I
> see any NAT rule in there?

Uh, well, I commented them out because I had to let my LAN hosts
browse (and keep my family happy...)
The complete output is this:
kaiser# pfctl -n -v -f /etc/pf.conf
ext_if = "tun0"
wifi_if = "rl0"
eth_if = "fxp1"
wifi_net = "192.168.1.0/27"
eth_net = "192.168.0.0/29"
tcp_services = "{ 22, 80, 25, 4660 >< 4683, 6890 >< 6901 }"
icmp_types = "{ 0, 3, 8, 11 }"
scrub in all fragment reassemble
nat on tun0 inet from 192.168.1.0/27 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.0.0/29 to any -> (tun0) round-robin
block drop all
pass quick on lo0 all
block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
block drop in log quick inet from 192.168.1.1 to any
block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
block drop in quick inet from 192.168.0.1 to any
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = ssh flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = http flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = smtp flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port 4660 >< 4683 flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port 6890 >< 6901 flags S/SA keep state
pass inet proto icmp all icmp-type echorep
pass inet proto icmp all icmp-type unreach
pass inet proto icmp all icmp-type echoreq
pass inet proto icmp all icmp-type timex
pass in on rl0 inet from 192.168.1.0/27 to any keep state
pass out on rl0 inet from any to 192.168.1.0/27 keep state
pass in on fxp1 inet from 192.168.0.0/29 to any keep state
pass out on fxp1 inet from any to 192.168.0.0/29 keep state
pass in on rl0 inet from 192.168.1.200 to 192.168.1.1 keep state
pass out on rl0 inet from 192.168.1.1 to 192.168.1.200 keep state
pass out on tun0 proto tcp all flags S/SA modulate state
pass out on tun0 proto udp all keep state
pass out on tun0 proto icmp all keep state


> Next question is: what happens if you manually run /etc/rc.d/pf start
> or reload?

Rules get loaded. Can this be related to the fact that I use the module
and not the in-kernel support?
Best Regards
-- 
Rionda aka Matteo Riondato
GUFI Staff Member (http://www.gufi.org)
FreeSBIE Developer (http://www.freesbie.org)
BSD-FAQ-it Main Developer (http://utenti.gufi.org/~rionda)
Sent from: kaiser.sig11.org running FreeBSD-6.0-CURRENT

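As an added example (not code from this thread, from Matteo, or from pf itself): a small POSIX sh lint pass over a text copy of the ruleset posted above. It answers the question Dimitry raised (are there any nat rules on the external interface?) and flags the two things a reviewer would pick out of this dump: the inbound pass rules on tun0 name the literal address 82.52.115.76 while the nat rules use the dynamic (tun0) form, so the pass rules stop matching as soon as the PPP address changes; and three of the block rules, including the default "block drop all", carry no "log", so the drops they cause leave nothing in pflog to debug with. The function names are mine, the sample is the posted ruleset abridged to the lines the checks look at, and it does not touch the boot-order question the thread is actually about.

```shell
#!/bin/sh
# Added example, not code from the thread or from pf: lint a text copy of a
# "pfctl -n -v -f /etc/pf.conf" dump. All function names here are my own.

# Constructed sample: the ruleset posted in the message, abridged, with the
# mailer's line wraps undone so that every rule sits on a single line.
sample_rules() {
cat <<'EOF'
ext_if = "tun0"
wifi_if = "rl0"
eth_if = "fxp1"
wifi_net = "192.168.1.0/27"
eth_net = "192.168.0.0/29"
scrub in all fragment reassemble
nat on tun0 inet from 192.168.1.0/27 to any -> (tun0) round-robin
nat on tun0 inet from 192.168.0.0/29 to any -> (tun0) round-robin
block drop all
pass quick on lo0 all
block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
block drop in log quick inet from 192.168.1.1 to any
block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
block drop in quick inet from 192.168.0.1 to any
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = ssh flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = http flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port = smtp flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port 4660 >< 4683 flags S/SA keep state
pass in on tun0 inet proto tcp from any to 82.52.115.76 port 6890 >< 6901 flags S/SA keep state
pass inet proto icmp all icmp-type echoreq
pass in on rl0 inet from 192.168.1.0/27 to any keep state
pass in on fxp1 inet from 192.168.0.0/29 to any keep state
pass out on tun0 proto tcp all flags S/SA modulate state
EOF
}
RULES=$(sample_rules)

# count_nat_rules RULES IFACE: active nat rules on IFACE.
count_nat_rules() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$1 == "nat" && $3 == ifc { n++ } END { print n + 0 }'
}

# nat_to_dynamic_addr RULES IFACE: nat rules that translate to "(IFACE)", the
# form that follows the interface address when PPP renegotiates it.
nat_to_dynamic_addr() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "nat" && $3 == ifc {
            for (i = 4; i < NF; i++)
                if ($i == "->" && $(i + 1) == ("(" ifc ")")) n++
        }
        END { print n + 0 }'
}

# hardcoded_ext_addrs RULES IFACE: inbound pass rules on IFACE whose
# destination is a literal IPv4 address instead of "(IFACE)". On a dynamic
# link these silently stop matching once the address changes.
hardcoded_ext_addrs() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 == "pass" && $2 == "in" && $3 == "on" && $4 == ifc {
            for (i = 5; i < NF; i++)
                if ($i == "to" && $(i + 1) ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) n++
        }
        END { print n + 0 }'
}

# unlogged_block_rules RULES: block rules without "log"; drops they cause
# never reach pflog, so nothing explains why a connection failed.
unlogged_block_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "block" {
            logged = 0
            for (i = 2; i <= NF; i++) if ($i == "log") logged = 1
            if (!logged) n++
        }
        END { print n + 0 }'
}

# report RULES IFACE: one line per check, for reading the result by hand.
report() {
    printf 'nat rules on %s:                 %s\n' "$2" "$(count_nat_rules "$1" "$2")"
    printf 'nat rules translating to (%s):   %s\n' "$2" "$(nat_to_dynamic_addr "$1" "$2")"
    printf 'pass in on %s to literal address: %s\n' "$2" "$(hardcoded_ext_addrs "$1" "$2")"
    printf 'block rules without log:           %s\n' "$(unlogged_block_rules "$1")"
}
report "$RULES" tun0
```

Against a live box you would feed it the output of "pfctl -sn" and "pfctl -sr" instead of the embedded sample. The fix the third check points at is to write the inbound rules as "to (tun0)" (or "to ($ext_if)" in pf.conf) so the filter and nat rules track the same address.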


