Date: Thu, 21 Oct 2004 22:56:52 +0200
From: Dimitry Andric <dimitry@andric.com>
To: Matteo Riondato <rionda@gufi.org>
Cc: freebsd-pf@freebsd.org
Subject: Re: Another problem with pf..
Message-ID: <1415983562.20041021225652@andric.com>
In-Reply-To: <1098391754.909.16.camel@kaiser.sig11.org>
References: <1098383388.909.3.camel@kaiser.sig11.org> <1098391754.909.16.camel@kaiser.sig11.org>

On 2004-10-21 at 22:49:14 Matteo Riondato wrote:

> ext_if = "tun0"
> wifi_if = "rl0"
> eth_if = "fxp1"
> wifi_net = "192.168.1.0/27"
> eth_net = "192.168.0.0/29"
> tcp_services = "{ 22, 80, 25, 4660 >< 4683, 6890 >< 6901 }"
> icmp_types = "{ 0, 3, 8, 11 }"
> scrub in all fragment reassemble
> block drop all
> pass quick on lo0 all
> block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
> block drop in log quick inet from 192.168.1.1 to any
> block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
> block drop in quick inet from 192.168.0.1 to any
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = ssh flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = http flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = smtp flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port 4660 >< 4683 flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port 6890 >< 6901 flags S/SA keep state
> pass inet proto icmp all icmp-type echorep
> pass inet proto icmp all icmp-type unreach
> pass inet proto icmp all icmp-type echoreq
> pass inet proto icmp all icmp-type timex
> pass in on rl0 inet from 192.168.1.0/27 to any keep state
> pass out on rl0 inet from any to 192.168.1.0/27 keep state
> pass in on fxp1 inet from 192.168.0.0/29 to any keep state
> pass out on fxp1 inet from any to 192.168.0.0/29 keep state
> pass in on rl0 inet from 192.168.1.200 to 192.168.1.1 keep state
> pass out on rl0 inet from 192.168.1.1 to 192.168.1.200 keep state
> pass out on tun0 proto tcp all flags S/SA modulate state
> pass out on tun0 proto udp all keep state
> pass out on tun0 proto icmp all keep state

Hm, so your rules seem to be okay. Do I miss something, or don't I see any NAT rule in there?

Next question is: what happens if you manually run /etc/rc.d/pf start or reload?