Date: Thu, 26 Mar 2009 17:23:23 +0300
From: Eric Magutu <emagutu@gmail.com>
To: "Michael K. Smith - Adhost" <mksmith@adhost.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: first firewall with pf
Message-ID: <e9cb8190903260723y40f12cd9s7af35670f7285627@mail.gmail.com>
In-Reply-To: <17838240D9A5544AAA5FF95F8D52031605B4283F@ad-exh01.adhost.lan>
References: <53529.216.241.167.212.1237911183.squirrel@webmail.pknet.net> <op.ura05ywcflcvyi@da1-desktop-x64> <17838240D9A5544AAA5FF95F8D52031605B4283F@ad-exh01.adhost.lan>
Hi everyone,

Thanks for all your input so far. I have tried to implement all your suggestions but have gotten stuck. I set up a test machine in the office with the IP 10.0.0.110 and encountered the following problems: when I enabled antispoofing, the firewall didn't work. When I tried allowing the 10.0.0.0 subnet it worked OK, but when I tried connecting from machines on the 172.16 subnet I was unable to connect. Can you please let me know what I'm doing wrong?

#############
#interfaces #
#############
ext_if="le0"
#ext_if2="bce1"

#####################
#ports to be opened #
#####################
#tcp ports
good_port_tcp="{ 80, 110, 143, 161, 443, 873 }"
#udp ports
good_port_udp="{ 161, 873 }"

##########################
#block all other traffic #
##########################
# should be the first rule
block in on $ext_if all

################
#anti-spoofing #
################
#traffic can't come in on your IP's
#antispoof quick for { lo0 $ext_if $ext_if2 } inet

#############################################
#allow all connections from and to loopback #
#############################################
pass in quick on lo0 all keep state
pass out quick on lo0 all keep state

########################################################
#allow all connections out through external interfaces #
########################################################
pass out quick on $ext_if all keep state

##############
#Blocked ips #
##############
#put ips or ip blocks as below
badguys="{ 192.168.1.100, 192.160.1.2, 192.168.200.0/24 }"
block in quick on $ext_if from $badguys

############################
#smtp connections allowed #
############################
#European servers
pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25 keep state
#American
pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25 keep state
#from the old iptables???
pass in quick on $ext_if proto tcp from x.x.x.0/27 to 10.0.0.110 port 25 keep state

###################################
# pass traffic from allowed ports #
###################################
#pass traffic from allowed tcp ports
pass in on $ext_if inet proto tcp from any to 10.0.0.110 port $good_port_tcp keep state
#pass traffic from allowed udp ports
pass in on $ext_if inet proto udp from any to 10.0.0.110 port $good_port_udp keep state

##########################################
# allow connections from NMC and servers #
##########################################
#my ip
pass in quick on $ext_if inet proto { tcp, udp, icmp } from 10.0.0.58 to 10.0.0.110 keep state
#172.16.0.0/12 are the ips NMC access with
pass in on $ext_if inet proto { tcp, udp, icmp } from 172.16.0.0/12 to 10.0.0.110 keep state

##################
# enable logging #
##################
block in log on $ext_if
# to view log run command below
#tcpdump -n -e -ttt -i pflog0

##################################################
#for any questions contact me#
##################################################

On Tue, Mar 24, 2009 at 8:00 PM, Michael K. Smith - Adhost <mksmith@adhost.com> wrote:
> I also forgot to mention:
>
> You should probably log your block rule so that you can see what's going on
> if things don't work as expected.
>
> So:
>
> block in log on $ext_if
>
> Note the lack of "quick" as well, as previously mentioned.
>
> With logging enabled, provided you have pflog running (which you should),
> you can use the following to see what's being blocked.
>
> tcpdump -n -e -ttt -i pflog0 (provided pflog0 is your pflog interface).
>
> Regards,
>
> Mike
>

--
Regards,
Eric Magutu
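Added example, not part of the thread and not anyone's posted configuration: a small Python model of how pf evaluates a ruleset (every rule is tried in order, the last matching rule wins, unless a matching rule carries "quick", which ends evaluation at once). It is applied to a reduced, inbound-on-$ext_if-only version of the ruleset posted above. The model shows why the "quick" rule for 10.0.0.58 keeps working while the non-quick pass rules for the port lists and for 172.16.0.0/12 are overridden by the trailing "block in log on $ext_if", and that putting that logging block first (where the "should be the first rule" comment already puts the unlogged block) restores the passes. Interface, direction, state and the smtp/x.x.x.0 rules are left out as a simplifying assumption; the sample packets and the 203.0.113.7 source address are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One inbound packet on the external interface (constructed sample data)."""
    src: str
    dst: str
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A reduced pf rule: action, optional 'quick', source network, protocols, ports."""
    action: str               # "pass" or "block"
    quick: bool = False
    src: str = "any"          # CIDR or "any"
    protos: Tuple[str, ...] = ()   # empty tuple = any protocol
    dports: Tuple[int, ...] = ()   # empty tuple = any destination port
    log: bool = False

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.protos and pkt.proto not in self.protos:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        return True


def verdict(rules, pkt: Packet) -> str:
    """Model of pf rule evaluation: last matching rule wins, unless a matching
    rule is 'quick', in which case evaluation stops there. pf's default when no
    rule matches at all is to pass."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "pass"


GOOD_TCP = (80, 110, 143, 161, 443, 873)
GOOD_UDP = (161, 873)

# Inbound rules in the order the posted pf.conf lists them.
POSTED = [
    Rule("block"),                                          # block in on $ext_if all
    Rule("block", quick=True, src="192.168.200.0/24"),      # one of the $badguys entries
    Rule("pass", protos=("tcp",), dports=GOOD_TCP),         # $good_port_tcp, no quick
    Rule("pass", protos=("udp",), dports=GOOD_UDP),         # $good_port_udp, no quick
    Rule("pass", quick=True, src="10.0.0.58",
         protos=("tcp", "udp", "icmp")),                    # "my ip", quick
    Rule("pass", src="172.16.0.0/12",
         protos=("tcp", "udp", "icmp")),                    # NMC range, no quick
    Rule("block", log=True),                                # block in log on $ext_if (last!)
]

# Same rules, but the logged block is the first rule and nothing follows the passes.
FIXED = [Rule("block", log=True)] + [r for r in POSTED[1:] if r.action != "block" or r.quick]


SAMPLES = {
    "admin_ssh": Packet("10.0.0.58", "10.0.0.110", "tcp", 22),
    "nmc_ssh": Packet("172.16.5.5", "10.0.0.110", "tcp", 22),
    "web": Packet("203.0.113.7", "10.0.0.110", "tcp", 80),
    "snmp_udp": Packet("203.0.113.7", "10.0.0.110", "udp", 161),
    "badguy_web": Packet("192.168.200.9", "10.0.0.110", "tcp", 80),
    "random_ssh": Packet("203.0.113.7", "10.0.0.110", "tcp", 22),
}


def compare(samples=SAMPLES):
    """Return {name: (verdict under POSTED, verdict under FIXED)} for each sample."""
    return {name: (verdict(POSTED, p), verdict(FIXED, p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:12s} posted={before:5s} fixed={after}")
```

Under the posted order only the 10.0.0.58 packet gets through, because its rule is the only inbound pass marked "quick"; every other pass is followed by the final unconditional block, which is the last match and therefore wins. With the logged block moved to the top the port-list and 172.16.0.0/12 passes become the last match, while the quick $badguys block and the absence of any pass for port 22 from arbitrary sources still block what should be blocked.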