Date: Sun, 09 Jan 2005 02:00:52 +0100
From: Rob Lensen <rob@bsdfreaks.nl>
To: freebsd-pf@freebsd.org
Subject: Re: Strange bridge problem with pf
Message-ID: <41E08244.2070409@bsdfreaks.nl>
In-Reply-To: <41B9BB9A.7000300@bsdfreaks.nl>
References: <41B9BB9A.7000300@bsdfreaks.nl>
Hello,

The problem which I had with FreeBSD and the bridged setup is solved. I solved it by switching the transparent bridge machine to OpenBSD 3.6. So the same ruleset is working perfectly on OpenBSD. So I think PF and bridge do not work well on FreeBSD.

Best,
Rob

>
> I have a strange problem with pf on a bridged setup.
>
> I did read the previous thread about the pf problem with a bridge, since the sysctl value of ipf bridge should be enabled.
>
> In the attached file the pf.conf is given. (fxp0 is the outside nic)
>
> The firewall is working for all machines behind the firewall except sf1; nothing seems to go to this machine if the firewall is enabled.
>
> If I look at the output of pfctl -sr I can see the rules for this machine are loaded:
>
> @7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
> @16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
> @17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state
>
> This should open the ports for ssh and http to machine X.6 (sf1), however no connection can be made.
> Nmap shows:
> 22/tcp open ssh
> 80/tcp open http
>
> #telnet X.6 22
> gives a time out
>
> All other hosts are working fine.
>
> Does anyone have any clue on this problem?
>
> Best
> Rob Lensen
>
>
> ------------------------------------------------------------------------
>
> outside="fxp0"
> ext_if="fxp0"
> inside="fxp1"
> local="rl0"
>
> ext_ip=""
> local_net ="X.0/24"
>
> # Tables: similar to macros, but more flexible for many addresses.
> table <priv_nets> {127.0.0.0/8, 192.168.1.0/16, 172.16.0.0/12, 10.0.0.0/8 }
>
> set loginterface $outside
> set block-policy return
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> #scrub in all
>
> web_A_2 = "X.2"
> web_A_3 = "X.3"
> web_A_4 = "X.4"
> web_A_7 = "X.7"
> web_A_8 = "X.8"
> web_A_9 = "X.9"
> web_A_20 = "X.20"
> sf1 = "X.6"
> sf2 = "X.30"
> mysql2 = "X.14"
> extranet = "X.13"
> firewall = "X.254"
> sec_dns = "X"
>
> http_servers = "{" $web_A_2 $web_A_4 $sf1 $web_A_8 $web_A_9 $extranet "}"
> ssh_servers = "{" $web_A_2 $sf1 $sf2 $extranet $mysql2 $firewall "}"
> ftp_servers = "{" $web_A_2 $sf1 "}"
> mail_servers = "{" $extranet "}"
> samba_servers = "{" $extranet "}"
> dns_servers = "{" $web_A_3 "}"
>
> ssh_ports = "{ 22 }"
> http_ports = "{ 80 , 443 }"
> ftp_ports = "{ 20, 21 }"
> ftp_ports_pasv = "{ 65000:65500 }"
> snmp_ports = "{ 161 }"
> mysql_ports = "{ 3306 }"
> dns_ports = "{ 53 }"
> email_ports = "{ 25, 110, 143, 993, 995 }"
> samba_udp_ports = "{ 137, 138, 587 }"
> samba_tcp_ports = "{ 139, 445, 587 }"
>
> # filtering done on public side of bridge, so allow everything
> # on the protected side of things
> pass in quick on $inside all
> pass out quick on $inside all
>
> # block everything by default on bridge
> block in log on $outside all
> pass out on $outside all
> #block out log on $outside all
>
> pass in quick on $local all
> pass out quick on $local all
>
> ############
> # IN RULES
> ############
>
> #allow ssh to defined servers
> pass in quick on $outside proto tcp from any to $ssh_servers \
> port $ssh_ports flags S/SA keep state
>
>
> #allow http for the defined servers
> pass in quick on $outside proto tcp from any to $http_servers \
> port $http_ports flags S/SA keep state
>
> #allow ftp for defined servers
> pass in quick on $outside proto tcp from any to $ftp_servers \
> port $ftp_ports #flags S/SA keep state
> pass in quick on $outside proto tcp from any to $ftp_servers \
> port $ftp_ports_pasv #keep state
>
> #allow email for defined server
> pass in quick on $outside proto tcp from any to $mail_servers \
> port $email_ports #flags S/SA keep state
>
> #allow samba for defined server
> pass in quick on $outside proto tcp from any to $samba_servers \
> port $samba_tcp_ports #flags S/SA keep state
>
> pass in quick on $outside proto udp from any to $samba_servers \
> port $samba_udp_ports #keep state
>
> #allow dns for defined server
> pass in quick on $outside proto { tcp, udp } from any to $dns_servers \
> port domain keep state
>
> #snmp on firewall
> #pass in quick on $outside proto {tcp, udp } from any to $local_ip \
> # port $snmp_ports
>
> #pass in quick on $local proto {tcp,udp } from any to $firewall_bridge \
> # port $snmp_ports
> # Allow ICMP (ping) IN
> # pass out/in certain ICMP queries and keep state (ping)
> pass in on $outside inet proto icmp all icmp-type {0,3 ,8, 11}
>
>
> ############
> # OUT RULES
> ############
> # Allow ICMP (ping) OUT
> pass out on $outside inet proto icmp all icmp-type {0,3 ,8, 11}
> # Pass (Allow) all UDP/TCP OUT and keep state
> pass out on $outside proto udp all #keep state
> pass out on $outside proto tcp all
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
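The `pfctl -sr` lines quoted in the thread show the pass rules for sf1 are loaded; the following Python evaluator is an added example (not from the thread, not part of pf) that replays pf's matching order, last match wins unless `quick`, over constructed copies of those lines plus the ruleset's default block, to confirm that the loaded rules themselves pass X.6 on 22, 80 and 443 and block everything else, so a timeout on those ports is not explained by the rules. It assumes the rule text is exactly what pfctl prints (the sample and the small service-name table are constructed) and ignores address masks, tables, TCP flags and state.

```python
"""Replay pf's rule matching over `pfctl -sr` output: last match wins, `quick`
stops the search.  Address masks, tables, TCP flags and state are ignored."""
from typing import NamedTuple, Optional, Tuple

SERVICE_PORTS = {"ssh": 22, "http": 80, "https": 443, "ftp": 21, "domain": 53}

# Constructed sample mirroring the rules quoted in the thread (X.6 is sf1); @2
# is the default "block in log on $outside all", printed as "block return".
SAMPLE_PFCTL_SR = """\
@2 block return in log on fxp0 all
@7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
@16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
@17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state
"""

class Rule(NamedTuple):
    # proto/dst None (or dst "any") and ports None each mean "matches anything"
    num: int; action: str; direction: str; quick: bool; iface: str
    proto: Optional[str]; dst: Optional[str]; ports: Optional[Tuple[int, int]]

def parse_rule(line: str) -> Rule:
    tok = line.split()
    direction = "in" if "in" in tok[2:4] else "out"   # skips block's return/drop
    ports = None
    if "port" in tok:
        i = tok.index("port")
        spec = tok[i + 2] if tok[i + 1] == "=" else tok[i + 1]  # "= ssh" or "lo:hi"
        lo, _, hi = spec.partition(":")
        lo, hi = (int(SERVICE_PORTS.get(p, p)) for p in (lo, hi or lo))
        ports = (lo, hi)
    return Rule(int(tok[0].lstrip("@")), tok[1], direction, "quick" in tok,
                tok[tok.index("on") + 1],
                tok[tok.index("proto") + 1] if "proto" in tok else None,
                tok[tok.index("to") + 1] if "to" in tok else None, ports)

def parse_rules(text):
    return [parse_rule(l) for l in text.splitlines() if l.startswith("@")]

def decide(rules, iface, proto, dst, port, direction="in"):
    """Return (action, rule number) as pf would choose for one packet."""
    verdict = ("pass", None)                 # pf passes when no rule matches
    for r in rules:
        if (r.direction != direction or r.iface != iface
                or r.proto not in (None, proto) or r.dst not in (None, "any", dst)
                or (r.ports and not r.ports[0] <= port <= r.ports[1])):
            continue
        verdict = (r.action, r.num)
        if r.quick:                          # quick: stop at the first match
            break
    return verdict
```

Feeding the real `pfctl -sr` output of a bridge host to `parse_rules` and probing the hosts and ports that time out separates "rule never matched" from "rule matched but traffic never reached pf", which is the distinction the thread turns on.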