Date: Thu, 6 Mar 2008 10:54:30 -0300 From: "Alaor Barroso de Carvalho Neto" <alaorneto@gmail.com> To: freebsd-questions@freebsd.org Subject: Please help me with my PF config Message-ID: <2949641c0803060554q2ecba5e7g7920bf0b252277c9@mail.gmail.com>
next in thread | raw e-mail | index | archive | help
Hi guyz, let me explain what I have. I work in a school, we have access to
the internet, two internal networks (academic and administrative) and we
have to connect to some servers in another school because we share databases
and to video-conference. I have a FreeBSD box with PF and squid, i want all
my web traffic to pass through the squid, it's working. I want to academic
net don't be able to communicate with administrative net, and the inverse,
it's working. But I would like to my adm net to communicate with some
servers in the other school network, and only this servers, no other ip
would be accessible, it's NOT working. I can ping to the servers but I can't
connect to the services ports (SQL Server, and so on).
Here's my pf.conf:
BEGIN OF CONFIG
ext_if="em0"
adm_if="xl0"
acad_if="xl1"
cefet_if="xl2"
all_if="{ em0, xl0, xl1, xl2 }"
ext_net="XXX.XXX.XXX.XXX/XX"
adm_net="192.168.1.0/24"
acad_net="192.168.2.0/24"
cefet_net="10.10.0.0/16"
cefet_servers="{ 10.10.0.10, 10.10.0.15, 10.10.0.213 }"
internal_nets="{ 192.168.1.0/24, 192.168.2.0/24 }"
tcp_services="{ ssh, smtp, domain, http, https, ftp, ftp-data, nntp, pop3,
pop3s, auth, 3128 }" }"
udp_services="{ domain, ntp }"
proxy_ports="{ 80, 8000, 8080, 3128 }"
martians="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"
set block-policy return
scrub in all
nat on $ext_if from $internal_nets to any -> ($ext_if)
nat on $cefet_if from $adm_net to any -> ($cefet_if)
rdr on $all_if proto tcp from any to any port $proxy_ports -> 127.0.0.1 port
3128
block all
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop quick from $acad_net to $adm_net
block drop quick from $adm_net to $acad_net
pass quick proto icmp from any to any keep state
pass quick from $adm_net to $cefet_servers keep state
pass quick from $cefet_servers to $adm_net keep state
block quick from any to $cefet_net
block quick from $cefet_net to any
pass proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state
antispoof for $all_if
END OF CONFIG
cefet_net is the network of the other school, and cefet_servers are the
servers I want to communicate with, I want all ports and protocols to these
servers, but it's not working. I need a light guyz.
Thankz, and sorry my poor english.
Alaor Neto
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?2949641c0803060554q2ecba5e7g7920bf0b252277c9>
