Date: Sat, 26 Mar 2011 17:18:19 +0100
From: Leslie Jensen <leslie@eskk.nu>
To: freebsd-pf@freebsd.org
Subject: Lost in rules!
Message-ID: <4D8E11CB.2070501@eskk.nu>
Hello list.

I've had a machine running FreeBSD 7.2-RELEASE as a firewall and Squid proxy server on a network with 10 PCs behind it for some years. Now I've got some new hardware and have installed FreeBSD 8.2-RELEASE with exactly the same set-up.

My problem is that PF is not acting the same. Everything is blocked; if I remove the first rule "block in log on $ext_if all" I get some functionality, but it won't redirect the traffic to Squid, for example.

I've been trying to fix it but I need some new eyes to help me. Below is the pf.conf on the new 8.2 machine, and further below is the original pf.conf from the 7.2 system. I'm aware that there have been some changes to the pf syntax, but when doing pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.

Will you please take a look and see if you can see what's wrong.

Thank you :-)

/Leslie

My new pf.conf
---------------------------------------------------------------
#
# macros
ext_if="xl0"
int_if="bfe0"
tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
proxy_services = "{ 21, 80 }"
icmp_types="{ echoreq unreach squench timex }"
internal_net = "172.17.0/16"
proxy = "127.0.0.1"
vncports="{ 5900, 5901 }"

# tables
table <goodguys> persist
table <sshguard> persist

# options
set block-policy return # ports are closed but can be seen
set loginterface $ext_if
set skip on lo0

# scrub
scrub in

# Testing for VNC!
# Translate incoming packets' destination addresses.
# As an example, redirect a TCP and UDP port to an internal machine.
# rdr on $ext_if inet proto tcp from <goodguys> to ($ext_if) port 5910 \
#    -> 172.17.0.160 port 5900

# redirect www traffic to proxy
rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log on $ext_if all
block drop in log quick proto ipv6 all
block drop out log quick proto ipv6 all
block in log quick on $ext_if from <sshguard> label "ssh bruteforce"

pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
pass out log

# Let the goodguys access the machine from the outside
pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if) port $tcp_services flags S/SA keep state

# We need this for the rdr to VNC (change of portnumber)
pass in on $ext_if inet proto tcp from <goodguys> to $internal_net port $vncports flags S/SA synproxy state

# ICMP answers (traffic) needs to be passed:
pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in quick on $int_if

# _______________________________________________________________________

The original pf.conf
--------------------------------------------------------------------------
# macros
ext_if="xl0"
int_if="bfe0"
tcp_services="{ 22, 993, 5910:5917 }"
tcp_priv_services="{ 389, 443 }"
proxy_services = "{ 21, 80 }"
icmp_types="echoreq"
internal_net = "172.17.0/16"
proxy = "127.0.0.1"

# tables
table <goodguys> persist
table <sshguard> persist

# options
set block-policy return # ports are closed but can be seen
set loginterface $ext_if
set skip on lo0

# scrub
scrub in

# Testing for VNC!
# Translate incoming packets' destination addresses.
# As an example, redirect a TCP and UDP port to an internal machine.
# rdr on $ext_if inet proto tcp from <goodguys> to ($ext_if) port 5910 \
#    -> 172.17.0.160 port 5900

# redirect www traffic to proxy
rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

# ext_if IP address could be dynamic, hence ($ext_if)
nat on $ext_if from !($ext_if) to any -> ($ext_if)

# filter rules
block in log (all)
block drop in log quick proto ipv6 all
block drop out log quick proto ipv6 all
block in log quick on $ext_if from <sshguard> label "ssh bruteforce"

pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
pass out keep state

# Let the goodguys access the machine from the outside
pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
    port $tcp_services flags S/SA keep state

# We need this for the rdr to VNC (change of portnumber)
pass in on $ext_if inet proto tcp from <goodguys> to $internal_net \
    port $vncports flags S/SA synproxy state

# ICMP answers (traffic) needs to be passed:
# pass in inet proto icmp all icmp-type $icmp_types keep state

# traffic must be passed to and from the internal network
pass in quick on $int_if
#
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4D8E11CB.2070501>
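Added example, not part of the e-mail above and not FreeBSD or pf code: when two rulesets are supposed to be "exactly the same set-up" but behave differently, the first thing to establish is what actually differs after comments, line continuations and macros are taken out of the picture. The script below strips comments, joins backslash-continued lines, expands $macro references and reports (a) the statements unique to each file and (b) any macro a file references without defining. The two embedded texts are constructed excerpts of the posted 7.2 and 8.2 pf.conf files, trimmed to the macro definitions and the filter rules that differ; the script only recognises the quoted `name = "value"` macro form used in those files, and it is a text-level check, not a replacement for `pfctl -n -f`.

```python
import re

# Excerpts (constructed for this example) of the two pf.conf files posted
# above, trimmed to the macro definitions and the filter rules that differ.
OLD_EXCERPT = r"""
ext_if="xl0"
int_if="bfe0"
tcp_services="{ 22, 993, 5910:5917 }"
internal_net = "172.17.0/16"
block in log (all)
pass out keep state
pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from <goodguys> to $internal_net \
    port $vncports flags S/SA synproxy state
# pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
"""

NEW_EXCERPT = r"""
ext_if="xl0"
int_if="bfe0"
tcp_services="{ 22, 993, 5910:5917 }"
icmp_types="{ echoreq unreach squench timex }"
internal_net = "172.17.0/16"
vncports="{ 5900, 5901 }"
block in log on $ext_if all
pass out log
pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from <goodguys> to $internal_net port $vncports flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
"""

# Only the quoted form  name = "value"  is recognised here; pf.conf also
# allows unquoted macro values, which this example does not handle.
MACRO_DEF = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')


def statements(text):
    """Strip comments, join backslash-continued lines, collapse whitespace."""
    out, buf = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # a comment runs to end of line
        if line.endswith("\\"):
            buf.append(line[:-1])              # statement continues on next line
            continue
        buf.append(line)
        joined = " ".join(" ".join(buf).split())
        buf = []
        if joined:
            out.append(joined)
    return out


def parse(text):
    """Split a pf.conf into {macro: value} and the list of other statements."""
    macros, rules = {}, []
    for stmt in statements(text):
        m = MACRO_DEF.match(stmt)
        if m:
            macros[m.group(1)] = m.group(2)
        else:
            rules.append(stmt)
    return macros, rules


def expand(stmt, macros):
    """Substitute $macro references; unknown macros are left as written."""
    for _ in range(10):   # macros may reference other macros; bound the nesting
        new = MACRO_REF.sub(lambda m: macros.get(m.group(1), m.group(0)), stmt)
        if new == stmt:
            return new
        stmt = new
    return stmt


def undefined_macros(text):
    """Macros referenced (in rules or in other macros) but never defined."""
    macros, rules = parse(text)
    used = set()
    for s in rules + list(macros.values()):
        used.update(MACRO_REF.findall(s))
    return sorted(used - set(macros))


def ruleset_diff(old_text, new_text):
    """Return (removed, added): expanded statements unique to each file."""
    old_m, old_r = parse(old_text)
    new_m, new_r = parse(new_text)
    old_x = [expand(r, old_m) for r in old_r]
    new_x = [expand(r, new_m) for r in new_r]
    removed = [r for r in old_x if r not in new_x]
    added = [r for r in new_x if r not in old_x]
    return removed, added


if __name__ == "__main__":
    for name, text in (("7.2 pf.conf", OLD_EXCERPT), ("8.2 pf.conf", NEW_EXCERPT)):
        print(f"{name}: undefined macros: {undefined_macros(text) or 'none'}")
    removed, added = ruleset_diff(OLD_EXCERPT, NEW_EXCERPT)
    for r in removed:
        print("- " + r)
    for r in added:
        print("+ " + r)
```

Run against the two posted files, this reports the rules that differ (`block in log (all)` versus `block in log on xl0 all`, `pass out keep state` versus `pass out log`, the ICMP pass rule present only in the new file, and the `log` keyword added to the goodguys rule) and flags `$vncports` in the posted 7.2 config as referenced without a definition, which pfctl refuses to load. The diff narrows the search; to see which rule actually drops a packet on the running system, list the loaded rules with their numbers using `pfctl -vvsr` and watch the logged decisions with `tcpdump -n -e -ttt -i pflog0`.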