pf rules not allowing traffic

dave dmehler26 at woh.rr.com
Thu Apr 21 07:24:03 PDT 2005


Hello,
    I'm trying to get the below working on a 5.3 router. Internal traffic
dhcp, at least is working, but external stuff, ntp, web browsing, etc. is
not. When i load this ruleset i am unable to get out. Checking pflog doesn't
help as i am not getting log information. There are no errors when i try to
load this ruleset, any help appreciated.
Thanks.
Dave.


# Macros: define common values, so they can be referenced and changed
easily.
EXT = "fxp0"
LAN = "ep0"
LAN_NET = "192.168.0.0/24"
LAN_SERVER = "192.168.0.3"
LAN_FIREWALL = "192.168.0.254"
LAN_ADMIN = "192.168.0.2"
TCP_INCOMING_SERVICES = "{ 22, 25, 80, 110, 143, 443, 465, 587, 873, 993,
995, 1723, 2401, 3306, 5432, 8000, 9101, 9102, 9103 }"
TCP_OUTGOING_SERVICES = "{ 20, 21, 22, 25, 43, 53, 80, 110, 119, 143, 443,
1790, 1791, 1792, 1793, 1794, 1795, 2401, 5190, 5191, 5192, 5193, 5999,
8880 }"
UDP_INCOMING_SERVICES = "{ 53, 68, 123 }"
UDP_OUTGOING_SERVICES = "{ 53, 67, 123 }"

# Tables: similar to macros, but more flexible for many addresses.
table <nameservers> { x.x.x.x, x.x.x.x }
table <noroute> { 10.0.0.0/8, 127.0.0.0/8, 172.16.0.0/12, 0.0.0.0/8,
169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3 }

# Options: tune the behavior of pf
set optimization aggressive
set block-policy drop
set require-order yes
set fingerprints "/etc/pf.os"

# Normalization: reassemble fragments and resolve or reduce traffic
ambiguities.
# Max-mss is needed due to mpd's poor mss handling
scrub on $EXT all reassemble tcp
scrub out all random-id max-mss 1440

# Queueing: rule-based bandwidth control.
#altq on $EXT priq bandwidth 128Kb queue {bt_out, std_out, http_out,
ssh_out, dns_out, ack_out}
#queue bt_out on $EXT priority 0 priq(red)
#queue std_out on $EXT priority 3 priq(default)
#queue http_out on $EXT priority 5 priq
#queue ssh_out on $EXT priority 7 priq
#queue dns_out on $EXT priority 9 priq
#queue ack_out on $EXT priority 11 priq

# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $EXT with source address $internal_net will
# get translated as coming from the address of $EXT, a state is created for
# such packets, and incoming packets will be redirected to the internal
address.
nat on $EXT from $LAN_NET to any -> ($EXT)

# redirections
# rdr outgoing FTP requests to the ftp-proxy
rdr on $LAN proto tcp from any to any port ftp -> 127.0.0.1 port 8021
#rdr on $EXT proto tcp from any to any port 80 -> $LAN_SERVER port 80

# spam table setup and implementation
# table < spammers
#no rdr on { lo0, lo1 } from any to any
# rdr < spammers

# antispoof rules
antispoof for $EXT inet

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block quick inet6 all
block all

# loopback
pass quick on lo0 all

# incoming on $EXT
# block by default
#block in on $EXT all
block in quick on $EXT from <noroute>

#DNS
pass in quick on $EXT proto udp from <nameservers> port 53 to $EXT keep
state

#Incoming tcp
pass in quick on $EXT proto tcp from any to $EXT port $TCP_INCOMING_SERVICES
flags S/AUPRFS modulate state

#dhcp from isp
pass in quick on $EXT proto udp from any port 67 to 255.255.255.255 port 68
keep state queue(ack_out)

#pptp
pass in quick on $EXT proto gre from any to $LAN_SERVER keep state


#-----------outgoing on $EXT----------------
#block out on $EXT all
block out quick on $EXT from any to <noroute>
pass out quick on $EXT proto udp from $EXT to <nameservers> port 53 keep
state
pass out quick on $EXT proto tcp from $EXT to $LAN_NET port
$TCP_OUTGOING_SERVICES keep state
pass out quick on $EXT proto udp from $EXT to $LAN_NET port
$UDP_OUTGOING_SERVICES keep state


#-----------incoming on $LAN----------------
block in on $LAN all
# allow broadcast
pass quick on $LAN from any to 192.168.0.255

# allow in tcp and udp incoming
pass in quick on $LAN proto tcp from $LAN_NET to any port
$TCP_INCOMING_SERVICES flags S/AUPRFS modulate state
pass in quick on $LAN proto udp from $LAN_NET to any port
$UDP_INCOMING_SERVICES modulate state

#allow out CDDB
pass in quick on $LAN proto {tcp,udp} from $LAN_NET to any port 8880 flags
S/SAFR keep state


#-----------outgoing on $LAN----------------
block out on $LAN all

# tcp and udp out
pass out quick on $LAN proto tcp from $LAN_NET to $EXT port
$TCP_OUTGOING_SERVICES flags S/AUPRFS modulate state
pass out quick on $LAN proto udp from $LAN_NET to $EXT port
$UDP_OUTGOING_SERVICES modulate state



More information about the freebsd-pf mailing list