Strange bridge problem with pf

Rob Lensen rob at bsdfreaks.nl
Sat Jan 8 16:56:47 PST 2005


Hello,

The problem which I had with FreeBSD and the bridged setup is solved.
I solved it by switching the transparent bridge machine to OpenBSD 3.6.

So the same ruleset is working perfectly on OpenBSD. So I think PF and 
bridge do not work well on FreeBSD.

Best,
Rob


 >
 > I have a strange problem with pf on a bridged setup.
 >
 > I did read the previous thread about the pf problem with a bridge, since the sysctl value of ipf bridge should be enabled.
 >
 > In the attached file the pf.conf is given. (fxp0 is the outside nic)
 >
 > The firewall is working for all machines behind the firewall except sf1; nothing seems to go to this machine if the firewall is enabled.
 >
 > If I look at the output of pfctl -sr I can see the rules for this machine are loaded:
 >
 > @7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
 > @16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
 > @17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state
 >
 > This should open the ports for ssh and http to machine X.6 (sf1), however no connection can be made.
 > Nmap shows:
 > 22/tcp  open     ssh
 > 80/tcp  open     http
 >
 > #telnet X.6 22
 > gives a time out
 >
 > All other hosts are working fine.
 >
 > Does anyone have any clue on this problem?
 >
 > Best
 > Rob Lensen
 >
 >
 > ------------------------------------------------------------------------
 >
 > outside="fxp0"
 > ext_if="fxp0"
 > inside="fxp1"
 > local="rl0"
 >
 > ext_ip=""
 > local_net ="X.0/24"
 >
 > # Tables: similar to macros, but more flexible for many addresses.
 > table <priv_nets> {127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
 >
 > set loginterface $outside
 > set block-policy return
 >
 > # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
 > #scrub in all
 >
 > web_A_2     = "X.2"
 > web_A_3     = "X.3"
 > web_A_4     = "X.4"
 > web_A_7     = "X.7"
 > web_A_8     = "X.8"
 > web_A_9     = "X.9"
 > web_A_20    = "X.20"
 > sf1   = "X.6"
 > sf2             = "X.30"
 > mysql2          = "X.14"
 > extranet        = "X.13"
 > firewall        = "X.254"
 > sec_dns         = "X"
 >
 > http_servers = "{" $web_A_2 $web_A_4 $sf1 $web_A_8 $web_A_9 $extranet "}"
 > ssh_servers = "{"  $web_A_2 $sf1 $sf2 $extranet $mysql2 $firewall "}"
 > ftp_servers = "{" $web_A_2 $sf1 "}"
 > mail_servers = "{" $extranet "}"
 > samba_servers = "{" $extranet "}"
 > dns_servers = "{" $web_A_3 "}"
 >
 > ssh_ports = "{ 22 }"
 > http_ports = "{ 80 , 443 }"
 > ftp_ports = "{ 20, 21  }"
 > ftp_ports_pasv = "{ 65000:65500 }"
 > snmp_ports = "{ 161 }"
 > mysql_ports = "{ 3306 }"
 > dns_ports = "{ 53 }"
 > email_ports = "{ 25, 110, 143, 993, 995 }"
 > samba_udp_ports = "{ 137, 138, 587 }"
 > samba_tcp_ports = "{ 139, 445, 587 }"
 >
 > # filtering done on public side of bridge, so allow everything
 > # on the protected side of things
 > pass  in  quick on $inside all
 > pass  out quick on $inside all
 >
 > # block everything by default on bridge
 > block in log  on $outside all
 > pass out on $outside all
 > #block out log on $outside all
 >
 > pass in quick on $local all
 > pass out quick on $local all
 >
 > ############
 > # IN RULES
 > ############
 >
 > #allow ssh to defined servers
 > pass in quick on $outside proto tcp from any to $ssh_servers \
 >     port $ssh_ports  flags S/SA keep state
 >
 >
 > #allow http for the defined servers
 > pass in quick on $outside proto tcp from any to $http_servers \
 >     port $http_ports  flags S/SA keep state
 >
 > #allow ftp for defined servers
 > pass in quick on $outside proto tcp from any to $ftp_servers \
 >     port $ftp_ports #flags S/SA keep state
 > pass in quick on $outside proto tcp from any to $ftp_servers \
 >     port $ftp_ports_pasv #keep state
 >
 > #allow email for defined server
 > pass in quick on $outside proto tcp from any to $mail_servers \
 >     port $email_ports #flags S/SA keep state
 >
 > #allow samba for defined server
 > pass in quick on $outside proto tcp from any to $samba_servers \
 >     port $samba_tcp_ports #flags S/SA keep state
 >
 > pass in quick on $outside proto udp from any to $samba_servers \
 >     port $samba_udp_ports #keep state
 >
 > #allow dns for defined server
 > pass in quick on $outside proto { tcp, udp } from any to $dns_servers \
 >     port domain keep state
 >
 > #snmp on firewall
 > #pass in quick on $outside proto {tcp, udp } from any to $local_ip \
 > #    port $snmp_ports
 >
 > #pass in quick on $local proto {tcp,udp } from any to $firewall_bridge \
 > #        port $snmp_ports
 > # Allow ICMP (ping) IN
 > # pass out/in certain ICMP queries and keep state (ping)
 > pass in on $outside inet proto icmp all icmp-type {0,3 ,8, 11}
 >
 >
 > ############
 > # OUT RULES
 > ############
 > # Allow ICMP (ping) OUT
 > pass out on $outside inet proto icmp all icmp-type {0,3 ,8, 11}
 >         # Pass (Allow) all UDP/TCP OUT and keep state
 > pass out on $outside proto udp all #keep state
 > pass out on $outside proto tcp all
 >
 >
 > ------------------------------------------------------------------------
 >
 > _______________________________________________
 > freebsd-pf at freebsd.org mailing list
 > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
 > To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
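As an added illustration (not part of this thread, and not pf's own code), the following Python model applies pf's evaluation order to the rules quoted above: a packet is judged by the last matching rule, except that a matching `quick` rule ends the search at once. The ruleset, packets and the `X.` address prefix are constructed from the post; the `Packet`, `Rule`, `evaluate` and `check_quoted_rules` names are this example's own. Running it shows that the loaded rules @7/@16/@17 would pass a new SYN to X.6 on 22, 80 or 443 and block everything else inbound on fxp0, so the symptom reported (timeouts to sf1 only) is not explained by rule ordering in the ruleset itself.

```python
"""Minimal model of pf rule evaluation (illustration only, not pf code).

Semantics reproduced:
  * rules are evaluated in order; the last matching rule decides,
  * a matching rule marked `quick` stops evaluation immediately,
  * `flags S/SA` means: of the flags S and A, exactly S must be set.
"""

from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Packet:
    direction: str      # "in" or "out"
    iface: str          # interface the packet is seen on, e.g. "fxp0"
    proto: str          # "tcp", "udp" or "icmp"
    dst: str            # destination address (anonymised "X.n" as in the post)
    dport: int          # destination port
    flags: str = ""     # TCP flags set on this segment, e.g. "S" or "SA"


@dataclass
class Rule:
    action: str                         # "pass" or "block"
    direction: str                      # "in" or "out"
    iface: str
    quick: bool = False
    proto: Optional[str] = None         # None: any protocol
    dst: Optional[str] = None           # None: any destination
    ports: Set[int] = field(default_factory=set)   # empty: any port
    flags: Optional[str] = None         # e.g. "S/SA"

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction or self.iface != pkt.iface:
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dst and self.dst != pkt.dst:
            return False
        if self.ports and pkt.dport not in self.ports:
            return False
        if self.flags:
            want, mask = self.flags.split("/")
            # pf only compares the flags named in the mask
            examined = {f for f in pkt.flags if f in mask}
            if examined != set(want):
                return False
        return True


def evaluate(rules, pkt: Packet) -> str:
    """Return the verdict pf would reach: last match wins unless quick."""
    verdict = "pass"        # pf's implicit default when no rule matches
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


# The relevant part of the quoted ruleset, in the order pf.conf loads it
# (constructed from the post; sf1 = X.6).
RULESET = [
    Rule("pass", "in", "fxp1", quick=True),                       # inside: allow all
    Rule("block", "in", "fxp0"),                                  # default block on bridge
    Rule("pass", "in", "fxp0", quick=True, proto="tcp", dst="X.6",
         ports={22}, flags="S/SA"),                               # @7  ssh
    Rule("pass", "in", "fxp0", quick=True, proto="tcp", dst="X.6",
         ports={80, 443}, flags="S/SA"),                          # @16/@17 http, https
]


def check_quoted_rules() -> dict:
    """Evaluate a few constructed packets against RULESET."""
    probes = {
        "syn_ssh":     Packet("in", "fxp0", "tcp", "X.6", 22, "S"),
        "synack_ssh":  Packet("in", "fxp0", "tcp", "X.6", 22, "SA"),
        "syn_telnet":  Packet("in", "fxp0", "tcp", "X.6", 23, "S"),
        "syn_https":   Packet("in", "fxp0", "tcp", "X.6", 443, "S"),
        "udp_22":      Packet("in", "fxp0", "udp", "X.6", 22),
        "inside_syn":  Packet("in", "fxp1", "tcp", "X.6", 22, "S"),
    }
    return {name: evaluate(RULESET, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for name, verdict in check_quoted_rules().items():
        print(f"{name:12s} -> {verdict}")
```

The `block in log on $outside all` line sits before the `pass in quick` rules in the quoted pf.conf, which is exactly why the pass rules are written with `quick`: without it, later rules could still override them, but here the first matching `quick` pass decides. When a ruleset evaluates correctly in a model like this yet traffic still times out, the remaining suspects are outside the filter logic: bridge-layer filtering sysctls, state tracking across bridge members, or the host itself.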


