PF FW/ Drop Connections

Roger Miranda (Digital Relay) rmiranda at digitalrelay.ca
Mon Sep 25 06:06:51 PDT 2006


First poster here.

I have a system with a static IP on the WAN/EXT_IF interface.
But we are having some issues, and my last area to check is the pf.conf file
(below).

1) Every 24-36 hours we get a dropped connection on the WAN interface; a simple
reboot fixes it.
2) Running monitoring software outside the network shows that 6-8 times an hour
a ping will get lost.

We have tried everything with the ISP to try to get this resolved. My last try
is this pf.conf file.
I'm running FreeBSD 6.1 with PF enabled in the kernel.

Thank you


--- pf.conf ------------------------------------------------------------------------------------
# interfaces and hosts
ext_if = "rl0"
int_if = "rl1"
dmz_if = "xl0"
privnet = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
webserv = "192.168.0.6"
gateway = "192.168.0.1"
tc = "192.168.55.99"
tcp_services = "{ 2205, 443, 80 }"
icmp_types = "echoreq"

scrub in all

# outbound NAT for the internal and DMZ networks
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)

# inbound redirects
rdr on $ext_if proto tcp from any to any port www -> $webserv port 80
rdr on $ext_if proto tcp from any to any port 443 -> $webserv port 443
rdr on $ext_if proto tcp from any to any port 2205 -> $gateway port 2205
rdr on $ext_if proto tcp from $int_if:network to any port 8080 -> $gateway port 8080
rdr on $int_if proto tcp from $int_if:network to any port www -> $gateway port 3128

rdr on $ext_if proto tcp from any to any port 3306 -> $tc port 3306
rdr on $ext_if proto tcp from any to any port 22 -> $tc port 3306

# filter rules
block in log on $ext_if from any to any
pass out from any to any keep state
pass in log on $ext_if inet proto tcp from any to 192.168.0.1 port 8080 flags S/SA
pass in log on $ext_if inet proto tcp from any to 192.168.0.1 port 2812 flags S/SA
pass in log on $ext_if inet proto tcp from any to any port $tcp_services flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to $webserv port 80 flags S/SA synproxy state
pass in log on $ext_if inet proto tcp from any to $webserv port 443 flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to any port 2205 flags S/SA keep state

pass in log on $ext_if inet proto tcp from any to any port 3306 flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to any port 22 flags S/SA keep state
pass in log inet proto icmp all icmp-type $icmp_types keep state

pass out log on $int_if from any to $int_if:network keep state
pass out log on $dmz_if from any to $dmz_if:network keep state
pass log quick on $int_if from any to any
pass log quick on $dmz_if from any to $ext_if:network keep state
---------------------------------------------------------------------------------------------------------------------------


--ifconfig output-------------------------------------------------------------------------------------------------------

rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::211:95ff:fe66:698e%rl0 prefixlen 64 scopeid 0x1
        inet XXX.XXX.XXX.XXX netmask 0xfffffc00 broadcast XXX.XXX.XXX.XXX
        ether 00:11:95:66:69:8e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::211:95ff:fe61:93f0%rl1 prefixlen 64 scopeid 0x2
        inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
        ether 00:11:95:61:93:f0
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet6 fe80::206:5bff:feae:83fe%xl0 prefixlen 64 scopeid 0x3
        inet 192.168.55.1 netmask 0xffffff00 broadcast 192.168.55.255
        ether 00:06:5b:ae:83:fe
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
pflog0: flags=0<> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
pfsync0: flags=0<> mtu 2020

---------------------------------------------------------------------------------------------------------------------------
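Not part of the original post: since every rule in the ruleset above keeps state and no `set limit states` is configured, one thing worth ruling out before blaming the ISP is a full state table, which makes pf drop new connections. This added POSIX sh helper parses the output of `pfctl -si` (current entries) and `pfctl -sm` (states hard limit) and warns when utilisation crosses a threshold; the sample output embedded below is constructed to match the pfctl format, not taken from the poster's box.

```sh
#!/bin/sh
# Added diagnostic helper (not from the original post). Constructed sample
# output in the shape of "pfctl -si" and "pfctl -sm" on FreeBSD 6.x:
SAMPLE_SI='State Table                        Total             Rate
  current entries                     9800
  searches                        12345678          142.9/s
  inserts                           456789            5.3/s
  removals                          447989            5.2/s'

SAMPLE_SM='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# pf_state_usage SI_TEXT SM_TEXT -> prints "<current> <limit> <percent>"
# Returns 1 if either value cannot be found in the given text.
pf_state_usage() {
    cur=$(printf '%s\n' "$1" | awk '/current entries/ { print $3 }')
    lim=$(printf '%s\n' "$2" | awk '$1 == "states" { print $NF }')
    [ -n "$cur" ] && [ -n "$lim" ] || return 1
    pct=$(( $cur * 100 / $lim ))
    printf '%s %s %s\n' "$cur" "$lim" "$pct"
}

# pf_state_check SI_TEXT SM_TEXT [THRESHOLD_PERCENT]
# Returns 0 when usage is below the threshold (default 90%), 2 when at or
# above it, 1 when the input could not be parsed.
pf_state_check() {
    threshold=${3:-90}
    usage=$(pf_state_usage "$1" "$2") || return 1
    set -- $usage
    if [ "$3" -ge "$threshold" ]; then
        echo "WARNING: pf state table at $3% ($1/$2); new states will fail at the limit"
        return 2
    fi
    echo "OK: pf state table at $3% ($1/$2)"
    return 0
}

# Demo on the constructed sample; on the firewall itself run:
#   pf_state_check "$(pfctl -si)" "$(pfctl -sm)"
pf_state_check "$SAMPLE_SI" "$SAMPLE_SM" || true
```

If the table sits near its limit, `pfctl -ss | wc -l` over time and `set limit states` / `set timeout` in pf.conf are the next things to look at; if it is nowhere near full, the state table is not the cause and the NIC or the ISP link remains the suspect.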
