Lost in rules!

Greg Hennessy Greg.Hennessy at nviz.net
Sat Mar 26 16:46:10 UTC 2011


You've enabled routing?

What are the logs telling you?

Change this

	"block in log on $ext_if all"

to

	block log all

There may be an egress block somewhere.



> -----Original Message-----
> From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On Behalf Of Leslie Jensen
> Sent: 26 March 2011 4:18 PM
> To: freebsd-pf at freebsd.org
> Subject: Lost in rules!
> 
> Hello list.
> 
> I've had a machine running FreeBSD 7.2-RELEASE as a firewall and Squid proxy
> server on a network with 10 PCs behind it for some years.
> 
> Now I've got some new hardware and have installed FreeBSD 8.2-RELEASE
> with exactly the same set-up.
> 
> My problem is that PF is not acting the same. Everything is blocked; if I
> remove the first rule "block in log on $ext_if all" I get some functionality, but it
> won't redirect the traffic to Squid, for example.
> 
> I've been trying to fix it but I need some new eyes to help me.
> 
> Below is the pf.conf on the new 8.2 machine, and further below is the
> original pf.conf from the 7.2 system.
> 
> I'm aware that there have been some changes to the pf syntax, but when
> doing pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.
> 
> Will you please take a look and see if you can see what's wrong?
> 
> Thank you :-)
> 
> /Leslie
> 
> 
> 
> My new pf.conf
> ---------------------------------------------------------------
> 
> #
> # macros
> ext_if="xl0"
> int_if="bfe0"
> 
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="{ echoreq unreach squench timex }"
> internal_net = "172.17.0/16"
> proxy = "127.0.0.1"
> vncports="{ 5900, 5901 }"
> 
> # tables
> table <goodguys> persist
> table <sshguard> persist
> 
> # options
> set block-policy return		# ports are closed but can be seen
> set loginterface $ext_if
> 
> set skip on lo0
> 
> # scrub
> scrub in
> 
> # Testing for VNC!
> # Translate incoming packets' destination addresses.
> # As an example, redirect a TCP and UDP port to an internal machine.
> # rdr on $ext_if inet proto tcp from <goodguys> to ($ext_if) port 5910 \
> #           -> 172.17.0.160 port 5900
> 
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
> 
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
> 
> # filter rules
> block in log on $ext_if all
> 
> block drop in log quick proto ipv6 all
> 
> block drop out log quick proto ipv6 all
> 
> block in log quick on $ext_if from <sshguard> label "ssh bruteforce"
> 
> pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
> 
> pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
> 
> pass out log
> 
> # Let the goodguys access the machine from the outside
> pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if) port $tcp_services flags S/SA keep state
> 
> # We need this for the rdr to VNC (change of portnumber)
> pass in on $ext_if inet proto tcp from <goodguys> to $internal_net port $vncports flags S/SA synproxy state
> 
> # ICMP answers (traffic) needs to be passed:
> pass in inet proto icmp all icmp-type $icmp_types keep state
> 
> # traffic must be passed to and from the internal network
> pass in quick on $int_if
> #
> 
> _______________________________________________________________________
> 
> 
> The original pf.conf
> --------------------------------------------------------------------------
> 
> 
> # macros
> ext_if="xl0"
> int_if="bfe0"
> 
> tcp_services="{ 22, 993, 5910:5917 }"
> tcp_priv_services="{ 389, 443 }"
> proxy_services = "{ 21, 80 }"
> icmp_types="echoreq"
> internal_net = "172.17.0/16"
> proxy = "127.0.0.1"
> 
> # tables
> table <goodguys> persist
> table <sshguard> persist
> 
> # options
> set block-policy return		# ports are closed but can be seen
> set loginterface $ext_if
> 
> set skip on lo0
> 
> # scrub
> scrub in
> 
> # Testing for VNC!
> # Translate incoming packets' destination addresses.
> # As an example, redirect a TCP and UDP port to an internal machine.
> # rdr on $ext_if inet proto tcp from <goodguys> to ($ext_if) port 5910 \
> #           -> 172.17.0.160 port 5900
> 
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
> 
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
> 
> # filter rules
> block in log (all)
> 
> block drop in log quick proto ipv6 all
> 
> block drop out log quick proto ipv6 all
> 
> block in log quick on $ext_if from <sshguard> label "ssh bruteforce"
> 
> pass in log on $int_if inet proto tcp from $internal_net to $proxy port 8080 keep state
> 
> pass out log on $ext_if inet proto tcp from $proxy to any port $proxy_services keep state
> 
> pass out keep state
> 
> # Let the goodguys access the machine from the outside
> pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
>      port $tcp_services flags S/SA keep state
> 
> # We need this for the rdr to VNC (change of portnumber)
> pass in on $ext_if inet proto tcp from <goodguys> to $internal_net \
>      port $vncports flags S/SA synproxy state
> 
> # ICMP answers (traffic) needs to be passed:
> # pass in inet proto icmp all icmp-type $icmp_types keep state
> 
> # traffic must be passed to and from the internal network
> pass in quick on $int_if
> #
> 
> 
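Added here as an illustration, not code from either mail: a small Python model of pf's rule walk over Leslie's tcp filter rules, showing which rule ends up deciding a packet (last match wins unless a rule says quick) and therefore whether that packet shows up in pflog at all, with the posted "block in log on $ext_if all" beside Greg's "block log all". The ($ext_if) address, the <sshguard> contents and a third interface em0 are assumed; rdr/nat, state tracking and the ipv6, icmp, goodguys and VNC rules are left out.

```python
import ipaddress
# Constructed model (not code from the thread): pf walks the filter rules top to bottom and the
# LAST matching rule decides, unless a matching rule says "quick", which ends the walk there.
EXT_IF, INT_IF = "xl0", "bfe0"
EXT_ADDR = "198.51.100.2"      # assumed address of ($ext_if)
INTERNAL = "172.17.0.0/16"     # $internal_net
PROXY = "127.0.0.1"            # $proxy
SSHGUARD = ["192.0.2.9"]       # assumed contents of <sshguard>

def R(action, direction=None, iface=None, proto=None, src=None, dst=None, dport=None, quick=False, log=False):
    """One filter rule as a dict; None means "any"; src/dst is a CIDR string or a table (list)."""
    return locals()
def addr_match(spec, addr):
    return spec is None or (addr in spec if isinstance(spec, list)
                            else ipaddress.ip_address(addr) in ipaddress.ip_network(spec))
def matches(r, p):
    return (r["direction"] in (None, p["dir"]) and r["iface"] in (None, p["iface"])
            and r["proto"] in (None, p["proto"]) and addr_match(r["src"], p["src"])
            and addr_match(r["dst"], p["dst"]) and (r["dport"] is None or p["dport"] in r["dport"]))
def evaluate(rules, p):
    """Return (action, index of the deciding rule or None, logged?). With no match at all pf passes."""
    decision = ("pass", None, False)
    for i, r in enumerate(rules):
        if matches(r, p):
            decision = (r["action"], i, r["log"])
            if r["quick"]:
                break
    return decision

def ruleset(first_block):
    return [first_block,                                       # rule 0: the rule Greg asks to change
            R("block", "in", EXT_IF, src=SSHGUARD, quick=True, log=True),
            R("pass", "in", INT_IF, "tcp", INTERNAL, PROXY, {8080}, log=True),
            R("pass", "out", EXT_IF, "tcp", PROXY, None, {21, 80}, log=True),
            R("pass", "out", log=True),                         # pass out log
            R("pass", "in", INT_IF, quick=True)]                # pass in quick on $int_if

POSTED = ruleset(R("block", "in", EXT_IF, log=True))           # block in log on $ext_if all
GREGS = ruleset(R("block", log=True))                          # block log all

def pkt(direction, iface, proto, src, dst, dport):             # a packet as pf sees it after rdr/nat
    return {"dir": direction, "iface": iface, "proto": proto, "src": src, "dst": dst, "dport": dport}
SAMPLES = {"lan->squid": pkt("in", INT_IF, "tcp", "172.17.0.10", PROXY, 8080),   # constructed packets
           "squid->web": pkt("out", EXT_IF, "tcp", PROXY, "192.0.2.80", 80),
           "stranger->ssh": pkt("in", EXT_IF, "tcp", "192.0.2.50", EXT_ADDR, 22),
           "in on 3rd nic": pkt("in", "em0", "tcp", "192.0.2.50", EXT_ADDR, 22)}  # em0: assumed

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        print(f"{name:14} posted={evaluate(POSTED, p)} greg={evaluate(GREGS, p)}")
```

Note that the proxy hits are decided by the unlogged "pass in quick on $int_if", so they never reach pflog, and that only the global "block log all" gives a logged default deny on an interface the rules do not name.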
