PF RULES! But mine doesn't ...
Robert Marella
rmarella at gmail.com
Sun May 8 13:22:37 PDT 2005
Fafa Hafiz Krantz wrote:
> Hello.
>
> My ruleset is all twisted.
> Unless I disable the default deny policy, this is what happens:
>
> * My nameserver setup goes dysfunctional.
> * My web, mail and fileserver go dysfunctional.
> * I cannot SSH and FTP into certain servers.
> * I cannot ping my IP from the outside.
>
> Can anyone tell what's wrong?
> And maybe also how I can simplify my ruleset?
>
> int_if="ep0"
> ext_if="lnc0"
>
> # *** Options
> #
> set block-policy drop
>
> # *** Scrub incoming packets
> #
> scrub in all
>
> # *** NAT
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any \
> port 21 -> 127.0.0.1 port 8021
>
> # *** Default deny policy
> #
> # block drop log all
>
> # *** Pass loopback traffic
> #
> pass quick on { lo0 $int_if }
>
> # *** Outgoing
> #
> pass out on $ext_if inet proto { tcp, udp, icmp } \
> from ($ext_if) to any keep state
>
> # *** Bootstrap
> #
> pass out on $ext_if inet proto udp \
> from any port 68 to any port 67 keep state
>
> # *** DNS and NTP
> #
> pass out on $ext_if inet proto udp \
> from ($ext_if) to any port { 53, 123 } keep state
>
> # *** SSH, HTTP and Ident
> #
> pass in on $ext_if inet proto tcp \
> from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state
>
> # *** Active FTP
> #
> pass in on $ext_if inet proto tcp \
> from port 20 to ($ext_if) user proxy flags S/SA keep state
>
> Thank you so much.
> Keep in touch!
>
> --
>
> Fafa Hafiz Krantz
> Research Designer @ http://www.bleed.no
>
Perhaps you should check the archives. :)
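The thread itself gives no corrected ruleset (the reply points to the archives), but as an added illustration, not from either poster, here is the quoted ruleset with `block drop log all` active and the inbound rules each reported failure needs. It assumes the nameserver, web and mail services run on the firewall host itself and that "mail" means SMTP on port 25; neither is stated in the post.

```pf
int_if="ep0"
ext_if="lnc0"

set block-policy drop
scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
# FTP proxy redirect for LAN clients (unchanged from the post)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Default deny is now active: everything below must be passed explicitly
block drop log all

pass quick on { lo0 $int_if }

# Outbound from the firewall and from NAT'd LAN clients; this already
# covers the separate DNS/NTP pass-out rule in the post, so it is dropped
pass out on $ext_if inet proto { tcp, udp, icmp } \
    from ($ext_if) to any keep state

# DHCP client: source is 0.0.0.0 before a lease is held, hence "any"
pass out on $ext_if inet proto udp from any port 68 to any port 67 keep state

# Inbound services (assumption: they run on the firewall host)
# Nameserver: queries arrive over UDP and TCP port 53
pass in on $ext_if inet proto { tcp, udp } from any to ($ext_if) port 53 keep state
# SSH, HTTP and Ident from the post, plus SMTP 25 for mail (assumed port)
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port { 22, 25, 80, 113 } flags S/SA keep state
# Fileserver: add its ports here; the post does not say which protocol it uses
# Ping from outside: echo requests only, stateful so the replies pass out
pass in on $ext_if inet proto icmp from any to ($ext_if) \
    icmp-type echoreq keep state
# Active FTP data connections back to the proxy (from the post)
pass in on $ext_if inet proto tcp from any port 20 to ($ext_if) \
    user proxy flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -sr` afterwards to confirm the rule order pf actually evaluates.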
More information about the freebsd-questions mailing list