Strange bridge problem with pf
Rob Lensen
rob at bsdfreaks.nl
Fri Dec 10 07:07:17 PST 2004
Hello,
I have a strange problem with pf on a bridged setup.
I did read the previous thread about the pf problem with a bridge, since
the sysctl value of ipf bridge should be enabled.
In the attached file the pf.conf is given. (fxp0 is the outside nic)
The firewall is working for all machines behind the firewall except sf1;
nothing seems to get to this machine if the firewall is enabled.
If I look at the output of pfctl -sr I can see the rules for this
machine are loaded:
@7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
@16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
@17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state
This should open the ports for ssh and http to machine X.6 (sf1),
however no connection can be made.
Nmap shows:
22/tcp open ssh
80/tcp open http
# telnet X.6 22
gives a timeout.
All other hosts are working fine.
Does anyone have any clue on this problem?
Best
Rob Lensen
Attached pf.conf:
# Interface macros: fxp0 is the public side of the bridge, fxp1 the protected
# side, rl0 the local management interface.
outside="fxp0"
ext_if="fxp0"
inside="fxp1"
local="rl0"
ext_ip=""
local_net ="X.0/24"
# Tables: similar to macros, but more flexible for many addresses.
# Note: 192.168.1.0/16 has host bits set; the RFC 1918 block is 192.168.0.0/16.
table <priv_nets> {127.0.0.0/8, 192.168.1.0/16, 172.16.0.0/12, 10.0.0.0/8 }
set loginterface $outside
set block-policy return
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all
web_A_2 = "X.2"
web_A_3 = "X.3"
web_A_4 = "X.4"
web_A_7 = "X.7"
web_A_8 = "X.8"
web_A_9 = "X.9"
web_A_20 = "X.20"
sf1 = "X.6"
sf2 = "X.30"
mysql2 = "X.14"
extranet = "X.13"
firewall = "X.254"
sec_dns = "X"
http_servers = "{" $web_A_2 $web_A_4 $sf1 $web_A_8 $web_A_9 $extranet "}"
ssh_servers = "{" $web_A_2 $sf1 $sf2 $extranet $mysql2 $firewall "}"
ftp_servers = "{" $web_A_2 $sf1 "}"
mail_servers = "{" $extranet "}"
samba_servers = "{" $extranet "}"
dns_servers = "{" $web_A_3 "}"
ssh_ports = "{ 22 }"
http_ports = "{ 80 , 443 }"
ftp_ports = "{ 20, 21 }"
ftp_ports_pasv = "{ 65000:65500 }"
snmp_ports = "{ 161 }"
mysql_ports = "{ 3306 }"
dns_ports = "{ 53 }"
email_ports = "{ 25, 110, 143, 993, 995 }"
samba_udp_ports = "{ 137, 138, 587 }"
samba_tcp_ports = "{ 139, 445, 587 }"
# Filtering is done on the public side of the bridge, so allow everything
# on the protected side of things (stateless, both directions).
pass in quick on $inside all
pass out quick on $inside all
# Block everything by default on the public side of the bridge; the
# "pass in quick" rules below punch holes for specific servers and ports.
block in log on $outside all
pass out on $outside all
#block out log on $outside all
# Local management interface is fully open.
pass in quick on $local all
pass out quick on $local all
############
# IN RULES
############
#allow ssh to defined servers
pass in quick on $outside proto tcp from any to $ssh_servers \
port $ssh_ports flags S/SA keep state
#allow http for the defined servers
pass in quick on $outside proto tcp from any to $http_servers \
port $http_ports flags S/SA keep state
#allow ftp for defined servers
pass in quick on $outside proto tcp from any to $ftp_servers \
port $ftp_ports
#flags S/SA keep state
pass in quick on $outside proto tcp from any to $ftp_servers \
port $ftp_ports_pasv
#keep state
#allow email for defined server
pass in quick on $outside proto tcp from any to $mail_servers \
port $email_ports
#flags S/SA keep state
#allow samba for defined server
pass in quick on $outside proto tcp from any to $samba_servers \
port $samba_tcp_ports
#flags S/SA keep state
pass in quick on $outside proto udp from any to $samba_servers \
port $samba_udp_ports
#keep state
#allow dns for defined server
pass in quick on $outside proto { tcp, udp } from any to $dns_servers \
port domain keep state
#snmp on firewall
#pass in quick on $outside proto {tcp, udp } from any to $local_ip \
# port $snmp_ports
#pass in quick on $local proto {tcp,udp } from any to $firewall_bridge \
# port $snmp_ports
# Allow ICMP (ping) IN
# pass out/in certain ICMP queries and keep state (ping)
pass in on $outside inet proto icmp all icmp-type {0,3 ,8, 11}
############
# OUT RULES
############
# Allow ICMP (ping) OUT
pass out on $outside inet proto icmp all icmp-type {0,3 ,8, 11}
# Pass (Allow) all UDP/TCP OUT and keep state
pass out on $outside proto udp all
#keep state
pass out on $outside proto tcp all
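As an added example, not part of the original post and not pf's or FreeBSD's own code: a small offline checker that parses pfctl -vsr output (the form with @N rule numbers quoted in the post), reports which rule decides a given packet under pf's last-match-wins evaluation with quick short-circuiting, and flags table entries whose host bits are set, such as the 192.168.1.0/16 in the attached <priv_nets> table. The rule text is a constructed sample built from the three quoted rules plus the catch-all block from the attached pf.conf; the service-name table is a hand-picked subset of /etc/services, and the regex only covers the rule shapes shown here.

```python
import ipaddress
import re

# Constructed sample in `pfctl -vsr` format (rule numbers @N are printed with -v):
# the three rules quoted in the post plus the catch-all block from the attached
# pf.conf, which prints as "block return" because of `set block-policy return`.
SAMPLE_RULES = """\
@6 block return in log on fxp0 all
@7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
@16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
@17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state
"""

# Service names pfctl prints instead of numbers (hand-picked subset of /etc/services).
SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53, "smtp": 25}

# Tolerant pattern for the rule shapes seen in the post; not a full pf grammar.
RULE_RE = re.compile(
    r"^@(?P<num>\d+) (?P<action>pass|block)(?: (?:return|drop))? (?P<dir>in|out)"
    r"(?P<opts>(?: log| quick)*) on (?P<iface>\S+)(?: (?:inet|inet6))?"
    r"(?: proto (?P<proto>\S+))?(?: from (?P<src>\S+))?(?: to (?P<dst>\S+))?"
    r"(?: port (?P<port>(?:= )?\S+))?(?: all)?(?P<rest>.*)$"
)


def _parse_port(spec):
    """Turn 'ssh', '= 22' or '65000:65500' into an inclusive (lo, hi) tuple."""
    if spec is None:
        return None
    spec = spec.lstrip("= ")
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return int(lo), int(hi)
    port = SERVICES.get(spec)
    return (port, port) if port is not None else (int(spec), int(spec))


def parse_rules(text):
    """Parse pfctl -vsr output into dicts; lines that are not rules are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        rules.append({
            "num": int(d["num"]), "action": d["action"], "dir": d["dir"],
            "quick": "quick" in d["opts"], "iface": d["iface"],
            "proto": d["proto"], "src": d["src"], "dst": d["dst"],
            "port": _parse_port(d["port"]), "keep_state": "keep state" in d["rest"],
        })
    return rules


def _addr_matches(spec, addr):
    """'any'/absent matches everything; otherwise exact text or CIDR containment."""
    if spec in (None, "any") or spec == addr:
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:  # redacted names like X.6 can only be compared as text
        return False


def winning_rule(rules, iface, direction, proto, dst, port):
    """Apply pf's last-match-wins evaluation with `quick` short-circuiting and
    return the rule that decides the packet, or None if no rule matches."""
    winner = None
    for r in rules:
        if r["iface"] != iface or r["dir"] != direction:
            continue
        if r["proto"] not in (None, proto):
            continue
        if not _addr_matches(r["dst"], dst):
            continue
        if r["port"] is not None and not (r["port"][0] <= port <= r["port"][1]):
            continue
        winner = r
        if r["quick"]:
            break
    return winner


def non_network_entries(entries):
    """Return CIDR entries whose host bits are set (e.g. 192.168.1.0/16), so a
    reviewer can confirm which range was actually intended."""
    bad = []
    for e in entries:
        try:
            ipaddress.ip_network(e, strict=True)
        except ValueError:
            bad.append(e)
    return bad


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for port in (22, 80, 443, 25):
        r = winning_rule(rules, "fxp0", "in", "tcp", "X.6", port)
        print(f"tcp/{port} to X.6:", f"@{r['num']} {r['action']}" if r else "no match")
    print("table entries to review:", non_network_entries(
        ["127.0.0.0/8", "192.168.1.0/16", "172.16.0.0/12", "10.0.0.0/8"]))
```

Running it against the post's own rules confirms what the author saw in pfctl -sr: tcp/22, 80 and 443 to X.6 land on pass rules @7, @16 and @17, while any other port falls through to the block rule, so the ruleset itself explains neither the nmap "open" result nor the telnet timeout, and the next things to check are outside pf (the bridge sysctl, ARP/MTU on sf1, or the host's own service).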