Strange bridge problem with pf

Rob Lensen rob at bsdfreaks.nl
Fri Dec 10 07:07:17 PST 2004


Hello,

I have a strange problem with pf on a bridged setup.

I did read the previous thread about the pf problem with a bridge, since
the sysctl value of ipf bridge should be enabled.

In the attached file the pf.conf is given. (fxp0 is the outside nic)

The firewall is working for all machines behind the firewall except sf1;
nothing seems to go to this machine if the firewall is enabled.

If I look at the output of pfctl -sr I can see that the rules for this
machine are loaded:

@7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
@16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
@17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state

This should open the ports for ssh and http to machine X.6 (sf1);
however, no connection can be made.
Nmap shows:
22/tcp  open     ssh
80/tcp  open     http

# telnet X.6 22
gives a timeout.

All other hosts are working fine.

Does anyone have any clue about this problem?

Best
Rob Lensen
-------------- attached pf.conf --------------
outside = "fxp0"
ext_if  = "fxp0"
inside  = "fxp1"
local   = "rl0"

ext_ip    = ""
local_net = "X.0/24"

# Tables: similar to macros, but more flexible for many addresses.
# RFC 1918 private ranges plus loopback (192.168.0.0/16 is the /16 block;
# 192.168.1.0/16 has host bits set and is not a network address).
table <priv_nets> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }

set loginterface $outside
set block-policy return

# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all

# Hosts behind the bridge (X stands for the redacted network prefix)
web_A_2  = "X.2"
web_A_3  = "X.3"
web_A_4  = "X.4"
web_A_7  = "X.7"
web_A_8  = "X.8"
web_A_9  = "X.9"
web_A_20 = "X.20"
sf1      = "X.6"
sf2      = "X.30"
mysql2   = "X.14"
extranet = "X.13"
firewall = "X.254"
sec_dns  = "X"

# Per-service host lists; the quoted braces build a pf list out of macros
http_servers  = "{" $web_A_2 $web_A_4 $sf1 $web_A_8 $web_A_9 $extranet "}"
ssh_servers   = "{" $web_A_2 $sf1 $sf2 $extranet $mysql2 $firewall "}"
ftp_servers   = "{" $web_A_2 $sf1 "}"
mail_servers  = "{" $extranet "}"
samba_servers = "{" $extranet "}"
dns_servers   = "{" $web_A_3 "}"

ssh_ports       = "{ 22 }"
http_ports      = "{ 80, 443 }"
ftp_ports       = "{ 20, 21 }"
ftp_ports_pasv  = "{ 65000:65500 }"
snmp_ports      = "{ 161 }"
mysql_ports     = "{ 3306 }"
dns_ports       = "{ 53 }"
email_ports     = "{ 25, 110, 143, 993, 995 }"
samba_udp_ports = "{ 137, 138, 587 }"
samba_tcp_ports = "{ 139, 445, 587 }"

# A bridged packet is filtered twice, once on each bridge member interface.
# Filtering is done on the public side of the bridge, so allow everything
# on the protected side of things.
pass  in  quick on $inside all
pass  out quick on $inside all

# Block everything inbound by default on the public side of the bridge;
# the quick pass rules below open holes for specific hosts and ports.
block in  log on $outside all
pass  out on $outside all
#block out log on $outside all

# Management interface, unfiltered
pass in  quick on $local all
pass out quick on $local all

############
# IN RULES
############

# allow ssh to defined servers
pass in quick on $outside proto tcp from any to $ssh_servers \
	port $ssh_ports flags S/SA keep state

# allow http for the defined servers
pass in quick on $outside proto tcp from any to $http_servers \
	port $http_ports flags S/SA keep state

# allow ftp for defined servers (state keeping currently commented out)
pass in quick on $outside proto tcp from any to $ftp_servers \
	port $ftp_ports
#	flags S/SA keep state
pass in quick on $outside proto tcp from any to $ftp_servers \
	port $ftp_ports_pasv
#	keep state

# allow email for defined server (state keeping currently commented out)
pass in quick on $outside proto tcp from any to $mail_servers \
	port $email_ports
#	flags S/SA keep state

# allow samba for defined server (state keeping currently commented out)
pass in quick on $outside proto tcp from any to $samba_servers \
	port $samba_tcp_ports
#	flags S/SA keep state

pass in quick on $outside proto udp from any to $samba_servers \
	port $samba_udp_ports
#	keep state

# allow dns for defined server
pass in quick on $outside proto { tcp, udp } from any to $dns_servers \
	port domain keep state

# snmp on firewall ($local_ip and $firewall_bridge are not defined above)
#pass in quick on $outside proto { tcp, udp } from any to $local_ip \
#	port $snmp_ports

#pass in quick on $local proto { tcp, udp } from any to $firewall_bridge \
#	port $snmp_ports

# Allow ICMP (ping) IN
# pass in certain ICMP queries (echo reply, unreachable, echo, time exceeded)
pass in on $outside inet proto icmp all icmp-type { 0, 3, 8, 11 }


############
# OUT RULES
############
# Allow ICMP (ping) OUT
pass out on $outside inet proto icmp all icmp-type { 0, 3, 8, 11 }

# Pass (Allow) all UDP/TCP OUT
pass out on $outside proto udp all
#	keep state
pass out on $outside proto tcp all
        


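The question is whether the posted ruleset, on paper, lets a packet for sf1 through. The following is an added example, not part of the original post or of pf itself: a small Python model of pf's rule evaluation (last matching rule wins unless a matching rule is marked quick; a packet matching no rule passes) loaded with the rules transcribed from the attached pf.conf, plus a helper that applies the two filtering passes a bridged packet gets (inbound on the arriving interface, outbound on the leaving one). "X" is the redacted prefix exactly as written in the post; the packets and interface names are assumptions taken from the config, and icmp-type matching is not modelled.

```python
# Added example (not from the original post): a model of pf's rule
# evaluation loaded with the rules from the posted pf.conf, to check on
# paper what the ruleset does with a packet for sf1 (X.6). "X" is the
# redacted address prefix from the post; packets below are constructed.
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple

X = "X"  # redacted network prefix exactly as written in the post


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: str                     # "in" or "out"
    iface: str                         # interface the rule is bound to
    proto: Optional[str] = None        # "tcp", "udp", "icmp"; None = any
    dst: Optional[Set[str]] = None     # destination hosts; None = any
    dports: Optional[Set[int]] = None  # destination ports; None = any
    quick: bool = False                # stop evaluating on match
    label: str = ""                    # macro/comment this rule came from


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    dst: str
    dport: int = 0


def matches(r: Rule, p: Packet) -> bool:
    return (r.direction == p.direction and r.iface == p.iface
            and (r.proto is None or r.proto == p.proto)
            and (r.dst is None or p.dst in r.dst)
            and (r.dports is None or p.dport in r.dports))


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str]]:
    """pf semantics: the LAST matching rule wins, except that a matching
    rule marked 'quick' ends evaluation immediately. A packet matching no
    rule passes. Returns (action, label of the winning rule)."""
    winner = None
    for r in rules:
        if matches(r, p):
            winner = r
            if r.quick:
                break
    return (winner.action, winner.label) if winner else ("pass", None)


# Macro lists transcribed from the posted pf.conf.
ssh_servers = {f"{X}.2", f"{X}.6", f"{X}.30", f"{X}.13", f"{X}.14", f"{X}.254"}
http_servers = {f"{X}.2", f"{X}.4", f"{X}.6", f"{X}.8", f"{X}.9", f"{X}.13"}
ftp_servers = {f"{X}.2", f"{X}.6"}
extranet = {f"{X}.13"}
dns_servers = {f"{X}.3"}

# The posted ruleset in file order (icmp-type matching is not modelled).
RULES = [
    Rule("pass", "in", "fxp1", quick=True, label="pass in quick on $inside all"),
    Rule("pass", "out", "fxp1", quick=True, label="pass out quick on $inside all"),
    Rule("block", "in", "fxp0", label="block in log on $outside all"),
    Rule("pass", "out", "fxp0", label="pass out on $outside all"),
    Rule("pass", "in", "rl0", quick=True, label="pass in quick on $local all"),
    Rule("pass", "out", "rl0", quick=True, label="pass out quick on $local all"),
    Rule("pass", "in", "fxp0", "tcp", ssh_servers, {22}, True, "ssh_servers"),
    Rule("pass", "in", "fxp0", "tcp", http_servers, {80, 443}, True, "http_servers"),
    Rule("pass", "in", "fxp0", "tcp", ftp_servers, {20, 21}, True, "ftp_servers"),
    Rule("pass", "in", "fxp0", "tcp", ftp_servers, set(range(65000, 65501)), True, "ftp_ports_pasv"),
    Rule("pass", "in", "fxp0", "tcp", extranet, {25, 110, 143, 993, 995}, True, "mail_servers"),
    Rule("pass", "in", "fxp0", "tcp", extranet, {139, 445, 587}, True, "samba_tcp_ports"),
    Rule("pass", "in", "fxp0", "udp", extranet, {137, 138, 587}, True, "samba_udp_ports"),
    Rule("pass", "in", "fxp0", "tcp", dns_servers, {53}, True, "dns_servers"),
    Rule("pass", "in", "fxp0", "udp", dns_servers, {53}, True, "dns_servers"),
    Rule("pass", "in", "fxp0", "icmp", label="icmp in"),
    Rule("pass", "out", "fxp0", "icmp", label="icmp out"),
    Rule("pass", "out", "fxp0", "udp", label="pass out on $outside proto udp all"),
    Rule("pass", "out", "fxp0", "tcp", label="pass out on $outside proto tcp all"),
]


def bridge_forward(rules, proto, dst, dport, in_if="fxp0", out_if="fxp1"):
    """A packet crossing the bridge is filtered twice: inbound on the
    interface it arrived on and outbound on the one it leaves by. Both
    evaluations must pass. Returns (action, stage, winning rule label)."""
    act, lab = evaluate(rules, Packet("in", in_if, proto, dst, dport))
    if act != "pass":
        return act, "in", lab
    act2, lab2 = evaluate(rules, Packet("out", out_if, proto, dst, dport))
    return act2, "out", lab2


def block_last_without_quick(rules):
    """Same rules with 'quick' dropped and the outside block moved to the
    end: under last-match semantics every inbound fxp0 packet then loses,
    which is why the posted config depends on 'quick' on its pass rules."""
    blocks = [r for r in rules if r.action == "block"]
    rest = [replace(r, quick=False) for r in rules if r.action != "block"]
    return rest + blocks


if __name__ == "__main__":
    for port in (22, 80, 443, 3306):
        print(f"{X}.6:{port}/tcp ->", bridge_forward(RULES, "tcp", f"{X}.6", port))
    print("block last, no quick ->",
          evaluate(block_last_without_quick(RULES), Packet("in", "fxp0", "tcp", f"{X}.6", 22)))
```

The model says the SYN to X.6:22 is accepted by the ssh_servers rule on fxp0 and then by the unconditional pass on fxp1, so the ruleset as written is not what drops it; that points the investigation at what pflog actually records for X.6 and at the host itself rather than at rule order. The second helper shows the property the config leans on: with quick removed and the block rule placed last, last-match semantics would block every inbound packet on fxp0.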