Another problem with pf..

Dimitry Andric dimitry at andric.com
Thu Oct 21 13:57:18 PDT 2004


On 2004-10-21 at 22:49:14 Matteo Riondato wrote:

> ext_if = "tun0"
> wifi_if = "rl0"
> eth_if = "fxp1"
> wifi_net = "192.168.1.0/27"
> eth_net = "192.168.0.0/29"
> tcp_services = "{ 22, 80, 25, 4660 >< 4683, 6890 >< 6901 }"
> icmp_types = "{ 0, 3, 8, 11 }"
> scrub in all fragment reassemble
> block drop all
> pass quick on lo0 all
> block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
> block drop in log quick inet from 192.168.1.1 to any
> block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
> block drop in quick inet from 192.168.0.1 to any
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = ssh flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = http flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = smtp flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port 4660 >< 4683 flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port 6890 >< 6901 flags S/SA keep state
> pass inet proto icmp all icmp-type echorep
> pass inet proto icmp all icmp-type unreach
> pass inet proto icmp all icmp-type echoreq
> pass inet proto icmp all icmp-type timex
> pass in on rl0 inet from 192.168.1.0/27 to any keep state
> pass out on rl0 inet from any to 192.168.1.0/27 keep state
> pass in on fxp1 inet from 192.168.0.0/29 to any keep state
> pass out on fxp1 inet from any to 192.168.0.0/29 keep state
> pass in on rl0 inet from 192.168.1.200 to 192.168.1.1 keep state
> pass out on rl0 inet from 192.168.1.1 to 192.168.1.200 keep state
> pass out on tun0 proto tcp all flags S/SA modulate state
> pass out on tun0 proto udp all keep state
> pass out on tun0 proto icmp all keep state

Hm, so your rules seem to be okay.  Am I missing something, or is there
no NAT rule in there?

Next question is: what happens if you manually run /etc/rc.d/pf start
or reload?
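For readers following the thread, here is what the missing translation section would look like in the syntax FreeBSD's pf used at the time (OpenBSD 3.x style, where nat/rdr rules are a separate section that must come before the filter rules). This is an added example, not part of either poster's message: the macro names and interface assignments are copied from the quoted ruleset, and the rest is an assumption about what the gateway is meant to do.

```pf
# Added example (not from the original post).  Macros are taken from the
# quoted ruleset; the nat rules and their placement are the addition.
ext_if   = "tun0"
wifi_if  = "rl0"
eth_if   = "fxp1"
wifi_net = "192.168.1.0/27"
eth_net  = "192.168.0.0/29"

scrub in all fragment reassemble

# Translation section.  In this syntax it has to sit before the first
# filter rule or pfctl rejects the file.  The parenthesised ($ext_if)
# tells pf to look the interface address up at match time, which matters
# on a tun0 PPP link whose address changes on every reconnect; a bare
# $ext_if would bake in the address that was current at load time.
nat on $ext_if inet from $wifi_net to any -> ($ext_if)
nat on $ext_if inet from $eth_net  to any -> ($ext_if)

# Filter section: the quoted rules go here unchanged.  NAT is applied
# before the outbound filter on $ext_if, so "pass out on tun0 ... keep
# state" still matches the translated packets as before.
block drop all
pass quick on lo0 all
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto udp all keep state
pass out on $ext_if proto icmp all keep state
```

Two checks go with this. `pfctl -nf /etc/pf.conf` parses the file without loading it, so a misplaced nat rule or a stale address shows up as a parse error rather than as silently missing rules; after a real load, `pfctl -s nat` lists the translation rules pf actually has, and an empty listing there is the quickest way to confirm the symptom the reply is pointing at. Note also that nat only rewrites addresses; the box still has to route, so `net.inet.ip.forwarding` must be 1 (gateway_enable="YES" in rc.conf) or traffic from the 192.168.x networks never reaches tun0 at all.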