Strange bridge problem with pf
Rob Lensen
rob at bsdfreaks.nl
Sat Jan 8 16:56:47 PST 2005
Hello,
The problem which I had with FreeBSD and the bridged setup is solved.
I solved it by switching the transparent bridge machine to OpenBSD 3.6.
So the same ruleset is working perfectly on OpenBSD. So I think PF and
bridge do not work well on FreeBSD.
Best,
Rob
>
> I have a strange problem with pf on a bridged setup.
>
> I did read the previous thread about the pf problem with a bridge,
> since the sysctl value of ipf bridge should be enabled.
>
> In the attached file the pf.conf is given. (fxp0 is the outside nic)
>
> The firewall is working for all machines behind the firewall except
> sf1; nothing seems to go to this machine if the firewall is enabled.
>
> If I look at the output of pfctl -sr I can see the rules for this
> machine are loaded:
>
> @7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
> @16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
> @17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state
>
> This should open the ports for ssh and http to machine X.6 (sf1),
> however no connection can be made.
> Nmap shows:
> 22/tcp open ssh
> 80/tcp open http
>
> #telnet X.6 22
> gives a timeout
>
> All other hosts are working fine.
>
> Does anyone have any clue on this problem?
>
> Best
> Rob Lensen
>
>
> ------------------------------------------------------------------------
>
> outside="fxp0"
> ext_if="fxp0"
> inside="fxp1"
> local="rl0"
>
> ext_ip=""
> local_net = "X.0/24"
>
> # Tables: similar to macros, but more flexible for many addresses.
> # RFC 1918 space plus loopback; 192.168.0.0/16 is the whole private /16
> table <priv_nets> { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }
>
> set loginterface $outside
> set block-policy return
>
> # Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
> #scrub in all
>
> web_A_2 = "X.2"
> web_A_3 = "X.3"
> web_A_4 = "X.4"
> web_A_7 = "X.7"
> web_A_8 = "X.8"
> web_A_9 = "X.9"
> web_A_20 = "X.20"
> sf1 = "X.6"
> sf2 = "X.30"
> mysql2 = "X.14"
> extranet = "X.13"
> firewall = "X.254"
> sec_dns = "X"
>
> http_servers = "{" $web_A_2 $web_A_4 $sf1 $web_A_8 $web_A_9 $extranet "}"
> ssh_servers = "{" $web_A_2 $sf1 $sf2 $extranet $mysql2 $firewall "}"
> ftp_servers = "{" $web_A_2 $sf1 "}"
> mail_servers = "{" $extranet "}"
> samba_servers = "{" $extranet "}"
> dns_servers = "{" $web_A_3 "}"
>
> ssh_ports = "{ 22 }"
> http_ports = "{ 80 , 443 }"
> ftp_ports = "{ 20, 21 }"
> ftp_ports_pasv = "{ 65000:65500 }"
> snmp_ports = "{ 161 }"
> mysql_ports = "{ 3306 }"
> dns_ports = "{ 53 }"
> email_ports = "{ 25, 110, 143, 993, 995 }"
> samba_udp_ports = "{ 137, 138, 587 }"
> samba_tcp_ports = "{ 139, 445, 587 }"
>
> # filtering done on public side of bridge, so allow everything
> # on the protected side of things
> pass in quick on $inside all
> pass out quick on $inside all
>
> # block everything by default on bridge
> block in log on $outside all
> pass out on $outside all
> #block out log on $outside all
>
> pass in quick on $local all
> pass out quick on $local all
>
> ############
> # IN RULES
> ############
>
> #allow ssh to defined servers
> pass in quick on $outside proto tcp from any to $ssh_servers \
> port $ssh_ports flags S/SA keep state
>
>
> #allow http for the defined servers
> pass in quick on $outside proto tcp from any to $http_servers \
> port $http_ports flags S/SA keep state
>
> #allow ftp for defined servers
> pass in quick on $outside proto tcp from any to $ftp_servers \
> port $ftp_ports #flags S/SA keep state
> pass in quick on $outside proto tcp from any to $ftp_servers \
> port $ftp_ports_pasv #keep state
>
> #allow email for defined server
> pass in quick on $outside proto tcp from any to $mail_servers \
> port $email_ports #flags S/SA keep state
>
> #allow samba for defined server
> pass in quick on $outside proto tcp from any to $samba_servers \
> port $samba_tcp_ports #flags S/SA keep state
>
> pass in quick on $outside proto udp from any to $samba_servers \
> port $samba_udp_ports #keep state
>
> #allow dns for defined server
> pass in quick on $outside proto { tcp, udp } from any to $dns_servers \
> port domain keep state
>
> #snmp on firewall
> #pass in quick on $outside proto {tcp, udp } from any to $local_ip \
> # port $snmp_ports
>
> #pass in quick on $local proto {tcp,udp } from any to $firewall_bridge \
> # port $snmp_ports
> # Allow ICMP (ping) IN
> # pass out/in certain ICMP queries and keep state (ping)
> pass in on $outside inet proto icmp all icmp-type { 0, 3, 8, 11 }
>
>
> ############
> # OUT RULES
> ############
> # Allow ICMP (ping) OUT
> pass out on $outside inet proto icmp all icmp-type { 0, 3, 8, 11 }
> # Pass (Allow) all UDP/TCP OUT and keep state
> pass out on $outside proto udp all #keep state
> pass out on $outside proto tcp all
>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
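The quoted pfctl -sr lines can be checked mechanically against pf's matching rules (last match wins unless a rule is "quick") to confirm that the ruleset itself admits traffic to sf1, which is why the thread ends up looking at the bridge rather than the rules. The following is an added example, not code from the mail or from pf; the rule listing is constructed from the three quoted rules plus the default block/pass rules of the quoted pf.conf, and the "X." address prefix is the mail's own redaction kept literally.

```python
import re
from collections import namedtuple
# Constructed `pfctl -sr` listing: the three quoted sf1 (X.6) rules plus the bridge's
# default block/pass rules from the quoted pf.conf; "X." is the mail's own redaction.
RULES_TEXT = """\
@0 block return in log on fxp0 all
@1 pass out on fxp0 all
@7 pass in quick on fxp0 inet proto tcp from any to X.6 port = ssh flags S/SA keep state
@16 pass in quick on fxp0 inet proto tcp from any to X.6 port = http flags S/SA keep state
@17 pass in quick on fxp0 inet proto tcp from any to X.6 port = https flags S/SA keep state
"""
RULE_RE = re.compile(
    r"^@(?P<num>\d+) (?P<action>pass|block)(?: (?:drop|return))? (?P<dir>in|out)"
    r"(?P<quick> quick)?(?: log)? on (?P<ifc>\S+)(?: inet6?)?(?: proto (?P<proto>\w+))?"
    r"(?: from (?P<src>\S+))?(?: to (?P<dst>\S+))?(?: port = (?P<port>\S+))?")
SERVICES = {"ssh": 22, "http": 80, "https": 443, "domain": 53}
Packet = namedtuple("Packet", "direction ifc proto src dst dport")

def parse_rules(text):
    """Parse `pfctl -sr` lines into dicts; a missing field means 'any'."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        r = m.groupdict()
        r["num"], r["quick"] = int(r["num"]), r["quick"] is not None
        if r["port"]:
            r["port"] = SERVICES.get(r["port"]) or int(r["port"])
        rules.append(r)
    return rules

def rule_matches(r, pkt):
    # Addresses are literal strings here (the mail redacts the prefix): exact or "any" only.
    addr_ok = lambda pat, a: pat in (None, "any", a)
    return (r["dir"] == pkt.direction and r["ifc"] == pkt.ifc
            and r["proto"] in (None, pkt.proto)
            and addr_ok(r["src"], pkt.src) and addr_ok(r["dst"], pkt.dst)
            and r["port"] in (None, pkt.dport))

def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins unless a matching rule is 'quick'."""
    decision, winner = "pass", None  # nothing matched: pf's implicit default pass
    for r in rules:
        if rule_matches(r, pkt):
            decision, winner = r["action"], r["num"]
            if r["quick"]:
                break
    return decision, winner
```

Running evaluate() on an inbound SYN to X.6 port 22 returns ("pass", 7), so the filter rules are not what keeps sf1 unreachable.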