Whats wrong with this ruleset?

Hexren me at hexren.net
Tue Mar 1 23:44:16 GMT 2005 

GS> For some reason, port 53 is blocked going out of the external interface ->
GS> 000000 rule 0/0(match): block out on ed0: IP xx.xxx.xxx.xx.53 > 
GS> xx.xx.xx.xxx.4973

GS> Im still new to pf, but shouldn't the last two lines allow anything 
GS> going out
GS> to pass??
GS> Any ideas on how to fix?
GS> Thanks for your time

GS> ----
GS> # macros
GS> int_if = "fxp0"
GS> ext_if = "ed0"

GS> tcp_services = "{ 22, 113 }"
GS> icmp_types = "echoreq"

GS> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

GS> hivemind = "192.168.0.2"
GS> www      = "10.0.0.1"

GS> isp_dhcp = "xx.xx.xx.xx"

GS> # options
GS> set block-policy return
GS> set loginterface $ext_if

GS> # scrub
GS> scrub in all

GS> # nat/rdr
GS> nat on $ext_if from $int_if:network to any -> ($ext_if)

GS> rdr on $ext_if proto tcp from any to any port 22 -> $hivemind
GS> rdr on $ext_if proto tcp from any to any port 25 -> $hivemind
GS> rdr on $ext_if proto tcp from any to any port 80 -> $www
GS> rdr on $ext_if proto tcp from any to any port 110 -> $hivemind


GS> # filter rules
GS> block log all

GS> pass quick on lo0 all

GS> block drop in  quick on $ext_if from $priv_nets to any
GS> block drop out quick on $ext_if from any to $priv_nets

GS> pass in on $ext_if inet proto tcp from any to ($ext_if) port 
GS> $tcp_services flags S/SA keep state

GS> pass in on $ext_if proto {udp} from $isp_dhcp to any port 68

GS> pass in on $ext_if proto {tcp} from any to any port 22

GS> pass in on $ext_if proto {tcp, udp} from any to any port 53

GS> pass in on $ext_if proto {tcp} from any to any port 25
GS> pass in on $ext_if proto {tcp} from any to any port 110

GS> pass in on $ext_if proto tcp from any to $www port 80 flags S/SA 
GS> synproxy state

GS> pass in inet proto icmp all icmp-type $icmp_types keep state

GS> pass in on $int_if from $int_if:network to any keep state
GS> pass out on $int_if from any to $int_if:network keep state

GS> pass out on $ext_if proto tcp all modulate state flags S/SA
GS> pass out on $ext_if proto {udp, icmp} all keep state
GS> _______________________________________________
GS> freebsd-pf at freebsd.org mailing list
GS> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
GS> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"

---------------------------------------------

I am not that genius in pf, but try if it helps if you comment these
two rules out.

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

Hexren

More information about the freebsd-pf mailing list