newbie to pf

Daniel Bye freebsd-questions at slightlystrange.org
Sun Dec 3 22:22:01 PST 2006


On Sun, Dec 03, 2006 at 12:25:36PM +0100, Niklas Saers wrote:
> 
> I've been reading a bit and using examples I've found good, and so far
> my pf.conf looks like this. Nat seems to work fine for the internal
> network, not for the business network. Incoming traffic to 10.0.3.2
> does not work, neither does incoming to 10.0.2.2, and setting up an
> ssh connection between 10.0.2.2 and 10.0.3.2 takes about 26 seconds.
> Do you have any suggestions on how I can solve these problems? Are
> there any problems with this setup that I have not discovered yet?
> 
> # macros
> ext_if = "sis0"
> int_if = "sis1"
> bus_if = "sis2"
> internal_net = "10.0.2.0/24"
> business_net = "10.0.3.0/24"
> soekris = "{ 10.0.0.4, 10.0.2.1, 10.0.3.1 }"
> 
> # tables
> table <firewall> const { self }
> 
> # options
> set block-policy drop
> set state-policy if-bound
> 
> # scrub incoming packets
> scrub all reassemble tcp fragment reassemble
> 
> # nat
> nat on $ext_if from $internal_net to any -> ($ext_if)
> no nat on $ext_if from $internal_net to $business_net
> no nat on $ext_if from $internal_net to $soekris
> 
> # redirection
> rdr on $ext_if proto tcp from any to $ext_if port { 22, 443, 3306 } -> 10.0.3.2
> rdr on $ext_if proto tcp from any to $ext_if -> 10.0.2.2
> 
> # setup a default deny policy
> block drop log all
> 
> # pass traffic on the loopback interface in either direction
> pass quick on lo0 all
> pass quick on $int_if all
> pass quick on $bus_if all
> 
> # outgoing dns, ntp
> pass out quick on $ext_if inet proto udp from ($ext_if) to any port { 53, 123 } keep state
> 
> # outgoing from firewall
> pass out log quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
> pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state
> 
> # incoming active ftp-data (this is required for active ftp to work)
> pass in log quick on $ext_if inet proto tcp from any port 20 to ($ext_if) port >= 1024 flags S/SA keep state
> 
> # incoming tcp and udp from the internal network to the internet
> pass in log quick on $int_if inet proto tcp from $internal_net to !<firewall> flags S/SA modulate state
> pass in log quick on $int_if inet proto udp from $internal_net to !<firewall> keep state

<disclaimer>I'm also a pf n00b, so please don't regard this as expert
opinion!</disclaimer>

From reading the excellent documentation at the OpenBSD site, I think
you are missing a `pass' rule for your redirected traffic.  You can
either add a `pass' keyword to the rdr rules (which will mean they
don't get filtered /at all/), or you can write dedicated `pass' rules
for the redirected traffic.  Remember that the filtering engine will
see the redirected packets /after/ translation occurs, so take that
into account if you write dedicated rules.

As for your ssh problem - this may be related to a DNS timeout.
Try disabling DNS in ssh (by default, it will try to look up the name
of a remote host from its IP and check that it resolves back to the same
address).  Alternatively, you can edit your /etc/hosts, or start running
a local name server.

Anyway, like I said - IANAE!

Dan

-- 
Daniel Bye

PGP Key: http://www.slightlystrange.org/pgpkey-dan.asc
PGP Key fingerprint: D349 B109 0EB8 2554 4D75  B79A 8B17 F97C 1622 166A
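The fix the reply describes, written out as an added example that is not part of either poster's ruleset: the two rdr rules with the dedicated pass rules they need, matched on the post-translation internal addresses, and the `rdr pass` shortcut as a commented alternative. Macros and addresses follow the quoted config; which host is meant to receive which service is assumed.

```pf
# Added example, not from either poster's config; macros follow the original.
ext_if = "sis0"
svc_ports = "{ 22, 443, 3306 }"
bus_host = "10.0.3.2"    # assumed: the host meant to receive 22/443/3306
int_host = "10.0.2.2"    # assumed: the host meant to receive all other TCP

# Translation runs before filtering. ($ext_if) tracks the interface address
# if it changes, which the bare "sis0" macro does not.
rdr on $ext_if proto tcp from any to ($ext_if) port $svc_ports -> $bus_host
rdr on $ext_if proto tcp from any to ($ext_if) -> $int_host

block drop log all

# The filter sees each packet after rdr has rewritten its destination, so
# the pass rules name the internal hosts, still inbound on $ext_if.
pass in log quick on $ext_if inet proto tcp from any to $bus_host \
    port $svc_ports flags S/SA keep state
pass in log quick on $ext_if inet proto tcp from any to $int_host \
    flags S/SA keep state

# Shortcut: a "rdr pass" rule admits the redirected connections without the
# filter ever seeing them, so they are neither logged nor limited further.
# rdr pass on $ext_if proto tcp from any to ($ext_if) port $svc_ports -> $bus_host
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -s rules -v` shows the per-rule counters, so a redirected connection that never increments the pass rule is the sign the destination in that rule is still the pre-translation address.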