Help with <other_clients> issue

Isaac Grover isaac.grover at gmail.com
Fri Dec 8 06:39:35 PST 2006


Good morning from Wisconsin,

I have a wireless network set up as such: the gateway/proxy/firewall
is a FreeBSD 6.1 box running pf and squid with three NICs (xl0 isn't
used yet), xl2 connects to the outside world, xl1 connects to the
wireless access point, and my laptop (192.168.100.X) should have
unrestricted access to everything while all other wireless clients are
restricted to tcp_services and udp_services.

I built this pf.conf from the ground up using Peter's PF tutorial at
http://home.nuug.no/~peter/pf/ , and I'm sure it's not a fault of
Peter's fine tutorial, but that my understanding of how traffic flows
through pf is somewhat lacking.

I can ping from my WinXP laptop to the FreeBSD box and to the outside
world, but I am not able to use any tcp or udp services.  The rules
involving tcp_services and udp_services seem to be correct; however, I
am suspecting that the table <other_clients> isn't defined correctly,
but I can't stay connected long enough to see where the problem is, as
pfctl -f pf.conf resets my ssh connection.

Could a more experienced person take a look at what I have below and
point out any problems?

Thanks in advance.

---8<---
ext_if="xl2"
ext_net=$ext_if:network
wireless_if="xl1"
wireless_if_addr="192.168.100.1"
wireless_net=$wireless_if:network
my_laptop="192.168.100.X"
table <other_clients> { $wireless_net, !$my_laptop }
tcp_services="{ ssh, domain, smtp, pop3, auth, https }"
udp_services="{ domain, ntp }"
icmp_types= "echoreq"

set block-policy return

nat on $ext_if from <other_clients> to any port $tcp_services -> ($ext_if)
nat on $ext_if from $my_laptop to any -> ($ext_if)

rdr on $wireless_if inet proto tcp from $wireless_net to any port 80 -> $wireless_if_addr port 3080

block all

pass in on $wireless_if inet proto tcp from $wireless_net to $wireless_if_addr port 3080 keep state

pass out on $ext_if inet proto tcp from $wireless_net to any port 3080 keep state
pass out on $ext_if inet proto tcp from <other_clients> to any port $tcp_services keep state
pass out on $ext_if inet proto tcp from $my_laptop to any keep state
pass out on $ext_if inet proto udp from $wireless_net to any port $udp_services keep state
pass inet proto icmp from any to any
---8<---

-- 
Isaac Grover, Owner
Quality Computer Services of River Falls, Wisconsin
Affordable I. T. Consulting, Web Design, and Web Hosting.
Commercial and Residential Inquiries Welcomed.
Web: http://www.qcs-rf.com
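The ruleset below is an added illustration, not part of the thread and not Peter's tutorial code, of how the configuration in the post can be made to pass the intended traffic. The table definition itself is fine: pf accepts an interface's :network inside a table and a `!` prefix for a negated entry. The traffic-flow point is that with `block all`, a packet from a wireless client has to be passed twice, once inbound on xl1 and once outbound on xl2, and the posted ruleset only has an inbound pass on xl1 for the port 3080 proxy redirect, so every other tcp or udp packet from the clients is dropped before any of the `pass out on $ext_if` rules is considered (this is also consistent with an ssh session from the laptop being cut when the ruleset is loaded). A second problem is that the nat rule for <other_clients> matches only the tcp service ports, so the udp services (domain, ntp) would leave xl2 with a private source address. The 192.168.100.X placeholder is kept exactly as in the post and has to be replaced with the laptop's real address before loading.

```conf
ext_if="xl2"
wireless_if="xl1"
wireless_if_addr="192.168.100.1"
wireless_net=$wireless_if:network
my_laptop="192.168.100.X"        # placeholder as in the original post; fill in the real address
table <other_clients> { $wireless_net, !$my_laptop }
tcp_services="{ ssh, domain, smtp, pop3, auth, https }"
udp_services="{ domain, ntp }"
icmp_types="echoreq"

set block-policy return
set skip on lo0

# Translate everything that leaves via the external interface. Which clients
# may use which services is decided by the filter rules below, not by nat.
nat on $ext_if from $wireless_net to any -> ($ext_if)

# Transparent proxy redirect for the wireless clients' web traffic (squid on 3080).
rdr on $wireless_if inet proto tcp from $wireless_net to any port 80 -> $wireless_if_addr port 3080

block all

# The gateway itself must accept the redirected proxy connections.
pass in on $wireless_if inet proto tcp from $wireless_net to $wireless_if_addr port 3080 keep state

# Restricted clients: only the listed services may enter from the wireless side.
pass in on $wireless_if inet proto tcp from <other_clients> to any port $tcp_services keep state
pass in on $wireless_if inet proto udp from <other_clients> to any port $udp_services keep state

# The laptop is unrestricted, including its sessions to the gateway itself.
pass in on $wireless_if from $my_laptop to any keep state

# Anything that passed the inbound filter, plus squid's own outbound
# connections from the gateway, may leave on the external interface.
pass out on $ext_if keep state

# Echo requests only, instead of all ICMP in both directions.
pass inet proto icmp all icmp-type $icmp_types keep state
```

Check the file with `pfctl -nf pf.conf` before loading it (`-n` parses without changing the running ruleset), and after loading use `pfctl -sr` to see the rules as pf expanded them and `pfctl -vsr` for per-rule packet counters, which shows directly whether a client's packets are matching the intended pass rule or falling through to `block all`.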

