my firewall doesn't work

Chen Xu xuchen66 at gmail.com
Mon Oct 20 18:57:54 UTC 2008


Dear List,

I am new to PF, but I have experience with FreeBSD in general.

I took a look at example1 from the PF FAQ, since my network is
almost exactly the same.

However, I have problems connecting anywhere after loading
/etc/pf.conf; I cannot even ping myself at 127.0.0.1 or 192.168.1.1,
which is my internal NIC.

Can anyone give me a hint about what is wrong? Many thanks in advance.

Information about the setup:

1. FreeBSD 5.3-release-p26
2. with these lines compiled into the kernel
#
device     pf          # the packet filter itself
device     pflog       # pflog0 pseudo-device: receives packets matched by rules with the "log" keyword
device     pfsync      # pfsync0 pseudo-device: state-table synchronisation (not used by the ruleset below)
#

3. here are the lines in /etc/rc.conf
#
pf_enable="YES"                 # enable pf at boot
pf_rules="/etc/pf.conf"         # ruleset that pfctl loads at boot
pf_flags=""                     # extra pfctl flags (none)
pflog_enable="YES"              # start pflogd, which reads pflog0
pflog_logfile="/var/log/pflog"  # pflogd output; only packets hitting rules with "log" land here
pflog_flags=""                  # extra pflogd flags (none)
#

4. /etc/pf.conf
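# -------------------------------
#
# macros
# external (Internet-facing) and internal interfaces
ext_if = "fxp0"
int_if = "em0"

# TCP ports on the firewall itself that are reachable from the outside
# (ssh, ident); note they are opened to *any* source below
tcp_services = "{ 22, 113 }"
icmp_type = "echoreq"

tecnai = "192.168.1.2"
leginon = "192.168.1.3"
# next is the web-enabled data logging device that records temp and RH%
tr_72w = "192.168.1.10"

# we might need brandeis DNS
local_dns = "{ 129.64.99.11 129.64.99.12 }"

# options
# blocked packets get a TCP RST / ICMP unreachable instead of being dropped silently
set block-policy return
set loginterface $ext_if

# 5.3 doesn't have it.
#set skip on lo0

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"

#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# NOTE(review): this forwards port 80 from *any* Internet source to the
# embedded data logger's web interface; consider restricting "from any"
# to the addresses that actually need to read it.
rdr on $ext_if proto tcp from any to any port 80 -> $tr_72w

# filter rules
pass quick on lo0

# default deny inbound.  "log" hands every packet this rule drops to pflog0
# (pflogd is enabled in rc.conf), so the rule that is breaking connectivity
# can be seen with:  tcpdump -n -e -ttt -i pflog0
# (pfctl -vnf /etc/pf.conf shows the expanded ruleset without loading it)
block in log

# no direction given, so this rule matches both inbound and outbound packets
pass inet proto tcp from $int_if:network to any keep state

pass out keep state
block out on $ext_if proto { tcp, udp } from $tecnai to any port http

#anchor "ftp-proxy/*"
# NOTE(review): while this stays commented out, "pass in quick on $int_if"
# below accepts packets with any source address arriving on the internal NIC;
# re-enable it once the basic ruleset works.
#antispoof quick for  $int_if

# ssh and ident to the firewall itself, from anywhere
pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_services flags S/SA keep state

pass in on $ext_if inet proto tcp from any to $tr_72w \
        port 80 flags S/SA synproxy state

# may or may not need this, need test
# NOTE(review): "to any port 53" matches packets whose *destination* port is
# 53, i.e. queries sent to this host, not the replies to our own lookups.
# Those replies already pass through the state created by "pass out keep
# state" above, so unless a DNS server listens here this rule is not needed.
pass in on $ext_if inet proto udp from $local_dns to any port 53

pass in inet proto icmp all icmp-type $icmp_type keep state

# everything arriving on the internal NIC is accepted (see antispoof note above)
pass in quick on $int_if

# the end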
------------------------------

Chen

