freebsd-pf Digest, Vol 266, Issue 4
Nico De Dobbeleer
nico at elico-it.be
Sat Oct 31 21:00:13 UTC 2009
Hello,
I have an issue with pf bridge.
This is my setup:
Wan --> pf-bridge --> servers (mail, webserver with public IP)
When I activate my pf-bridge FW, it allows the things it should (http, rdp, ssh, ...). But when I try to send a mail, for example, it cannot find the hostname, or when I'm connected to the webserver over RDP I cannot browse.
It's like I can get in to the correct ports, but from the inside I'm not allowed to do stuff.
Here's pf-bridge.conf:
#
####################
# Macros
####################
ext_if="em0"
int_if="em1"
mng_if="rl0"
loop_if="lo0"
public_services="{ ssh, http, https, smtp, pop3, imap, 7071, 53, 3389 }"
admin_services="{ ssh, http, https }"
power_services="{ telnet, http }"
# TCP Options
#TCP_Options="flags S/SAFRUP modulate state"
# UDP Options
#UDP_Options="keep state"
#######################
# Tables
#######################
table <all_public_ips> { 62.213.196.XXX/xx }
table <customer_ips> { 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx }
table <admin_ips> { 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx, 62.213.196.xxx }
table <power_ips> { 62.213.196.xxx, 62.213.196.xxx }
############################################################################
# Normalization rules:
############################################################################
#set block-policy drop
#set fingerprints "/etc/pf.os"
set block-policy return
# scrub incoming packets
scrub in on { $ext_if, $int_if } all fragment reassemble min-ttl 15 max-mss 1400
scrub in on { $ext_if, $int_if } all no-df
scrub on { $ext_if, $int_if } all reassemble tcp
# Don't filter on the loopback interface
set skip on $loop_if
# this should block OS fingerprints??
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
# thwart nmap scans
block in log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
block out log quick on { $ext_if, $int_if, $mng_if } proto tcp all flags SEFUP/SEFUP
############################################################################
# Filter rules:
############################################################################
# Allow public services to customers IP
pass in quick on { $ext_if, $int_if } inet proto { tcp, udp } from any to <customer_ips> port $public_services
pass out quick on { $ext_if, $int_if } inet proto { tcp, udp } from any to <customer_ips> port $public_services
# Allow admin services to admin servers
pass in quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to <admin_ips> port $admin_services
pass out quick on { $ext_if, $int_if, $mng_if } inet proto tcp from any to <admin_ips> port $admin_services
# Allow access to powerboots
pass in quick on { $ext_if, $int_if } inet proto tcp from any to <power_ips> port $power_services
pass out quick on { $ext_if, $int_if } inet proto tcp from any to <power_ips> port $power_services
block drop in on $ext_if all
block drop out on $ext_if all
block drop in on $int_if all
block drop out on $int_if all
Any ideas?
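As an added example (not from the original post), this is the piece the ruleset above appears to be missing: stateful pass rules for connections the servers themselves initiate, such as DNS lookups and outbound SMTP, which currently enter the bridge "in on $int_if" with an external destination, match no pass rule and fall through to "block drop in on $int_if all". The macro name and port list are assumptions; adjust them to what the hosts actually need.

```pf
# Added example, not part of the original pf-bridge.conf.
# Outbound services the servers behind the bridge are allowed to reach on
# their own initiative (assumed list; tighten to the real requirements).
server_out_services="{ domain, smtp, http, https }"

# A server-initiated packet enters the bridge on $int_if and leaves on $ext_if,
# so both directions need a pass rule. "keep state" makes the replies match the
# state table instead of needing their own rule (pf on FreeBSD 7 and later keeps
# state on pass rules by default; spelling it out documents the intent).
pass in  quick on $int_if inet proto { tcp, udp } from <customer_ips> to any port $server_out_services keep state
pass out quick on $ext_if inet proto { tcp, udp } from <customer_ips> to any port $server_out_services keep state

# The catch-all "block drop" rules from the original ruleset remain last, so
# anything not listed above is still dropped and logged nowhere else.
```

Put these rules above the final "block drop" lines and check with "pfctl -vnf /etc/pf-bridge.conf" before loading; "pfctl -ss" afterwards should show a state for each server's DNS query.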