Please help me with my PF config

Alaor Barroso de Carvalho Neto alaorneto at
Thu Mar 6 14:19:22 UTC 2008

Hi guyz, let me explain what I have. I work in a school; we have access to
the internet, two internal networks (academic and administrative), and we
have to connect to some servers in another school because we share databases
and do video-conferencing. I have a FreeBSD box with PF and squid. I want all
my web traffic to pass through the squid; it's working. I want the academic
net not to be able to communicate with the administrative net, and the inverse;
it's working. But I would like my adm net to communicate with some
servers in the other school's network, and only those servers; no other IP
should be accessible. It's NOT working. I can ping the servers but I can't
connect to the service ports (SQL Server, and so on).

Here's my pf.conf:


# Note: the macros ext_if, cefet_if, adm_net, acad_net and cefet_net are used
# below but their definitions, like all IP addresses, are missing from the
# archived post.
all_if="{ em0, xl0, xl1, xl2 }"
cefet_servers="{,, }"
internal_nets="{, }"
tcp_services="{ ssh, smtp, domain, http, https, ftp, ftp-data, nntp, pop3, pop3s, auth, 3128 }"
udp_services="{ domain, ntp }"
proxy_ports="{ 80, 8000, 8080, 3128 }"
martians="{,,,,,,, }"

set block-policy return

scrub in all

nat on $ext_if from $internal_nets to any -> ($ext_if)
nat on $cefet_if from $adm_net to any -> ($cefet_if)

# redirect target (address and port) missing from the archived post
rdr on $all_if proto tcp from any to any port $proxy_ports -> port

block all
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop quick from $acad_net to $adm_net
block drop quick from $adm_net to $acad_net
pass quick proto icmp from any to any keep state
pass quick from $adm_net to $cefet_servers keep state
pass quick from $cefet_servers to $adm_net keep state
block quick from any to $cefet_net
block quick from $cefet_net to any
pass proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state
antispoof for $all_if

cefet_net is the network of the other school, and cefet_servers are the
servers I want to communicate with. I want all ports and protocols to these
servers, but it's not working. I need a light, guyz.

Thankz, and sorry for my poor English.
Alaor Neto
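The symptom in the post (ping works, TCP does not) matches how pf orders translation and filtering: nat is applied before the filter rules on the outgoing interface, so on $cefet_if the packet already carries ($cefet_if) as its source, `pass quick from $adm_net to $cefet_servers` no longer matches it and `block quick from any to $cefet_net` wins, while ICMP gets through only because the icmp pass rule comes first. The fragment below is an added example, not part of the original post, showing those rules written with explicit direction and interface; the interface names and addresses are placeholders, since the real values were stripped from the archive, and adm_if is an assumed macro the post does not define.

```pf
# Added example, not the poster's own config. Interface names and addresses
# are placeholders; the real values were stripped from the archived post.
adm_if="xl1"                          # assumed: interface on the administrative net
cefet_if="xl2"                        # assumed: interface towards the other school
adm_net="ADM_NET/24"                  # placeholder
cefet_net="CEFET_NET/16"              # placeholder
cefet_servers="{ SRV1, SRV2, SRV3 }"  # placeholder; the allowed hosts inside $cefet_net

# Translation runs before filtering, so on $cefet_if the filter sees the packet
# with ($cefet_if) as source, not an $adm_net address. Limiting the nat rule
# to $cefet_servers also limits what can ever be translated towards the
# other school, independently of the filter rules below.
nat on $cefet_if from $adm_net to $cefet_servers -> ($cefet_if)

# Stateful rules with explicit direction and interface, evaluated in this order.
# 1. Accept the packet where it enters, while it still carries its real source.
pass in quick on $adm_if from $adm_net to $cefet_servers keep state
# 2. Let the translated packet leave, but only towards the listed servers.
pass out quick on $cefet_if from ($cefet_if) to $cefet_servers keep state
# 3. Everything else between the two schools stays blocked; replies to the
#    states created above are matched before these rules are consulted.
block quick on $cefet_if from any to $cefet_net
block quick on $cefet_if from $cefet_net to any
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and use `pfctl -ss` to confirm that a connection creates one state on $adm_if and a second, translated one on $cefet_if.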
