Help with pf ruleset

Josh Paetzel josh at tcbug.org
Sun Mar 9 15:41:03 UTC 2008


On Sunday 09 March 2008 08:22:07 am erik Wilson wrote:
> I'm pulling my hair out here. I've been working on this for days without
> any success.
>
> I've whittled the ruleset down to the barest possible rules and even that
> doesn't work. I'm at my wits' end. I would really appreciate it if someone
> could show me where I'm being a complete and total moron.
>
> Here's the situation. I have a somewhat unique environment. It consists of
> 2 WAN's, an internal LAN, and numerous VLANS (isolated clients, which need
> to be accessible from the internet, but not to each other). This runs in a
> VMWare esx server, but that's not really important.
>
> FreeBSD 7.0-RELEASE
>
> em0 = lan (10.0.0.x)
> em2 = WAN1 (y.y.y.y) (dhcp)
> em3 = WAN2 (x.x.x.x) (static /28 subnet)
>
> the default gateway is on nic2. nic3 will need to forward ip:port's to
> various vlans. nic2 is used for all outbound lan traffic (internet). nic2
> will need to failover to nic3 eventually, and nic3 will have to failover to
> nic2 (for outbound, obviously no choice for inbound).
>
> So here's the problem. I can't even get nic2 or nic3 to respond to a ping
> request from outside my network when pf is enabled. I know the interfaces
> are set up correct, as I can ping the default gateways of both interfaces.
>
> Also, outbound NAT works perfectly on wan1.
>
> Here's my ruleset.
>
> lan_if="em0"
> wan1_if="em2"
> wan2_if="em3"
> set block-policy return
> set skip on lo0
> nat on $wan1_if from $lan_if:network to any -> ($wan1_if)
> block in log
> pass out log keep state
> pass in log inet proto icmp all icmp-type echoreq keep state
> pass in log quick on $lan_if
>
> Looks simple enough, right? Why won't it work? All I want is to get a ping
> from both of the firewall's WANs from outside the network.
>
> Any ideas?
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags    Refs      Use  Netif Expire
> default            y.y.y.129       UGS         0     4433    em2
> 10.0.0.0/24        link#1             UC          0        0    em0
> 10.0.0.1           00:0c:29:a9:e5:75  UHLW        1      338    em0   1177
> 10.0.0.2           00:0c:29:c0:74:57  UHLW        1     3291    em0   1041
> 10.0.0.10          00:19:db:b1:07:78  UHLW        1     4827    em0   1185
> 10.0.1.0/24        link#7             UC          0        0  vlan0
> 10.0.2.0/24        link#8             UC          0        0  vlan1
> 10.0.2.2           00:0c:29:e9:8c:d2  UHLW        1      251  vlan1   1190
> 10.0.3.0/24        link#9             UC          0        0  vlan2
> 10.0.3.2           00:50:56:9c:53:89  UHLW        1      420  vlan2   1152
> 10.0.4.0/24        link#10            UC          0        0  vlan3
> 10.0.5.0/24        link#11            UC          0        0  vlan4
> 127.0.0.1          127.0.0.1          UH          0        0    lo0
> y.y.y.128/25    link#3             UC          0        0    em2
> x.x.x.144/28 link#4             UC          0        0    em3
> x.x.x.146    00:0c:29:b5:0e:bb  UHLW        1        6    lo0

The obfuscation is making it harder for my brain to deal with than it should 
be.  At any rate, em3 isn't going to work properly without a route-to rule to 
get it to answer back to pings out the proper gateway.  I'm not entirely sure 
why you can't ping the ip on em2, could you provide the output of tcpdump -i 
em2 while you ping it?

Also, what did you do with em1? :)

-- 
Thanks,

Josh Paetzel

PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
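Added example (not part of either message above, and not the original poster's ruleset): a minimal pf.conf for the two-WAN layout described in the thread, showing the policy-routing rule Josh refers to. For state created by packets arriving on the non-default WAN (em3), pf's `reply-to` option is the inbound counterpart of `route-to`: it sends the replies back out em3 via that interface's own gateway instead of following the default route out em2. The gateway addresses `x.x.x.145` and `y.y.y.129` are placeholders (the em3 gateway is not given on the page; `y.y.y.129` is the default gateway from the quoted routing table), and the `rdr` line to a VLAN host is a constructed illustration of the "forward ip:port to a VLAN" requirement, with assumed port and address.

```pf
# Added example pf.conf for FreeBSD 7.0 pf, two WANs plus an internal LAN.
lan_if="em0"
wan1_if="em2"          # default route leaves here (dhcp)
wan2_if="em3"          # static /28, must answer via its own gateway
wan1_gw="y.y.y.129"    # default gateway from the quoted routing table
wan2_gw="x.x.x.145"    # placeholder: the ISP gateway on the x.x.x.144/28 is not on the page

set block-policy return
set skip on lo0

# Outbound NAT for the LAN, same as the original ruleset.
nat on $wan1_if from $lan_if:network to any -> ($wan1_if)

# Constructed illustration only: forward a port arriving on WAN2 to a VLAN host.
# The port and the 10.0.2.2 target are assumptions taken from the routing table.
rdr on $wan2_if inet proto tcp from any to ($wan2_if) port 8080 -> 10.0.2.2 port 8080

block in log

pass out log keep state
pass in  log quick on $lan_if

# Inbound echo requests on WAN1: replies follow the default route, so no
# policy routing is needed here.
pass in log on $wan1_if inet proto icmp from any to ($wan1_if) \
    icmp-type echoreq keep state

# Inbound echo requests on WAN2: reply-to pins the replies for this state
# to WAN2's gateway, so they do not leave via the default route on em2.
pass in log on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto icmp \
    from any to ($wan2_if) icmp-type echoreq keep state

# State for the forwarded service above also needs reply-to, for the same reason.
pass in log on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp \
    from any to 10.0.2.2 port 8080 flags S/SA keep state
```

Before loading, `pfctl -nf /etc/pf.conf` parses the file without applying it; after loading, `pfctl -s rules` shows the expanded rules and `pfctl -s state` shows whether a state with the reply-to gateway was actually created for the ping. Josh's request for `tcpdump -i em2` while pinging is the right next check for the em2 case: it distinguishes "the echo request never arrives" from "it arrives but the reply goes out the wrong interface", which this ruleset addresses only for em3.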