pf

jhell jhell at DataIX.net
Sun Sep 26 20:45:12 UTC 2010


This is more for questions@ or pf@

On 09/26/2010 11:43, Samuel Martín Moro wrote:
> On Sun, Sep 26, 2010 at 3:34 PM, Michael Powell <nightrecon at hotmail.com>wrote:
> 
>> Samuel Martín Moro wrote:
>>
>>> Hello,
>>>
>>>
>>> I'm trying to set up pf on my soon-to-be new gateway (8.1-RELEASE amd64).
>>> I used the sample configuration file available on
>>> calomel <https://calomel.org/pf_config.html>
>>> After a few tests, it appears that the gateway has full access to the
>>> internet, but I can't open connections from clients to distant servers
>>> (web, ssh, ...).
>>> Checking the pflog log file, I can't see anything about those timeouts, even
>>> though I added the log directive to every block/pass command.
>>> Everything else seems to work: I can talk to my DNS from the internet, and
>>> ssh redirections to another PC also seem to work.
>>> I just can't access the Internet from a client on my network...
>>>
>>> For debugging, I commented out the options and the 'block all in/out'
>>> directives.
>>>
>>> Here's my config file http://pastebin.com/Nim2zBCx
>>>
>>> Does anyone understand what I'm doing wrong?
>>>
>> The firewall ruleset is a trifle overly complex for a quick glance; study
>> and analysis would take some doing. However, if you can reach the internet
>> from the firewall box and other client computers behind your NAT can't
>> (which is what it sounds like you're describing) it may be just that you
>> are missing gateway_enable="YES" in your /etc/rc.conf.
>>
>> Turning this "ON" makes your firewall box into a router. The status of this
>> can be checked with: sysctl net.inet.ip.forwarding  - a "0" means no
>> gateway and a "1" means gateway.
>>
>> -Mike
>>
>>
>>
> 
> The gateway is already enabled (and forwarding is correctly set).
> Whatever, I had to do it quickly, so I started again.
> I think the missing thing in my old conf was the 'scrub' (at least).
> I made a simpler configuration, as follows:
> 
> ext_if="bge0"
> int_if="bge1"
> localnet = $int_if:network
> emma="10.242.42.200"
> alpha="10.42.42.42"
> delta="10.42.42.44"
> set skip on lo0
> scrub in on $ext_if all fragment reassemble
> #INTERNETZ
> nat         on $ext_if from $localnet to any -> ($ext_if)
> #EMMA
> rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
> rdr         on $ext_if inet proto tcp from any to ($ext_if) port 307 -> $emma port 80
> #WHAT.CD
> rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
> #REMOTE ADM
> rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
> rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22
> pass in log on $ext_if inet proto tcp from any to $ext_if port 22
> pass in log on $ext_if inet proto tcp from any to $ext_if port 53
> pass in log on $ext_if inet proto udp from any to $ext_if port 53
> pass in log on $ext_if inet proto tcp from any to $ext_if port 1664
> pass in log on $int_if inet proto tcp from any to any
> pass in log on $int_if inet proto udp from any to any
> block in log on $ext_if inet proto icmp from any to $ext_if
> 
> It's basically working.
> I'll stuff it when I have time.
> 
> Samuel Martín Moro
> {EPITECH.} tek5


-- 

 jhell,v
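A default-deny, stateful variant of the ruleset quoted above, added here as an example; it is not the poster's file nor anything from the thread. It keeps the interface names, hosts and ports quoted in the message and assumes the pf syntax of FreeBSD 8.1 (translation rules before filter rules). The `gw_tcp_ports` macro, the `antispoof` line and the per-host pass rules are assumptions added for illustration. The two points it makes: `rdr` only rewrites the destination, so with `block all` in place each forward still needs a `pass in` rule whose destination is the internal host, and `keep state` on the LAN-side and outbound rules is what lets reply traffic back through the block.

```pf
# Added example, not the poster's configuration.
ext_if="bge0"
int_if="bge1"
localnet = $int_if:network
emma="10.242.42.200"
alpha="10.42.42.42"
delta="10.42.42.44"

# Services the gateway itself exposes on the outside (from the quoted rules).
gw_tcp_ports="{ 22, 53, 1664 }"

set skip on lo0
set block-policy drop

# Normalization: reassemble fragments before the filter sees them.
scrub in on $ext_if all fragment reassemble

# Translation: NAT for the LAN, then the port forwards to internal hosts.
nat on $ext_if from $localnet to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 307  -> $emma port 80
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22

# Filtering: default deny in both directions, logged, then explicit passes.
block log all

# Drop packets arriving on the LAN interface with a source that does not
# belong to the LAN network (assumed addition).
antispoof log quick for $int_if

# The gateway's own services, stateful (ICMP to the gateway stays blocked).
pass in log on $ext_if inet proto tcp from any to ($ext_if) port $gw_tcp_ports flags S/SA keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) port 53 keep state

# rdr has already rewritten the destination when filtering happens, so the
# pass rule must name the internal host and the translated port.
pass in log on $ext_if inet proto tcp from any to $emma  port { 22, 80 }   flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to $alpha port { 1666, 22 } flags S/SA keep state
pass in log on $ext_if inet proto tcp from any to $delta port 22           flags S/SA keep state

# LAN clients may initiate anything; the state entry admits the replies.
pass in  log on $int_if from $localnet to any keep state
pass out log on $ext_if from any to any keep state
pass out on $int_if from any to any keep state
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without applying it, and `pfctl -sr` afterwards shows the rules as pf expanded them. None of this helps if the box is not routing at all: as the thread says, `gateway_enable="YES"` in /etc/rc.conf and `sysctl net.inet.ip.forwarding` reporting 1 come first, and `tcpdump -n -e -ttt -i pflog0` is the quickest way to see which of the logged rules is actually dropping a client's packets.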
