Date: Sun, 27 Mar 2011 05:28:52 -0400
From: "J. Hellenthal" <jhell@DataIX.net>
To: Leslie Jensen <leslie@eskk.nu>
Cc: freebsd-pf@freebsd.org
Subject: Re: Lost in rules!
Message-ID: <alpine.BSF.2.00.1103270510460.92275@qvfongpu.qngnvk.ybpny>
In-Reply-To: <4D8E11CB.2070501@eskk.nu>
References: <4D8E11CB.2070501@eskk.nu>
On Sat, 26 Mar 2011 12:18, leslie@ wrote:

> Hello list.
>
> I've had a machine running FreeBSD 7.2-RELEASE as a firewall and Squid proxy
> server on a network with 10 PCs behind it for some years.
>
> Now I've got some new hardware and have installed FreeBSD 8.2-RELEASE with
> exactly the same set-up.
>
> My problem is that PF is not acting the same. Everything is blocked; if I
> remove the first rule "block in log on $ext_if all" I get some functionality,
> but it won't redirect the traffic to Squid, for example.
>
> I've been trying to fix it but I need some new eyes to help me.
>
> Below is the pf.conf on the new 8.2 machine and further below is the
> original pf.conf from the 7.2 system.
>
> I'm aware that there have been some changes to the pf syntax, but when doing
> pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.
>
> Will you please take a look and see if you can see what's wrong.
>
> Thank you :-)

Hi Leslie,

I just extracted your rule sets from the email and from what I gather I hope it's just not a formatting issue with your mailer that I have seen in coincidence. After pulling out the patch pipe and loading with a diff this is what I've come up with:

(-)=New Config (+)=Old Config

# Let the goodguys access the machine from the outside
-pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if)
+pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
    port $tcp_services flags S/SA keep state

# We need this for the rdr to VNC (change of portnumber)
-pass in on $ext_if inet proto tcp from <goodguys> to $internal_net
+pass in on $ext_if inet proto tcp from <goodguys> to $internal_net \
    port $vncports flags S/SA synproxy state

You mentioned that when removing your block rule you would get some functionality back, and this stuck out like a sore thumb!
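Review bot: In the goodguys rule the new-config line ends at `($ext_if)` with no trailing backslash, so `port $tcp_services flags S/SA keep state` is no longer part of that rule: read literally, the rule passes every TCP port from <goodguys> to the external address, and the detached `port ...` line is not a valid rule on its own, which is what `pfctl -n -f /etc/pf.conf` would normally complain about; since it did not, mail wrapping is the likelier cause, and `pfctl -s rules` will show which form was actually loaded. The new line also adds `log`, a behaviour change (logged matches) that the old config did not have and that nobody in the thread has mentioned.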
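Review bot: The VNC rule has the same missing backslash after `$internal_net`, which detaches `port $vncports flags S/SA synproxy state`: if the file really reads this way, the pass rule covers all TCP from <goodguys> to $internal_net with neither the port restriction nor `synproxy state`, so it is worth confirming with `pfctl -s rules` that the loaded rule still names $vncports and pairs with the `rdr` to VNC mentioned in the comment.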
Pay close attention to the new line character at the new, or in other words "don't forget the backslash".

Also you used to have:

# filter rules
-block in log on $ext_if all
+block in log (all)

but that is probably not relative to what you are seeing in your rule sets at this time.

If this all is not a formatting error you should be able to verify that all your rules are loaded with ( pfctl -s rules ) and manually inspect the ones in question whether the backslash really makes the difference.

Good luck.

-- 
Regards,
J. Hellenthal (0x89D8547E)
JJH48-ARIN
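Review bot: This pair is a scope change rather than a formatting difference: the old default deny `block in log (all)` applies to inbound traffic on every interface and logs every matching packet, while the new `block in log on $ext_if all` only blocks inbound on $ext_if, so inbound traffic on any internal interface is no longer covered by the default deny unless another rule handles it; with pf's last-match semantics that is worth checking in `pfctl -s rules` alongside the backslash question.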
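As an added example for this thread (my own code, not from the list or the FreeBSD project), a small sh/awk lint that flags pf.conf lines beginning with a rule-tail keyword when the previous line did not end in a backslash, the failure mode in the diff above; the keyword list is an assumption of mine and the sample config is constructed.

```shell
# Assumption: a pf rule never starts with one of these keywords, so a line
# opening with one of them can only be a continuation cut loose from the
# rule above it (its trailing backslash lost) or a typo.

pf_orphaned_continuations() {
    # $1 = path to a pf.conf; prints "<lineno>: <text>" for each suspect line
    awk '
        BEGIN {
            n = split("port flags keep modulate synproxy to from proto", kw, " ")
            for (i = 1; i <= n; i++) tail[kw[i]] = 1
        }
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop leading indentation
            if (line == "" || line ~ /^#/) { prev_cont = 0; next }
            sub(/[ \t]*#.*$/, "", line)       # strip a trailing comment
            split(line, w, /[ \t]+/)
            if ((w[1] in tail) && !prev_cont)
                printf "%d: %s\n", NR, line
            prev_cont = (line ~ /\\[ \t]*$/)  # this line continues onto the next
        }
    ' "$1"
}

# Constructed sample: the VNC rule is missing its trailing backslash.
sample=$(mktemp)
cat > "$sample" <<'EOF'
pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from <goodguys> to $internal_net
    port $vncports flags S/SA synproxy state
EOF
pf_orphaned_continuations "$sample"   # prints: 4: port $vncports flags S/SA synproxy state
rm -f "$sample"
```

Run it before `pfctl -n -f`: pfctl reports the parse error, but this tells you which rule above the error lost its continuation.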