Date:      Fri, 7 Dec 2007 17:23:44 +0100
From:      Roland Smith <rsmith@xs4all.nl>
To:        ajtiM <lumiwa@gmail.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: PF firewall
Message-ID:  <20071207162344.GA13752@slackbox.xs4all.nl>
In-Reply-To: <200712070620.37273.lumiwa@gmail.com>
References:  <200712070620.37273.lumiwa@gmail.com>



On Fri, Dec 07, 2007 at 06:20:37AM -0600, ajtiM wrote:
> Hi!
> 
> I am a new FreeBSD 7.0 beta3 user and I have a standalone computer connected to
> the internet (cable). I use both the console and the KDE desktop. I tried to set up
> the PF firewall for the standalone computer but I have a problem with internal
> messages (mail), which are blocked if the firewall is running.
> This is from /var/log/mail:
> "sm-msp-queue[15113]: lB493C1i007320: to=root, ctladdr=root (0/0),
> delay=1+21:37:55, xdelay=00:00:00, mailer=relay, pri=2552408, relay=[127.0.0.1],
> dsn=4.0.0, stat=Deferred: Operation not permitted"
> 
> My pf.conf looks like:
> 
> pass out  quick inet  from (sk0)  to any keep state  label "RULE 0 -- ACCEPT "
> block drop in quick inet all label "RULE 1 -- DROP "
> block drop out quick inet all label "RULE 1 -- DROP "
> block drop in quick inet all label "RULE 10000 -- DROP "
> block drop out quick inet all label "RULE 10000 -- DROP "

You're dropping all incoming traffic, also on the local interface!

Try adding:

set skip on lo

Furthermore, your ruleset has duplicates, especially since you use the
quick keyword.

Below is a commented example of a pf.conf for a workstation (mine :-)
-------------------- /etc/pf.conf ---------------------
# /etc/pf.conf

# Macros: define common values, so they can be referenced and changed easily.
ext_if = "rl0"
int_if = "rl1"

# Addresses that can't be routed externally.
# See http://www.rfc-editor.org/rfc/rfc3330.txt
# (10.0.0.138 is my router, so it should be reachable!)
table <unroutable> const { 0.0.0.0/8, 10.0.0.0/8, !10.0.0.138, 127.0.0.0/8, \
169.254.0.0/16, 172.16.0.0/12, 192.0.2.0/24, 192.168.0.0/16, 240.0.0.0/4 }

# Options: tune the behavior of pf.
set optimization normal
set block-policy drop
set loginterface $ext_if
set skip on lo

# Normalization: reassemble fragments etc.
scrub in all

# Translate outgoing packets' source addresses (any protocol).
# In this case, any address but the gateway's external address is mapped.
# The sysctl net.inet.ip.forwarding should be set for this to work.
# Alternatively, set gateway_enable="YES" in /etc/rc.conf.
nat pass on $ext_if inet from $int_if:network to any -> $ext_if

# Filtering
antispoof quick for $int_if

# Nobody gets in from the outside!
block in log quick on $ext_if all label "inblock"
# Block packets to unroutable addresses
block out log quick on $ext_if from any to <unroutable> label "unroutable"
# Block by default.
block out log on $ext_if all label "outblock"

# Internal "network" is trusted.
pass in on $int_if all
# Let outgoing traffic through, and keep state
# 'modulate state' only works with TCP!
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto udp all keep state
# Let pings through.
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

-------------------- /etc/pf.conf ---------------------

HTH,
Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914  B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)
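The standalone-host version of what Roland's reply describes (loopback skipped, one default deny per direction, stateful pass-out rules, no shadowed duplicates), written here as an added example that is not the configuration of either poster; it assumes sk0 is the cable interface named in the question:

```pf
# Example pf.conf for a standalone workstation (added example, not either
# poster's file). Assumes sk0 is the cable interface, as in the question.
ext_if = "sk0"

set block-policy drop
set loginterface $ext_if
# Never filter loopback. sendmail relays local mail to 127.0.0.1, which is
# what produced "Deferred: Operation not permitted" in the question.
set skip on lo

# Reassemble fragments before filtering.
scrub in all

# Default deny in both directions on the external interface. Without
# "quick", pf applies the last matching rule, so the pass rules further
# down win for the traffic they match and everything else stays blocked.
# This also removes the duplicate rules from the question, which could
# never match: a "block ... quick ... all" already ends evaluation.
block in log on $ext_if all label "inblock"
block out log on $ext_if all label "outblock"

# Connections initiated by this host; the state entry lets replies back in
# without any "pass in" rule.
pass out on $ext_if inet proto tcp all flags S/SA keep state
pass out on $ext_if inet proto udp all keep state
# Outgoing echo requests (ping), with state for the echo replies.
pass out on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
```

Check it with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; pfctl -vsr prints per-rule evaluation counters, so a rule shadowed by an earlier quick rule is easy to spot because its counters stay at zero.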




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20071207162344.GA13752>