Date:      Sun, 26 Sep 2010 16:45:06 -0400
From:      jhell <jhell@DataIX.net>
To:        Samuel Martín Moro <faust64@gmail.com>
Cc:        freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: pf
Message-ID:  <4C9FB0D2.1010205@DataIX.net>
In-Reply-To: <AANLkTi=SoHHrFGiBrtdGmPqd5Go3qSzL=SogHRPXmZB-@mail.gmail.com>
References:  <AANLkTingNA5V4b9UdE_Yotqtuy1RMx190phMzn5UrMdi@mail.gmail.com> <i7ni0m$ids$1@dough.gmane.org> <AANLkTi=SoHHrFGiBrtdGmPqd5Go3qSzL=SogHRPXmZB-@mail.gmail.com>

This is more for questions@ or pf@

On 09/26/2010 11:43, Samuel Martín Moro wrote:
> On Sun, Sep 26, 2010 at 3:34 PM, Michael Powell <nightrecon@hotmail.com> wrote:
> 
>> Samuel Martín Moro wrote:
>>
>>> Hello,
>>>
>>>
>>> I'm trying to set up pf on my soon-to-be new gateway (8.1-RELEASE amd64).
>>> I used the sample configuration file available on
>>> calomel <https://calomel.org/pf_config.html>.
>>> After a few tests, it appears that the gateway has full access to the
>>> internet, but I can't open connections from clients to distant servers
>>> (web, ssh, ...).
>>> Checking the pflog log file, I can't see anything about those timeouts, even
>>> though I added the log directive in every block/pass command.
>>> Everything else seems to work: I can talk to my DNS from the internet, and
>>> ssh redirections to another PC also seem to work.
>>> I just can't access the Internet from a client on my network...
>>>
>>> For debugging, I commented out the options and the 'block all in/out'
>>> directives.
>>>
>>> Here's my config file: http://pastebin.com/Nim2zBCx
>>>
>>> Does anyone understand what I'm doing wrong?
>>>
>> The firewall ruleset is a trifle overly complex for a quick glance; study
>> and analysis would take some doing. However, if you can reach the internet
>> from the firewall box and other client computers behind your NAT can't
>> (which is what it sounds like you're describing), it may be just that you
>> are missing gateway_enable="YES" in your /etc/rc.conf.
>>
>> Turning this "ON" makes your firewall box into a router. The status of this
>> can be checked with: sysctl net.inet.ip.forwarding - a "0" means no gateway
>> and a "1" means gateway.
>>
>> -Mike
>>
> 
> The gateway is already enabled (and forwarding is correctly set).
> Whatever, I had to do it quickly, so I started again.
> I think the missing thing in my old conf was the 'scrub' (at least).
> I made a simpler configuration, as follows:
> 
> ext_if="bge0"
> int_if="bge1"
> localnet = $int_if:network
> emma="10.242.42.200"
> alpha="10.42.42.42"
> delta="10.42.42.44"
> set skip on lo0
> scrub in on $ext_if all fragment reassemble
> #INTERNETZ
> nat         on $ext_if from $localnet to any -> ($ext_if)
> #EMMA
> rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
> rdr         on $ext_if inet proto tcp from any to ($ext_if) port 307 -> $emma port 80
> #WHAT.CD
> rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
> #REMOTE ADM
> rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
> rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22
> pass in log on $ext_if inet proto tcp from any to $ext_if port 22
> pass in log on $ext_if inet proto tcp from any to $ext_if port 53
> pass in log on $ext_if inet proto udp from any to $ext_if port 53
> pass in log on $ext_if inet proto tcp from any to $ext_if port 1664
> pass in log on $int_if inet proto tcp from any to any
> pass in log on $int_if inet proto udp from any to any
> block in log on $ext_if inet proto icmp from any to $ext_if
> 
> It's basically working.
> I'll stuff it when I have time.
> 
> Samuel Martín Moro
> {EPITECH.} tek5


-- 

 jhell,v
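One check worth running before the 'block all in/out' directives that Samuel commented out go back in: rdr only rewrites the destination, so the filter rules still see the translated address, and each redirect target needs its own "pass in" rule (or the rdr must carry the "pass" keyword) once a default block is active. The script below is an added example, not code from the thread; it lints a constructed ruleset written in the style of the quoted one (macro names and addresses are made-up sample values) and prints every redirect target that no pass rule covers.

```shell
#!/bin/sh
# Constructed sample ruleset in the style of the one quoted in the thread
# (macro names and addresses are made up, not the poster's file).
RULESET='ext_if="bge0"
emma="10.242.42.200"
alpha="10.42.42.42"
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 307 -> $emma port 80
rdr pass on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
pass in log on $ext_if inet proto tcp from any to $emma port 22
block in log on $ext_if all'

# unfiltered_rdr RULESET
# Prints "<target> <port>" for every rdr target that no "pass in" rule covers.
# rdr only rewrites the destination; the filter still sees the translated
# address, so once "block all" is active each target needs its own pass rule
# (or the rdr must carry the "pass" keyword).
unfiltered_rdr() {
    printf '%s\n' "$1" | awk '
        # "rdr pass": pf passes the translated packet itself, nothing to check
        $1 == "rdr" && $2 == "pass" { next }
        $1 == "rdr" {
            # tokens after "->" are: target, "port", number
            for (i = 1; i <= NF; i++)
                if ($i == "->") targets[$(i+1) " " $(i+3)] = 1
        }
        $1 == "pass" && $2 == "in" {
            # tokens after "to" are: host, "port", number (or "any" with no port)
            for (i = 1; i <= NF; i++)
                if ($i == "to") {
                    if ($(i+1) == "any" && $(i+2) != "port") pass_all = 1
                    else covered[$(i+1) " " $(i+3)] = 1
                }
        }
        END {
            if (pass_all) exit
            for (t in targets) if (!(t in covered)) print t
        }
    ' | sort
}

unfiltered_rdr "$RULESET"
```

For the sample ruleset the only line printed is `$emma 80`, the web redirect that has a rdr but no matching pass rule.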


