From owner-freebsd-questions@FreeBSD.ORG Sun Sep 26 20:45:12 2010
Message-ID: <4C9FB0D2.1010205@DataIX.net>
Date: Sun, 26 Sep 2010 16:45:06 -0400
From: jhell
Sender: "J. Hellenthal"
To: Samuel Martín Moro
Cc: freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org
Subject: Re: pf
List-Id: User questions

This is more for questions@ or pf@

On 09/26/2010 11:43, Samuel Martín Moro wrote:
> On Sun, Sep 26, 2010 at 3:34 PM, Michael Powell wrote:
>
>> Samuel Martín Moro wrote:
>>
>>> Hello,
>>>
>>> I'm trying to set up pf on my soon-to-be new gateway (8.1-RELEASE amd64).
>>> I used the sample configuration file available on calomel.
>>> After a few tests, it appears that the gate has full access to the
>>> internet, but I can't open connections from clients to distant servers
>>> (web, ssh, ...).
>>> Checking the pflog log file, I can't see anything about those timeouts, even
>>> if I added the log directive in every block/pass command.
>>> Everything else seems to work: I can talk with my DNS from the internet,
>>> and ssh redirections to another pc also seem to work.
>>> I just can't access the Internet from a client of my network...
>>>
>>> For debugging, I commented out the options and the 'block all in/out'
>>> directives.
>>>
>>> Here's my config file: http://pastebin.com/Nim2zBCx
>>>
>>> Is there someone understanding what I'm doing wrong?
>>>
>> The firewall ruleset is a trifle overly complex for a quick glance; study
>> and analysis would take some doing. However, if you can reach the internet
>> from the firewall box and other client computers behind your NAT can't
>> (which is what it sounds like you're describing) it may be just that you are
>> missing gateway_enable="YES" in your /etc/rc.conf.
>>
>> Turning this "ON" makes your firewall box into a router. The status of this
>> can be checked with: sysctl net.inet.ip.forwarding - a "0" means no gateway
>> and a "1" means gateway.
>>
>> -Mike
>>
>> _______________________________________________
>> freebsd-questions@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
>> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>>
>
> the gateway is already enabled (and forwarding is correctly set)
> whatever, I had to do quick, I started again
> I think the missing thing on my old conf was the 'scrub' (at least)
> I made a more simple configuration, as following:
>
> ext_if="bge0"
> int_if="bge1"
> localnet = $int_if:network
> emma="10.242.42.200"
> alpha="10.42.42.42"
> delta="10.42.42.44"
> set skip on lo0
> scrub in on $ext_if all fragment reassemble
> #INTERNETZ
> nat on $ext_if from $localnet to any -> ($ext_if)
> #EMMA
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 307 -> $emma port 80
> #WHAT.CD
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
> #REMOTE ADM
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
> rdr on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22
> pass in log on $ext_if inet proto tcp from any to $ext_if port 22
> pass in log on $ext_if inet proto tcp from any to $ext_if port 53
> pass in log on $ext_if inet proto udp from any to $ext_if port 53
> pass in log on $ext_if inet proto tcp from any to $ext_if port 1664
> pass in log on $int_if inet proto tcp from any to any
> pass in log on $int_if inet proto udp from any to any
> block in log on $ext_if inet proto icmp from any to $ext_if
>
> it's basically working
> I'll stuff it when I'll have time.
>
> Samuel Martín Moro
> {EPITECH.} tek5

-- 
jhell,v
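The rdr/pass interplay the thread circles around, as an added example (not code from the thread or from pf itself): a small Python lint over a constructed excerpt of Samuel's posted ruleset that expands the macros, reports whether a catch-all block exists, and lists rdr targets that no pass rule admits. It assumes the pf behaviour FreeBSD 8.1 ships, where filter rules see the packet after rdr has rewritten its destination and a packet no rule matches is passed, so with 'block all' commented out everything is admitted, and once it is restored each forwarded service needs a pass rule to the internal host rather than to $ext_if.

```python
import re
# Constructed excerpt of the ruleset posted in the thread; one rdr target has a pass rule, one does not.
SAMPLE = """\
ext_if="bge0"
int_if="bge1"
emma="10.242.42.200"
alpha="10.42.42.42"
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
pass in log on $ext_if inet proto tcp from any to $ext_if port 22
pass in on $ext_if inet proto tcp from any to $emma port 22
pass in log on $int_if inet proto tcp from any to any
"""
def expand(text, macros):  # $name -> macro value; unknown names are left alone
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)
def parse(conf):  # -> (rdr rules, pass rules, has_default_block), with macros expanded
    macros, rdrs, passes, default_block = {}, [], [], False
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"?([^"]+?)"?$', line)
        if m:
            macros[m.group(1)] = expand(m.group(2), macros)
            continue
        toks = expand(line, macros).replace('(', '').replace(')', '').split()
        if toks[:1] == ['rdr'] and '->' in toks:
            a = toks.index('->')  # target host follows the arrow; port keeps the original if not rewritten
            port = toks[a + 3] if toks[a + 2:a + 3] == ['port'] else toks[toks.index('port') + 1]
            rdrs.append({'on': toks[toks.index('on') + 1] if 'on' in toks else None,
                         'proto': toks[toks.index('proto') + 1] if 'proto' in toks else None,
                         'host': toks[a + 1], 'port': port})
        elif toks[:1] == ['pass']:
            passes.append(toks)
        elif toks[:1] == ['block'] and not {'proto', 'from', 'to'} & set(toks):
            default_block = True  # e.g. "block all"; without one, unmatched traffic is passed
    return rdrs, passes, default_block
def covers(toks, rdr):  # does this pass rule admit the packet after rdr rewrote its destination?
    if toks[1:2] == ['out']:
        return False
    for key in ('on', 'proto'):  # a pass on the wrong interface or protocol does not help
        if key in toks and rdr[key] and toks[toks.index(key) + 1] != rdr[key]:
            return False
    rest = toks[toks.index('to'):] if 'to' in toks else ['to', 'any']
    return rest[1] in ('any', rdr['host']) and (
        'port' not in rest or rest[rest.index('port') + 1] == rdr['port'])

def lint(conf):  # the two things to check before restoring the commented-out 'block all'
    rdrs, passes, default_block = parse(conf)
    return {'default_block': default_block,
            'uncovered_rdr': [f"{r['host']}:{r['port']}" for r in rdrs
                              if not any(covers(p, r) for p in passes)]}
```

On the excerpt, lint(SAMPLE) reports no default block and one uncovered target (alpha, port 1666); the pass to $ext_if port 22 does not cover emma because after rdr the packet is addressed to emma, and the pass on $int_if is on the wrong interface.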