From owner-freebsd-pf@FreeBSD.ORG Tue Jan 17 06:32:57 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AD73B16A429 for ; Tue, 17 Jan 2006 06:32:57 +0000 (GMT) (envelope-from derth@wbs.co.za)
Received: from mail-02.jhb.wbs.co.za (mail-02.jhb.wbs.co.za [196.30.31.197]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9238B43DF4 for ; Tue, 17 Jan 2006 06:32:28 +0000 (GMT) (envelope-from derth@wbs.co.za)
Received: from localhost ([127.0.0.1] helo=webmail.wbs.co.za) by mail-02.jhb.wbs.co.za with esmtp (Exim 4.50) id 1EykNM-00069B-6y for freebsd-pf@freebsd.org; Tue, 17 Jan 2006 08:31:33 +0200
Received: from 196.2.148.70 (SquirrelMail authenticated user derth@wbs.co.za) by webmail.wbs.co.za with HTTP; Tue, 17 Jan 2006 08:31:28 +0200 (SAST)
Message-ID: <16246.196.2.148.70.1137479488.squirrel@webmail.wbs.co.za>
Date: Tue, 17 Jan 2006 08:31:28 +0200 (SAST)
From: derth@wbs.co.za
To: "freebsd-pf@freebsd.org"
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
X-Original-Subject: Re: PF + PPPoE
Subject: Re: PF + PPPoE
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Tue, 17 Jan 2006 06:32:58 -0000

> Without the ruleset it's going to be kind of difficult to help. This
> does work, which means there's something wrong with your rules.
>
> --Bill

My apologies, here is my pf.conf file:

#define Macros
ext_if = "tun0"
int_if = "fxp0"
tcp_services = "22"
priv_net = "{ 127.0.0.0/8, 192.168.0.0/24, 172.16.0.0/12, 10.0.0.0/8 }"
secure_mail = "196.*.*.*"
tech_net = "196.*.*.*/24"
admin_mweb = "196.*.*.*"
allow_web = "{ 196.*.*.*, 196.*.*.*, 196.*.*.*, 196.*.*.*, tun0 }"

#options
set block-policy return
set loginterface $ext_if

#Scrubs
scrub in all

#Nat
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 6161

#Rules
pass in log quick on $int_if inet proto tcp from any to 127.0.0.1 port 6161 keep state

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block log quick inet6 all

#default to deny
block in log all
block out log all

# Block bad tcp flags from malicious people and nmap scans
block in log quick on $ext_if proto tcp from any to any flags /S
block in log quick on $ext_if proto tcp from any to any flags /SFRA
block in log quick on $ext_if proto tcp from any to any flags /SFRAU
block in log quick on $ext_if proto tcp from any to any flags A/A
block in log quick on $ext_if proto tcp from any to any flags F/SFRA
block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SF/SF
block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if proto tcp from any to any flags SR/SR
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP
block in log quick on $ext_if proto tcp all flags FUP/FUP

#allow loopback
pass quick on lo0 all

#block private networks from inside out
block drop in log quick on $ext_if from $priv_net to any
block drop out log quick on $ext_if from any to $priv_net

#allow internal network out
pass in log on $int_if from $int_if:network to any keep state

#VPN out from internal network
pass in log on $int_if proto gre keep state
pass in log on $int_if proto tcp from any to any port 1723 keep state
pass out log on $ext_if proto gre keep state
pass out log on $ext_if proto tcp from any to any port 1723 keep state

#allow admin.mweb.net inside
pass in log on $ext_if proto tcp from $admin_mweb to $ext_if port 22 keep state
pass in log on $ext_if proto tcp from $tech_net to $ext_if port 22 keep state

#allow mweb staff web inside
pass in log on $ext_if proto tcp from $allow_web to $ext_if port 80 keep state
pass out log on $ext_if from $int_if:network to any keep state

#allow from fw to out
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
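The block of `flags a/b` rules in the posted pf.conf is the part of the ruleset most often misread, so here is an added illustration (not part of the original message, and not code from the FreeBSD project) that evaluates pf's flag-matching semantics against constructed sample packets. The semantics encoded are those documented in pf.conf(5): only the flags in the mask `b` are examined, those listed in `a` must be set, the rest of `b` must be clear, and flags outside `b` are ignored. The rule list is copied in the order it appears in the message; the sample packets are constructed for the demonstration.

```python
"""Evaluate pf(4) `flags a/b` TCP-flag expressions against sample packets.

Added illustration for the mailing-list ruleset above; pf semantics taken
from pf.conf(5). Packets that match an existing state entry are passed
before the ruleset is consulted, so `block ... flags` rules only ever see
packets for which no state exists.
"""

# Single-letter flag names as used in pf.conf, with their TCP header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}

# The `flags` expressions from the posted ruleset, in their original order.
# First match wins, because every one of those rules is `block ... quick`.
BAD_FLAG_RULES = ["/S", "/SFRA", "/SFRAU", "A/A", "F/SFRA", "U/SFRAU",
                  "SF/SF", "SF/SFRA", "SR/SR", "FUP/FUP", "FUP/SFRAUPEW",
                  "SFRAU/SFRAU", "SFRAUP/SFRAUP", "FUP/FUP"]


def flags_from_str(letters):
    """Build a TCP flag bitmask from pf-style letters, e.g. 'SA' -> 0x12."""
    mask = 0
    for c in letters:
        if c not in FLAG_BITS:
            raise ValueError("unknown TCP flag %r" % c)
        mask |= FLAG_BITS[c]
    return mask


def parse_flags(spec):
    """Split 'a/b' into (required_set, checked_mask); a must be a subset of b."""
    if "/" not in spec:
        raise ValueError("expected 'a/b' form, got %r" % spec)
    a, b = spec.split("/", 1)
    required = flags_from_str(a)
    checked = flags_from_str(b)
    if required & ~checked:
        raise ValueError("flags %r: set list is not a subset of the mask" % spec)
    return required, checked


def matches(spec, packet_flags):
    """True if a packet with these flag bits satisfies `flags spec`."""
    required, checked = parse_flags(spec)
    return (packet_flags & checked) == required


def classify(packet_flags, rules=BAD_FLAG_RULES):
    """Return the first rule spec that would block the packet, or None."""
    for spec in rules:
        if matches(spec, packet_flags):
            return spec
    return None


if __name__ == "__main__":
    # Constructed sample packets; only the flag bits matter for these rules.
    samples = {"SYN": "S", "SYN-ACK": "SA", "ACK": "A", "PSH-ACK": "PA",
               "NULL": "", "FIN": "F", "SYN-FIN": "SF", "SYN-RST": "SR",
               "Xmas": "FUP"}
    for name, letters in samples.items():
        hit = classify(flags_from_str(letters))
        print("%-8s %-4s -> %s" % (name, letters or "-",
                                   hit or "no flags rule matches"))
```

Running it shows which rule each stateless packet hits: a bare SYN passes through the whole list, `/S` (the first quick rule) matches every TCP packet that lacks SYN, and `A/A` matches any packet with ACK set, a SYN-ACK included. Only SYN-bearing packets therefore reach the more specific scan patterns further down, which is useful to know when reading pflog output from these `log quick` rules.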