Date:      Tue, 17 Jan 2006 08:31:28 +0200 (SAST)
From:      derth@wbs.co.za
To:        "freebsd-pf@freebsd.org" <freebsd-pf@freebsd.org>
Subject:   Re: PF + PPPoE
Message-ID:  <16246.196.2.148.70.1137479488.squirrel@webmail.wbs.co.za>



>Without the ruleset it's going to be kind of difficult to help.  This
>does work, which means there's something wrong with your rules.
>
>--Bill

My apologies, here is my pf.conf file:

#define Macros
ext_if = "tun0"
int_if = "fxp0"
tcp_services = "22"
priv_net = "{ 127.0.0.0/8, 192.168.0.0/24, 172.16.0.0/12, 10.0.0.0/8 }"
secure_mail ="196.*.*.*"
tech_net ="196.*.*.*/24"
admin_mweb ="196.*.*.*"
allow_web ="{ 196.*.*.*, 196.*.*.*, 196.*.*.*, 196.*.*.*, tun0 }"

#options
set block-policy return
set loginterface $ext_if

#Scrubs
scrub in all

#Nat
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 6161

#Rules
pass in log quick on $int_if inet proto tcp from any to 127.0.0.1 port 6161 keep state

# immediately prevent IPv6 traffic from entering or leaving all interfaces
block log quick inet6 all

#default to deny
block in log all
block out log all

# Block bad tcp flags from malicious people and nmap scans
block in log quick on $ext_if proto tcp from any to any flags /S
block in log quick on $ext_if proto tcp from any to any flags /SFRA
block in log quick on $ext_if proto tcp from any to any flags /SFRAU
block in log quick on $ext_if proto tcp from any to any flags A/A
block in log quick on $ext_if proto tcp from any to any flags F/SFRA
block in log quick on $ext_if proto tcp from any to any flags U/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SF/SF
block in log quick on $ext_if proto tcp from any to any flags SF/SFRA
block in log quick on $ext_if proto tcp from any to any flags SR/SR
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if proto tcp from any to any flags FUP/SFRAUPEW
block in log quick on $ext_if proto tcp from any to any flags SFRAU/SFRAU
block in log quick on $ext_if proto tcp from any to any flags SFRAUP/SFRAUP
block in log quick on $ext_if proto tcp all flags FUP/FUP

#allow loopback
pass quick on lo0 all

#block private networks from inside out
block drop in log quick on $ext_if from $priv_net to any
block drop out log quick on $ext_if from any to $priv_net

#allow internal network out
pass in log on $int_if from $int_if:network to any keep state

#VPN out from internal network
pass in log on $int_if proto gre keep state
pass in log on $int_if proto tcp from any to any port 1723 keep state
pass out log on $ext_if proto gre keep state
pass out log on $ext_if proto tcp from any to any port 1723 keep state

#allow admin.mweb.net inside
pass in log on $ext_if proto tcp from $admin_mweb to $ext_if port 22 keep state
pass in log on $ext_if proto tcp from $tech_net to $ext_if port 22 keep state

#allow mweb staff web inside
pass in log on $ext_if proto tcp from $allow_web to $ext_if port 80 keep state

pass out log on $ext_if from $int_if:network to any keep state

#allow from fw to out
pass out on $ext_if inet proto tcp from any to any port www keep state
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?16246.196.2.148.70.1137479488.squirrel>
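The ruleset above uses a PPPoE tun0 both as the interface a rule applies to and, in the port 22 and port 80 pass rules, as a bare destination address. pf expands a bare interface name to its addresses when the ruleset is loaded, whereas a name written in parentheses, as in the nat rule's ($ext_if), is re-evaluated whenever the interface's address changes; on a PPPoE link that is every redial, and at boot the address may not exist yet. The script below is an added example, not code from this thread or from the pf project: a small lint pass that parses the macro lines, reports macros used but never defined and defined but never used, flags rules that use a dynamic interface's macro as a bare from/to address, and reports rules that duplicate each other once "from any to any" is normalised to "all". The embedded ruleset is constructed to mirror the posted one with RFC 5737 placeholder addresses standing in for the redacted 196.x values; the lint() function, the dynamic_ifs parameter and the tun0-is-dynamic assumption are this example's own.

```python
import re
from collections import Counter

# Constructed sample modelled on the ruleset posted above.  The 196.x
# addresses the poster redacted are replaced by RFC 5737 documentation
# addresses; these are placeholders, not the poster's real values.
SAMPLE_PF_CONF = """\
# macros
ext_if = "tun0"
int_if = "fxp0"
secure_mail = "198.51.100.7"
tech_net = "203.0.113.0/24"

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 6161

block in log all
block in log quick on $ext_if proto tcp from any to any flags FUP/FUP
block in log quick on $ext_if proto tcp all flags FUP/FUP
block drop in log quick on $ext_if from $priv_net to any
pass in log on $ext_if proto tcp from $tech_net to $ext_if port 22 keep state
pass in log on $ext_if proto tcp from $tech_net to ($ext_if) port 80 keep state
"""

MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"?(.*?)"?\s*$')
MACRO_USE_RE = re.compile(r'\$([A-Za-z_]\w*)')
# A macro used directly after 'from' or 'to' is an address; '($name)' does
# not match because the parenthesis sits between the keyword and the '$'.
ADDR_REF_RE = re.compile(r'\b(?:from|to)\s+\$([A-Za-z_]\w*)\b')


def parse_macros(text):
    """Return {name: value} for every 'name = "value"' line."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def rule_lines(text):
    """Yield (lineno, rule) for non-blank, non-comment, non-macro lines."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split('#', 1)[0].strip()
        if not line or MACRO_RE.match(line):
            continue
        yield n, line


def macro_usage(text, macros):
    """Return (used-but-undefined, defined-but-unused) macro names."""
    used = set()
    for _, rule in rule_lines(text):
        used.update(MACRO_USE_RE.findall(rule))
    for value in macros.values():          # macros may reference other macros
        used.update(MACRO_USE_RE.findall(value))
    return sorted(used - set(macros)), sorted(set(macros) - used)


def dynamic_address_refs(text, macros, dynamic_ifs):
    """Rules using a dynamic interface (e.g. a PPPoE tun0) as a bare address.

    pf expands 'to $ext_if' to the interface's addresses at load time; on a
    PPPoE link the address changes on every redial and may not exist at boot.
    Writing '($ext_if)' makes pf re-evaluate it when the address changes.
    """
    hits = []
    for n, rule in rule_lines(text):
        for name in ADDR_REF_RE.findall(rule):
            if macros.get(name) in dynamic_ifs:
                hits.append((n, name))
    return hits


def duplicate_rules(text):
    """Rules identical after whitespace collapse and 'from any to any' -> 'all'."""
    def normalise(rule):
        return ' '.join(rule.split()).replace('from any to any', 'all')
    counts = Counter(normalise(rule) for _, rule in rule_lines(text))
    return sorted(rule for rule, c in counts.items() if c > 1)


def lint(text, dynamic_ifs=("tun0",)):
    """Run all checks; dynamic_ifs lists interfaces whose address may change."""
    macros = parse_macros(text)
    undefined, unused = macro_usage(text, macros)
    return {
        "undefined_macros": undefined,
        "unused_macros": unused,
        "dynamic_address_refs": dynamic_address_refs(text, macros, set(dynamic_ifs)),
        "duplicate_rules": duplicate_rules(text),
    }


if __name__ == "__main__":
    for key, val in lint(SAMPLE_PF_CONF).items():
        print(f"{key}: {val}")
```

Run it against a real pf.conf by reading the file into lint() with the interfaces that get their address from ppp or DHCP listed in dynamic_ifs; it complements, rather than replaces, a syntax check with pfctl -nf, which does not warn about bare dynamic-interface addresses or duplicated rules.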