From owner-freebsd-pf@FreeBSD.ORG Thu Mar 6 13:49:16 2008
From: "Alaor Barroso de Carvalho Neto" <alaorneto@gmail.com>
To: freebsd-pf@freebsd.org
Date: Thu, 6 Mar 2008 10:21:19 -0300
Subject: Please help me with my config
Message-ID: <2949641c0803060521t3b4fb141u3201065639f68304@mail.gmail.com>
Hi guys, let me explain what I have. I work in a school; we have access to the internet, two internal networks (academic and administrative), and we have to connect to some servers in another school because we share databases and do video-conferencing. I have a FreeBSD box with PF and squid. I want all my web traffic to pass through the squid; it's working. I want the academic net not to be able to communicate with the administrative net, and the inverse; it's working. But I would like my adm net to communicate with some servers in the other school's network, and only these servers; no other IP would be accessible. It's NOT working. I can ping the servers but I can't connect to the service ports (SQL Server, and so on).

Here's my pf.conf:

BEGIN OF CONFIG
# macros
ext_if="em0"
adm_if="xl0"
acad_if="xl1"
cefet_if="xl2"
all_if="{ em0, xl0, xl1, xl2 }"
ext_net="XXX.XXX.XXX.XXX/XX"
adm_net="192.168.1.0/24"
acad_net="192.168.2.0/24"
cefet_net="10.10.0.0/16"
cefet_servers="{ 10.10.0.10, 10.10.0.15, 10.10.0.213 }"
internal_nets="{ 192.168.1.0/24, 192.168.2.0/24 }"
tcp_services="{ ssh, smtp, domain, http, https, ftp, ftp-data, nntp, pop3, pop3s, auth, 3128 }"
udp_services="{ domain, ntp }"
proxy_ports="{ 80, 8000, 8080, 3128 }"
martians="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

# options and normalization
set block-policy return
scrub in all

# translation rules (pf applies these before the filter rules on an interface)
nat on $ext_if from $internal_nets to any -> ($ext_if)
nat on $cefet_if from $adm_net to any -> ($cefet_if)
rdr on $all_if proto tcp from any to any port $proxy_ports -> 127.0.0.1 port 3128

# filter rules: a "quick" match ends evaluation, otherwise the last match wins
block all
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop quick from $acad_net to $adm_net
block drop quick from $adm_net to $acad_net
pass quick proto icmp from any to any keep state
pass quick from $adm_net to $cefet_servers keep state
pass quick from $cefet_servers to $adm_net keep state
block quick from any to $cefet_net
block quick from $cefet_net to any
pass proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state
antispoof for $all_if
END OF CONFIG

cefet_net is the network of the other school, and cefet_servers are the servers I want to communicate with. I want all ports and protocols to these servers, but it's not working.

I need a light, guys. Thanks, and sorry for my poor English.

Alaor Neto
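To reason about which rule in a ruleset like the one above decides a packet's fate, it helps to replay pf's filter semantics by hand: a matching rule marked "quick" ends evaluation, otherwise the last matching rule wins. The following is an added example, not code from the poster or from FreeBSD: it hard-codes the filter rules above (the ext_if martian and antispoof rules are left out) and evaluates packets as they appear before any nat or rdr translation, ignoring interface binding and existing states, so it answers only "which rule matches", not what happens after NAT on the outgoing interface.

```python
import ipaddress

# Networks copied from the poster's macros; port numbers are the usual
# assignments for the service names in tcp_services/udp_services.
ADM_NET = ipaddress.ip_network("192.168.1.0/24")
ACAD_NET = ipaddress.ip_network("192.168.2.0/24")
CEFET_NET = ipaddress.ip_network("10.10.0.0/16")
CEFET_SERVERS = [ipaddress.ip_network(h) for h in
                 ("10.10.0.10/32", "10.10.0.15/32", "10.10.0.213/32")]
ANY = ipaddress.ip_network("0.0.0.0/0")
TCP_SERVICES = {22, 25, 53, 80, 443, 21, 20, 119, 110, 995, 113, 3128}
UDP_SERVICES = {53, 123}

# (action, quick, proto or None=any, src nets, dst nets, dst ports or None=any)
# in the same order as the poster's filter section.
RULES = [
    ("block", False, None,   [ANY],         [ANY],         None),   # block all
    ("block", True,  None,   [ACAD_NET],    [ADM_NET],     None),
    ("block", True,  None,   [ADM_NET],     [ACAD_NET],    None),
    ("pass",  True,  "icmp", [ANY],         [ANY],         None),
    ("pass",  True,  None,   [ADM_NET],     CEFET_SERVERS, None),
    ("pass",  True,  None,   CEFET_SERVERS, [ADM_NET],     None),
    ("block", True,  None,   [ANY],         [CEFET_NET],   None),
    ("block", True,  None,   [CEFET_NET],   [ANY],         None),
    ("pass",  False, "tcp",  [ANY],         [ANY],         TCP_SERVICES),
    ("pass",  False, "udp",  [ANY],         [ANY],         UDP_SERVICES),
]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def evaluate(src, dst, proto, dport=None):
    """Return pf's verdict for an untranslated packet: the first 'quick'
    match stops evaluation, otherwise the last matching rule wins."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "pass"  # pf's default when no rule matches at all
    for action, quick, rproto, srcs, dsts, ports in RULES:
        if rproto is not None and rproto != proto:
            continue
        if not _in_any(src, srcs) or not _in_any(dst, dsts):
            continue
        if ports is not None and dport not in ports:
            continue
        verdict = action
        if quick:
            break
    return verdict
```

Running the adm-to-server case through it shows the "pass quick from $adm_net to $cefet_servers" rule winning for any port, while the same destination from the academic net hits "block quick from any to $cefet_net" for TCP but still passes ICMP because the icmp rule sits earlier.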