From owner-freebsd-questions@FreeBSD.ORG Thu Mar 26 14:46:24 2009 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1A3FC106566B for ; Thu, 26 Mar 2009 14:46:24 +0000 (UTC) (envelope-from emagutu@gmail.com) Received: from mail-ew0-f171.google.com (mail-ew0-f171.google.com [209.85.219.171]) by mx1.freebsd.org (Postfix) with ESMTP id 6D8FB8FC0C for ; Thu, 26 Mar 2009 14:46:23 +0000 (UTC) (envelope-from emagutu@gmail.com) Received: by ewy19 with SMTP id 19so562361ewy.43 for ; Thu, 26 Mar 2009 07:46:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=ds4eysdFTMMl0uQf06hHqVZFmgVIDGj38xqYLlOcOG8=; b=nWepIp6OYep8+2WFmDw0sN1Y+V9aDevi35Ysp9nsNtnbjRq/EfaIKNnpcZ21IRUt4C HS4pShgHdbRjMzt4Xqr1otLEe+uEuKnnV6HJE4FRc2q2/GeZATvzZuh3W0VyXIiabj1X rmvqiqU/6xIMTYmEMm+ZEU2+23qE4kxadE5WE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=xaIJVKGXPwCcr3U5OVFRaYnnnK9JqUS0Hd6rIycYMJFAPIAqaiWmv5o4sfVO1Tb5AO HaCWnvpHIduNSAJ3PUi6Gr8m4rfFl3QS9V4q2iFkAaT6FvFA2WBKj3ins/ACJz3mAgFC 9DGvTHf+5fU1oBUhCk8Kaeo2hzW+G4ijuyQPg= MIME-Version: 1.0 Received: by 10.216.47.201 with SMTP id t51mr347941web.198.1238077403065; Thu, 26 Mar 2009 07:23:23 -0700 (PDT) In-Reply-To: <17838240D9A5544AAA5FF95F8D52031605B4283F@ad-exh01.adhost.lan> References: <53529.216.241.167.212.1237911183.squirrel@webmail.pknet.net> <17838240D9A5544AAA5FF95F8D52031605B4283F@ad-exh01.adhost.lan> Date: Thu, 26 Mar 2009 17:23:23 +0300 Message-ID: From: Eric Magutu To: "Michael K. Smith - Adhost" Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-questions@freebsd.org Subject: Re: first firewall with pf X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 26 Mar 2009 14:46:24 -0000 Hi everyone, Thanks for all your input so far. I have tried to implement all you suggestions but have gotten stuck. I set up a test machine in the office with the ip 10.0.0.110 and encountered the following problems: when I enables antispoofing the firewall didn't work when I tried allowing the 10.0.0.0 subnet it worked ok but when i tried connecting from machines on the 172.16 subnet I was unable to connect. Can you please let me know what I'm doing wrong? ############# #interfaces # ############# ext_if="le0" #ext_if2="bce1" ##################### #ports to be opened # ##################### #tcp ports good_port_tcp="{ 80, 110, 143, 161, 443, 873 }" #udp ports good_port_udp="{ 161, 873 }" ########################## #block all other traffic # ########################## # should be the first rule block in on $ext_if all ################ #anti-spoofing # ################ #traffic can't come in on your IP's #antispoof quick for { lo0 $ext_if $ext_if2 } inet ############################################# #allow all connections from and to loopback # ############################################# pass in quick on lo0 all keep state pass out quick on lo0 all keep state ######################################################## #allow all connections out through external interfaces # ######################################################## pass out quick on $ext_if all keep state ############## #Blocked ips # ############## #put ips or ip blocks as below badguys="{ 192.168.1.100, 192.160.1.2, 192.168.200.0/24 }" block in quick on $ext_if from $badguys ############################ #smtp connections allowed # ############################ #European servers pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25 keep state #American pass in quick on $ext_if proto tcp from x.x.x.0/26 to 10.0.0.110 port 25 keep state #from the old iptables??? pass in quick on $ext_if proto tcp from x.x.x.0/27 to 10.0.0.110 port 25 keep state ################################### # pass traffic from allowed ports # ################################### #pass traffic from allowed tcp ports pass in on $ext_if inet proto tcp from any to 10.0.0.110 port $good_port_tcp keep state #pass traffic from allowed udp ports pass in on $ext_if inet proto tcp from any to 10.0.0.110 port $good_port_tcp keep state ########################################## # allow connections from NMC and servers # ########################################## #my ip pass in quick on $ext_if inet proto { tcp, udp, icmp } from 10.0.0.58 to 10.0.0.110 keep state #172.16.0.0/12 are the ips NMC access with pass in on $ext_if inet proto { tcp, udp, icmp } from 172.16.0.0/8 to 10.0.0.110 keep state ################## # enable logging # ################## block in log on $ext_if # to view log run command below #tcpdump -n -e -ttt -i pflog0 ################################################## #for any questions contact me# ################################################## On Tue, Mar 24, 2009 at 8:00 PM, Michael K. Smith - Adhost < mksmith@adhost.com> wrote: > I also forgot to mention: > > You should probably log your block rule so that you can see what's going on > if things don't work as expected. > > So: > > block in log on $ext_if > > Note the lack of "quick" as well, as previously mentioned. > > With logging enabled, provided you have pflog running (which you should), > you can use the following to see what's being blocked. > > tcpdump -n -e -ttt -i pflog0 (provided pflog0 is your pflog interface). > > Regards, > > Mike > -- Regards, Eric Magutu