Date: Sun, 9 Mar 2008 10:40:58 -0500
From: Josh Paetzel <josh@tcbug.org>
To: freebsd-questions@freebsd.org
Cc: erik Wilson <erik.mlists@gmail.com>
Subject: Re: Help with pf ruleset
Message-ID: <200803091041.03862.josh@tcbug.org>
In-Reply-To: <f5bda4b80803090622n607853fey965b814c772080be@mail.gmail.com>
References: <f5bda4b80803090622n607853fey965b814c772080be@mail.gmail.com>
On Sunday 09 March 2008 08:22:07 am erik Wilson wrote:
> I'm pulling my hair out here. I've been working on this for days without
> any success.
>
> I've whittled the ruleset down to the barest possible rules and even that
> doesn't work. I'm at my wits' end. I would really appreciate it if someone
> could show me where I'm being a complete and total moron.
>
> Here's the situation. I have a somewhat unique environment. It consists of
> 2 WANs, an internal LAN, and numerous VLANs (isolated clients, which need
> to be accessible from the internet, but not to each other). This runs in a
> VMware ESX server, but that's not really important.
>
> FreeBSD 7.0-RELEASE
>
> em0 = lan (10.0.0.x)
> em2 = WAN1 (y.y.y.y) (dhcp)
> em3 = WAN2 (x.x.x.x) (static /28 subnet)
>
> The default gateway is on nic2. nic3 will need to forward ip:ports to
> various VLANs. nic2 is used for all outbound LAN traffic (internet). nic2
> will need to failover to nic3 eventually, and nic3 will have to failover to
> nic2 (for outbound, obviously no choice for inbound).
>
> So here's the problem. I can't even get nic2 or nic3 to respond to a ping
> request from outside my network when pf is enabled. I know the interfaces
> are set up correctly, as I can ping the default gateways of both interfaces.
>
> Also, outbound NAT works perfectly on wan1.
>
> Here's my ruleset.
>
> lan_if="em0"
> wan1_if="em2"
> wan2_if="em3"
> set block-policy return
> set skip on lo0
> nat on $wan1_if from $lan_if:network to any -> ($wan1_if)
> block in log
> pass out log keep state
> pass in log inet proto icmp all icmp-type echoreq keep state
> pass in log quick on $lan_if
>
> Looks simple enough, right? Why won't it work? All I want is to get a ping
> from both of the firewall's WANs from outside the network.
>
> Any ideas?
>
> Routing tables
>
> Internet:
> Destination        Gateway            Flags  Refs  Use   Netif  Expire
> default            y.y.y.129          UGS    0     4433  em2
> 10.0.0.0/24        link#1             UC     0     0     em0
> 10.0.0.1           00:0c:29:a9:e5:75  UHLW   1     338   em0    1177
> 10.0.0.2           00:0c:29:c0:74:57  UHLW   1     3291  em0    1041
> 10.0.0.10          00:19:db:b1:07:78  UHLW   1     4827  em0    1185
> 10.0.1.0/24        link#7             UC     0     0     vlan0
> 10.0.2.0/24        link#8             UC     0     0     vlan1
> 10.0.2.2           00:0c:29:e9:8c:d2  UHLW   1     251   vlan1  1190
> 10.0.3.0/24        link#9             UC     0     0     vlan2
> 10.0.3.2           00:50:56:9c:53:89  UHLW   1     420   vlan2  1152
> 10.0.4.0/24        link#10            UC     0     0     vlan3
> 10.0.5.0/24        link#11            UC     0     0     vlan4
> 127.0.0.1          127.0.0.1          UH     0     0     lo0
> y.y.y.128/25       link#3             UC     0     0     em2
> x.x.x.144/28       link#4             UC     0     0     em3
> x.x.x.146          00:0c:29:b5:0e:bb  UHLW   1     6     lo0

The obfuscation is making it harder for my brain to deal with than it should
be. At any rate, em3 isn't going to work properly without a route-to rule to
get it to answer back to pings out the proper gateway. I'm not entirely sure
why you can't ping the ip on em2, could you provide the output of tcpdump -i
em2 while you ping it?

Also, what did you do with em1? :)

-- 
Thanks,

Josh Paetzel
PGP: 8A48 EF36 5E9F 4EDA 5A8C 11B4 26F9 01F1 27AF AECB
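The rule Josh is pointing at, written out as an added example (this is not code from the thread or from either poster). The problem with em3 is that the host's only route to the internet is the default route on em2, so an echo reply to a request that arrived on em3 is routed out em2 with em3's source address and either never reaches the peer or is dropped upstream. In pf the keyword that pins the reply direction of a state to a chosen next hop is reply-to; route-to is its counterpart for packets the firewall originates or forwards outbound. The ruleset below is the original poster's ruleset with that rule added. Assumptions not in the thread: the upstream router on the x.x.x.144/28 subnet is taken to be x.x.x.145 (the thread never gives it), and the rdr example at the end, which shows the ip:port forwarding to a VLAN he mentions for nic3, uses a made-up spare address x.x.x.147 and a made-up web server on 10.0.2.2 (the vlan1 host from his routing table).

```pf
# Added example: the original poster's pf.conf extended so that traffic
# arriving on the second WAN (em3) is answered through em3's own gateway
# instead of the default route on em2.
lan_if="em0"
wan1_if="em2"
wan2_if="em3"
# ASSUMPTION: upstream router on the x.x.x.144/28 subnet; fill in the real one.
wan2_gw="x.x.x.145"
# ASSUMPTION: a spare address on the /28 and a web server on vlan1, used only
# to illustrate port forwarding in through em3.
wan2_web="x.x.x.147"
vlan1_web="10.0.2.2"

set block-policy return
set skip on lo0

# Outbound LAN traffic leaves via WAN1, exactly as in the original ruleset.
nat on $wan1_if from $lan_if:network to any -> ($wan1_if)

# Port forward in through WAN2 to a VLAN host (translation happens before
# filtering, so the pass rule below must match the translated address).
rdr on $wan2_if inet proto tcp from any to $wan2_web port 80 -> $vlan1_web port 80

block in log
pass out log keep state

# WAN1 carries the default route, so a plain stateful pass is enough here.
pass in log on $wan1_if inet proto icmp from any to ($wan1_if) \
    icmp-type echoreq keep state

# WAN2: the state created by this rule sends its replies to $wan2_gw on em3,
# regardless of what the kernel routing table says. Without reply-to the
# echo reply would follow the default route out em2.
pass in log on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto icmp \
    from any to ($wan2_if) icmp-type echoreq keep state

# Same treatment for the forwarded web traffic: the SYN/ACK from 10.0.2.2
# comes back in on vlan1, matches this state, and is sent out em3.
pass in log on $wan2_if reply-to ($wan2_if $wan2_gw) inet proto tcp \
    from any to $vlan1_web port 80 flags S/SA keep state

pass in log quick on $lan_if
```

Check it before loading with `pfctl -nf /etc/pf.conf`, then `pfctl -f /etc/pf.conf`. Since every rule carries `log`, the quickest way to answer Josh's question for either interface is to watch `tcpdump -n -e -ttt -i pflog0` next to `tcpdump -n -i em3 icmp` (or em2) while pinging from outside: pflog0 shows which rule number matched or blocked the request, and the interface capture shows whether the reply leaves on the interface the request arrived on. `pfctl -vsr` shows per-rule packet counters for the same purpose. The `x.x.x.146 ... lo0` entry in the routing table is just the host's own em3 address and is normal on FreeBSD.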
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200803091041.03862.josh>