Date: Sun, 08 May 2005 10:22:33 -1000
From: Robert Marella <rmarella@gmail.com>
To: Fafa Hafiz Krantz <fteg@london.com>
Cc: questions@freebsd.org
Subject: Re: PF RULES! But mine doesn't ...
Message-ID: <427E7509.1020602@gmail.com>
In-Reply-To: <20050508102226.5380B4BEAD@ws1-1.us4.outblaze.com>
References: <20050508102226.5380B4BEAD@ws1-1.us4.outblaze.com>
Fafa Hafiz Krantz wrote:
> Hello.
>
> My ruleset is all twisted.
> Unless I disable the default deny policy, this is what happens:
>
> * My nameserver setup goes dysfunctional.
> * My web, mail and fileserver go dysfunctional.
> * I cannot SSH and FTP into certain servers.
> * I cannot ping my IP from the outside.
>
> Can anyone tell what's wrong?
> And maybe also how I can simplify my ruleset?
>
> int_if="ep0"
> ext_if="lnc0"
>
> # *** Options
> #
> set block-policy drop
>
> # *** Scrub incoming packets
> #
> scrub in all
>
> # *** NAT
> #
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> rdr on $int_if proto tcp from any to any \
>     port 21 -> 127.0.0.1 port 8021
>
> # *** Default deny policy
> #
> # block drop log all
>
> # *** Pass loopback traffic
> #
> pass quick on { lo0 $int_if }
>
> # *** Outgoing
> #
> pass out on $ext_if inet proto { tcp, udp, icmp } \
>     from ($ext_if) to any keep state
>
> # *** Bootstrap
> #
> pass out on $ext_if inet proto udp \
>     from any port 68 to any port 67 keep state
>
> # *** DNS and NTP
> #
> pass out on $ext_if inet proto udp \
>     from ($ext_if) to any port { 53, 123 } keep state
>
> # *** SSH, HTTP and Ident
> #
> pass in on $ext_if inet proto tcp \
>     from any to ($ext_if) port { 22, 80, 113 } flags S/SA keep state
>
> # *** Active FTP
> #
> pass in on $ext_if inet proto tcp \
>     from port 20 to ($ext_if) user proxy flags S/SA keep state
>
> Thank you so much.
> Keep in touch!
>
> --
>
> Fafa Hafiz Krantz
> Research Designer @ http://www.bleed.no

Perhaps you should check the archives. :)
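For readers who land here with the same symptoms, the ruleset below is an added example written for this archive page; it is not a ruleset posted by anyone in the thread. It keeps the posted rules, leaves the default deny enabled, and adds the inbound pass rules the posted set lacks. The symptoms follow directly from pf's semantics: with "block drop log all" active, every inbound packet on $ext_if that no later rule passes is dropped, and the posted set only passes TCP 22, 80 and 113 (plus the active-FTP data rule), so DNS queries to port 53, mail to port 25 and ICMP echo requests never reach their daemons. The example assumes the nameserver, web, mail and FTP services run on the firewall host itself; services on internal hosts would instead need an rdr rule on $ext_if and a pass in rule for the internal address, which this example does not cover.

```pf
# Added example pf.conf (FreeBSD pf, 2005-era syntax), not from the thread.
# Assumption: the DNS, web, mail and FTP daemons run on this host.
int_if="ep0"
ext_if="lnc0"

set block-policy drop

scrub in all

# NAT for the internal network; FTP from inside is handed to ftp-proxy
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# Default deny stays enabled. pf evaluates rules top to bottom and the
# last matching rule wins, so each "pass" below overrides this block for
# the traffic it names; anything else is dropped and logged to pflog0.
block drop log all

# Trusted interfaces: loopback and the internal LAN
pass quick on { lo0 $int_if }

# Outbound from the firewall. NAT'd LAN traffic leaves with the firewall's
# address, so it matches too; the state entries admit the replies.
pass out on $ext_if inet proto { tcp, udp, icmp } from ($ext_if) to any keep state
pass out on $ext_if inet proto udp from any port 68 to any port 67 keep state
pass out on $ext_if inet proto udp from ($ext_if) to any port { 53, 123 } keep state

# Inbound services. These are what the posted ruleset was missing: a
# nameserver must accept queries on 53 (UDP, and TCP for large answers
# and zone transfers), a mail server needs 25, and "ping from outside"
# needs ICMP echo requests passed in. flags S/SA is TCP-only, so the UDP
# rule is kept separate.
pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port { 22, 25, 53, 80, 113 } flags S/SA keep state
pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state

# Inbound FTP control channel, only if an FTP server runs on this host
pass in on $ext_if inet proto tcp from any to ($ext_if) port 21 flags S/SA keep state

# Active FTP data connections coming back to ftp-proxy for LAN clients
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it (-n parses without loading), then load it with "pfctl -f /etc/pf.conf" and confirm with "pfctl -sr". Because the deny rule carries "log", "tcpdump -n -e -ttt -i pflog0" shows exactly which packets the default deny is still dropping, which is the quickest way to find any service that still needs a pass in rule.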
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?427E7509.1020602>