Date:      Thu, 26 May 2005 16:13:15 -0500
From:      "Edwin L. Culp" <eculp@encontacto.net>
To:        pf@freebsd.org
Subject:   problem with dns on all and squid on some.
Message-ID:  <20050526161315.4997ejvpxwswowsc@mail.encontacto.net>

I am trying to learn to use pf.  I basically took this from a home 
office example and made some modifications.  That is probably the 
problem ;)

I have installed this on three different servers and the only change 
from one to another are the int_if and ext_if values.  The three servers 
are primary and secondary DNS servers for each other, and when all are running 
this configuration there is no DNS resolution.  That is the first problem.

The second problem is that the redirect for squid initially worked for 
all three servers but now only works for one.  The other two give an 
error in the squid.log with:

1117043675.879      5 192.168.1.2 TCP_DENIED/400 1807 GET error:pf-open-failed - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid/2.5.STABLE10\r\nMime-Version: 1.0\r\nDate: Wed, 25 May 2005 17:54:35 GMT\r\nContent-Type: text/html\r\nContent-Length: 1509\r\nExpires: Wed, 25 May 2005 17:54:35 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]

The squid configurations are more or less identical also.

The following is my pf.conf file.

# macros
int_if = "rl1"
ext_if = "rl0"

tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"
icmp_types = "echoreq"

priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 224.0.0.0/3 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

# filter rules
block all

pass quick on lo0 all

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state


Thanks in advance for any and all suggestions.  Hopefully, I'll learn 
something ;) and have a better firewall for it.

Thanks,

ed
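Editorial note on the ruleset above (this is added commentary and an added configuration example, not part of the original message or the poster's files). The only rule that passes traffic in on $ext_if is restricted to `proto tcp`, so inbound connections to the ports in $tcp_services work over TCP only. Ordinary DNS queries travel over UDP/53 (zone transfers use TCP/53), and NTP uses UDP/123; with `block all` as the default and no inbound UDP rule, queries from the other two name servers never reach named on the external interface, which is consistent with resolution failing once all three hosts run this configuration. The fragment below keeps the poster's interface names and service list, adds a matching inbound UDP rule, and shows the original TCP-only rule commented beside it for comparison. The squid side is a separate issue: squid logs `error:pf-open-failed` when it cannot open /dev/pf to look up the original destination of a redirected connection, so that error points at the squid process's access to /dev/pf on those two hosts rather than at the ruleset itself.

```pf
# Added example (not the poster's config): inbound rules on the external
# interface rewritten so that DNS and NTP are reachable over UDP as well.
ext_if = "rl0"
int_if = "rl1"

tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"
# Services that are UDP in practice: DNS queries (53) and NTP (123).
udp_services = "{ 53, 123 }"

set block-policy return
set loginterface $ext_if

scrub in all

# Log what the default rule drops so pflog0 shows which packets never matched.
block log all

pass quick on lo0 all

# Original rule, TCP only: UDP/53 queries from the peer name servers fall
# through to "block all" and are answered with an ICMP unreachable.
# pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# Corrected: keep the TCP rule and add the matching UDP rule.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

# Outbound from the firewall itself, unchanged from the posted ruleset.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. With `log` on the default block rule, `tcpdump -n -e -ttt -i pflog0 port 53` on one of the servers shows whether peer queries are still being dropped, and on which interface, before any further rules are changed.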