Date:      Fri, 8 Jul 2005 08:07:34 +0200
From:      Nekdo Nekje <umeglic@gmail.com>
To:        freebsd-questions@freebsd.org
Subject:   FreeBSD 5.4 release firewall/router and PF not loading rule sets
Message-ID:  <515659fd0507072307f1f7de2@mail.gmail.com>

Hello list...

I have a few questions I would like to ask. Some may sound stupid, but
please bear with me since I'm new to FreeBSD and networking for that
matter...

So, I'm trying to build this router/firewall thingy for our local
network. The box has 3 NICs, one for the Internet and two for the
local subnets. I have to build it so that the two subnets can not
communicate with each other. I would also like to implement NAT for
both subnets so that only the router's IP is visible on the net. The
subnet hosts all have class C addresses and not private network
addresses. I would also like to disable any connections from the
outside to the host and only allow the basic net services to be passed
out on the Internet, like web, smtp, etc...

The problem is I can not seem to get the firewall (PF) to work. The
computers' IPs are all seen from the Internet, NAT is not working...
if I type pfctl -s rules I only get two lines saying "ALTQ support not
compiled in the kernel. Disabling ALTQ support." Do I need ALTQ
support for what I'm trying to do?

Any ideas on what I should check on my system? I read the man page for
pfctl but couldn't find the command for just checking the pf.conf file
for syntax errors. I was using pf -f /etc/pf.conf for that, and it's
not outputting any errors, only the ALTQ thingy, and the ssh session
disconnects so then I have to reconnect.
I have pf enabled in rc.conf and as far as I can tell it's loading
fine and pflogd is also running. It's just not working... guess
I'm missing something or am just plain stupid...

Maybe I didn't understand how this is supposed to be, so here is my
first attempt at PF rule set building... ;) Here is my pf.conf

----------------------------------------------------------
ext_if="rl0"
ped_if="xl0"
adm_if="xl1"

priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
porti="{ 20 21 25 80 443 }"

set loginterface $ext_if

scrub in all

nat on $ext_if from $ped_if:network to any -> ($ext_if)
nat on $ext_if from $adm_if:network to any -> ($ext_if)

block all

pass quick on lo0 all

antispoof quick for $ped_if inet
antispoof quick for $adm_if inet

block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
block drop in quick on $ped_if from $ped_if:network to $adm_if
block drop in quick on $adm_if from $adm_if:network to $ped_if

pass in on $ped_if proto { tcp, udp } from $ped_if:network to $ext_if port $porti keep state
pass out on $ped_if proto { tcp, udp } from $ped_if:network to $ext_if port $porti keep state

pass in on $adm_if proto { tcp, udp } from $adm_if:network to $ext_if port $porti keep state
pass out on $adm_if proto { tcp, udp } from $adm_if:network to $ext_if port $porti keep state

pass in on $ext_if proto {tcp, udp} from any port { 22 } keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
----------------------------------------------------------

If you have any ideas please help. Thanks for your time and answers...

best regards,
Uros
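
A corrected version of the rule set above, added here as an example; it is not part of the original post or of any reply to it. It keeps the poster's interface names and port list and assumes two things not stated in the post: that the internal hosts also need DNS (UDP 53) to resolve names, and that the router is managed over ssh from the admin subnet only. The comments mark where each rule differs from the posted one and why.

```pf
# Corrected pf.conf (added example, not the poster's file).
# Assumes rl0 is the external interface, xl0 and xl1 the two subnets.
#
# Check the syntax without loading anything:  pfctl -nf /etc/pf.conf
# Load the rule set:                          pfctl -f /etc/pf.conf
# See what is actually loaded:                pfctl -sr  (filter rules)
#                                             pfctl -sn  (nat rules)
#                                             pfctl -ss  (state table)
# "ALTQ support not compiled in the kernel" is only a warning: ALTQ is
# bandwidth shaping and is not needed for NAT or filtering.

ext_if="rl0"
ped_if="xl0"
adm_if="xl1"

priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
tcp_out="{ 20 21 25 80 443 }"
udp_out="{ 53 }"                 # DNS (assumption: hosts resolve names)

set loginterface $ext_if

scrub in all

# NAT both subnets behind the external address; "(rl0)" tracks the
# interface address if it changes.
nat on $ext_if from $ped_if:network to any -> ($ext_if)
nat on $ext_if from $adm_if:network to any -> ($ext_if)

# Default deny in both directions; logging to pflog0 shows what the
# firewall is dropping while you debug.
block log all

pass quick on lo0 all

antispoof quick for $ped_if inet
antispoof quick for $adm_if inet

# Private address space never crosses the external interface.
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Keep the two subnets apart. The posted rules compared against
# "$adm_if" / "$ped_if", which expand to the router's own address on
# that interface, not to the subnet behind it; ":network" is the subnet.
block drop in quick on $ped_if from $ped_if:network to $adm_if:network
block drop in quick on $adm_if from $adm_if:network to $ped_if:network

# Let the subnets reach the Internet. The posted rules said "to
# $ext_if", which only matches packets addressed to the router itself,
# so nothing bound for the Internet was ever passed. With floating
# states (pf's default) the "pass in" state also admits the replies, so
# no "pass out on $ped_if" rules are needed.
pass in on $ped_if proto tcp from $ped_if:network to any port $tcp_out flags S/SA keep state
pass in on $ped_if proto udp from $ped_if:network to any port $udp_out keep state
pass in on $adm_if proto tcp from $adm_if:network to any port $tcp_out flags S/SA keep state
pass in on $adm_if proto udp from $adm_if:network to any port $udp_out keep state

# Management access to the router only from the admin subnet
# (assumption). "($adm_if)" is the router's address on that interface.
pass in on $adm_if proto tcp from $adm_if:network to ($adm_if) port 22 flags S/SA keep state

# Deliberately no "pass in on $ext_if" rule: the post wants no
# connections from the outside. Note that the posted
# "from any port { 22 }" matched the *source* port, so it would have
# passed any inbound packet whose source port happened to be 22, while
# still not admitting ssh to the router's port 22.

# The translated packets still have to be passed out of the external
# interface; "block all" above would otherwise drop them here.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Load it with pfctl -f after pfctl -nf reports no errors, then compare pfctl -sr with the file: if the output is only the ALTQ warning, nothing was loaded and the file named on the command line is not the one being read. Adding "log" to the block rule means tcpdump -n -e -ttt -i pflog0 shows exactly which packets are being dropped, which answers "why does my ssh session die" far faster than guessing at rule order.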