Date: Fri, 8 Jul 2005 08:07:34 +0200
From: Nekdo Nekje <umeglic@gmail.com>
To: freebsd-questions@freebsd.org
Subject: FreeBSD 5.4 release firewall/router and PF not loading rule sets
Message-ID: <515659fd0507072307f1f7de2@mail.gmail.com>
Hello list...

I have a few questions I would like to ask. Some may sound stupid, but please bear with me since I'm new to FreeBSD and networking for that matter...

So, I'm trying to build this router/firewall thingy for our local network. The box has 3 NICs, one for the Internet and two for the local subnets. I have to build it so that the two subnets can not communicate with each other. I would also like to implement NAT for both subnets so that only the router's IP is visible on the net. The subnet hosts all have C-class addresses and not private network addresses. I would also like to disable any connections from the outside to the host and only allow the basic net services to be passed out on the Internet, like web, smtp, etc...

The problem is I can not seem to get the firewall (PF) to work. The computers' IPs are all seen from the internet, NAT is not working... if I type pfctl -s rules I only get two lines saying "ALTQ support not compiled in the kernel. Disabling ALTQ support." Do I need ALTQ support for what I'm trying to do? Any ideas on what I should check on my system?

I read the man for pfctl but couldn't find the command for just checking the pf.conf file for syntax errors. I was using pf -f /etc/pf.conf for that, and it's not outputting any errors, only the ALTQ thingy, and the ssh session disconnects so then I have to reconnect.

I have pf enabled in rc.conf and as far as I can tell it's loading fine and the pflogd is also running. It's just not working... guess I'm missing something or am just plain stupid... Maybe I didn't understand how this is supposed to be, so here is my first attempt at PF rule set building...
;) Here is my pf.conf
----------------------------------------------------------
ext_if="rl0"
ped_if="xl0"
adm_if="xl1"
priv_nets="{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
porti="{ 20 21 25 80 443 }"

set loginterface $ext_if
scrub in all

nat on $ext_if from $ped_if:network to any -> ($ext_if)
nat on $ext_if from $adm_if:network to any -> ($ext_if)

block all
pass quick on lo0 all
antispoof quick for $ped_if inet
antispoof quick for $adm_if inet
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
block drop in quick on $ped_if from $ped_if:network to $adm_if
block drop in quick on $adm_if from $adm_if:network to $ped_if
pass in on $ped_if proto { tcp, udp } from $ped_if:network to $ext_if port $porti keep state
pass out on $ped_if proto { tcp, udp } from $ped_if:network to $ext_if port $porti keep state
pass in on $adm_if proto { tcp, udp } from $adm_if:network to $ext_if port $porti keep state
pass out on $adm_if proto { tcp, udp } from $adm_if:network to $ext_if port $porti keep state
pass in on $ext_if proto { tcp, udp } from any port { 22 } keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
----------------------------------------------------------

If you have any ideas please help. Thanks for your time and answers...

best regards,
Uros
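An added example, not from the thread: a pf.conf for the three-interface layout the post describes (same interface names and port list; the DNS rule, the "to any" destinations and admin-subnet-only ssh are my assumptions). pfctl -nf /etc/pf.conf parses a rule set without loading it, and the ALTQ message is only a warning about the queueing feature, which this rule set does not use.

```pf
# Added example, not the poster's config. Interface names follow the post;
# the DNS rule and admin-only ssh are assumptions. Syntax check without
# loading: pfctl -nf /etc/pf.conf   Show loaded rules: pfctl -sr
ext_if    = "rl0"
ped_if    = "xl0"
adm_if    = "xl1"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
porti     = "{ 20, 21, 25, 80, 443 }"   # services the LANs may reach

set loginterface $ext_if
set block-policy drop
scrub in all

# NAT: both subnets leave with the router's external address
nat on $ext_if from $ped_if:network to any -> ($ext_if)
nat on $ext_if from $adm_if:network to any -> ($ext_if)

# Default deny, logging what is dropped; loopback unrestricted
block log all
pass quick on lo0 all

antispoof quick for { lo0 $ped_if $adm_if }
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

# Keep the two subnets apart: "quick" stops evaluation before the pass rules
block drop in quick on $ped_if from any to $adm_if:network
block drop in quick on $adm_if from any to $ped_if:network

# Outbound from the LANs to Internet hosts only on the listed services.
# Destination is "any": the post's "to $ext_if" matches only packets addressed
# to the router itself, not traffic routed through it.
pass in on { $ped_if $adm_if } proto tcp from any to any port $porti keep state
pass in on { $ped_if $adm_if } proto udp from any to any port 53 keep state  # DNS (assumed)
pass out on $ext_if proto tcp all flags S/SA modulate state
pass out on $ext_if proto { udp, icmp } all keep state

# Management: ssh to the router only from the admin subnet. Nothing is passed
# in on $ext_if, so the router accepts no connections from the Internet.
pass in on $adm_if proto tcp from $adm_if:network to ($adm_if) port 22 flags S/SA keep state
```

Note that "from any port { 22 }" in the post matches the source port, so it admits any packet that happens to come from port 22 rather than ssh to the router; a destination-port rule as above is the usual form.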