Date: Sun, 3 Dec 2006 12:25:36 +0100
From: "Niklas Saers" <niklassaers@gmail.com>
To: freebsd-pf@freebsd.org
Subject: newbie to pf
Message-ID: <491ac4fb0612030325x2bbbb88br65ad4c3a2f4c8f43@mail.gmail.com>
Hi guys,

I'm setting up a Soekris 4801 box to deal with my home network. I've been using ipfw for a very long time and took this as an opportunity to try out pf. The Soekris has the interfaces sis0 (10.0.0.4), which is connected to my ADSL router, sis1, which is connected to my home computers (10.0.2.0/24), and sis2, which is connected to the computers that run my home business (10.0.3.0/24). The ADSL router is set up so that it forwards any incoming traffic to the Soekris box's sis0.

I would like to set up pf so that any incoming traffic to ports 22, 443 and 3306 goes to a computer on the business network (10.0.3.2) and the rest goes to 10.0.2.2 (the wireless adapter). In addition to forwarding, I need to set up NAT for my internal/wireless network and for the business network so that they can reach the rest of the world.

I've been reading a bit and using examples I've found good, and so far my pf.conf looks like this. NAT seems to work fine for the internal network, not for the business network. Incoming traffic to 10.0.3.2 does not work, neither does incoming to 10.0.2.2, and setting up an ssh connection between 10.0.2.2 and 10.0.3.2 takes about 26 seconds. Do you have any suggestions on how I can solve these problems? Are there any problems with this setup that I have not discovered yet?
# macros
ext_if = "sis0"
int_if = "sis1"
bus_if = "sis2"
internal_net = "10.0.2.0/24"
business_net = "10.0.3.0/24"
soekris = "{ 10.0.0.4, 10.0.2.1, 10.0.3.1 }"

# tables
table <firewall> const { self }

# options
set block-policy drop
set state-policy if-bound

# scrub incoming packets
scrub all reassemble tcp fragment reassemble

# nat
nat on $ext_if from $internal_net to any -> ($ext_if)
no nat on $ext_if from $internal_net to $business_net
no nat on $ext_if from $internal_net to $soekris

# redirection
rdr on $ext_if proto tcp from any to $ext_if port { 22, 443, 3306 } -> 10.0.3.2
rdr on $ext_if proto tcp from any to $ext_if -> 10.0.2.2

# setup a default deny policy
block drop log all

# pass traffic on the loopback interface in either direction
pass quick on lo0 all
pass quick on $int_if all
pass quick on $bus_if all

# outgoing dns, ntp
pass out quick on $ext_if inet proto udp from ($ext_if) to any port { 53, 123 } keep state

# outgoing from firewall
pass out log quick on $ext_if inet proto tcp from ($ext_if) to any flags S/SA keep state
pass out log quick on $ext_if inet proto { udp, icmp } from ($ext_if) to any keep state

# incoming active ftp-data (this is required for active ftp to work)
pass in log quick on $ext_if inet proto tcp from any port 20 to ($ext_if) port >= 1024 flags S/SA keep state

# incoming tcp and udp from the internal network to the internet
pass in log quick on $int_if inet proto tcp from $internal_net to !<firewall> flags S/SA modulate state
pass in log quick on $int_if inet proto udp from $internal_net to !<firewall> keep state

Cheers
Nik
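An added example, not the poster's configuration or a reply from the thread, showing the translation and filter rules the setup described above needs: the posted pf.conf has no nat rule for the business network, and an rdr rule only rewrites the destination address, so the redirected packet still has to match a pass rule on the external interface. It assumes the same interface names, networks and redirect targets as the post.

```pf
# Added example; assumes the addresses from the post (sis0 = 10.0.0.4 towards
# the ADSL router, sis1 = 10.0.2.0/24, sis2 = 10.0.3.0/24).
ext_if       = "sis0"
int_if       = "sis1"
bus_if       = "sis2"
internal_net = "10.0.2.0/24"
business_net = "10.0.3.0/24"
bus_host     = "10.0.3.2"
wifi_host    = "10.0.2.2"
bus_ports    = "{ 22, 443, 3306 }"

set block-policy drop
# The default (floating) state policy lets one state cover a forwarded
# connection on both the inside and the outside interface.
set state-policy floating
scrub in all

# Translation rules: the first matching rule wins, so a "no nat" exception
# has to precede the nat rule it exempts. Traffic between the two internal
# networks is routed on sis1/sis2 and never reaches sis0, so it needs no
# exception here.
nat on $ext_if from $internal_net to any -> ($ext_if)
nat on $ext_if from $business_net to any -> ($ext_if)   # missing in the post

# Port forwarding. rdr only rewrites the destination; the rewritten packet is
# then filtered, so each rdr needs a matching pass rule below.
rdr on $ext_if proto tcp from any to ($ext_if) port $bus_ports -> $bus_host
rdr on $ext_if proto tcp from any to ($ext_if) -> $wifi_host

block drop log all
pass quick on lo0 all

# Filter rules see the post-translation destination address.
pass in quick on $ext_if inet proto tcp from any to $bus_host port $bus_ports \
    flags S/SA keep state
# The catch-all rdr exposes every TCP port on the wireless host to the
# Internet; narrowing it to the ports actually needed is the safer choice.
pass in quick on $ext_if inet proto tcp from any to $wifi_host \
    flags S/SA keep state

# Internal networks out to the world and to each other.
pass in quick on $int_if from $internal_net to any keep state
pass in quick on $bus_if from $business_net to any keep state
pass out quick on $ext_if from ($ext_if) to any keep state
```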