From owner-freebsd-pf@FreeBSD.ORG Mon Oct 20 18:57:54 2008
Return-Path:
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B73361065672 for ; Mon, 20 Oct 2008 18:57:54 +0000 (UTC) (envelope-from xuchen66@gmail.com)
Received: from mail-gx0-f16.google.com (mail-gx0-f16.google.com [209.85.217.16]) by mx1.freebsd.org (Postfix) with ESMTP id 4E62D8FC18 for ; Mon, 20 Oct 2008 18:57:54 +0000 (UTC) (envelope-from xuchen66@gmail.com)
Received: by gxk9 with SMTP id 9so3997553gxk.19 for ; Mon, 20 Oct 2008 11:57:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; bh=GS7+5cjK5lOyzg+B9KeG9pRrjTgAMuTj45azi/K5rRU=; b=NC6Ra+THl5D3vwcz1JxNxaLBb6+rBOn9ghgGf9g8U1IPj28gbTXVY0Tye8P7wNI3jzYOihm1+Gz7V8rtbh6hbsK2x5tPW/SauWh+o67hAFtO5aDr4XIl0m6W5JnBQDAMOZTWbgijCuTPW76aZ7Alml2LdOX6XkOWur3Tpn9XZ+Q=
DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=NDVybUcy/2GdZehwXyKwZafGiTC1/JAes+aaMmLWJFpx/s+YhGc5UfkpDIHur6okwGCy/6cjZboNYhrkCWLfMs+Ox01xE6V/hbGEmXcnN1u88/NwxulmVT4lJnKd7lB/VjqNQHEKsQofNGq5Rb3ZZ9T2brpU+m1cz+uU9OFE0A4=
Received: by 10.90.29.13 with SMTP id c13mr7674365agc.68.1224527124419; Mon, 20 Oct 2008 11:25:24 -0700 (PDT)
Received: by 10.90.73.7 with HTTP; Mon, 20 Oct 2008 11:25:24 -0700 (PDT)
Message-ID: <184b087c0810201125y20714aa9y276d26a9e7e8a3b1@mail.gmail.com>
Date: Mon, 20 Oct 2008 14:25:24 -0400
From: "Chen Xu"
To: freebsd-pf@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Subject: my firewall doesn't work
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 20 Oct 2008 18:57:54 -0000

Dear List,

I am new to PF, but I have experience with FreeBSD in general. I took a look at example 1 from the PF FAQ, since my network is almost exactly the same. However, I have problems connecting anywhere after loading /etc/pf.conf; I cannot even ping myself, 127.0.0.1, or 192.168.1.1, which is my internal NIC. Can anyone give me a hint as to what is wrong?

Many thanks in advance.

Information about the setup:

1. FreeBSD 5.3-RELEASE-p26

2. with these lines compiled into the kernel:
#
device pf
device pflog
device pfsync
#

3. here are the lines in /etc/rc.conf:
#
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
#

4. /etc/pf.conf:
# -------------------------------
#
# macros
ext_if = "fxp0"
int_if = "em0"
tcp_services = "{ 22, 113 }"
icmp_type = "echoreq"
tecnai = "192.168.1.2"
leginon = "192.168.1.3"
# next is the web-enabled data logging device that records temp and RH%
tr_72w = "192.168.1.10"
# we might need brandeis DNS
local_dns = "{ 129.64.99.11 129.64.99.12 }"

# options
set block-policy return
set loginterface $ext_if
# 5.3 doesn't have it.
#set skip on lo0

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
#nat-anchor "ftp-proxy/*"
#rdr-anchor "ftp-proxy/*"
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $tr_72w

# filter rules
pass quick on lo0
block in
pass inet proto tcp from $int_if:network to any keep state
pass out keep state
block out on $ext_if proto { tcp, udp } from $tecnai to any port http
#anchor "ftp-proxy/*"
#antispoof quick for $int_if
pass in on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $tr_72w \
    port 80 flags S/SA synproxy state
# may or may not need this, need test
pass in on $ext_if inet proto udp from $local_dns to any port 53
pass in inet proto icmp all icmp-type $icmp_type keep state
pass in quick on $int_if
# the end ------------------------------

Chen
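Reasoning about a ruleset like the one posted above comes down to pf's matching semantics: rules are evaluated top to bottom, the last matching rule decides the packet, and a matching rule marked `quick` ends evaluation on the spot. The following is an added example, not part of the mail and not pf itself: a small Python model of those semantics run over a constructed, cut-down version of the posted filter rules (macros expanded, so `$ext_if` is fxp0 and `$int_if` is em0; source addresses, flags and state are not modelled). It shows which line decides a loopback packet, a ping to the internal NIC, and two inbound connections on the external interface, and then shows what happens to the loopback packet if `quick` is removed from `pass quick on lo0`.

```python
"""
Toy model of pf rule evaluation: last matching rule wins, `quick` stops
evaluation immediately, and a packet matched by no rule is passed.

Added illustration only. The ruleset below is a constructed, simplified
version of the one in the mail (macros expanded to fxp0 / em0); it is not
the poster's file and the matcher is not pf.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    direction: Optional[str] = None    # "in", "out", or None for both directions
    iface: Optional[str] = None        # interface name, or None for any interface
    proto: Optional[str] = None        # "tcp", "udp", "icmp", or None for any protocol
    dport: Optional[int] = None        # destination port, or None for any port
    quick: bool = False                # pf's `quick`: stop evaluating on a match
    text: str = ""                     # the pf.conf line this rule stands for

    def matches(self, pkt: dict) -> bool:
        return ((self.direction is None or self.direction == pkt["dir"])
                and (self.iface is None or self.iface == pkt["iface"])
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


def evaluate(rules: List[Rule], pkt: dict) -> Tuple[str, Optional[Rule]]:
    """Return (verdict, deciding rule). Last match wins unless a match is `quick`."""
    decided = None
    for rule in rules:
        if rule.matches(pkt):
            decided = rule
            if rule.quick:
                break
    if decided is None:
        return "pass", None            # pf's implicit default when nothing matches
    return decided.action, decided


def drop_quick(rules: List[Rule]) -> List[Rule]:
    """Same rules with every `quick` removed, to show why ordering alone is not enough."""
    return [replace(r, quick=False) for r in rules]


# Constructed, cut-down ruleset modelled on the filter section of the mail.
RULES = [
    Rule("pass", iface="lo0", quick=True, text="pass quick on lo0"),
    Rule("block", "in", text="block in"),
    Rule("pass", "out", text="pass out keep state"),
    Rule("pass", "in", "fxp0", "tcp", 22,
         text="pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 keep state"),
    Rule("pass", "in", proto="icmp",
         text="pass in inet proto icmp all icmp-type echoreq keep state"),
    Rule("pass", "in", "em0", quick=True, text="pass in quick on $int_if"),
]

# Constructed sample packets (direction, interface, protocol, destination port).
PACKETS = {
    "ping loopback":             {"dir": "in", "iface": "lo0", "proto": "icmp"},
    "loopback tcp to 8021":      {"dir": "in", "iface": "lo0", "proto": "tcp", "dport": 8021},
    "ping internal NIC from LAN": {"dir": "in", "iface": "em0", "proto": "icmp"},
    "ssh from Internet":         {"dir": "in", "iface": "fxp0", "proto": "tcp", "dport": 22},
    "smtp from Internet":        {"dir": "in", "iface": "fxp0", "proto": "tcp", "dport": 25},
}


def verdicts(rules: List[Rule] = RULES) -> dict:
    """Verdict for every sample packet under the given rules."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for name, pkt in PACKETS.items():
        verdict, rule = evaluate(RULES, pkt)
        print(f"{name:28s} -> {verdict:5s} decided by: {rule.text if rule else '(default pass)'}")
    print("\nsame ruleset with every `quick` removed:")
    for name, verdict in verdicts(drop_quick(RULES)).items():
        print(f"  {name:28s} -> {verdict}")
```

With `quick` present, `pass quick on lo0` decides every loopback packet before `block in` is ever consulted; without it, the loopback TCP packet falls through to `block in` and nothing later re-passes it, which is exactly the kind of silent ordering effect that makes a host unable to talk to itself. Before reasoning about ordering at all, it is worth confirming what pf actually loaded: `pfctl -nf /etc/pf.conf` parses the file without loading it, `pfctl -sr` lists the rules currently active, and `tcpdump -n -e -ttt -i pflog0` shows what the `pflog` device (enabled in the rc.conf above) recorded for blocked packets.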