Date:      Sun, 26 Sep 2010 17:43:33 +0200
From:      Samuel Martín Moro <faust64@gmail.com>
To:        Michael Powell <nightrecon@hotmail.com>
Cc:        freebsd-hackers@freebsd.org, freebsd-questions@freebsd.org
Subject:   Re: pf
Message-ID:  <AANLkTi=SoHHrFGiBrtdGmPqd5Go3qSzL=SogHRPXmZB-@mail.gmail.com>
In-Reply-To: <i7ni0m$ids$1@dough.gmane.org>
References:  <AANLkTingNA5V4b9UdE_Yotqtuy1RMx190phMzn5UrMdi@mail.gmail.com> <i7ni0m$ids$1@dough.gmane.org>

On Sun, Sep 26, 2010 at 3:34 PM, Michael Powell <nightrecon@hotmail.com> wrote:

> Samuel Martín Moro wrote:
>
> > Hello,
> >
> >
> > I'm trying to set up pf on my soon-to-be new gateway (8.1-RELEASE amd64).
> > I used the sample configuration file available on
> > calomel <https://calomel.org/pf_config.html>;
> > After a few tests, it appears that the gate has full access to the
> > internet, but I can't open connections from clients to distant servers
> > (web, ssh, ...).
> > Checking the pflog log file, I can't see anything about those timeouts, even
> > if I added the log directive in every block/pass command.
> > Everything else seems to work, I can talk with my DNS from the internet,
> > ssh redirections to another pc also seem to work.
> > I just can't access the Internet from a client of my network...
> >
> > For debugging, I commented out the options and the 'block all in/out'
> > directives.
> >
> > Here's my config file http://pastebin.com/Nim2zBCx
> >
> > Is there someone understanding what I'm doing wrong?
> >
> The firewall ruleset is a trifle overly complex for a quick glance; study
> and analysis would take some doing. However, if you can reach the internet
> from the firewall box and other client computers behind your NAT can't
> (which is what it sounds like you're describing) it may be just that you are
> missing gateway_enable="YES" in your /etc/rc.conf.
>
> Turning this "ON" makes your firewall box into a router. The status of this
> can be checked with: sysctl net.inet.ip.forwarding  - a "0" means no gateway
> and a "1" means gateway.
>
> -Mike
>
>
>
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
>

The gateway is already enabled (and forwarding is correctly set).
Whatever, I had to do it quickly, so I started again.
I think the missing thing in my old conf was the 'scrub' (at least).
I made a simpler configuration, as follows:

# macros
ext_if="bge0"
int_if="bge1"
localnet = $int_if:network
emma="10.242.42.200"
alpha="10.42.42.42"
delta="10.42.42.44"
# options and normalization
set skip on lo0
scrub in on $ext_if all fragment reassemble
#INTERNETZ
nat         on $ext_if from $localnet to any -> ($ext_if)
#EMMA
rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1101 -> $emma port 22
rdr         on $ext_if inet proto tcp from any to ($ext_if) port 307 -> $emma port 80
#WHAT.CD
rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1666 -> $alpha port 1666
#REMOTE ADM
rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1667 -> $delta port 22
rdr         on $ext_if inet proto tcp from any to ($ext_if) port 1668 -> $alpha port 22
# filter rules (no default block here, so anything not listed passes)
pass in log on $ext_if inet proto tcp from any to $ext_if port 22
pass in log on $ext_if inet proto tcp from any to $ext_if port 53
pass in log on $ext_if inet proto udp from any to $ext_if port 53
pass in log on $ext_if inet proto tcp from any to $ext_if port 1664
pass in log on $int_if inet proto tcp from any to any
pass in log on $int_if inet proto udp from any to any
block in log on $ext_if inet proto icmp from any to $ext_if

It's basically working.
I'll stuff it when I have time.

Samuel Martín Moro
{EPITECH.} tek5
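As an added example (not part of this thread, and not pf's own tooling), the Python linter below runs the checks a reviewer would apply to a ruleset like the one above before trying `pfctl -nf`: the fixed section order of the pre-4.7 pf syntax that FreeBSD 8.1 ships (options, normalization, queueing, translation, filtering), macros used before they are defined, rules wrapped across lines the way a mail client wraps them, and the absence of any catch-all block rule, which is what leaves every listening service on the trimmed config reachable. The SAMPLE ruleset is constructed from the posted one; the checks are heuristics, not a pf parser.

```python
import re

# pf on FreeBSD 8.x (OpenBSD 4.1-era syntax) requires the rule sections in
# this order: options, normalization, queueing, translation, filtering.
SECTION = {"set": 0, "scrub": 1, "altq": 2, "queue": 2,
           "nat": 3, "rdr": 3, "binat": 3, "pass": 4, "block": 4}
FILTER_WORDS = {"proto", "from", "to", "port"}

# Constructed sample: trimmed ruleset from the message above, rdr wrapped as a mail client would.
SAMPLE = """\
ext_if="bge0"
int_if="bge1"
localnet = $int_if:network
emma="10.242.42.200"
scrub in on $ext_if all fragment reassemble
nat on $ext_if from $localnet to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 1101 ->
$emma port 22
pass in log on $ext_if inet proto tcp from any to $ext_if port 22
block in log on $ext_if inet proto icmp from any to $ext_if
"""

def lint_pf_conf(text):
    """Return a list of findings for a pf.conf text; an empty list means clean."""
    findings, macros, last_section, catch_all = [], set(), -1, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        for ref in re.findall(r"\$(\w+)", line):   # each $macro must already be defined
            if ref not in macros:
                findings.append(f"line {lineno}: macro ${ref} used before definition")
        macro = re.match(r"^(\w+)\s*=", line)      # macro definitions may appear anywhere
        if macro:
            macros.add(macro.group(1))
            continue
        keyword = line.split()[0]
        section = SECTION.get(keyword)
        if section is None:                        # typically a rule wrapped by mail/editor
            findings.append(f"line {lineno}: '{keyword}' does not start a rule (wrapped line?)")
            continue
        if section < last_section:
            findings.append(f"line {lineno}: '{keyword}' rule after a later section (pfctl rejects)")
        last_section = max(last_section, section)
        if keyword == "block" and not FILTER_WORDS & set(line.split()):  # catch-all block
            catch_all = True
    if not catch_all:
        findings.append("no catch-all block rule: pf passes everything not explicitly blocked")
    return findings
```

On the SAMPLE it reports the wrapped `$emma port 22` line and the missing catch-all block; joining the rdr rule and adding `block in all` ahead of the pass rules clears both.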


