Date:      Fri, 25 Dec 2009 17:02:28 -0800 (PST)
From:      Dánielisz László <laszlo_danielisz@yahoo.com>
To:        "Michael K. Smith" <mksmith@adhost.com>, Anh Ky Huynh <kyanh@viettug.org>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf vs. afp
Message-ID:  <206966.91825.qm@web30802.mail.mud.yahoo.com>
In-Reply-To: <C75A7621.DFEC1%mksmith@adhost.com>
References:  <C75A7621.DFEC1%mksmith@adhost.com>

Hi,

Here comes my pf.conf

#MACROS
ext_if="tun0"
int_if="rl0"
localnet = $int_if:network
good_ip="{ ***** }"
icmp_types="echoreq"
bad_ports = "69,135,137,138,139,445,524,548,1433,6000,31337,666,12345"
no_route = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"


#DEFAULT RULES
scrub in all

###NAT
nat on $ext_if from $localnet to any -> ($ext_if)


# SPECIAL IMMEDIATE BLOCKS:
# block bad ports and external broadcasts
block in quick  proto { udp,tcp }  from any to any port { = $bad_ports }
block in quick  on $ext_if         from any to 255.255.255.255
# block weird tcp packets on ext_if:
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in quick on $ext_if inet proto tcp from any to any flags /SFRA

# don't allow anyone to spoof non-routable addresses
block in  quick on $ext_if from $no_route to any
block out quick on $ext_if from any to $no_route
block in all


### LOOPBACK
pass in quick on lo0 all
pass out quick on lo0 all


### EXTERNAL INTERFACE
###
#INCOMING: ssh, http
pass in log on $ext_if inet proto tcp from $good_ip to ($ext_if) port { 22 }  flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
#OUTGOING
pass out on $ext_if all

### INTERNAL INTERFACE
# INCOMING: forward traffic to all over destinations
pass in quick on $int_if from $int_if/24 to any

#pass inet from { lo0, $localnet } to any

#INCOMING:
pass in log on $int_if inet proto { tcp, udp } from $localnet to ($int_if) port { 21, 22, 80 } flags S/SA keep state
pass in log on $int_if inet proto { tcp, udp } from $localnet to ($int_if) port=548 flags S/SP keep state
pass in log on $int_if inet proto { tcp, udp } from $localnet to ($int_if) port=548 flags S/SU keep state

#pass in dhcp
pass in log on $int_if proto { tcp,udp } from 192.168.1.0/24 to $int_if port = 67 keep state
#pass in quick on $int_if proto { tcp,udp } from 192.168.1.0/24 to $int_if port = 67 keep state

#incoming ftp
pass in log on $int_if proto tcp from $localnet to any port > 49151 keep state


# OUTGOING: pass all.
pass out quick on $int_if  proto { tcp,udp,icmp } from any to $int_if/24  keep state




________________________________
From: Michael K. Smith <mksmith@adhost.com>
To: Dánielisz László <laszlo_danielisz@yahoo.com>; Anh Ky Huynh <kyanh@viettug.org>
Cc: freebsd-pf@freebsd.org
Sent: Fri, December 25, 2009 11:01:05 PM
Subject: Re: pf vs. afp

You can use the ($int_if) for traffic terminating on the firewall.  Any
traffic going through to another host needs to have the destination defined.

Could you include a complete copy (sanitized, of course) of your pf.conf
file?  There might be something else at work but it's hard to tell without
the file.

Kind Regards,

Mike


On 12/25/09 8:13 AM, "Dánielisz László" <laszlo_danielisz@yahoo.com> wrote:

> I am using "($int_if)" for ports 22, 80 too and they are working like a charm.
> This is how I defined it in my pf.conf:
> int_if="rl0"
>
> Right now I cannot try it, but when I'm able I'll try your idea and then I
> will let you know how it works.
>
> Thank you!
>
>
>
> ________________________________
> From: Anh Ky Huynh <kyanh@viettug.org>
> To: Dánielisz László <laszlo_danielisz@yahoo.com>
> Cc: freebsd-pf@freebsd.org
> Sent: Fri, December 25, 2009 2:06:24 PM
> Subject: Re: pf vs. afp
>
> On Fri, 25 Dec 2009 04:33:03 -0800 (PST)
> Dánielisz László <laszlo_danielisz@yahoo.com> wrote:
>
>>
>> ________________________________
>>
>> Hello,
>>
>> It's been a while that I've been struggling with how to deal with afp/netatalk
>> passing through my pf rules. If I disable pf everything is working
>> great (but I still do want a firewall on my server). I tried the
>> following rule but it still doesn't let me in:
>>
>> pass in log on $int_if inet proto { tcp, udp } from $localnet to
>> ($int_if) port=548  flags S/SA keep state
>
> I think the problem is "($int_if)". You should use, e.g.,
>
>     from $localnet to 192.168.1.123
>
>> When I try a telnet on port 548 I get "Operation timed out"; in
>> pflog I can see that my Mac tries to connect, but I have no clue why
>> it can't when the corresponding port is open. Do you have any idea?
>
> Regards,
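The thread turns on which rule pf actually applies to an inbound connection to port 548 on rl0. pf evaluates filter rules top to bottom and the last matching rule wins, except that a matching rule marked `quick` ends evaluation immediately. The Python below is an added example for this page, not code from the thread or from pf itself: a small rule walker that models exactly that ordering for the subset of pf.conf syntax the posted config uses (macros, in/out, quick, `on <interface>`, `proto { ... }` and destination port lists). Addresses, TCP flags, state and NAT are ignored, so it is a first-pass checker rather than a substitute for `pfctl`. It runs on an excerpt of the posted ruleset (the macros and the rules that can match inbound traffic on rl0, copied as posted; `$good_ip` is left unexpanded since the post sanitized it). Walked this way, an inbound TCP or UDP packet to port 548 on rl0 is decided by the `block in quick ... port { = $bad_ports }` rule, because 548 is listed in `$bad_ports`, before any of the `$int_if` pass rules are reached; port 22 on rl0 is passed by the `pass in quick on $int_if` rule, which is why the `($int_if)` destination works for 22 and 80.

```python
"""Added example, not from the thread or from pf: a tiny pf.conf rule walker.
Models pf's order of evaluation: top to bottom, last matching rule wins,
unless a matching rule says "quick", which decides at once. Understands only
macros, in/out, quick, "on <if>", "proto {...}" and destination port lists;
addresses, TCP flags, state and NAT are ignored (first-pass checker only)."""
import re
from dataclasses import dataclass
from typing import Callable, Optional, Set

# Excerpt of the pf.conf posted in the thread, trimmed to the macros and the
# rules that can match inbound traffic on the inside interface rl0.
PF_CONF = """
ext_if="tun0"
int_if="rl0"
localnet = $int_if:network
bad_ports = "69,135,137,138,139,445,524,548,1433,6000,31337,666,12345"
block in quick  proto { udp,tcp }  from any to any port { = $bad_ports }
block in all
pass in quick on lo0 all
pass in log on $ext_if inet proto tcp from $good_ip to ($ext_if) port { 22 }  flags S/SA keep state
pass in quick on $int_if from $int_if/24 to any
pass in log on $int_if inet proto { tcp, udp } from $localnet to ($int_if) port { 21, 22, 80 } flags S/SA keep state
pass in log on $int_if inet proto { tcp, udp } from $localnet to ($int_if) port=548 flags S/SP keep state
pass in log on $int_if proto tcp from $localnet to any port > 49151 keep state
"""

MACRO_RE = re.compile(r'^(\w+)\s*=\s*(.*?)\s*$')
RULE_RE = re.compile(
    r'^(?P<action>block|pass)\s+(?P<dir>in|out)(?P<opts>(?:\s+(?:log|quick))*)'
    r'(?:\s+on\s+(?P<iface>\S+))?(?:\s+inet6?)?'
    r'(?:\s+proto\s+(?P<proto>\{[^}]*\}|\S+))?(?P<rest>.*)$')
PORT_RE = re.compile(r'\bport\s*(\{[^}]*\}|(?:[=<>!]+\s*)?\d+)')
OPS = {'=': lambda a, b: a == b, '!=': lambda a, b: a != b,
       '>': lambda a, b: a > b, '<': lambda a, b: a < b,
       '>=': lambda a, b: a >= b, '<=': lambda a, b: a <= b}

@dataclass
class Rule:
    text: str                              # rule as written, macros unexpanded
    action: str                            # 'block' or 'pass'
    direction: str                         # 'in' or 'out'
    quick: bool
    iface: Optional[str]                   # None = any interface
    protos: Optional[Set[str]]             # None = any protocol
    port: Optional[Callable[[int], bool]]  # None = any destination port

def expand(text, macros):
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)

def parse_ports(spec):
    """'= 548', '548', '{ 21, 22, 80 }', '{ = 69,135 }', '> 49151' -> predicate."""
    conds, op = [], '='
    for tok in re.findall(r'[=<>!]+|\d+', spec):
        if tok in OPS:
            op = tok
        else:
            conds.append((op, int(tok)))
            op = '='          # a bare list item means "equal to"
    return lambda p: any(OPS[o](p, n) for o, n in conds)

def parse_conf(conf):
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:                 # macro definition, expanded with earlier macros
            macros[m.group(1)] = expand(m.group(2).strip('"'), macros)
            continue
        r = RULE_RE.match(expand(line, macros))
        if not r:
            continue          # scrub, nat and other non-filter lines are skipped
        proto, pm = r.group('proto'), PORT_RE.search(r.group('rest'))
        rules.append(Rule(
            text=line, action=r.group('action'), direction=r.group('dir'),
            quick='quick' in r.group('opts'), iface=r.group('iface'),
            protos=set(re.findall(r'\w+', proto)) if proto else None,
            port=parse_ports(pm.group(1)) if pm else None))
    return rules

def decide(rules, direction, iface, proto, dport):
    """Return (action, Rule) the way pf would decide; pf passes by default."""
    verdict = ('pass', None)
    for r in rules:
        if r.direction != direction or (r.iface and r.iface != iface):
            continue
        if (r.protos and proto not in r.protos) or (r.port and not r.port(dport)):
            continue
        verdict = (r.action, r)
        if r.quick:           # a matching quick rule ends evaluation
            break
    return verdict

RULES = parse_conf(PF_CONF)

def verdict_text(direction, iface, proto, dport):
    action, rule = decide(RULES, direction, iface, proto, dport)
    return action, (rule.text if rule else '(default pass)')

if __name__ == '__main__':
    for port in (22, 80, 548):
        print(port, *verdict_text('in', 'rl0', 'tcp', port))
```

Because the walker keeps each rule's original text, the deciding rule can be printed next to the verdict, which makes a `quick` block that shadows a later `pass` visible at a glance. Real `pfctl -sr` output after loading the file is still the authoritative view of the ruleset, since this checker deliberately ignores addresses and flags.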


