This is the first time I have tried to use pf on FreeBSD; I usually use
ipfw. However, I have been using pf on OpenBSD and wanted to change over on
my FreeBSD boxes.
I am having problems with a very basic rule set for a NAT-ed small
network. Currently no traffic is being passed between the internal and
public networks.
I am using the same rule set (see below) on a pf firewall running on an
OpenBSD 3.8 box, with the exception of the last rule (pass out....), which I
had to add to the FreeBSD boxes I am working on to be able to initiate
outbound connections during configuration. This alone confuses me; I
was under the impression that pf was default pass unless blocked, hence
the starting of filter blocks of rules with "block in all" and/or "block
out all".
I did try adding a "pass out all" rule, but it had no effect.
The FreeBSD box is running 6.1p3 on a Dell PowerEdge 1850 with a single
dual-core proc and an SMP kernel, if pertinent. IPSEC options are also in
the kernel, including filtergif. This box will eventually become the
perimeter firewall between our public IP space and the ISP (with
queuing/traffic shaping requirements), while an identical box will
replace it as the firewall between our public and private IP spaces and
provide IPsec VPN tunnels as well.
Shown below, in order, are the rc.conf entries, the compiled kernel
options, the pf.conf, and the pfctl -sa output. I would appreciate any
assistance; I really don't want to have to go back to ipfw.
Kernel options:
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ
options ALTQ_RED
options ALTQ_RIO
options ALTQ_HFSC
options ALTQ_PRIQ
options ALTQ_NOPCC
rc.conf entries:
defaultrouter="o.o.33.41"
hostname="me.domain.com"
sshd_enable="YES"
ifconfig_em0="inet o.o.33.46 netmask 255.255.255.248"
ifconfig_em1="inet i.i.10.1 netmask 255.255.255.0"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""
pf.conf entries:
oif="em0"
onwr="o.o.33.40/29"
oip="o.o.33.46"
iif="em1"
inwr="i.i.10.0/24"
iip="i.i.10.1"
is1="i.i.10.15"
scrub in all
nat on $oif from $inwr to any -> $oif
rdr on $oif proto tcp from any to $oip port 1000 -> $is1 port 22
block in log all
pass in on $oif proto tcp from any to $is1 port 22 keep state
pass in on $oif proto tcp from any to $oip port 22 keep state
pass in on $iif inet from $inwr to any keep state
# additional rule referred to above that needed to be added to enable
# outbound connections; should not be needed?
pass out on $oif inet from $oip to any keep state
antispoof for $oif
antispoof for $iif
pfctl -sa output:
TRANSLATION RULES:
nat on em0 inet from i.i.10.0/24 to any -> o.o.33.46
rdr on em0 inet proto tcp from any to o.o.33.46 port = cadlock2 -> i.i.10.15 port 22
FILTER RULES:
scrub in all fragment reassemble
block drop in log all
pass in on em0 inet proto tcp from any to i.i.10.15 port = ssh keep state
pass in on em0 inet proto tcp from any to o.o.33.46 port = ssh keep state
pass in on em1 inet from i.i.10.0/24 to any keep state
pass out on em0 inet from o.o.33.46 to any keep state
block drop in on ! em0 inet from o.o.33.i/29 to any
block drop in on em0 inet6 from fe80::213:72ff:fe5f:6e6b to any
block drop in inet from o.o.33.46 to any
block drop in on ! em1 inet from i.i.10.0/24 to any
block drop in on em1 inet6 from fe80::213:72ff:fe5f:6e6c to any
block drop in inet from i.i.10.1 to any
No queue in use
STATES:
self tcp i.i.10.1:56727 <- i.i.10.15:22 FIN_WAIT_2:FIN_WAIT_2
self tcp o.o.33.46:22 <- x.x.239.104:62760 ESTABLISHED:ESTABLISHED
self pfsync o.o.33.46 -> 0.0.0.0 SINGLE:NO_TRAFFIC
INFO:
Status: Enabled for 0 days 00:02:47 Debug: Urgent
Hostid: 0xfb5oe08
State Table Total Rate
current entries 3
searches 838 5.0/s
inserts 20 0.1/s
removals 17 0.1/s
Counters
match 45 0.3/s
bad-offset 0 0.0/s
fragment 0 0.0/s
short 0 0.0/s
normalize 0 0.0/s
memory 0 0.0/s
bad-timestamp 0 0.0/s
congestion 0 0.0/s
ip-option 0 0.0/s
proto-cksum 0 0.0/s
state-mismatch 0 0.0/s
state-insert 0 0.0/s
state-limit 0 0.0/s
src-limit 0 0.0/s
synproxy 0 0.0/s
TIMEOUTS:
tcp.first 120s
tcp.opening 30s
tcp.established 86400s
tcp.closing 900s
tcp.finwait 45s
tcp.closed 90s
tcp.tsdiff 30s
udp.first 60s
udp.single 30s
udp.multiple 60s
icmp.first 20s
icmp.error 10s
other.first 60s
other.single 30s
other.multiple 60s
frag 30s
interval 10s
adaptive.start 0 states
adaptive.end 0 states
src.track 0s
LIMITS:
states hard limit 10000
src-nodes hard limit 10000
frags hard limit 5000
OS FINGERPRINTS:
345 fingerprints loaded
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
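The puzzle in the post (pf is default pass, yet a "pass out" rule had to be added before the firewall could make outbound connections) comes down to state: outbound packets from the firewall do leave under the default pass, but a rule without "keep state" creates no state entry, so each reply is evaluated against the rule set on its own and meets "block in log all". The toy model below of pf's filter evaluation (state lookup first, then last matching rule wins, default pass) is an added example, not pf's code or the poster's configuration; it encodes only the em0 filter rules from the post, ignores nat/rdr, the em1 rule and antispoof, and uses the post's placeholder addresses plus a constructed remote host.

```python
OIP, IS1, REMOTE = "o.o.33.46", "i.i.10.15", "x.x.239.104"  # REMOTE is constructed

def rule(direction, action, iface=None, proto=None, src=None, dst=None,
         port=None, keep_state=False):
    """One filter rule; None means 'any' for that field."""
    return dict(direction=direction, action=action, iface=iface, proto=proto,
                src=src, dst=dst, port=port, keep_state=keep_state)

def pkt(direction, iface, proto, src, sport, dst, dport):
    return dict(direction=direction, iface=iface, proto=proto,
                src=src, sport=sport, dst=dst, dport=dport)

def matches(r, p):
    """A rule field of None matches anything; 'port' is the destination port."""
    return r["direction"] == p["direction"] and all(
        r[k] in (None, p[v]) for k, v in [("iface", "iface"), ("proto", "proto"),
                                          ("src", "src"), ("dst", "dst"), ("port", "dport")])

class PF:
    def __init__(self, rules):
        self.rules, self.states = rules, set()

    def filter(self, p):
        """Verdict ('pass'/'block') for one packet; updates the state table."""
        flow = (p["proto"], p["src"], p["sport"], p["dst"], p["dport"])
        back = (p["proto"], p["dst"], p["dport"], p["src"], p["sport"])
        if flow in self.states or back in self.states:
            return "pass"                    # existing state bypasses the rules
        action, keep = "pass", False         # pf is default pass ...
        for r in self.rules:                 # ... and the LAST matching rule wins
            if matches(r, p):
                action, keep = r["action"], r["keep_state"]
        if action == "pass" and keep:        # only "keep state" creates an entry
            self.states.add(flow)
        return action

# The poster's em0 filter rules (nat/rdr, the em1 rule and antispoof omitted).
POSTER_EM0 = [
    rule("in", "block"),                                        # block in log all
    rule("in", "pass", "em0", "tcp", dst=IS1, port=22, keep_state=True),
    rule("in", "pass", "em0", "tcp", dst=OIP, port=22, keep_state=True),
]
STATELESS = POSTER_EM0 + [rule("out", "pass", "em0", src=OIP)]
STATEFUL = POSTER_EM0 + [rule("out", "pass", "em0", src=OIP, keep_state=True)]

def firewall_fetch(rules):
    """The firewall itself opens TCP to REMOTE:80; returns (outbound, reply)."""
    pf = PF(rules)
    out = pf.filter(pkt("out", "em0", "tcp", OIP, 56000, REMOTE, 80))
    reply = pf.filter(pkt("in", "em0", "tcp", REMOTE, 80, OIP, 56000))
    return out, reply
```

With the post's rules alone, and with a stateless "pass out", the outbound SYN leaves but the reply is blocked; only the stateful variant lets the reply back in, which is why "pass out all" had no effect either.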