There is only one way to do a job like this: Write down what it does in clear English (or your own language), and do the whole thing from scratch. It will only be tediously slow for the first half of the job.
On Wed, Nov 2, 2011 at 10:29 AM, Gholam Mostafa Faridi <mostafafar...@gmail.com> wrote:
> Hi
> In my workplace we have over 24 computers and all of them are Windows, and
> I have a NAT server. This NAT server uses FreeBSD 8.2 AMD64, and I use PF
> for NAT with FreeBSD 8.2. After many searches in Google, I found this pf.conf
>
> ====================================================
> ns# cat /usr/local/pf/pf.conf
> # $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 mlaier Exp $
> # $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
> # Edited by: mfaridi
>
> ################################ MACROS ############################################################
>
> ext_if = "sk0"
> int_if = "re0"
> External_net = "10.10.10.192/27"
> Local_net = "192.168.0.0/24"
> Local_Web = "192.168.0.10"
> Local_Srv = "192.168.0.1"
> Prtcol = "{ tcp, udp }"
> Admin_IP = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
> ICMP_Types = "{ echorep, unreach, squench, echoreq, timex }"
>
> #Define ports for common internet services
> #TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 }"
> #UDP_SRV = "{ 53 }"
> TCP_SRV = "{ 80, 443 }"
> UDP_SRV = "{ }"
> Samba_TCP = "{ 139, 445 }"
> Samba_UDP = "{ 137, 138 }"
>
>
> SERVER = "10.10.10.200"
> NAT1 = "10.10.10.194"
> NAT2 = "10.10.10.195"
> NAT3 = "10.10.10.196"
> NAT4 = "10.10.10.197"
> NAT5 = "10.10.10.198"
> NAT6 = "10.10.10.199"
> NAT7 = "10.10.10.201"
> NAT8 = "10.10.10.202"
> NAT9 = "10.10.10.203"
> NAT10 = "10.10.10.204"
> NAT11 = "10.10.10.205"
> NAT12 = "10.10.10.206"
> NAT13 = "10.10.10.207"
> NAT14 = "10.10.10.208"
> NAT15 = "10.10.10.209"
> NAT16 = "10.10.10.210"
> NAT17 = "10.10.10.211"
> NAT18 = "10.10.10.212"
> NAT19 = "10.10.10.213"
> NAT20 = "10.10.10.214"
> NAT21 = "10.10.10.215"
> NAT22 = "10.10.10.216"
> NAT23 = "10.10.10.217"
> NAT24 = "10.10.10.218"
> NAT25 = "10.10.10.219"
>
> #### All IPs of the groups which can connect to the Internet
> paltalk1 = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
> paltalk2 = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
> paltalk3 = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28, 192.168.0.29 }"
> webdsgn1 = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
> webdsgn2 = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
> webdsgn3 = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
> webdsgn4 = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
> webdsgn5 = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
> webdsgn6 = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
> webdsgn7 = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
> webdsgn8 = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53, 192.168.0.54 }"
> rased1 = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
> rased2 = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
> rased3 = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
> rased4 = "{ 192.168.0.69, 192.168.0.70 }"
> rased5 = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202, 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
> rased6 = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208, 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
> rased7 = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214, 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
> rased8 = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220, 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225 }"
> admin1 = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
> admin2 = "{ 192.168.0.58, 192.168.0.59 }"
>
> ############################### TABLES ############################################################
>
> #Define privileged network address sets
> table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12, 10.0.0.0/8, 0.0.0.0/8, \
>                           14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23, 224.0.0.0/3 }
> table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
> table <hackers> persist file "/usr/local/pf/Network/hackers.lst"
>
> #Define favoured client hosts
> table <Admin> persist file "/usr/local/pf/Network/Admin.lst"
> table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
> table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
> table <Rased> persist file "/usr/local/pf/Network/Rased.lst"
> table <LocalHost> const { self }
>
> ############################### OPTIONS ############################################################
> #Default behaviour
> set timeout { interval 10, frag 30 }
> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
> set timeout { icmp.first 20, icmp.error 10 }
> set timeout { other.first 60, other.single 30, other.multiple 60 }
> set timeout { adaptive.start 0, adaptive.end 0 }
> set limit { states 10000, frags 5000 }
> set loginterface $ext_if
> set optimization normal
> set block-policy drop
> set require-order yes
> set fingerprints "/etc/pf.os"
> set skip on lo0
> #set state-policy if-bound
>
>
> ############################### TRAFFIC NORMALIZATION ##############################################
> #Filter traffic for unusual packets
> scrub in all
>
>
> ############################### TRANSLATION ######################################################
>
> #NAT for the external traffic
> #Mask internal IP addresses with the actual external IP address
> #nat pass on $ext_if from $Local_net to any -> $SERVER
>
> nat pass on $ext_if from $paltalk1 to any -> $NAT1
> nat pass on $ext_if from $paltalk2 to any -> $NAT2
> nat pass on $ext_if from $paltalk3 to any -> $NAT3
> nat pass on $ext_if from $webdsgn1 to any -> $NAT4
> nat pass on $ext_if from $webdsgn2 to any -> $NAT5
> nat pass on $ext_if from $webdsgn3 to any -> $NAT6
> nat pass on $ext_if from $webdsgn4 to any -> $NAT7
> nat pass on $ext_if from $webdsgn5 to any -> $NAT8
> nat pass on $ext_if from $webdsgn6 to any -> $NAT9
> nat pass on $ext_if from $webdsgn7 to any -> $NAT10
> nat pass on $ext_if from $webdsgn8 to any -> $NAT11
> nat pass on $ext_if from $rased1 to any -> $NAT12
> nat pass on $ext_if from $rased2 to any -> $NAT13
> nat pass on $ext_if from $rased3 to any -> $NAT14
> nat pass on $ext_if from $rased4 to any -> $NAT15
> nat pass on $ext_if from $rased5 to any -> $NAT16
> nat pass on $ext_if from $rased6 to any -> $NAT17
> nat pass on $ext_if from $rased7 to any -> $NAT18
> nat pass on $ext_if from $rased8 to any -> $NAT19
> nat pass on $ext_if from $admin1 to any -> $NAT20
> nat pass on $ext_if from $admin2 to any -> $NAT21
>
>
> #rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 -> 192.168.0.100 port 5900
> #rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 -> 192.168.0.50 port 22
>
> ############################### PACKET FILTERING #################################################
>
> # Default Rule
> pass quick on { $ext_if, $int_if } all keep state
>
>
>
>
> # End of File: pf.conf
>
> ===========================================================================================================================
> I have 27 valid or static IPs.
> All users in my workplace use Paltalk. Paltalk is a messenger like Yahoo
> Messenger and is used for voice chat, and Paltalk, like Yahoo, has many rooms
> for voice chat, but the Paltalk servers do not let users log in to three
> different rooms from one valid or static IP. Or rather, the Paltalk server only lets
> users log in to three rooms from only one IP, and from one IP only three
> computers can log in to the Paltalk server and use it. So we got 27 valid or
> static IPs from the ISP, and I put all of them in my pf.conf and set many NAT
> lines in my pf.conf.
> But I think my pf.conf has a problem and I do not know why sometimes some
> users in the workplace cannot use the Internet: when they open Firefox and start
> browsing web pages, they see an error, but while they cannot browse web pages,
> their Paltalk messenger is on and they have voice chat, but they cannot
> browse web pages. This problem is solved when I reboot the server or disable
> and enable PF, but after one day or more the problem happens again, and
> some users cannot browse web pages with Firefox or another browser but they can
> voice chat.
> Sometimes another problem happens: users can browse web pages, but they
> cannot chat with Paltalk messenger, and I have to reboot the server or disable
> and enable PF.
>
> My knowledge about PF is not a lot,
> and I found this pf.conf on the Internet and made it with many tests.
>
> I want only to do NAT with PF, and I do not want to block ports or have other policy.
> I want only PF for NAT.
> Please help me to solve this problem.
>
>
> After searching Google I understand the PF version in FreeBSD 8.2 is very old,
> and after that I want to use OpenBSD 5 for the NAT server. And I want to use it, but
> after searching in Google I understand the NAT config in the old PF is much different
> from the new PF, and I know we can find the new PF in OpenBSD 5.
>
> Please help me to use my pf.conf in OpenBSD 5?
> Can I use this pf.conf in OpenBSD 5 or not?
> Did I make a mistake in my pf.conf?
>
>
>
> Please help me to make the best pf for NAT with OpenBSD 5.
>
> Thanks
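As an added example that is not part of either message in this thread, the Python script below maps the two rule forms the quoted pf.conf relies on (`nat pass ... -> $NATn`, and the commented `rdr ... -> host port` lines) onto the syntax OpenBSD adopted in 4.7 and therefore ships in OpenBSD 5 (`pass out ... nat-to`, `match in ... rdr-to`), and flags the two directives from that file that OpenBSD 5 no longer accepts as written (`set require-order`, the standalone `scrub` line). The sample ruleset inside it is constructed from macros taken from the quoted config and cut down to one NAT group; the mapping rules, regexes and function names are this example's own. It is a mechanical first pass that helps with writing down what the old rules do, as the reply suggests, not a replacement for rewriting the ruleset; the result still has to be checked with `pfctl -nf` on the OpenBSD box.

```python
"""Map the pre-4.7 pf NAT/redirect syntax used in the quoted FreeBSD 8.2
pf.conf onto the syntax OpenBSD 5 uses (added example for this thread,
not either poster's code).

Old form:  nat [pass] on IF [proto P] from SRC to DST -> EXT_ADDR
New form:  match|pass out on IF [proto P] from SRC to DST nat-to EXT_ADDR

Old form:  rdr [pass] on IF proto P from SRC to DST port X -> INT_ADDR [port Y]
New form:  match|pass in on IF proto P from SRC to DST port X rdr-to INT_ADDR [port Y]
"""
import re

# One regex per old directive.  The optional "pass" keyword decides whether the
# new rule is a "pass" (translate and permit in one rule, like "nat pass") or a
# "match" (translate only; a later pass rule must still permit the traffic).
OLD_FORMS = (
    (re.compile(r"^nat(?P<pass>\s+pass)?\s+on\s+(?P<body>.+?)\s+->\s+(?P<target>\S.*)$"), "out", "nat-to"),
    (re.compile(r"^rdr(?P<pass>\s+pass)?\s+on\s+(?P<body>.+?)\s+->\s+(?P<target>\S.*)$"), "in", "rdr-to"),
)

# Directives in the old file that OpenBSD 5 no longer accepts as written.
# They are commented out with a reason so the admin rewrites them by hand.
REMOVED = {
    "set require-order": "rule types are no longer ordered; drop the line",
    "scrub": "standalone scrub is gone; use e.g. 'match in all scrub (no-df)'",
}


def convert_line(line):
    """Return (new_line, note); note is None unless manual work is needed."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return line, None  # blank lines and comments pass through untouched
    for pattern, direction, keyword in OLD_FORMS:
        m = pattern.match(stripped)
        if m:
            action = "pass" if m.group("pass") else "match"
            return f"{action} {direction} on {m.group('body')} {keyword} {m.group('target')}", None
    for prefix, why in REMOVED.items():
        if stripped.startswith(prefix):
            return f"# NEEDS MANUAL REWRITE ({why}): {stripped}", f"{why}: {stripped}"
    return line, None  # macros, tables, set options and pass rules are unchanged


def convert_ruleset(text):
    """Convert a whole pf.conf; returns (new_text, list_of_notes)."""
    out, notes = [], []
    for line in text.splitlines():
        new, note = convert_line(line)
        out.append(new)
        if note:
            notes.append(note)
    return "\n".join(out) + "\n", notes


# Constructed sample: macros and rules in the shapes used by the quoted
# config, cut down to one NAT group so the mapping is easy to read.
SAMPLE_OLD = """\
ext_if = "sk0"
int_if = "re0"
paltalk1 = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
NAT1 = "10.10.10.194"
set require-order yes
set block-policy drop
set skip on lo0
scrub in all
nat pass on $ext_if from $paltalk1 to any -> $NAT1
pass quick on { $ext_if, $int_if } all keep state
"""

if __name__ == "__main__":
    new_conf, todo = convert_ruleset(SAMPLE_OLD)
    print(new_conf)
    for item in todo:
        print("TODO:", item)
    # Then on the OpenBSD box:  pfctl -nf /etc/pf.conf   (parse only, no load)
```

`nat pass` becomes `pass out ... nat-to` because in both syntaxes that one rule translates and permits the packet without consulting the rest of the filter; a plain `nat` or `rdr` becomes `match`, which only translates and leaves the decision to the later `pass` rules. `keep state` is the default in OpenBSD 5, so the quoted default rule `pass quick on { $ext_if, $int_if } all keep state` is carried over unchanged.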