Thanks all guys
Sorry for my bad English I , only understand is this pf.conf work in
openbsd 5 or no .? Which part I must edit and change it
Is this pf.conf is correct ?
Thanks in advance
On Nov 8, 2011 7:35 AM, "John Tate" <j...@johntate.org> wrote:
> There is only one way to do a job like this: Write down what it does in
> clear English (or your own language), and do the whole thing from scratch.
> It will only be tediously slow for the first half of the job.
>
> On Wed, Nov 2, 2011 at 10:29 AM, Gholam Mostafa Faridi <
> mostafafar...@gmail.com> wrote:
>
>> Hi
>> In work place , we have over 24 computer and all of them are windows and
>> , I have NAT server . this NAT server use FreeBSD 8.2 AMD 64 , and I use PF
>> for NAT with FreeBSD 8.2 . after many search in google , I find this pf.conf
>>
>> ====================================================
>> ns# cat /usr/local/pf/pf.conf
>> # $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18
>> mlaier Exp $
>> # $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $
>> # Edited by: mfaridi
>>
>> ################################ MACROS
>> ############################################################
>>
>> ext_if = "sk0"
>> int_if = "re0"
>> External_net = "10.10.10.192/27"
>> Local_net = "192.168.0.0/24"
>> Local_Web = "192.168.0.10"
>> Local_Srv = "192.168.0.1"
>> Prtcol = "{ tcp, udp }"
>> Admin_IP = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }"
>> ICMP_Types = "{ echorep, unreach, squench, echoreq, timex }"
>>
>> #Define ports for common internet services
>> #TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443
>> }"
>> #UDP_SRV = "{ 53 }"
>> TCP_SRV = "{ 80, 443 }"
>> UDP_SRV = "{ }"
>> Samba_TCP = "{ 139, 445 }"
>> Samba_UDP = "{ 137, 138 }"
>>
>>
>> SERVER = "10.10.10.200"
>> NAT1 = "10.10.10.194"
>> NAT2 = "10.10.10.195"
>> NAT3 = "10.10.10.196"
>> NAT4 = "10.10.10.197"
>> NAT5 = "10.10.10.198"
>> NAT6 = "10.10.10.199"
>> NAT7 = "10.10.10.201"
>> NAT8 = "10.10.10.202"
>> NAT9 = "10.10.10.203"
>> NAT10 = "10.10.10.204"
>> NAT11 = "10.10.10.205"
>> NAT12 = "10.10.10.206"
>> NAT13 = "10.10.10.207"
>> NAT14 = "10.10.10.208"
>> NAT15 = "10.10.10.209"
>> NAT16 = "10.10.10.210"
>> NAT17 = "10.10.10.211"
>> NAT18 = "10.10.10.212"
>> NAT19 = "10.10.10.213"
>> NAT20 = "10.10.10.214"
>> NAT21 = "10.10.10.215"
>> NAT22 = "10.10.10.216"
>> NAT23 = "10.10.10.217"
>> NAT24 = "10.10.10.218"
>> NAT25 = "10.10.10.219"
>>
>> #### All IP of Groups which can be connect to Internet
>> paltalk1 = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }"
>> paltalk2 = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }"
>> paltalk3 = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28,
>> 192.168.0.29 }"
>> webdsgn1 = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }"
>> webdsgn2 = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }"
>> webdsgn3 = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }"
>> webdsgn4 = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }"
>> webdsgn5 = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }"
>> webdsgn6 = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }"
>> webdsgn7 = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }"
>> webdsgn8 = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53,
>> 192.168.0.54 }"
>> rased1 = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }"
>> rased2 = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }"
>> rased3 = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }"
>> rased4 = "{ 192.168.0.69, 192.168.0.70 }"
>> rased5 = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202,
>> 192.168.0.203, 192.168.0.204, 192.168.0.205 }"
>> rased6 = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208,
>> 192.168.0.209, 192.168.0.210, 192.168.0.211 }"
>> rased7 = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214,
>> 192.168.0.215, 192.168.0.216, 192.168.0.217 }"
>> rased8 = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220,
>> 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225
>> }"
>> admin1 = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }"
>> admin2 = "{ 192.168.0.58, 192.168.0.59 }"
>>
>> ############################### TABLES
>> ############################################################
>>
>> #Define privileged network address sets
>> table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12,
>> 10.0.0.0/8, 0.0.0.0/8, \
>> 14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23,
>> 224.0.0.0/3 }
>> table <badguys> persist file "/usr/local/pf/Network/blocklist.lst"
>> table <hackers> persist file "/usr/local/pf/Network/hackers.lst"
>>
>> #Define Favoured client hosts
>> table <Admin> persist file "/usr/local/pf/Network/Admin.lst"
>> table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst"
>> table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst"
>> table <Rased> persist file "/usr/local/pf/Network/Rased.lst"
>> table <LocalHost> const { self }
>>
>> ############################### OPTIONS
>> ############################################################
>> #Default behaviour
>> set timeout { interval 10, frag 30 }
>> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
>> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>> set timeout { icmp.first 20, icmp.error 10 }
>> set timeout { other.first 60, other.single 30, other.multiple 60 }
>> set timeout { adaptive.start 0, adaptive.end 0 }
>> set limit { states 10000, frags 5000 }
>> set loginterface $ext_if
>> set optimization normal
>> set block-policy drop
>> set require-order yes
>> set fingerprints "/etc/pf.os"
>> set skip on lo0
>> #set state-policy if-bound
>>
>>
>> ############################### TRAFFIC NORMALIZATION
>> ##############################################
>> #Filter traffic for unusual packets
>> scrub in all
>>
>>
>> ############################### TRANSLATION
>> ######################################################
>>
>> #NAT for the external traffic
>> #Mask internal ip addresses with actual external ip address
>> #nat pass on $ext_if from $Local_net to any -> $SERVER
>>
>> nat pass on $ext_if from $paltalk1 to any -> $NAT1
>> nat pass on $ext_if from $paltalk2 to any -> $NAT2
>> nat pass on $ext_if from $paltalk3 to any -> $NAT3
>> nat pass on $ext_if from $webdsgn1 to any -> $NAT4
>> nat pass on $ext_if from $webdsgn2 to any -> $NAT5
>> nat pass on $ext_if from $webdsgn3 to any -> $NAT6
>> nat pass on $ext_if from $webdsgn4 to any -> $NAT7
>> nat pass on $ext_if from $webdsgn5 to any -> $NAT8
>> nat pass on $ext_if from $webdsgn6 to any -> $NAT9
>> nat pass on $ext_if from $webdsgn7 to any -> $NAT10
>> nat pass on $ext_if from $webdsgn8 to any -> $NAT11
>> nat pass on $ext_if from $rased1 to any -> $NAT12
>> nat pass on $ext_if from $rased2 to any -> $NAT13
>> nat pass on $ext_if from $rased3 to any -> $NAT14
>> nat pass on $ext_if from $rased4 to any -> $NAT15
>> nat pass on $ext_if from $rased5 to any -> $NAT16
>> nat pass on $ext_if from $rased6 to any -> $NAT17
>> nat pass on $ext_if from $rased7 to any -> $NAT18
>> nat pass on $ext_if from $rased8 to any -> $NAT19
>> nat pass on $ext_if from $admin1 to any -> $NAT20
>> nat pass on $ext_if from $admin2 to any -> $NAT21
>>
>>
>> #rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 ->
>> 192.168.0.100 port 5900
>> #rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 ->
>> 192.168.0.50 port 22
>>
>> ############################### PACKET FILTERING
>> #################################################
>>
>> # Default Rule
>> pass quick on { $ext_if, $int_if } all keep state
>>
>>
>>
>>
>> # End of File: pf.conf
>>
>> ===========================================================================================================================
>> I have 27 valid or static IPs,
>> all users in my work place use paltalk , paltalk is messenger like yahoo
>> messenger and use for voice chat , and paltalk like yahoo has many rooms
>> for voice chat , but paltalk servers do not let users login with three
>> different room from one valid IP or static IP . or paltalk server only let
>> user login to three room from only one IP , and from one IP only three
>> computer can login to paltalk server and use it . so we get 27 valid or
>> static IPs from ISP ,and I put all of them in my pf.conf .and set many NAT
>> line in my pf.conf.
>> but I think my pf.conf has problem and I do not know why sometimes some
>> users in work place can not use internet , when they open firefox and start
>> browse web pages ,they see error , but when they can not browse web pages ,
>> their paltalk messenger is ON and they have voice chat , but they can not
>> browse webpages , this problem can solve when I reboot server or disable
>> and enable PF. but after one days or more this problem happen again , and
>> some user can not browse web pages with firefox and other browser but they
>> can voice chat
>> sometimes another problem happen , users can browse web pages , but they
>> can not chat with paltalk messnger and I have to reboot server or disable
>> and enable PF.
>>
>> my knowledege about PF is not a lot
>> and I find this pf.conf from internet and make it with many test .
>>
>> I want only do NAT with PF and I do not want block ports or other policy
>> . I want only PF for NAT.
>> please help me to solve this problem.
>>
>>
>> after search google I understand PF version in FreeBSD 8.2 is very old ,
>> and after that I want use OpenBSD 5 for NAT server. and I want use it , but
>> after search in google I understand NAT config in old PF is much different
>> with new PF , and I know we can find new PF in OpenBSD 5
>>
>> please help me to use my pf.conf in OpenBSD 5 ?
>> can I use this pf.conf in OpenBSD 5 or no ?
>> do I make mistake in my pf.conf ?
>>
>>
>>
>> please help me to make best pf for NAT with OpenBSD 5
>>
>> thanks
