Thanks, all. Sorry for my bad English. I only want to understand: does this pf.conf work in OpenBSD 5 or not? Which parts must I edit and change? Is this pf.conf correct? Thanks in advance. On Nov 8, 2011 7:35 AM, "John Tate" <j...@johntate.org> wrote:
> There is only one way to do a job like this: Write down what it does in > clear English (or your own language), and do the whole thing from scratch. > It will only be tediously slow for the first half of the job. > > On Wed, Nov 2, 2011 at 10:29 AM, Gholam Mostafa Faridi < > mostafafar...@gmail.com> wrote: > >> Hi >> In work place , we have over 24 computer and all of them are windows and >> , I have NAT server . this NAT server use FreeBSD 8.2 AMD 64 , and I use PF >> for NAT with FreeBSD 8.2 . after many search in google , I find this pf.conf >> >> ==================================================== >> ns# cat /usr/local/pf/pf.conf >> # $FreeBSD: src/share/examples/pf/faq-example1,v 1.1 2004/09/14 01:07:18 >> mlaier Exp $ >> # $OpenBSD: faq-example1,v 1.2 2003/08/06 16:04:45 henning Exp $ >> # Edited by: mfaridi >> >> ################################ MACROS >> ############################################################ >> >> ext_if = "sk0" >> int_if = "re0" >> External_net = "10.10.10.192/27" >> Local_net = "192.168.0.0/24" >> Local_Web = "192.168.0.10" >> Local_Srv = "192.168.0.1" >> Prtcol = "{ tcp, udp }" >> Admin_IP = "{ 10.10.10.192/27, 11.11.11.0/21, 12.12.12.0/18 }" >> ICMP_Types = "{ echorep, unreach, squench, echoreq, timex }" >> >> #Define ports for common internet services >> #TCP_SRV = "{ 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8443 >> }" >> #UDP_SRV = "{ 53 }" >> TCP_SRV = "{ 80, 443 }" >> UDP_SRV = "{ }" >> Samba_TCP = "{ 139, 445 }" >> Samba_UDP = "{ 137, 138 }" >> >> >> SERVER = "10.10.10.200" >> NAT1 = "10.10.10.194" >> NAT2 = "10.10.10.195" >> NAT3 = "10.10.10.196" >> NAT4 = "10.10.10.197" >> NAT5 = "10.10.10.198" >> NAT6 = "10.10.10.199" >> NAT7 = "10.10.10.201" >> NAT8 = "10.10.10.202" >> NAT9 = "10.10.10.203" >> NAT10 = "10.10.10.204" >> NAT11 = "10.10.10.205" >> NAT12 = "10.10.10.206" >> NAT13 = "10.10.10.207" >> NAT14 = "10.10.10.208" >> NAT15 = "10.10.10.209" >> NAT16 = "10.10.10.210" >> NAT17 = "10.10.10.211" >> NAT18 = 
"10.10.10.212" >> NAT19 = "10.10.10.213" >> NAT20 = "10.10.10.214" >> NAT21 = "10.10.10.215" >> NAT22 = "10.10.10.216" >> NAT23 = "10.10.10.217" >> NAT24 = "10.10.10.218" >> NAT25 = "10.10.10.219" >> >> #### All IP of Groups which can be connect to Internet >> paltalk1 = "{ 192.168.0.20, 192.168.0.21, 192.168.0.22 }" >> paltalk2 = "{ 192.168.0.23, 192.168.0.24, 192.168.0.25 }" >> paltalk3 = "{ 192.168.0.26, 192.168.0.27, 192.168.0.28, >> 192.168.0.29 }" >> webdsgn1 = "{ 192.168.0.30, 192.168.0.31, 192.168.0.32 }" >> webdsgn2 = "{ 192.168.0.33, 192.168.0.34, 192.168.0.35 }" >> webdsgn3 = "{ 192.168.0.36, 192.168.0.37, 192.168.0.38 }" >> webdsgn4 = "{ 192.168.0.39, 192.168.0.40, 192.168.0.41 }" >> webdsgn5 = "{ 192.168.0.42, 192.168.0.43, 192.168.0.44 }" >> webdsgn6 = "{ 192.168.0.45, 192.168.0.46, 192.168.0.47 }" >> webdsgn7 = "{ 192.168.0.48, 192.168.0.49, 192.168.0.50 }" >> webdsgn8 = "{ 192.168.0.51, 192.168.0.52, 192.168.0.53, >> 192.168.0.54 }" >> rased1 = "{ 192.168.0.60, 192.168.0.61, 192.168.0.62 }" >> rased2 = "{ 192.168.0.63, 192.168.0.64, 192.168.0.65 }" >> rased3 = "{ 192.168.0.66, 192.168.0.67, 192.168.0.68 }" >> rased4 = "{ 192.168.0.69, 192.168.0.70 }" >> rased5 = "{ 192.168.0.200, 192.168.0.201, 192.168.0.202, >> 192.168.0.203, 192.168.0.204, 192.168.0.205 }" >> rased6 = "{ 192.168.0.206, 192.168.0.207, 192.168.0.208, >> 192.168.0.209, 192.168.0.210, 192.168.0.211 }" >> rased7 = "{ 192.168.0.212, 192.168.0.213, 192.168.0.214, >> 192.168.0.215, 192.168.0.216, 192.168.0.217 }" >> rased8 = "{ 192.168.0.218, 192.168.0.219, 192.168.0.220, >> 192.168.0.221, 192.168.0.222, 192.168.0.223, 192.168.0.224, 192.168.0.225 >> }" >> admin1 = "{ 192.168.0.55, 192.168.0.56, 192.168.0.57 }" >> admin2 = "{ 192.168.0.58, 192.168.0.59 }" >> >> ############################### TABLES >> ############################################################ >> >> #Define privileged network address sets >> table <priv_nets> const { 127.0.0.0/8, 192.168.0.0/16, 13.13.0.0/12, >> 
10.0.0.0/8, 0.0.0.0/8, \ >> 14.14.0.0/16, 192.0.2.0/24, 15.15.15.0/23, >> 224.0.0.0/3 } >> table <badguys> persist file "/usr/local/pf/Network/blocklist.lst" >> table <hackers> persist file "/usr/local/pf/Network/hackers.lst" >> >> #Define Favoured client hosts >> table <Admin> persist file "/usr/local/pf/Network/Admin.lst" >> table <Paltalk> persist file "/usr/local/pf/Network/Paltalk.lst" >> table <WebDsgn> persist file "/usr/local/pf/Network/WebDsgn.lst" >> table <Rased> persist file "/usr/local/pf/Network/Rased.lst" >> table <LocalHost> const { self } >> >> ############################### OPTIONS >> ############################################################ >> #Default behaviour >> set timeout { interval 10, frag 30 } >> set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 } >> set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 } >> set timeout { udp.first 60, udp.single 30, udp.multiple 60 } >> set timeout { icmp.first 20, icmp.error 10 } >> set timeout { other.first 60, other.single 30, other.multiple 60 } >> set timeout { adaptive.start 0, adaptive.end 0 } >> set limit { states 10000, frags 5000 } >> set loginterface $ext_if >> set optimization normal >> set block-policy drop >> set require-order yes >> set fingerprints "/etc/pf.os" >> set skip on lo0 >> #set state-policy if-bound >> >> >> ############################### TRAFFIC NORMALIZATION >> ############################################## >> #Filter traffic for unusual packets >> scrub in all >> >> >> ############################### TRANSLATION >> ###################################################### >> >> #NAT for the external traffic >> #Mask internal ip addresses with actual external ip address >> #nat pass on $ext_if from $Local_net to any -> $SERVER >> >> nat pass on $ext_if from $paltalk1 to any -> $NAT1 >> nat pass on $ext_if from $paltalk2 to any -> $NAT2 >> nat pass on $ext_if from $paltalk3 to any -> $NAT3 >> nat pass on $ext_if from $webdsgn1 to any -> $NAT4 >> nat 
pass on $ext_if from $webdsgn2 to any -> $NAT5 >> nat pass on $ext_if from $webdsgn3 to any -> $NAT6 >> nat pass on $ext_if from $webdsgn4 to any -> $NAT7 >> nat pass on $ext_if from $webdsgn5 to any -> $NAT8 >> nat pass on $ext_if from $webdsgn6 to any -> $NAT9 >> nat pass on $ext_if from $webdsgn7 to any -> $NAT10 >> nat pass on $ext_if from $webdsgn8 to any -> $NAT11 >> nat pass on $ext_if from $rased1 to any -> $NAT12 >> nat pass on $ext_if from $rased2 to any -> $NAT13 >> nat pass on $ext_if from $rased3 to any -> $NAT14 >> nat pass on $ext_if from $rased4 to any -> $NAT15 >> nat pass on $ext_if from $rased5 to any -> $NAT16 >> nat pass on $ext_if from $rased6 to any -> $NAT17 >> nat pass on $ext_if from $rased7 to any -> $NAT18 >> nat pass on $ext_if from $rased8 to any -> $NAT19 >> nat pass on $ext_if from $admin1 to any -> $NAT20 >> nat pass on $ext_if from $admin2 to any -> $NAT21 >> >> >> #rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 5900 -> >> 192.168.0.100 port 5900 >> #rdr on $ext_if proto tcp from $Admin_IP to $SERVER port 2222 -> >> 192.168.0.50 port 22 >> >> ############################### PACKET FILTERING >> ################################################# >> >> # Default Rule >> pass quick on { $ext_if, $int_if } all keep state >> >> >> >> >> # End of File: pf.conf >> >> =========================================================================================================================== >> I have 27 valid or static IPs, >> all users in my work place use paltalk , paltalk is messenger like yahoo >> messenger and use for voice chat , and paltalk like yahoo has many rooms >> for voice chat , but paltalk servers do not let users login with three >> different room from one valid IP or static IP . or paltalk server only let >> user login to three room from only one IP , and from one IP only three >> computer can login to paltalk server and use it . 
so we got 27 valid or >> static IPs from the ISP, and I put all of them in my pf.conf and set many NAT >> lines in my pf.conf. >> But I think my pf.conf has a problem, and I do not know why: sometimes some >> users in the workplace cannot use the internet. When they open Firefox and start >> browsing web pages, they see an error. But while they cannot browse web pages, >> their Paltalk messenger is on and they have voice chat; they just cannot >> browse web pages. This problem is solved when I reboot the server or disable >> and enable PF, but after one day or more the problem happens again, and >> some users cannot browse web pages with Firefox or other browsers, but they >> can voice chat. >> Sometimes the opposite problem happens: users can browse web pages, but they >> cannot chat with Paltalk messenger, and I have to reboot the server or disable >> and enable PF. >> >> My knowledge about PF is not a lot; >> I found this pf.conf on the internet and built it with many tests. >> >> I only want to do NAT with PF; I do not want to block ports or apply other policies. >> I want PF only for NAT. >> Please help me solve this problem. >> >> >> After searching Google I understand that the PF version in FreeBSD 8.2 is very old, >> so I want to use OpenBSD 5 for the NAT server. I want to use it, but >> after searching Google I understand that the NAT config in the old PF is much different >> from the new PF, and I know the new PF is in OpenBSD 5. >> >> Please help me use my pf.conf in OpenBSD 5. >> Can I use this pf.conf in OpenBSD 5 or not? >> Did I make a mistake in my pf.conf? >> >> >> >> Please help me make the best PF config for NAT with OpenBSD 5. >> >> Thanks