Hi, I'm stuck on some obvious pf table error but I can't see it.
I have a small test subnet, 192.168.0.0, under my own subnet, 10.1.0.0, where I test this firewall:

    Internet--[firewall]--10.1.0.0--[this test firewall]--192.168.0.0

Queues are not active yet, nor are the web or ftp servers. I added a test machine IP (192.138.0.2) to the managers table file, and google.com to http-managers as an allowed web site for testing purposes. I can ping them by both IP and domain name, but not browse. ipflog0 shows that rule #6 catches the packets (block drop out log on bge0 all).

Testing with and without a table seems to narrow it down to the use of tables. Without the table reference it works. I've tried adding a blank line to the bottom, but nothing seems to make a difference as far as the content goes. I tried replacing the <managers> and <http-managers> lines with:

    table <managers> { 192.168.0.2 }
    table <http-managers> { google.com }

But it still fails (caught on: block drop out log on bge0 all). I'd appreciate a hand with this one.

- - - - - - - - -

## Macros

# Interfaces
WAN="bge0"
LAN="xl0"
LANip="192.168.0.0/24"
#RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 }"
RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/24 }"
Web="{ 80, 443 }"
Web-server="192.168.0.10"
Ftp="21"
Ftp-server="192.168.0.11"

## Tables (File content shown in brackets)
table <admins> file "/etc/tAdmins"                  ( 192.168.0.3 )
table <managers> file "/etc/tManagers"              (192.168.0.2)
table <operators> file "/etc/tOperators"            (192.168.0.128)
table <http-managers> file "/etc/tHttp-managers"    (google.com)
table <http-operators> file "/etc/tHttp-operators"  (10.1.0.34)
table <customers> file "/etc/tCustomers"            ( )
table <extadmin> file "/etc/tExtadmin"              ( )

## Options

## Traffic Normalization
scrub in all

## Bandwidth Management
altq on $WAN cbq bandwidth 3000Kb queue { ssh, http-out, http-in, ftp-in, ftp-out, mail, dns, misc }
#queue LOCAL bandwidth 98456Kb cbq(borrow)
queue ftp-in bandwidth 12% priority 4 cbq(borrow red)
queue ftp-out bandwidth 15% priority 2 cbq(borrow ecn)
queue http-in bandwidth 13% priority 4 cbq(borrow red)
queue http-out bandwidth 25% priority 3 cbq(borrow red) { develusers, normalusers }
  queue develusers bandwidth 50% cbq(borrow)
  queue normalusers bandwidth 50% cbq(borrow)
queue mail bandwidth 10% priority 1 cbq(borrow ecn)
queue dns bandwidth 5% priority 5 cbq(borrow ecn)
queue ssh bandwidth 10% priority 6 cbq(borrow) { ssh_interactive, ssh_bulk }
  queue ssh_interactive bandwidth 50% cbq(borrow)
  queue ssh_bulk bandwidth 50% cbq(borrow)
queue misc bandwidth 10% cbq(borrow,default)

## Translations
#special = "{ 10.2.1.10 }"
#no nat on $WAN from $special to any
#nat on $WAN from $LAN to any -> $WAN
#binat on $WAN from $special to any -> $WAN
nat on $WAN from $LAN:network to any -> $WAN

## Redirection

## Packet Filtering
# Allow all loopback traffic.
pass quick on lo0

# Default deny.
block in log quick on $WAN from $RFC1918
block in log on $WAN
block out log on $WAN

# Allow basic networking communication
pass in log on $WAN proto icmp from any to any keep state
pass out log on $WAN inet proto icmp all icmp-type 8 code 0 keep state

# Allow dns and ntp out
pass out log on $WAN proto udp from any to any port 53 keep state
pass out log on $WAN proto udp from any to any port 123 keep state

# Allow ssh in and out
pass in log on $WAN proto tcp from any to any port 22 keep state
pass out log on $WAN proto tcp from any to any port 22 keep state

# Allow web out based on tables
pass in log on $LAN proto tcp from <managers> to any port $Web keep state
pass out log on $WAN proto tcp from <admins> to any port $Web keep state
pass out log on $WAN proto tcp from <managers> to <http-managers> port $Web keep state
pass out log on $WAN proto tcp from <operators> to <http-operators> port $Web keep state

# Allow web and ftp in based on table
#pass in log on $WAN proto tcp from <customers> to $Web-server port $Web
#pass in log on $WAN proto tcp from <customers> to $Ftp-server port $Ftp

- - - - - - - - -

pass quick on lo0 all
block drop in log quick on bge0 inet from 127.0.0.0/8 to any
block drop in log quick on bge0 inet from 192.168.0.0/16 to any
block drop in log quick on bge0 inet from 172.16.0.0/12 to any
block drop in log quick on bge0 inet from 10.0.0.0/24 to any
block drop in log on bge0 all
block drop out log on bge0 all
pass in log on bge0 proto icmp all keep state
pass out log on bge0 inet proto icmp all icmp-type echoreq code 0 keep state
pass out log on bge0 proto udp from any to any port = domain keep state
pass out log on bge0 proto udp from any to any port = ntp keep state
pass in log on bge0 proto tcp from any to any port = ssh keep state
pass out log on bge0 proto tcp from any to any port = ssh keep state
pass in log on xl0 proto tcp from <managers> to any port = www keep state
pass in log on xl0 proto tcp from <managers> to any port = https keep state
pass out log on bge0 proto tcp from <admins> to any port = www keep state
pass out log on bge0 proto tcp from <admins> to any port = https keep state
pass out log on bge0 proto tcp from <managers> to <http-managers> port = www keep state
pass out log on bge0 proto tcp from <managers> to <http-managers> port = https keep state
pass out log on bge0 proto tcp from <operators> to <http-operators> port = www keep state
pass out log on bge0 proto tcp from <operators> to <http-operators> port = https keep state

-- Steve
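An added example, not part of Steve's post and not his configuration, showing the caveat a practitioner would check first when a table-based "pass out" rule on the external interface never matches. In pf of this vintage (the one with separate "nat on ... -> $WAN" rules), translation is applied before the filter rules on the outbound interface are evaluated, so a rule such as "pass out on $WAN from <managers>" compares bge0's own address, not 192.168.0.2, against the table. The fragment below keeps the interface, macro and table names from the post; the contents of the /etc/t* files and the surrounding rules (dns, icmp, ssh) are assumed and omitted.

```pf
# Added example: restrict LAN clients by table on the LAN interface, where
# the packet still carries the client's address, and restrict only by
# destination on the WAN interface, where NAT has already rewritten the
# source to bge0's address.  Names taken from the post; file contents assumed.
WAN="bge0"
LAN="xl0"
Web="{ 80, 443 }"

table <managers>      file "/etc/tManagers"       # assumed: 192.168.0.2
table <http-managers> file "/etc/tHttp-managers"  # assumed: google.com, resolved once at load time

nat on $WAN from $LAN:network to any -> $WAN

# Weak form: never matches, because on bge0 the source is already bge0's
# address, which is not in <managers>.
#pass out log on $WAN proto tcp from <managers> to <http-managers> port $Web keep state

# Corrected form: decide who may reach what on the LAN side, before NAT.
block in log on $LAN
pass in log on $LAN proto tcp from <managers> to <http-managers> port $Web keep state

# On the WAN side the source is always the firewall itself; filter by destination only.
block out log on $WAN
pass out log on $WAN proto tcp from ($WAN) to <http-managers> port $Web keep state
```

Two checks go with this. First, a hostname in a table is resolved when the ruleset is loaded, so "pfctl -t http-managers -T show" lists exactly the addresses google.com resolved to at that moment; a browser that resolves a different address, or follows a redirect to another hostname, will not match the table even though the name is "in" it. "pfctl -t managers -T test 192.168.0.2" confirms a client address is in its table. Second, "pfctl -vvsr" prints the rules with the same @N numbers that "tcpdump -n -e -ttt -i pflog0" shows for logged packets, which is how to confirm which rule is dropping the traffic and, from the addresses in the tcpdump output, whether the source seen on bge0 was the client's address or the firewall's.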