Ah, I forgot to mention that packet forwarding is indeed enabled already. I checked the sample pf.conf on your webpage and edited it to change the interface names and commented out the queue rules. I then loaded the rules with "pfctl -f /etc/pf.new", but still I could only access my server from my desktop. The server can access both the internet and my desktop just fine. I tried to ping outside addresses by their IPs from the desktop, to test whether it might be some DNS issue, but that didn't work either.
Any other ideas?

Timo

Calomel wrote:
Timo,

If this box is going to be a firewall and you expect to pass packets from one interface to the other you _MUST_ enable packet forwarding. Even if pf is set up correctly for your network, no packets will traverse between your internal and external networks unless packet forwarding is turned on.

You can see if ip.forwarding is set to on=1 or off=0 by typing "sysctl -a | grep ip.forward". If ip.forwarding is off you can manually enable it by typing "sysctl net.inet.ip.forwarding=1". This command will only take effect for this session and ip.forwarding will be set back to its previous setting on reboot.

OpenBSD Pf Firewall "how to" ( pf.conf )
http://calomel.org/pf_config.html

--
 Calomel @ http://calomel.org

On Thu, Oct 25, 2007 at 09:15:22AM +0300, Timo Myyrä wrote:
Hi,

I'm currently trying to configure a small home network:
ADSL ----> Server / Firewall ----> Desktop

Now I'm working on building a proper firewall for my server. So far the
situation is as follows:

- Server's internet connection works
- Desktop receives IP, nameserver and default route from the server's
DHCP service.
- Desktop can connect to the server by SSH but can't connect to anything beyond
that.

Server's fxp0 gets a dynamic IP from the ISP and fxp1 uses a static IP.

What I need:
- Server running the most common services available to the public, then some
services available only to the LAN.
- Desktop will only run games as a client and will use the server's private
services.

Here's my current pf.conf:

### MACROS ###
ext_if="fxp0"
lan_if="fxp1"
server_ip="xxx.xxx.xxx.xxx"
# Ports open on server to LAN
pri_ports="{ 20,21,22,25,80,110,113,123,443,2049,3306,6660,6669,6900:6999,8080 }"
# Ports open on server to internet
pub_ports="{ 20,21,22,25,80,110,113,123,443,6900:6999,8080 }"
game_ports="27000:27040"

lan_ip="xxx.xxx.xxx.xxx"

p180_ip="xxx.xxx.xxx.xxx"

### TABLES ###
table <spamd-white> persist
table <intruders> persist
# RFC 1918 private address ranges
table <badhosts> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

### OPTIONS ###
set skip on lo
set block-policy return
set optimization normal
set loginterface $ext_if
# Are these good limits, I have 4GB RAM?
set limit { states 50000, frags 100000 }

### TRAFFIC NORMALIZATION ###
scrub in all fragment reassemble

### BANDWIDTH MANAGEMENT ###

### TRANSLATION ###
nat-anchor "ftp-proxy/*"
# Rewrite the source of everything leaving the external interface to its (dynamic) address
nat on $ext_if from !($ext_if) to any -> ($ext_if)

### REDIRECTION ###
rdr-anchor "ftp-proxy/*"
rdr pass on $lan_if proto tcp to port ftp -> 127.0.0.1 port 8021
# The first matching rdr rule wins, so the spamd whitelist exemption must
# come before the catch-all smtp redirect or it never applies
no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
rdr pass on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port 8025
rdr on $ext_if inet proto { tcp, udp } from any to ($ext_if) port $game_ports -> $p180_ip
# This rule rewrites the destination of every tcp/udp connection from the
# desktop, whatever it was addressed to, to the server's own external address
rdr on $lan_if inet proto { tcp, udp } from $lan_ip to any -> ($ext_if)

### ANCHORS ###
anchor "ftp-proxy/*"

### PACKET FILTERING ###
# Block rules: default to blocking all incoming and outgoing traffic
block in all
block out all

# Antispoof
antispoof quick log for { lo $lan_if }

# Incoming traffic
pass in on $ext_if proto { tcp, udp } from port $game_ports to $p180_ip
#pass quick on $lan_if no state

pass in on $ext_if proto { tcp, udp } to ($ext_if) port $pub_ports
pass in log on $lan_if proto { tcp, udp } from ($lan_if) port $pri_ports to $server_ip
pass in on $lan_if proto { tcp, udp } from any to any keep state

# Outgoing traffic
pass out log on $ext_if proto { tcp, udp } from ($ext_if) to port $pub_ports
pass out on $ext_if proto { tcp, udp, icmp } from $lan_ip to any

How do I change the pf.conf to allow desktop traffic to reach the internet?
I have tried some things like removing the default block rules, but it
still didn't work and I'm starting to run out of ideas.
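Calomel's reply reduces the problem to two prerequisites: net.inet.ip.forwarding must be 1, and there must be a nat rule on the external interface. The script below is an added example, not part of this thread and not from calomel.org; it checks both conditions on text so they can be exercised against captured output, and only runs the live commands (sysctl, pfctl -sn) on OpenBSD. The interface names fxp0/fxp1 and the sample sysctl and pfctl output are assumptions constructed for the example. A third check flags a catch-all rdr rule on the LAN interface, the kind of rule that rewrites every connection from the desktop before it is ever routed out.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a pf NAT gateway.
# The check functions take text so they can be run on captured output;
# live collection happens only on OpenBSD.

# Succeeds when the sysctl output shows forwarding on. Accepts "name=1"
# (what OpenBSD's sysctl prints) and "name: 1" (other BSDs).
forwarding_enabled() {
    printf '%s\n' "$1" | grep -Eq '^net\.inet\.ip\.forwarding[=:] *1$'
}

# Succeeds when the loaded translation rules ("pfctl -sn") contain a nat
# rule on the given external interface.
has_nat_on() {
    printf '%s\n' "$2" | grep -Eq "^nat on $1 "
}

# Succeeds when a rdr rule on the LAN interface matches "to any" with no
# port, i.e. every connection from the LAN is rewritten before routing.
has_catchall_rdr_on() {
    printf '%s\n' "$2" | grep -Eq "^rdr (pass )?on $1 .* to any -> "
}

# Prints one line per problem found; the return value is the problem count.
check_gateway() {
    ext_if=$1; lan_if=$2; sysctl_out=$3; rules=$4
    problems=0
    if ! forwarding_enabled "$sysctl_out"; then
        echo "ip.forwarding is off: run 'sysctl net.inet.ip.forwarding=1' and put" \
             "net.inet.ip.forwarding=1 in /etc/sysctl.conf so it survives a reboot"
        problems=$((problems + 1))
    fi
    if ! has_nat_on "$ext_if" "$rules"; then
        echo "no nat rule on $ext_if: LAN packets would leave with private source addresses"
        problems=$((problems + 1))
    fi
    if has_catchall_rdr_on "$lan_if" "$rules"; then
        echo "catch-all rdr on $lan_if: all LAN connections are redirected to the gateway"
        problems=$((problems + 1))
    fi
    return $problems
}

# Constructed sample output (not captured from a real system), shaped like
# what "sysctl net.inet.ip.forwarding" and "pfctl -sn" print.
SAMPLE_SYSCTL_OFF='net.inet.ip.forwarding=0'
SAMPLE_SYSCTL_ON='net.inet.ip.forwarding=1'
SAMPLE_RULES_BROKEN='rdr pass on fxp1 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021
rdr on fxp1 inet proto tcp from 192.0.2.10 to any -> (fxp0)
rdr on fxp1 inet proto udp from 192.0.2.10 to any -> (fxp0)'
SAMPLE_RULES_OK='nat on fxp0 inet from ! (fxp0) to any -> (fxp0)
rdr pass on fxp1 inet proto tcp from any to any port = ftp -> 127.0.0.1 port 8021'

if [ "$(uname -s)" = "OpenBSD" ]; then
    # Live run on the firewall itself (assumed interface names fxp0/fxp1).
    check_gateway fxp0 fxp1 "$(sysctl net.inet.ip.forwarding)" "$(pfctl -sn)" \
        || echo "-> $? problem(s) found"
else
    # Elsewhere, demonstrate on the constructed samples.
    echo "broken configuration:"
    check_gateway fxp0 fxp1 "$SAMPLE_SYSCTL_OFF" "$SAMPLE_RULES_BROKEN" \
        || echo "-> $? problem(s) found"
    echo "working configuration:"
    check_gateway fxp0 fxp1 "$SAMPLE_SYSCTL_ON" "$SAMPLE_RULES_OK" \
        && echo "-> no problems found"
fi
```

Run it as root on the gateway; on any other system it reports on the built-in samples instead. Because `pfctl -sn` shows the rules pf actually has loaded, checking its output rather than the pf.conf file on disk catches the case where an edited file was never reloaded.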
