

Re: Another problem with pf..



On 2004-10-21 at 22:49:14 Matteo Riondato wrote:

> ext_if = "tun0"
> wifi_if = "rl0"
> eth_if = "fxp1"
> wifi_net = "192.168.1.0/27"
> eth_net = "192.168.0.0/29"
> tcp_services = "{ 22, 80, 25, 4660 >< 4683, 6890 >< 6901 }"
> icmp_types = "{ 0, 3, 8, 11 }"
> scrub in all fragment reassemble
> block drop all
> pass quick on lo0 all
> block drop in log quick on ! rl0 inet from 192.168.1.0/24 to any
> block drop in log quick inet from 192.168.1.1 to any
> block drop in quick on ! fxp1 inet from 192.168.0.0/24 to any
> block drop in quick inet from 192.168.0.1 to any
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = ssh flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = http flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port = smtp flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port 4660 >< 4683 flags S/SA keep state
> pass in on tun0 inet proto tcp from any to 82.52.115.76 port 6890 >< 6901 flags S/SA keep state
> pass inet proto icmp all icmp-type echorep
> pass inet proto icmp all icmp-type unreach
> pass inet proto icmp all icmp-type echoreq
> pass inet proto icmp all icmp-type timex
> pass in on rl0 inet from 192.168.1.0/27 to any keep state
> pass out on rl0 inet from any to 192.168.1.0/27 keep state
> pass in on fxp1 inet from 192.168.0.0/29 to any keep state
> pass out on fxp1 inet from any to 192.168.0.0/29 keep state
> pass in on rl0 inet from 192.168.1.200 to 192.168.1.1 keep state
> pass out on rl0 inet from 192.168.1.1 to 192.168.1.200 keep state
> pass out on tun0 proto tcp all flags S/SA modulate state
> pass out on tun0 proto udp all keep state
> pass out on tun0 proto icmp all keep state

Hm, so your rules seem to be okay.  Am I missing something, or don't I
see any NAT rule in there?

Next question is: what happens if you manually run /etc/rc.d/pf start
or reload?

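Added example, not part of either poster's ruleset: the translation section the reply is asking about, written for the pf syntax of that era (FreeBSD 5.x / OpenBSD 3.x) and reusing the macros quoted above. It assumes the two private networks are meant to reach the Internet through tun0 and that tun0's address may change between connections.

```pf
# Macros as quoted from the original ruleset
ext_if = "tun0"
wifi_if = "rl0"
eth_if = "fxp1"
wifi_net = "192.168.1.0/27"
eth_net = "192.168.0.0/29"

# Normalization (unchanged from the quoted ruleset)
scrub in all fragment reassemble

# Translation section. In pf of this era, nat/rdr rules must sit after
# scrub/queue and before the first filter rule, otherwise pfctl refuses
# the whole file with "Rules must be in order: options, normalization,
# queueing, translation, filtering". Without a nat rule the private
# 192.168.x.x source addresses leave tun0 untranslated and replies never
# come back, which looks exactly like "pf blocks everything".
#
# ($ext_if) in parentheses makes pf track the interface's current address,
# so the rule keeps working when tun0 gets a new IP on reconnect
# (assumption: a dial-up/PPP style link; use the fixed address otherwise).
nat on $ext_if inet from { $wifi_net, $eth_net } to any -> ($ext_if)

# Filter section starts here, unchanged:
# block drop all
# pass quick on lo0 all
# ...

# Checks to run as root after editing the file:
#   pfctl -nf /etc/pf.conf    parse only, prints the line of any error
#   pfctl -f /etc/pf.conf     load the ruleset
#   pfctl -sn                 list loaded nat rules; empty output = no NAT
#   pfctl -sr                 list loaded filter rules
#   pfctl -si                 Status: Enabled/Disabled plus counters
```

The states created by the nat rule show up in `pfctl -ss` with both the private and the translated address, which is the quickest way to confirm translation is actually happening for a given client.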