On Sat, 26 Mar 2011 12:18, leslie@ wrote:
Hello list.

I've had a machine running FreeBSD 7.2-RELEASE as a firewall and Squid proxy server on a network with 10 PCs behind it for some years.

Now I've got some new hardware and have installed FreeBSD 8.2-RELEASE with exactly the same set-up.

My problem is that PF is not acting the same. Everything is blocked; if I remove the first rule "block in log on $ext_if all" I get some functionality, but it won't redirect the traffic to Squid, for example.

I've been trying to fix it, but I need some new eyes to help me.

Below is the pf.conf on the new 8.2 machine, and further below is the original pf.conf from the 7.2 system.

I'm aware that there have been some changes to the pf syntax, but when doing pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.

Will you please take a look and see if you can see what's wrong.

Thank you :-)


Hi Leslie,

I just extracted your rule sets from the email, and from what I gather I hope it's not just a formatting issue with your mailer, which I have seen on occasion.

After pulling it out through the patch pipe and loading it with a diff, this is what I've come up with: (-) = new config, (+) = old config

 # Let the goodguys access the machine from the outside
- -pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if)
+pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
 port $tcp_services flags S/SA keep state
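Review bot: the new (-) line drops the trailing `\`, so `pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if)` is a complete rule by itself and admits every TCP port on $ext_if from <goodguys>, while the following ` port $tcp_services flags S/SA keep state` is left as a line that cannot begin a rule. Restore the backslash so the port, flags and state clause stays attached to the pass rule. A bare `port ...` line is a syntax error, and the poster says `pfctl -n -f /etc/pf.conf` reports none, so first confirm whether the `\` is really missing from the file or was only stripped by the mail client. Two smaller points: the (-) line adds `log`, which the old (+) rule did not have, and the leading `- -` is PGP dash escaping of a line that starts with `-`, not part of the diff.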

 # We need this for the rdr to VNC (change of portnumber)
- -pass in on $ext_if inet proto tcp from <goodguys> to $internal_net
+pass in on $ext_if inet proto tcp from <goodguys> to $internal_net \
 port $vncports flags S/SA synproxy state
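Review bot: same missing `\` on the (-) line; without it `pass in on $ext_if inet proto tcp from <goodguys> to $internal_net` passes all TCP from <goodguys> to every host and port in $internal_net, and the ` port $vncports flags S/SA synproxy state` clause, synproxy included, is lost. Restore the backslash. Since filter rules see the destination after rdr translation, `$internal_net port $vncports` has to name the address and port the VNC rdr rewrites to, not the external port; `pfctl -s rules` will show whether the loaded rule actually carries the port and `synproxy state`.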


You mentioned that when removing your block rule you would get some functionality back, and this stuck out like a sore thumb! Pay close attention to the newline character at the end of the new line, or in other words, "don't forget the backslash".

Also you used to have:
 # filter rules
- -block in log on $ext_if all
+block in log (all)
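Review bot: this is a scope change, not only a syntax change: the old (+) rule `block in log (all)` has no `on` clause and therefore blocks inbound traffic on every interface, the internal one included, whereas the new (-) rule `block in log on $ext_if all` blocks only on $ext_if. The new form is the narrower of the two, so by itself it does not explain the new machine blocking everything; `log (all)` on a block rule only affects logging, not what is blocked.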

but that is probably not relevant to what you are seeing in your rule sets at this time.

If this is not all a formatting error, you should be able to verify that all your rules are loaded with (pfctl -s rules) and manually inspect the ones in question to see whether the backslash really makes the difference.

Good luck.

--
 Regards,

 J. Hellenthal
 (0x89D8547E)
 JJH48-ARIN

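As an added example following up on the reply above (this is not code from the thread, from Leslie's pf.conf or from pf itself), here is a small sh/awk check for the two ways a pf.conf line continuation goes wrong: the trailing backslash dropped, as suspected in the rules quoted above, so that the rule ends early and the `port ... keep state` remainder is orphaned; and the mirror case, a stray backslash that glues the next rule onto the current one. It needs only sh and awk, so it can be run on a box without pfctl, for instance on a config that arrived by mail. The sample config is constructed for the example and only loosely modelled on the quoted rules; the token lists are a heuristic, not a pf.conf parser, and `pfctl -nf` remains the authority.

```shell
#!/bin/sh
# Added example: heuristic check for lost or stray continuation backslashes in
# a pf.conf. Not part of pf or of the thread; pfctl -nf is still the real check.

# Constructed sample, loosely modelled on the thread's rules (not the poster's
# file). Line 10 lacks the backslash on line 9; line 17 carries a stray one.
SAMPLE='ext_if="em0"
int_if="em1"
internal_net="192.168.1.0/24"
tcp_services="{ 22, 443 }"
vncports="{ 5900, 5901 }"
table <goodguys> { 203.0.113.10 }

# Let the goodguys access the machine from the outside
pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if)
 port $tcp_services flags S/SA keep state

# We need this for the rdr to VNC (change of portnumber)
pass in on $ext_if inet proto tcp from <goodguys> to $internal_net \
 port $vncports flags S/SA synproxy state

# Outbound
pass out on $ext_if proto tcp from ($ext_if) to any \
pass out on $int_if all
'

# Reads a pf.conf on stdin. Prints "<line>: <reason>: <text>" for each suspect
# line and exits 1 if any were found, 0 otherwise.
check_pf_continuations() {
    awk '
        BEGIN {
            # tokens that can only continue a rule, never start one
            cont  = "^[ \t]*(from|to|port|flags|keep|modulate|synproxy|tag|tagged|label)[ \t]"
            # tokens that begin a new rule or declaration
            start = "^[ \t]*(pass|block|match|rdr|nat|binat|table|set|scrub|antispoof|anchor|load|include|altq)[ \t]"
        }
        # continuation-only token, but the previous line did not end in "\"
        $0 ~ cont  && !prev_cont { report(NR,     "orphaned continuation (backslash missing on the line above)", $0) }
        # previous line ended in "\" yet this line starts a new rule
        $0 ~ start &&  prev_cont { report(NR - 1, "stray trailing backslash glues this rule to the next", prev) }
        { prev = $0; prev_cont = ($0 ~ /\\[ \t]*$/) }
        function report(n, why, text,   t) {
            t = text; sub(/^[ \t]+/, "", t)
            printf "%d: %s: %s\n", n, why, t
            bad = 1
        }
        END { if (bad) exit 1; exit 0 }
    '
}

# Stand-alone run over the constructed sample.
if printf '%s' "$SAMPLE" | check_pf_continuations; then
    echo "no continuation problems found"
else
    echo "fix the lines above, then run: pfctl -nf /etc/pf.conf && pfctl -sr"
fi
```

On a real system run it as `check_pf_continuations < /etc/pf.conf`, fix what it reports, then load with `pfctl -nf /etc/pf.conf` and compare `pfctl -sr` against the file: a pass rule that has lost its continuation shows up there without the `port` and `synproxy state` parts, which is the quickest way to tell a real missing backslash from one the mail client ate.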
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
