Hello everybody, I play a little bit with PF and 2 networks.

One uses cables and the other is a WLAN network.

My PF:

Ext = "tun0"              # device the Internet is attached to
Int = "xl0"               # device the internal (wired) network hangs off
IntNet = "192.168.0.0/16" # address range of the internal network
RouterIP = "192.168.0.1"  # IP address of the router

Int2 = "ath0"             # device the WLAN network hangs off
IntNet2 = "10.10.10.0/24" # address range of the WLAN network
RouterIP2 = "10.10.10.1"  # IP address of the router on the WLAN side
Loop = "lo0"              # loopback device

table <NoRoute> { 127.0.0.1/8, 172.16.0.0/12, 192.168.0.0/16, !$IntNet,
10.0.0.0/8, !$IntNet2, 255.255.255.255/32 }

# Ports that should be opened
InServicesTCP = "{ ssh, auth, http }"

### OPTIONS ###

# Keeps statistics for the DSL connection (pfctl -s info)
set loginterface $Ext

# Expires idle connections sooner - lower memory consumption.
set optimization aggressive
# Clean up fragmented packets
scrub on $Ext all fragment reassemble random-id

altq on $Ext priq bandwidth 100Kb queue { q_pri, q_def }
queue q_pri priority 7
queue q_def priority 1 priq(default)


### NAT & FORWARD ###
# Enable NAT (known as masquerading under Linux)
nat on $Ext from $IntNet to any -> $Ext static-port
nat on $Ext from $Int2:network to any -> $Ext static-port

# Active FTP - redirect to our ftp-proxy
rdr on $Int proto tcp from !$RouterIP to !$IntNet port 21 -> 127.0.0.1 port 8021
rdr on $Int2 proto tcp from !$RouterIP2 to !$IntNet2 port 21 -> 127.0.0.1 port 8021
rdr-anchor redirect


### FILTER ###

# For debugging....
#pass out quick all             # let everything through
#pass in quick all              # let everything through


# General block rule
block on $Ext

# We don't make a peep voluntarily ;)
block return log on $Ext

# We don't want any IPv6
block quick inet6

# The loopback device may do anything
pass quick on $Loop

# Makes scanning with nmap and friends harder
block in log quick on $Ext inet proto tcp from any to any flags FUP/FUP
block in log quick on $Ext inet proto tcp from any to any flags SF/SFRA
block in log quick on $Ext inet proto tcp from any to any flags /SFRA
block in log quick on $Ext os NMAP

# Prevent IP spoofing
block in log quick on $Ext inet from <NoRoute> to any
block in log quick on $Ext inet from any to <NoRoute>

# Allow active FTP
pass in quick on $Ext inet proto tcp from any to any port > 49151 user proxy flags S/SAFR keep state

# Accept ping (rejecting it is not very useful anyway)
pass in quick on $Ext inet proto icmp all icmp-type 8 code 0 keep state

# Open ports to the outside
pass in quick on $Ext inet proto tcp from any to any port $InServicesTCP flags S/SAFR keep state label ServicesTCP

anchor passin

# (Almost) everything may go out
pass out quick on $Ext keep state queue (q_def,q_pri)

--

The Problem:
I can use DNS with the WLAN but I can't e.g. access the internet.
What could be wrong?
I don't find the bug even though I reduced the pf.conf to the "basics", so it
couldn't be a problem related to any other option.

Kind regards,
Sebastian
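Added example (not part of the post above): a small evaluator for the post's <NoRoute> anti-spoofing table, modelling pf's table semantics where the longest matching prefix decides and a negated (`!`) best match excludes the address. It also reports prefixes listed both with and without `!`, which the table above does for 192.168.0.0/16 because $IntNet expands to the same prefix; how pf resolves that is not asserted here, the script only flags it.

```python
import ipaddress

# Macros and the <NoRoute> table exactly as they appear in the pf.conf above.
MACROS = {"IntNet": "192.168.0.0/16", "IntNet2": "10.10.10.0/24"}
NOROUTE = ("127.0.0.1/8, 172.16.0.0/12, 192.168.0.0/16, !$IntNet, "
           "10.0.0.0/8, !$IntNet2, 255.255.255.255/32")


def parse_table(spec, macros):
    """Expand $macros and return a list of (network, negated) entries."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        negated = item.startswith("!")
        item = item.lstrip("!")
        if item.startswith("$"):
            item = macros[item[1:]]
        entries.append((ipaddress.ip_network(item, strict=False), negated))
    return entries


def find_conflicts(entries):
    """Prefixes that appear both included and negated (ambiguous for pf)."""
    seen, conflicts = {}, []
    for net, negated in entries:
        if net in seen and seen[net] != negated:
            conflicts.append(str(net))
        seen.setdefault(net, negated)
    return conflicts


def in_table(addr, entries):
    """Longest-prefix match; a negated best match means 'not in table'."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, negated in entries:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, negated)
    return best is not None and not best[1]


if __name__ == "__main__":
    table = parse_table(NOROUTE, MACROS)
    print("conflicting entries:", find_conflicts(table))
    # 10.10.10.5 is excluded by !$IntNet2, so the spoofing rule does not block it
    for src in ("10.10.10.5", "10.20.0.1", "172.16.5.5", "8.8.8.8"):
        print(src, "blocked by <NoRoute>" if in_table(src, table) else "passes")
```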
