Dear list members,
I am trying to build a firewall. Up to now everything is OK, except
for some HTTP sites that cannot be displayed.
I am really having a hard time trying to figure out what is happening!
I believe something is wrong between rules 7 and 10 (I am on the network
defined by interface sis1).
I can ping the world outside my private network, and also telnet, ssh, etc.
I can access everything from inside the firewall itself. The problem
is that some web sites do not appear when accessed from the local
desktop; the scenario is the following:
access from    access to        status
firewall       <wildcarded>     ok
desktop        www.unix.org     nothing appears
desktop        www.gmail.com    ok
Does anybody have any idea what is wrong? (Again, ssh, telnet and
ntp access from within the desktop is 100% OK, only some web sites.)
Here are my firewall rules:
########
#
# Macros
#
########
IIF_0 = "sis0"
IIF_1 = "sis1"
IIF_2 = "sis2"
EIF = "pppoe0"
########
#
# Tables
#
########
table <noroute> persist const { 127/8 255/8 0/8 }
table <rfc1918> persist const { 10/8 172.16/12 192.168/16 }
table <mcast> persist const { 224/4 }
table <prvlcl> persist { 10/8 172.16/12 192.168/16 !10/25
!10.0.0.128/26 !10.0.0.192/26 }
table <badhosts> persist
table <net> persist { 10/25 10.0.0.128/26 10.0.0.192/26 }
#########
#
# Options
#
#########
set loginterface $EIF
set skip on lo0
set debug misc
# states are bound to the interface they were created on, so a NATed flow
# needs one state on the inside interface and another on $EIF
set state-policy if-bound
set block-policy return
#######################
#
# Traffic Normalization
#
#######################
##########
#
# Queueing
#
##########
#############
#
# Translation (first match wins). Only applicable if $EIF is a public address.
#
#############
no nat on $EIF from { ($IIF_0) ($IIF_1) ($IIF_2) }
nat on $EIF from ($IIF_0:network) to !<rfc1918> tag NAT -> ($EIF)
nat on $EIF from ($IIF_1:network) to !<rfc1918> tag NAT -> ($EIF)
nat on $EIF from ($IIF_2:network) to !<rfc1918> tag NAT -> ($EIF)
##################
#
# Packet Filtering (last match wins)
#
##################
# let's block everything by default
block log all
# everything may come in and out the host itself (two rules per interface)
pass in log on $IIF_0 from ($IIF_0:network) to ($IIF_0) flags S/SA keep state
pass out log on $IIF_0 from ($IIF_0) to ($IIF_0:network) flags S/SA keep state
pass in log on $IIF_1 from ($IIF_1:network) to ($IIF_1) flags S/SA keep state
pass out log on $IIF_1 from ($IIF_1) to ($IIF_1:network) flags S/SA keep state
pass in log on $IIF_2 from ($IIF_2:network) to ($IIF_2) flags S/SA keep state
pass out log on $IIF_2 from ($IIF_2) to ($IIF_2:network) flags S/SA keep state
pass in log on $EIF to ($EIF) flags S/SA keep state
pass out log on $EIF from ($EIF) flags S/SA keep state ! tagged NAT
# allowed traffic configuration goes here
pass out log on $EIF from ($EIF) flags S/SA keep state tagged NAT
# admits any new connection entering on sis1 (the desktop network);
# flags S/SA only constrains TCP, other protocols match regardless
pass in log on $IIF_1 flags S/SA keep state
# default on each internal interface (private address)
block in log on $IIF_0 from { ($IIF_0) ($IIF_0:broadcast) !($IIF_0:network) }
block in log on !$IIF_0 to ($IIF_0:broadcast)
block in log on $IIF_0 to <noroute>
#block in log on $IIF_0 proto ! udp to <mcast>
block in log on $IIF_1 from { ($IIF_1) ($IIF_1:broadcast) !($IIF_1:network) }
block in log on !$IIF_1 to ($IIF_1:broadcast)
block in log on $IIF_1 to <noroute>
#block in log on $IIF_1 proto ! udp to <mcast>
block in log on $IIF_2 from { ($IIF_2) ($IIF_2:broadcast) !($IIF_2:network) }
block in log on !$IIF_2 to ($IIF_2:broadcast)
block in log on $IIF_2 to <noroute>
#block in log on $IIF_2 proto ! udp to <mcast>
# default external interface (public address)
block in log on $EIF from ($EIF)
# additional rules
block in log on $EIF from { <rfc1918> <noroute> <mcast> }
# no rdr rules are defined above, so nothing carries the RDR tag and this
# blocks every inbound packet on $EIF addressed to the internal networks
block in log on $EIF to <net> ! tagged RDR
block in log on $EIF to { <noroute> <prvlcl> }
#block in log on $EIF proto ! udp to <mcast>
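Since every rule in the set above carries `log`, the quickest way to see which rule is dropping the failing HTTP flows is to read the pflog interface and map the logged rule number back to the numbered output of `pfctl -vvsr`. The script below is an added example for this thread, not code from the original post or from pf itself. The pflog lines it parses are constructed to resemble `tcpdump -n -e` output on pflog0 (the addresses, ports, rule numbers and exact field layout are assumptions); check the layout against real output before relying on it.

```shell
#!/bin/sh
# Added example, not from the original post: triage pf's logged drops.
#
# In practice, capture the log with one of
#     tcpdump -n -e -ttt -i pflog0            # live
#     tcpdump -n -e -r /var/log/pflog         # from the pflogd file
# and map a rule number back to its text with
#     pfctl -vvsr                             # prints rules as "@N ..."
#
# SAMPLE_PFLOG is CONSTRUCTED for this example: the hosts, ports, rule
# numbers and exact tcpdump field layout are assumptions, not data from
# the thread.  Adjust the parser if your tcpdump prints differently.
SAMPLE_PFLOG='21:01:03.101453 rule 0/(match) block in on pppoe0: 203.0.113.9.80 > 198.51.100.20.32771: . ack 1 win 5792
21:01:03.201453 rule 0/(match) block in on pppoe0: 203.0.113.9.80 > 198.51.100.20.32771: . ack 1 win 5792
21:01:04.301453 rule 12/(match) block in on sis1: 10.0.0.77.32772 > 10.0.0.129.80: S 1:1(0) win 16384
21:01:05.001453 rule 10/(match) pass in on sis1: 10.0.0.5.32773 > 203.0.113.9.80: S 1:1(0) win 16384
21:01:05.401453 rule 0/(match) block in on pppoe0: 192.0.2.33.123 > 198.51.100.20.123: udp 48'

# summarize_blocks: read pflog text on stdin, print one line per distinct
# (rule, direction, interface, destination port) that produced a block,
# prefixed with its hit count, most frequent first.  pass lines are skipped.
summarize_blocks() {
    awk '
    {
        # locate the "rule" token; the timestamp format before it varies
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i + 8 > NF) next                 # too short to be a pflog line
        split($(i + 1), r, "/"); rule = r[1] # "0/(match)" -> "0"
        action = $(i + 2); dir = $(i + 3)    # "block"/"pass", "in"/"out"
        iface  = $(i + 5); sub(/:$/, "", iface)
        dst    = $(i + 8); sub(/:$/, "", dst)
        if (action != "block") next
        n = split(dst, a, ".")               # a.b.c.d.port -> port is last
        key = action " rule " rule " " dir " on " iface " dport " a[n]
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# top_blocking_rule: the rule number responsible for the most logged drops,
# i.e. the first one to look up with "pfctl -vvsr".
top_blocking_rule() {
    summarize_blocks | awk '
        { hits[$4] += $1 }
        END {
            best = ""
            for (r in hits) if (best == "" || hits[r] > hits[best]) best = r
            print best
        }'
}

printf '%s\n' "$SAMPLE_PFLOG" | summarize_blocks
echo "most active blocking rule: @$(printf '%s\n' "$SAMPLE_PFLOG" | top_blocking_rule)"
```

Run against a real capture, a failing site's flow shows up either as a block on sis1 (the desktop's SYN never got through) or as a block on pppoe0 (the reply arrived with no matching state), which narrows the search to one side of the NAT before any rule is touched.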