To get debugging info out of pf(4):
$ sudo pfctl -x loud
Also check "netstat -s" for layer 3/4 errors, and "netstat -m" for
kernel memory resource consumption, and "ifconfig -i(?)" for layer 2
errors.
~BAS
On Tue, 2007-10-02 at 14:20 +0700, dika wrote:
> Dear teams,
>
> I'm using OpenBSD 4.1 for my gateway.
> I've set my pf.conf for my clients (there are 40 DMZ clients).
>
> [DMZ]-----------[Gateway]-----------[router]
>
> like this:
> ext="bge0"
> int="bge1"
> dalem="203.190.245.0/24"
> set optimization aggressive
> set limit { frags 100000, states 150000 }
>
>
> table <agra> { 218.100.4.0/24, \
> 203.190.245.0/24, \
> 203.190.247.3/32, \
> 202.152.224.0/24, \
> 202.152.162.221, \
> 202.152.162.230, \
> 202.3.208.1, \
> 203.190.240.134, \
> 202.149.66.137 }
>
> prot="{ 80 443 53 25 110 }"
> protq="{ 80 443 53 25 110 22 }"
>
> scrub in all
>
> block in log quick on $int proto icmp from $dalem to !<agra> icmp-type 0 code 0
> pass in quick on $int proto udp from $dalem to any port 33433 >< 33626
> pass in quick on $ext proto udp from $dalem to any port 33433 >< 33626
> pass proto icmp all
>
> block return in log quick on $ext proto tcp from ! <agra> to $dalem port ssh
> block return out log quick on $ext proto tcp from $dalem to 127.0.0.1
>
> #pass in on $ext all
> pass in quick on bge0
> pass out quick on $int proto { tcp udp } from any to $dalem port $prot
>
> pass in quick on $int proto { tcp udp } from $dalem to any port $protq
> pass out on $ext all
>
> block return out log on $int inet from ! <agra> to $dalem
> block return in log on $int inet proto tcp from $dalem to ! <agra> port ssh
> I have tested this gateway with 1 client and everything's alright.. all rules
> working well.
> But the situation turned worse when I used it under real conditions, 40 servers with
> high traffic connected to the gateway.
> Problems occurred: from the gateway to the DMZ there was a lot of packet loss when I
> tried to ping.
> And some hours later, everything was down. No packets passed at all,
> even when I changed to /pass in all. pass out all/.
>
> That's my problem,
> your reply will help me.
>
>
> Thank you.
> Dika_
> .indonesian
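The reply above points at `pfctl -x loud`, `netstat -s` and `netstat -m`; the script below is an added example, not code from either poster, showing the checks a practitioner would actually make on that output for a gateway that stops passing packets after hours of load: how full the state table is against the `set limit states 150000` in the posted pf.conf, whether pf's `state-limit` and `memory` counters are climbing, and whether the kernel is denying mbuf cluster requests. The two sample outputs are constructed to resemble OpenBSD's `pfctl -si` and `netstat -m` formats and are embedded so the script runs offline; the exact field layout on a given release is an assumption to verify against the real output (`pfctl -x loud` itself sends pf's debug messages to the kernel log, readable with dmesg or via syslog).

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): parse pf/kernel counters
# and flag the usual reasons a pf gateway silently stops forwarding.

# Constructed sample of `pfctl -si` output (only the lines the checks need;
# layout assumed from OpenBSD, check against your own box).
SAMPLE_PFCTL_SI='Status: Enabled for 0 days 05:12:41           Debug: Loud

State Table                     Total             Rate
  current entries                 148731
  searches                     984112234        52498.7/s
  inserts                        3191820          170.2/s
  removals                       3043089          162.3/s
Counters
  match                          3248102          173.2/s
  memory                           12871            0.7/s
  state-limit                      29044            1.5/s'

# Constructed sample of `netstat -m` output.
SAMPLE_NETSTAT_M='6152 mbufs in use:
        5980 mbufs allocated to data
        172 mbufs allocated to packet headers
4096/4096/4096 mbuf 2048 byte clusters in use (current/peak/max)
8192 Kbytes allocated to network (100% in use)
1532 requests for memory denied
0 requests for memory delayed
0 calls to protocol drain routines'

# Number of states currently in the table ("current entries" line).
pf_current_states() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# Integer percentage of the configured state limit in use.
# $1 = pfctl -si output, $2 = the value from "set limit states".
pf_state_usage_pct() {
    cur=$(pf_current_states "$1")
    limit=$2
    echo $(( cur * 100 / limit ))
}

# Total for a named pf counter line, e.g. "state-limit" or "memory".
# Non-zero and rising values mean pf is dropping packets for that reason.
pf_counter() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2 }'
}

# "requests for memory denied" from netstat -m: mbuf/cluster exhaustion.
mbuf_denied() {
    printf '%s\n' "$1" | awk '/requests for memory denied/ { print $1 }'
}

# Cluster usage "current/peak/max" expressed as percent of max.
mbuf_cluster_pct() {
    printf '%s\n' "$1" |
        awk '/mbuf 2048 byte clusters in use/ {
                 split($1, a, "/"); printf "%d\n", a[1] * 100 / a[3] }'
}

# Human-readable summary; thresholds are the author's own choice.
pf_report() {
    pct=$(pf_state_usage_pct "$1" "$3")
    echo "state table: $(pf_current_states "$1")/$3 (${pct}%)"
    [ "$pct" -ge 90 ] && echo "WARN: state table near limit;" \
        "state-limit drops=$(pf_counter "$1" state-limit)," \
        "memory drops=$(pf_counter "$1" memory)"
    den=$(mbuf_denied "$2")
    [ "$den" -gt 0 ] && echo "WARN: $den mbuf requests denied;" \
        "clusters at $(mbuf_cluster_pct "$2")% of max"
    return 0
}

# Stand-alone run over the constructed samples; on a real gateway replace
# the samples with "$(pfctl -si)" and "$(netstat -m)".
pf_report "$SAMPLE_PFCTL_SI" "$SAMPLE_NETSTAT_M" 150000
```

Two numbers in the posted pf.conf make these checks directly relevant: `set limit states 150000` caps the state table, and `set optimization aggressive` shortens state timeouts, so a table sitting near its cap with a non-zero `state-limit` counter, or `netstat -m` reporting denied memory requests with clusters at their maximum, is exactly the condition under which new flows fail while old ones keep working.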