On Tue, 14 Oct 2008 14:33:19 +0700, Siju George <[EMAIL PROTECTED]> wrote:
Hi Siju,
I think there are several things you need to understand more about the pf quick option. If you don't use the quick option on rules, then the last matching rule is applied, but if you use the quick option, the first matching rule is applied and the rest are ignored. So, if you use the quick option the filter order would be:

rule 1 # very detail
rule 2 # pretty much detail
rule 3 # detail
rule 4 # not detail

something like:
pass in quick on $int_if inet proto tcp from <net_example1> to <internet>
pass in quick on $int_if inet from <net_example1> to <internet>
pass in quick on $int_if from <net_example1> to any
pass in quick on $int_if


If you don't use "quick" then it would be:
rule 1 # not detail
rule 2 # detail
rule 3 # pretty much detail
rule 4 # very detail

something like:
pass in on $int_if
pass in on $int_if from <net_example1> to any
pass in on $int_if from <net_example1> to <internet>
pass in on $int_if inet from <net_example1> to <internet>
pass in on $int_if inet proto tcp from <net_example1> to <internet>

HTH,
Insan

Hi,

I have a firewall

sk0 - LAN Interface
rl1 - Primary internet connection
rl2 - secondary Internet connection

I have a line in pf.conf

pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state

to route requests from hosts in <hifxchn2> through the rl2 internet connection, but it does not seem to work.

The full pf.conf is below:

===========================================================================================================
##NETWORK INTERFACES
#
int_if="sk0"            #HiFX LAN Interface - Connected to Main Switches - using 172.16.0.0/12 Range.
ext_if="rl1"            #Dataone Connection - "rl2" interface Connected to the Dataone Router.
ext_if2="rl2"
ext_ifgw="122.166.40.1"
proxy="122.166.40.36"


#Private IP Address Range Specified by RFC 1918.
#
priv_nets="{ 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"


#Computers in HiFX LAN that are permitted to bypass squid to make HTTP and HTTPS connections directly to the Internet
#
table <bypass-squid-users> persist file "/etc/pf-tables/bypass-squid-users"

#Websites to which bypassing SQUID is allowed.
#
table <bypass-squid-sites> persist file "/etc/pf-tables/bypass-squid-sites"
table <lanspl> persist file "/etc/pf-tables/lanspl"
table <adm> persist file "/etc/pf-tables/adms"
table <vtcservers> persist file "/etc/pf-tables/vtcservers"
table <bannedIPs> persist file "/etc/pf-tables/bannedIPs"
table <authpf_users> persist
table <hifxchn2> persist file "/etc/pf-tables/hifxchn2"

#Traffic Normalization - Required for "pppoe" connection.
#
scrub on $ext_if all no-df random-id fragment reassemble

###"Network Address Translation" and "Port Redirection"
###The First Matching rule wins here for any packet and no further "nat" or "rdr" rules are checked.
nat-anchor "authpf/*"
rdr-anchor "authpf/*"
binat-anchor "authpf/*"

nat pass on $ext_if from <adm> to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021

# redirect to beergas website
rdr pass on $ext_if inet proto tcp from any to any port 80 -> 172.16.4.12 port 80
rdr pass on $ext_if inet proto tcp from any to any port 443 -> 172.16.4.12 port 443

###
#
nat on $ext_if from <bypass-squid-users> to any -> ($ext_if)

#NAT connections to specified websites.
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if)
nat on $ext_if from any to <bypass-squid-sites> port { 80, 443 } -> ($ext_if2)

#Block NAT for other hosts to port 80 and 443 on the Internet.
#They should all go via SQUID CACHE PROXY
#
no nat on $ext_if from any to any port { 80, 443 }
no nat on $ext_if2 from any to any port { 80, 443 }

#Allow NAT for rest of the Computers to Internet - port 80 and 443 is already blocked for these hosts by the rule above.
#
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if2 from $int_if:network to any -> ($ext_if2)

#The SQUID CACHE PROXY Listens on localhost interface port 8080 for security reasons.
#PROXY configuration for computers in the HIFX LAN Machine in the IP Address of $int_if and port 8080
#Hence all Traffic coming to $int_if port 8080 should be redirected to SQUID running on localhost:8080
#

no rdr on $int_if from any to 70.86.222.30
rdr on $int_if proto tcp from any to any port 8080 -> 127.0.0.1 port 8080

###Filter Rules.
###The last matching rule wins here for packets except when the quick word is used in which case Further rules are not processed.
#Starting with a Deny all Traffic Policy. Later rules open up the firewall for required traffic.

block all
pass in quick on $ext_if inet proto tcp from any to any port ssh keep state

#Blocking RFC1918 Traffic.
block in log quick on $ext_if from $priv_nets to any
block out log quick on $ext_if from any to $priv_nets
block out log quick on $ext_if from any to <bannedIPs>

#Allow all traffic on the localhost interface.

pass quick on lo0 all

#Allow Traffic from HIFX LAN to pass through the firewall & also allow traffic from firewall to enter the LAN.

pass in quick on $int_if from any to $int_if keep state
pass out quick on $int_if from $int_if to any keep state


pass in quick on $int_if route-to ( $ext_if2 $ext_ifgw ) from <hifxchn2> to any keep state

pass in quick on $int_if from $int_if:network to any keep state
pass out quick on $int_if from any to $int_if:network keep state



#Allow Traffic from Firewall to pass out to the Internet.
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if2 proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $ext_if2 proto { udp, icmp } all keep state


#ftp-proxy
anchor "ftp-proxy/*"
pass out proto tcp from $proxy to any port 21 keep state

#authpf
anchor "authpf/*"

====================================================================================================

# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
        groups: lo
        inet 127.0.0.1 netmask 0xff000000
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
rl0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:50:fc:7d:4e:50
        media: Ethernet autoselect
        status: no carrier
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:4d:06:2b:65
        groups: egress extif
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 122.166.40.36 netmask 0xffffff00 broadcast 122.166.40.255
        inet6 fe80::2e0:4dff:fe06:2b65%rl1 prefixlen 64 scopeid 0x2
rl2: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:e0:4d:06:2b:68
        groups: extif
        media: Ethernet autoselect (100baseTX full-duplex)
        status: active
        inet 122.166.40.99 netmask 0xffffff00 broadcast 122.166.40.255
        inet6 fe80::2e0:4dff:fe06:2b68%rl2 prefixlen 64 scopeid 0x3
sk0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:0f:3d:88:9e:d4
        media: Ethernet autoselect (100baseTX full-duplex,flag0,flag1)
        status: active
        inet 172.17.1.0 netmask 0xfff00000 broadcast 172.31.255.255
        inet6 fe80::20f:3dff:fe88:9ed4%sk0 prefixlen 64 scopeid 0x4
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
pfsync0: flags=0<> mtu 1460
        groups: carp
enc0: flags=0<> mtu 1536
=================================================================================




--
insandotpraja(at)gmaildotcom
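A toy model of pf's filter evaluation, added here as an illustration; it is not code from the thread or from pf itself. It encodes the two rule orderings from the reply above (most specific first with quick, least specific first without) and reports which rule pf would apply to a given packet; going beyond the reply, it also shows what happens when quick rules are listed least specific first. Interface name, table contents and packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed tables standing in for <net_example1> and <internet> above.
TABLES = {"net_example1": [ip_network("172.16.0.0/12")],
          "internet": [ip_network("0.0.0.0/0")]}

@dataclass
class Rule:
    name: str
    iface: str
    quick: bool = False
    af: "str | None" = None     # "inet", or None for any address family
    proto: "str | None" = None  # "tcp", "udp", ..., or None for any protocol
    src: "str | None" = None    # table name, or None for "any"
    dst: "str | None" = None

def in_table(addr, table):
    return table is None or any(ip_address(addr) in n for n in TABLES[table])

def matches(rule, pkt):
    # pkt is a dict with keys iface, af, proto, src, dst (constructed input)
    return (rule.iface == pkt["iface"]
            and rule.af in (None, pkt["af"])
            and rule.proto in (None, pkt["proto"])
            and in_table(pkt["src"], rule.src)
            and in_table(pkt["dst"], rule.dst))

def evaluate(rules, pkt):
    """Rule pf applies: the last match, unless a match is 'quick' (stop)."""
    winner = None
    for r in rules:
        if matches(r, pkt):
            winner = r.name
            if r.quick:
                break
    return winner

# Insan's first ordering: most specific first, every rule quick.
QUICK_RULES = [
    Rule("r1", "sk0", True, "inet", "tcp", "net_example1", "internet"),
    Rule("r2", "sk0", True, "inet", None, "net_example1", "internet"),
    Rule("r3", "sk0", True, None, None, "net_example1", None),
    Rule("r4", "sk0", True)]
# Second ordering: least specific first, no quick, so the last match wins.
LAST_MATCH_RULES = [
    Rule("r1", "sk0"),
    Rule("r2", "sk0", False, None, None, "net_example1", None),
    Rule("r3", "sk0", False, None, None, "net_example1", "internet"),
    Rule("r4", "sk0", False, "inet", None, "net_example1", "internet"),
    Rule("r5", "sk0", False, "inet", "tcp", "net_example1", "internet")]
```

Reversing QUICK_RULES makes the bare `pass in quick on $int_if` rule swallow every packet, which is the ordering mistake the reply warns about.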
