On 12/23/2010 10:48 PM, Johan Beisser wrote:
On Thu, Dec 23, 2010 at 10:43 AM, Alessandro Baggi
<alessandro.ba...@gmail.com>  wrote:

Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.


I still need your pf.conf.

# Macros: interface roles and peer addresses referenced by the rules below.
# External side is the "egress" interface group (the default-route interface).
ext="egress"
# LAN-facing interface.
int="rl0"
# DMZ-facing interface.
dmz="rl1"
# DMZ web host.  NOTE(review): no rule in the posted ruleset references
# $hostweb, so nothing currently passes traffic to it.
hostweb="172.16.2.3"
# Addresses the CARP pass rules accept advertisements from, one per interface.
carpl="10.1.1.5"
carpw="192.168.1.84"
carpd="172.16.2.4"
# pfsync peer (same address as $carpl) and the interface its traffic arrives on
# (same interface as $int, i.e. pfsync shares the LAN link).
pfsyncpeer="10.1.1.5"
pfsyncdev="rl0"

# Runtime-populated tables (pfctl -t <name> -T add ...); "persist" keeps a
# table defined even while it is empty.
# NOTE(review): the blacklist block rule further down also references
# <blacklist>, which is not declared here.  If it is meant to be managed like
# these three, add "table <blacklist> persist" -- confirm it is not defined
# elsewhere first.
table <httpabuse> persist
table <httpsabuse> persist
table <sshblacklist> persist


# LIMIT and Policy

# Blocked packets are silently dropped (no TCP RST / ICMP unreachable sent back).
set block-policy drop
# OS fingerprint database for "os" matching in rules.
set fingerprints "/etc/pf.os"
# Identifies this firewall's states in pfsync messages exchanged with the peer.
set hostid 1
#set debug none
# Memory-pool ceilings.  "tables" / "table-entries" bound how many tables and
# addresses the abuse tables above can hold; hitting the ceiling makes
# further "pfctl -T add" calls fail rather than grow the table.
set limit states 7000
set limit tables 100
set limit table-entries 90000
set limit frags 6000
set limit src-nodes 10000
# "aggressive" selects short default state timeouts (idle connections are
# expired early); the explicit tcp.* timeouts below are intended to take
# precedence for those specific timers -- presumably; verify with
# "pfctl -s timeouts" after loading.
set optimization aggressive
set ruleset-optimization basic
# Collect per-interface packet/byte statistics (pfctl -s info) on $ext.
set loginterface $ext
#set state-policy if-bound
#set state-defaults
# Loopback traffic is not filtered at all.
set skip on lo0
# Explicit TCP state timeouts, in seconds.
set timeout tcp.established 900
set timeout tcp.closed 5
set timeout tcp.first 20
set timeout tcp.opening 20
set timeout tcp.closing 10
set timeout tcp.finwait 30


# Normalize every packet: clear the DF bit (so fragments can be reassembled),
# randomize the IP id field, and clamp the TCP MSS to 1440 to avoid
# fragmentation across the uplink.
match all scrub (no-df, random-id, max-mss 1440)


# NAT
# Outbound LAN and DMZ traffic leaving on $ext is source-translated to the
# CARP virtual address (carp0:0) rather than to $ext's own address --
# presumably so the translated address stays reachable after a CARP failover.
match out on $ext inet from $int:network to any nat-to (carp0:0)
match out on $ext inet from $dmz:network to any nat-to (carp0:0)
# RDR
# Transparent FTP: LAN clients' FTP control connections (port 21) are
# redirected to the local ftp-proxy(8) listener on 127.0.0.1:8021.  The proxy
# then loads its per-session rules into the "ftp-proxy/*" anchor below.
match in log on $int proto tcp from $int:network to any port 21 rdr-to 127.0.0.1 port 8021


# FILTERING RULES
# Block the http / https / sshd blacklists.
# Inbound traffic on the external interface from any address in these tables
# is dropped and logged; "quick" means no later rule can pass it.
block in log quick on $ext from { <blacklist>, <httpabuse>, <httpsabuse>, <sshblacklist> } to any

# ANTISPOOFING RULES

# Expands to block rules that drop packets arriving on one of these interfaces
# with a source address belonging to another one's network (and packets
# claiming the interface's own address), logged and final ("quick").
antispoof log quick for { $int , $ext, $dmz }

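# CARP RULES

# Accept CARP advertisements from the peer on each of the three interfaces.
# "keep state (no-sync)" keeps the states these rules create out of pfsync,
# so the failover protocol's own states are never pushed to the peer.
# pf.conf takes one rule per line; the three rules were joined onto a single
# line in the posted copy and would not parse that way.
# NOTE(review): CARP advertisements are sent to the 224.0.0.18 multicast
# group, so a destination of "$int:0" / "$ext:0" / "$dmz:0" may never match
# them; if the peer's advertisements appear as blocked in pflog, widen the
# destination (e.g. "to 224.0.0.18") -- confirm with tcpdump on pflog0.
pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)

# PFSYNC RULES

# State-table updates from the pfsync peer.  The destination "$int:0" assumes
# pfsync is configured with a unicast syncpeer; with the default multicast
# destination (224.0.0.240) this rule would not match -- confirm against
# hostname.pfsync0.
# NOTE(review): pfsync carries no authentication, and $pfsyncdev is rl0, the
# LAN-facing interface.  pfsync(4) recommends a dedicated link between the two
# firewalls so that LAN hosts cannot observe or inject state-table updates.
pass in log quick on $pfsyncdev proto pfsync from $pfsyncpeer to $int:0 keep state (no-sync)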

# DEFAULT DENY
# Anything entering on any interface that no later rule passes is dropped and
# logged.  Anything leaving is allowed with state, so replies are matched by
# the state table rather than needing an "in" rule.
block in log all
pass out all

# Anchor in which ftp-proxy(8) installs its per-session rules for the FTP
# data connections of the LAN clients redirected above.
anchor "ftp-proxy/*"


# LAN MACHINE RULES
# Last matching rule wins: this overrides "block in log all" for every packet
# entering on the LAN interface, so LAN hosts may reach anything, including
# the DMZ.  "from any" (rather than "from $int:network") means only the
# antispoof rule above constrains which source addresses LAN hosts may use.
pass in on $int from any to any

# DMZ RULES: none defined
# NOTE(review): with no pass rules for $dmz and none for inbound traffic on
# $ext, the default deny above blocks everything entering on the DMZ
# interface, and nothing from outside can reach $hostweb.

Thanks in advance
