Taking your input, and some from private emails, I crafted up the following pf.conf, which ended up breaking things:

1) DNS not working

2) No SSH from the firewall -> LAN

3) No newsgroups access (Comcast; and likely related to #1)

4) (still) Cannot access the public IP address of $ext_if from the LAN

Someone suggested I alter my RDR rules to include "to ($ext_if)" which I tried, and that failed as well.

(note: not using the DMZ yet)

I feel like this is close to working properly, and perhaps some of the problem is still with the tagging logic... ?


Thanks.

============================= snip =====================

ext_if = "fxp0"
int_if = "em0"
dmz_if = "em1"
ext_ad = "24.xx.xx.xx/32"
int_net = "192.168.1.0/24"
dmz_net = "10.1.1.0/24"
server = "192.168.1.2/32"
tcp_services = "imap, imaps, smtp, smtps"

### TABLES
## LOCAL FILE TABLES

table <badips> persist file "/etc/pf.d/spammers" \
        file "/etc/pf.d/abuse" \
        file "/etc/pf.d/geoip"

table <spammers> persist file "/etc/pf.d/spammers"

table <abuse> persist file "/etc/pf.d/abuse"

table <geoip> persist file "/etc/pf.d/geoip"

### NAT & RDR

no rdr on $ext_if proto tcp from <badips> to any port { $tcp_services }
no rdr on $ext_if proto tcp from <abuse> to any port 80
no rdr on $ext_if proto tcp from <abuse> to any port 443

rdr on $ext_if proto tcp from any to ($ext_if) \
        port { $tcp_services } tag INET_DMZ -> $server

rdr on $ext_if proto tcp from any to ($ext_if) \
        port 80 tag INET_DMZ -> $server

rdr on $ext_if proto tcp from any to ($ext_if) \
        port 443 tag INET_DMZ -> $server

nat on $ext_if tag LAN_INET_NAT tagged LAN_INET -> ($ext_if)

# nat on $ext_if tagged LAN_INET -> ($ext_if)

### BLOCK
block all

### INBOUND
# pass in quick on $int_if from $int_if:network to ! self tag LAN_INET keep state
pass in on $int_if from $int_net tag LAN_INET keep state
pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
pass in on $ext_if proto tcp to $server port { $tcp_services, 80, 443 } \
        tag INET_DMZ keep state

### OUTBOUND
pass out quick on $ext_if tagged LAN_INET_NAT keep state
pass out quick on $dmz_if tagged LAN_DMZ keep state
pass out quick on $dmz_if tagged INET_DMZ keep state
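The tag/tagged plumbing the post asks about can be checked statically. As an added example (not from the post or the pf project), this Python script joins backslash continuations, strips comments, and compares every `tag` against every `tagged` in a constructed ruleset modelled on the one above with macros expanded (interface names and addresses assumed from the post). It also reports whether any `pass out` rule accepts untagged packets, since traffic the firewall itself originates never traverses a `pass in` rule and therefore carries no tag.

```python
import re

# Constructed ruleset modelled on the one in the post with macros expanded
# (fxp0 = ext_if, em0 = int_if, em1 = dmz_if); not the poster's exact file.
RULESET = """\
nat on fxp0 tag LAN_INET_NAT tagged LAN_INET -> (fxp0)
block all
pass in on em0 from 192.168.1.0/24 tag LAN_INET keep state
pass in on em0 from 192.168.1.0/24 to 10.1.1.0/24 tag LAN_DMZ keep state
pass in on fxp0 proto tcp to 192.168.1.2/32 port { 80, 443 } \\
        tag INET_DMZ keep state
pass out quick on fxp0 tagged LAN_INET_NAT keep state
pass out quick on em1 tagged LAN_DMZ keep state
pass out quick on em1 tagged INET_DMZ keep state
"""

TAG_RE = re.compile(r"\btag\s+(\S+)")        # rule applies a tag
TAGGED_RE = re.compile(r"\btagged\s+(\S+)")  # rule requires a tag


def logical_lines(text):
    """Join backslash continuations and strip comments, as pfctl would."""
    joined = re.sub(r"\\\n\s*", " ", text)
    rules = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(line)
    return rules


def analyze(text):
    """Report tag plumbing problems in a ruleset."""
    rules = logical_lines(text)
    produced = {m.group(1) for r in rules for m in TAG_RE.finditer(r)}
    consumed = {m.group(1) for r in rules for m in TAGGED_RE.finditer(r)}
    # pass out rules that accept packets carrying no tag at all
    untagged_out = [r for r in rules
                    if r.startswith("pass out") and not TAGGED_RE.search(r)]
    default_block = any(r.startswith("block") for r in rules)
    return {
        "tagged_without_source": consumed - produced,
        "tag_never_matched": produced - consumed,
        "untagged_pass_out": untagged_out,
        # Packets the firewall itself originates never match a 'pass in'
        # rule, so they carry no tag; with block-by-default and only tagged
        # 'pass out' rules they are dropped (e.g. the host's own DNS lookups).
        "self_originated_blocked": default_block and not untagged_out,
    }


if __name__ == "__main__":
    for key, value in analyze(RULESET).items():
        print(f"{key}: {value}")
```

On the constructed ruleset the tags all line up, but no `pass out` rule admits untagged packets, so anything the firewall originates on its own behalf is caught by `block all`.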
