Hello list,
I have two problems. I'm new to pf and to networks in general, so please be patient. I've attached my pf.conf.

1. Maybe there is a misconfiguration. I have a rule:

pass out log inet proto tcp to any port $client_out \
        flags S/SA keep state

And it works, but when I change it to this, nothing happens:

pass out log inet proto tcp from $localnet to any port $client_out \
        flags S/SA keep state

Syntax is OK, but... no outgoing traffic. I think I just don't understand something.

2. What is wrong with my pf.conf for the e-mail and web server? From the local net I can access the local http server, but then I can't use <VirtualHost blyn.com>. E-mail doesn't work at all. Maybe I should do something more than only the redirection?

Please explain, or direct me where I should look for mistakes.

Sorry for my English.

Regards,
beast
# SRV-ERINYS
# 2006-08-28
# Kaunas, Lithuania

##########
# macro definitions
##########

# external interface
ext_if="vr0"

# internal interface
int_if="vr1"

# internal network
network = "192.168.1.0/24"
localnet = $int_if:network

# clients
table <clients> persist file "/etc/pf_clients"

# web server
# redirect.a
webserver = "192.168.1.5"
webports = "{ http, https }"

# email server
# redirect.b
emailserver = "192.168.1.5"
# (smtp is listed twice; harmless, but probably not intended)
emailports = "{ smtp, smtp, pop3, imap, imaps, pop3s }"

# ports.b
udp_services = "{ domain, ntp }"

# ports.a
client_out = "{ ftp-data, ftp, domain, ssh, pop3, pop3s, imap, imaps, auth, nntp, http, \
        https, 222 }"

# ports.c (samba)
# closing quote was missing
samba = "{ 137, 138, 139, 445 }"

# troubleshooting.a
# a list macro needs braces to be usable in a rule (currently unused)
icmp_types = "{ echoreq, unreach }"

# defense.a
space = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
        10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
        0.0.0.0/8, 240.0.0.0/4 }"

##########
# options: "set"
##########

# log interface
set loginterface $ext_if

# strict
set block-policy drop

##########
# rules: scrub rules
##########

# defense from malformed packets
scrub in all

##########
# rules: NAT rules: "rdr", "nat", "binat"
##########

# redirect.a
rdr on $ext_if proto tcp from any to $ext_if port \
        $webports -> $webserver

# redirect.a.internal
rdr on $int_if proto tcp from $localnet to $ext_if \
        port $webports -> $webserver

# redirect.b
rdr on $ext_if proto tcp from any to $ext_if port \
        $emailports -> $emailserver

# redirect.b.internal
rdr on $int_if proto tcp from $localnet to $ext_if \
        port $emailports -> $emailserver

rdr on $ext_if proto tcp from any to $ext_if port ssh -> 192.168.1.5

# nat.a
nat on $ext_if from $localnet to any -> ($ext_if)

# nat.b no nat on internal interface
no nat on $int_if proto tcp from $localnet to $localnet

# redirect.a.internal nating
nat on $int_if proto tcp from $localnet to $webserver \
        port $webports -> $int_if

# redirect.b.internal nating
nat on $int_if proto tcp from $localnet to $emailserver \
        port $emailports -> $int_if

##########
# rules: filtering rules
##########

block log all

# nat.a
pass log from { lo0, $localnet } to any keep state

# ports.a
pass out log inet proto tcp to any port $client_out \
        flags S/SA keep state

# ports.b
pass log quick inet proto { tcp, udp } to any port $udp_services keep state

# troubleshooting.a
pass log on $ext_if inet proto icmp all icmp-type 8 code 0 keep state

# troubleshooting.b
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out log on $ext_if inet proto udp from any to any \
        port 33433 >< 33626 keep state

# filtering.a
# filtering.b
antispoof log for $ext_if
antispoof log for $int_if

# defense.a
# defense.b
block drop in log quick on $ext_if from $space to any
block drop out log quick on $ext_if from any to $space

# redirect.a
pass log proto tcp from any to $webserver port $webports \
        flags S/SA synproxy state

# redirect.b
pass log proto tcp from any to $emailserver port $emailports \
        flags S/SA synproxy state

# ports.c
pass log on $int_if proto { tcp, udp } from any to any port $samba

pass in log on $ext_if proto tcp from 123.123.123.0 to 192.168.1.5 port ssh
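An added illustration of the mechanism behind problem 1; this is not part of beast's post or of the attached pf.conf. In pf, translation (nat/rdr) rules are applied before the filter rules, so a filter rule evaluated as the packet leaves on $ext_if sees the source address already rewritten to the external address. A `pass out ... from $localnet` rule therefore never matches client traffic on $ext_if, and, unlike the version without `from`, it also stops matching connections the firewall itself originates. The macros below are assumed to be the ones from the attached file; the pfctl and tcpdump commands in the comments are the standard ones for checking a ruleset.

```pf
# Added example (not from the original pf.conf): where a "from $localnet"
# filter rule can and cannot match once NAT is in place.
# Macros assumed from the attached configuration:
ext_if="vr0"
int_if="vr1"
localnet = $int_if:network
client_out = "{ ftp-data, ftp, domain, ssh, pop3, pop3s, imap, imaps, auth, nntp, http, \
        https, 222 }"

# Translation happens first: outgoing client packets leave $ext_if
# with their source rewritten to the address of $ext_if.
nat on $ext_if from $localnet to any -> ($ext_if)

block log all

# Never matches client traffic: by the time the packet is filtered on
# the way out of $ext_if its source is ($ext_if), not $localnet.
# It also no longer matches the firewall's own outgoing connections,
# which the original rule without "from" did.
# pass out log inet proto tcp from $localnet to any port $client_out \
#         flags S/SA keep state

# Filter the clients where the source is still untranslated: inbound on
# $int_if. The state created here also carries the translated packet
# out of $ext_if and lets the replies back in.
pass in log on $int_if inet proto tcp from $localnet to any port $client_out \
        flags S/SA keep state

# Outbound on $ext_if the packet is seen with the translated address, so
# match on ($ext_if) or omit "from" altogether. This rule is what covers
# connections originated by the firewall itself.
pass out log on $ext_if inet proto tcp from ($ext_if) to any port $client_out \
        flags S/SA keep state

# Check the syntax without loading the rules:   pfctl -nf /etc/pf.conf
# See what the "log" keyword records:           tcpdump -n -e -ttt -i pflog0
```

Watching pflog0 while a client connection is attempted shows which rule number blocked or passed each packet and, because the address shown is the post-translation one on $ext_if, makes the difference between the two rules visible directly.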