Hello list,
I have two problems. I'm new to pf and to networks in general, so please be
patient.
I've attached my pf.conf.
1. Maybe there is misconfiguration. I have a rule:
pass out log inet proto tcp to any port $client_out \
flags S/SA keep state
And it works, but when I change it to this, nothing happens:
pass out log inet proto tcp from $localnet to any port $client_out \
flags S/SA keep state
Syntax is OK, but... no outgoing traffic. I think I just don't
understand something.
2. What is wrong with this pf.conf of mine for the email and web server? From the local
net I can access the local http server, but then I can't use <VirtualHost
blyn.com>.
E-mail doesn't work at all.
Maybe I should do something more than only redirection?
Please, explain or direct me where I should look for mistakes.
Sorry for my English.
Regards,
beast
# SRV-ERINYS
# 2006-08-28
# Kaunas, Lithuania
##########
# macro definitions
##########
# external interface
ext_if="vr0"
# internal interface
int_if="vr1"
# internal network
network = "192.168.1.0/24"
localnet = $int_if:network
# clients
table <clients> persist file "/etc/pf_clients"
# web server
# redirect.a
webserver = "192.168.1.5"
webports = "{ http, https }"
# email server
# redirect.b
emailserver = "192.168.1.5"
emailports = "{ smtp, smtp, pop3, imap, imaps, pop3s }"
# ports.b
udp_services = "{ domain, ntp }"
# ports.a
client_out = "{ ftp-data, ftp, domain, ssh, pop3, pop3s, imap, imaps, auth, \
nntp, http, https, 222 }"
# ports.c (samba)
samba = "{ 137, 138, 139, 445 }"
# troubleshooting.a
icmp_types = "{ echoreq, unreach }"
# defense.a
space = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
##########
# options: "set"
##########
# log interface
set loginterface $ext_if
# strict
set block-policy drop
##########
# rules: scrub rules
##########
# defense from malformed packets
scrub in all
##########
# rules: NAT rules: "rdr", "nat", "binat"
##########
# redirect.a
rdr on $ext_if proto tcp from any to $ext_if port \
$webports -> $webserver
# redirect.a.internal
rdr on $int_if proto tcp from $localnet to $ext_if \
port $webports -> $webserver
# redirect.b
rdr on $ext_if proto tcp from any to $ext_if port \
$emailports -> $emailserver
# redirect.b.internal
rdr on $int_if proto tcp from $localnet to $ext_if \
port $emailports -> $emailserver
rdr on $ext_if proto tcp from any to $ext_if port ssh -> 192.168.1.5
# nat.a
# translation is done before filtering: outbound packets on $ext_if reach
# the filter rules with the ($ext_if) address as source, not a $localnet address
nat on $ext_if from $localnet to any -> ($ext_if)
# nat.b no nat on internal interface
no nat on $int_if proto tcp from $localnet to $localnet
# redirect.a.internal NATing
nat on $int_if proto tcp from $localnet to $webserver \
port $webports -> $int_if
# redirect.b.internal NATing
nat on $int_if proto tcp from $localnet to $emailserver \
port $emailports -> $int_if
##########
# rules: filtering rules
##########
block log all
# nat.a
pass log from { lo0, $localnet } to any keep state
# ports.a
pass out log inet proto tcp to any port $client_out \
flags S/SA keep state
# ports.b
pass log quick inet proto { tcp, udp } to any port $udp_services keep state
# troubleshooting.a
pass log on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
# troubleshooting.b
# allow out the default range for traceroute(8):
# "base+nhops*nqueries-1" (33434+64*3-1)
pass out log on $ext_if inet proto udp from any to any \
port 33433 >< 33626 keep state
# filtering.a
# filtering.b
antispoof log for $ext_if
antispoof log for $int_if
# defense.a
# defense.b
block drop in log quick on $ext_if from $space to any
block drop out log quick on $ext_if from any to $space
# redirect.a
pass log proto tcp from any to $webserver port $webports \
flags S/SA synproxy state
# redirect.b
pass log proto tcp from any to $emailserver port $emailports \
flags S/SA synproxy state
# ports.c
pass log on $int_if proto {tcp, udp} from any to any port $samba
pass in log on $ext_if proto tcp from 123.123.123.0 to 192.168.1.5 port ssh