On Wed, Jul 09, 2008 at 07:25:18PM +0200, Leslie Jensen wrote:
> Hello
>
> When I boot the machine where pf is installed, everything I can see looks 
> ok. It's hard to read the text scrolling on the screen and the information 
> concerning pf is not to be found in /var/log/messages.
>
> Anyway I have one PC on the inside and it takes some time before it's able 
> to reach the outside world.
>
> I can speed up the process by making a change to pf.conf and then use the 
> command pfctl -f /etc/pf.conf.
>
> Another thing I see is that for example I add log (all) to one of my 
> filters and do pfctl -f /etc/pf.conf, then later I remove it again and do 
> pfctl -f /etc/pf.conf. The output from tcpdump -n -e -ttt -i pflog0 still 
> shows packages as if it had not refreshed and still have the "log (all)" 
> active.
>
> I know my problem is a little bit unclear but I hope someone will help me 
> solve this behaviour in the right way.
>
> # macros
> int_if="xl0"
> ext_if="bfe0"
>
> tcp_services="{ 22 }"
> tcp_priv_services="{ 389, 443 }"
> icmp_types="echoreq"
>
> # tables
> table <goodguys> { something.somewhere.com, somethingelse.somewhere.com, 
> xxx.yyy.zzz.qqq }
>

While loading the pf ruleset, pf needs to resolve these domains. This will
not work in some cases and may cause long delays.

> # options
> set block-policy return
> set loginterface $ext_if
>
> set skip on lo0
>
> # scrub
> scrub in
>
> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
>
> # filter rules
> block in log (all) on $ext_if
>
> pass out keep state
>
> # Let the goodguys access the machine from the outside
> pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
> port $tcp_services flags S/SA keep state
>
> # ICMP traffic needs to be passed:
> pass inet proto icmp all icmp-type $icmp_types keep state
>
> # traffic must be passed to and from the internal network
> pass in quick on $int_if
> --------------------------------------------

-- 
:wq Claudio
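As an added example that is not part of this thread: a small POSIX shell/awk lint that prints the table entries in a pf.conf which pfctl must resolve through DNS at load time, the cause of the delay Claudio points at. The sample ruleset inside it is constructed to mirror the poster's table.

```shell
#!/bin/sh
# Added example (not from the thread). pfctl resolves every hostname in a table
# through DNS while loading the ruleset, so "pfctl -f /etc/pf.conf" (and boot)
# stalls whenever DNS is slow or not yet reachable. This lint prints the
# table entries that need resolving so they can be replaced by addresses.

# Print each table entry in a pf.conf that is not an IPv4/IPv6 address or CIDR.
find_hostnames_in_tables() {
    awk '
        function scan(s,    n, f, i) {
            gsub(/[{},]/, " ", s)
            n = split(s, f, /[[:space:]]+/)
            for (i = 1; i <= n; i++) {
                # skip empties, table keywords, quoted file names and macros
                if (f[i] == "" || f[i] ~ /^(persist|counters|const|file|self)$/) continue
                if (f[i] ~ /^["$]/) continue
                if (f[i] ~ /^!?[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) continue
                if (f[i] ~ /:/ && f[i] ~ /^!?[0-9a-fA-F:.]+(\/[0-9]+)?$/) continue
                print f[i]
            }
        }
        { sub(/#.*/, "") }                                  # strip comments
        /^[[:space:]]*table[[:space:]]*</ {
            sub(/^[[:space:]]*table[[:space:]]*<[^>]*>/, "")
            open = (index($0, "{") > 0 && index($0, "}") == 0)  # list continues
            scan($0); next
        }
        open { if (index($0, "}") > 0) open = 0; scan($0) }
    ' "$1"
}

# Constructed sample ruleset mirroring the poster's table; prints its path.
sample_conf() {
    f=$(mktemp) || exit 1
    cat > "$f" <<'EOF'
table <goodguys> { something.somewhere.com, somethingelse.somewhere.com,
    192.0.2.10 }
table <spamd> persist file "/var/db/spamd"
table <v6> { 2001:db8::1, 2001:db8:1::/64 }
EOF
    echo "$f"
}

# Usage: sh lint.sh /etc/pf.conf
# Remedy for each name printed: put the resolved address in the table, or
# declare the table "persist" and fill it once the network is up with
#   pfctl -t goodguys -T add <address>
if [ -n "${1:-}" ]; then find_hostnames_in_tables "$1"; fi
```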