Re: Please help me with my PF config

2008-03-08 Thread Alaor Barroso de Carvalho Neto
2008/3/7, Preston Hagar [EMAIL PROTECTED]:

> It looks like you already have your problem solved.  One utility you
> might want to look at is pftop.  With it, you can see pretty much in
> real time what is going through pf and what is being blocked.  This
> has helped me a lot to find out which rule is blocking something I
> need to let through.  If you run pftop, then hit the right arrow key,
> it will have the rule that is being applied for a given connection on
> the far right-hand side.  If you hit SHIFT+S it will order the
> connections by source IP to help you find what you are looking for.
> Once you have the rule number that is blocking the connection you need
> to let through, hit the right arrow 4 more times to see the list of
> rules and their corresponding numbers.
>
> It may or may not be of much use to you, but I have found pftop to be
> indispensable when setting up pf firewalls.
>
> Preston

It looks great. I was looking for something like this because I would like
to see what is happening in the network. I'm gonna install this on Monday.
Thankz for the tip.

Hugs,
Alaor Neto.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: Please help me with my PF config

2008-03-07 Thread Preston Hagar
On Thu, Mar 6, 2008 at 12:02 PM, Alaor Barroso de Carvalho Neto
[EMAIL PROTECTED] wrote:
> 2008/3/6, Erik Norgaard [EMAIL PROTECTED]:
> > I know my config is far from a good config, but it's the first time I
> > configure a firewall, and I have only basic English knowledge; I'm not
> > totally sure about what I can and cannot do, even though I read the tutorials,
> > because my English skills aren't good enough. The IN and OUT stuff is
> > still very confusing for me.
> >
> > But thankz a lot, it's working now.
> >
> > Hugs,
> > Alaor Neto



It looks like you already have your problem solved.  One utility you
might want to look at is pftop.  With it, you can see pretty much in
real time what is going through pf and what is being blocked.  This
has helped me a lot to find out which rule is blocking something I
need to let through.  If you run pftop, then hit the right arrow key,
it will have the rule that is being applied for a given connection on
the far right-hand side.  If you hit SHIFT+S it will order the
connections by source IP to help you find what you are looking for.
Once you have the rule number that is blocking the connection you need
to let through, hit the right arrow 4 more times to see the list of
rules and their corresponding numbers.

It may or may not be of much use to you, but I have found pftop to be
indispensable when setting up pf firewalls.

Preston


Please help me with my PF config

2008-03-06 Thread Alaor Barroso de Carvalho Neto
Hi guyz, let me explain what I have. I work in a school; we have access to
the internet, two internal networks (academic and administrative), and we
have to connect to some servers in another school because we share databases
and do video-conferencing. I have a FreeBSD box with PF and squid. I want all
my web traffic to pass through squid; that's working. I want the academic
net not to be able to communicate with the administrative net, and the inverse;
that's working. But I would like my adm net to communicate with some
servers in the other school's network, and only those servers, with no other IP
accessible; that's NOT working. I can ping the servers but I can't
connect to the service ports (SQL Server, and so on).

Here's my pf.conf:

BEGIN OF CONFIG

ext_if=em0
adm_if=xl0
acad_if=xl1
cefet_if=xl2
all_if={ em0, xl0, xl1, xl2 }
ext_net=XXX.XXX.XXX.XXX/XX
adm_net=192.168.1.0/24
acad_net=192.168.2.0/24
cefet_net=10.10.0.0/16
cefet_servers={ 10.10.0.10, 10.10.0.15, 10.10.0.213 }
internal_nets={ 192.168.1.0/24, 192.168.2.0/24 }
tcp_services={ ssh, smtp, domain, http, https, ftp, ftp-data, nntp, pop3, pop3s, auth, 3128 }
udp_services={ domain, ntp }
proxy_ports={ 80, 8000, 8080, 3128 }
martians={ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }

set block-policy return

scrub in all

nat on $ext_if from $internal_nets to any -> ($ext_if)
nat on $cefet_if from $adm_net to any -> ($cefet_if)

rdr on $all_if proto tcp from any to any port $proxy_ports -> 127.0.0.1 port 3128

block all
block drop in quick on $ext_if from $martians to any
block drop out quick on $ext_if from any to $martians
block drop quick from $acad_net to $adm_net
block drop quick from $adm_net to $acad_net
pass quick proto icmp from any to any keep state
pass quick from $adm_net to $cefet_servers keep state
pass quick from $cefet_servers to $adm_net keep state
block quick from any to $cefet_net
block quick from $cefet_net to any
pass proto tcp to any port $tcp_services keep state
pass proto udp to any port $udp_services keep state
antispoof for $all_if
END OF CONFIG

cefet_net is the network of the other school, and cefet_servers are the
servers I want to communicate with. I want all ports and protocols to these
servers, but it's not working. I need a light, guyz.

Thankz, and sorry for my poor English.
Alaor Neto


Re: Please help me with my PF config

2008-03-06 Thread Erik Norgaard

Alaor Barroso de Carvalho Neto wrote:
> nat on $ext_if from $internal_nets to any -> ($ext_if)
> nat on $cefet_if from $adm_net to any -> ($cefet_if)
> rdr on $all_if proto tcp from any to any port $proxy_ports \
> -> 127.0.0.1 port 3128

OK, so do these nat rules actually take effect? Which one? Why do you 
need nat from adm_net to cefet_net? It appears there is no such need, 
but it could then require a change on cefet_net to tell these hosts the 
route to adm_net.


It is possible that the rdr rule applies even though it appears under 
the nat rule because rdr is applied on the way in while nat is applied 
on the way out. rdr is only applied to tcp, the nat rule then is applied 
to udp and icmp - this will explain why you can ping but not connect 
with tcp.


You can add log statements to your nat rules to see which is applied.


> pass quick proto icmp from any to any keep state
> pass quick from $adm_net to $cefet_servers keep state
> pass quick from $cefet_servers to $adm_net keep state


It appears that ping is passed by the first rule, but other protocols 
are not matched in the second/third rule.



> block quick from any to $cefet_net
> block quick from $cefet_net to any


Then it is probably blocked here.

Some general considerations:

When writing your ruleset, make sure to add log in any block statement. 
That will show you which rule is applied when a packet is blocked. Once 
things are working remove log statements.


Make your rules as specific as possible. State direction and interfaces 
and avoid the use of any. That makes it easier to avoid having some other 
rule take effect than the one you intended.


any and lack of direction/interface is fine in policy rules - that is 
when you explicitly state block all.


I usually build my rules like this:

block all # default policy
block in all
block in on $ext_if all
...
block in quick on $ext_if all
...
block in quick all
block out all
...
block out quick all
block quick all # catch up just in case I messed up

It makes it easy to locate any error, and it actually also follows the 
rules of the pf skip ahead optimizer.


Cheers, Erik


Re: Please help me with my PF config

2008-03-06 Thread Alaor Barroso de Carvalho Neto
2008/3/6, Erik Norgaard [EMAIL PROTECTED]:

> You can add log statements to your nat rules to see which is applied.
>
> > pass quick proto icmp from any to any keep state
> > pass quick from $adm_net to $cefet_servers keep state
> > pass quick from $cefet_servers to $adm_net keep state
>
> It appears that ping is passed by the first rule, but other protocols
> are not matched in the second/third rule.
>
> > block quick from any to $cefet_net
> > block quick from $cefet_net to any
>
> Then it is probably blocked here.


Thankz, brother, it worked. I need the nat to work with the firewall config
of the other school. Then, I saw in the log that the traffic going through
10.10.0.50 (my if) to the servers was being blocked. For me, saying that
adm_net should communicate with cefet_servers would be enough for the firewall
to understand that it should pass through any if on the way.

I know my config is far from a good config, but it's the first time I
configure a firewall, and I have only basic English knowledge; I'm not
totally sure about what I can and cannot do, even though I read the tutorials,
because my English skills aren't good enough. The IN and OUT stuff is
still very confusing for me.

But thankz a lot, it's working now.

Hugs,
Alaor Neto
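The ruleset below is an added example, not Alaor's final configuration and not code from anyone in the thread. It reworks the pf.conf from the original post along the lines of Erik's general considerations (explicit direction and interface on every rule, `log` on the block rules, `any` only in the policy rule) and adds the `pass out` rule on the xl2 side that the last reply points to: nat is applied on the way out, so by the time the filter rules see the packet on xl2 its source is the interface address (10.10.0.50 in the thread), not an address in adm_net, and the original `block quick from any to $cefet_net` caught it. Interface names, networks and server addresses are the ones from the thread; the tables, `set skip on lo0`, the narrowed nat and rdr rules, the in/out split of the service rules and the check commands in the comments are assumptions of this example.

```pf
# Added example (not the poster's final config): the ruleset from the
# original post with explicit direction/interface per rule, "log" on
# every block rule, and the missing pass rule on the xl2 side.
# Interfaces, networks and server addresses are taken from the thread;
# the tables, "set skip on lo0" and the check commands are assumptions.
#
# Checks: pfctl -nf /etc/pf.conf         (parse only, nothing is loaded)
#         pfctl -vvsr                    (loaded rules with their @N numbers)
#         tcpdump -n -e -ttt -i pflog0   (what the logged rules matched)

ext_if="em0"
adm_if="xl0"
acad_if="xl1"
cefet_if="xl2"
lan_ifs="{ xl0, xl1 }"
adm_net="192.168.1.0/24"
acad_net="192.168.2.0/24"
cefet_net="10.10.0.0/16"
cefet_servers="{ 10.10.0.10, 10.10.0.15, 10.10.0.213 }"
tcp_services="{ ssh, smtp, domain, http, https, ftp, ftp-data, nntp, pop3, pop3s, auth, 3128 }"
udp_services="{ domain, ntp }"
proxy_ports="{ 80, 8000, 8080, 3128 }"

# Tables instead of lists so a whole set can be negated in one rule
table <internal_nets> const { 192.168.1.0/24, 192.168.2.0/24 }
table <no_proxy> const { 192.168.1.0/24, 192.168.2.0/24, 10.10.0.0/16 }
table <martians> const { 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                         10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                         0.0.0.0/8, 240.0.0.0/4 }

set block-policy return
set skip on lo0
scrub in all

# nat is applied on the way out: a packet leaving on xl2 carries the
# interface address (10.10.0.50 in the thread) as source by the time the
# filter rules see it. Translate only what is meant to reach the servers.
nat on $ext_if from <internal_nets> to any -> ($ext_if)
nat on $cefet_if from $adm_net to $cefet_servers -> ($cefet_if)

# rdr is applied on the way in. Only the two LANs are redirected to squid,
# and only for destinations outside the local and partner networks, so the
# LAN separation below still sees the real destination. Not redirecting on
# em0 also keeps the proxy from being reachable from the outside.
rdr on $lan_ifs proto tcp from <internal_nets> to ! <no_proxy> \
    port $proxy_ports -> 127.0.0.1 port 3128

# Default policy, logged so pflog0 shows everything that falls through
block log all

# External interface hygiene
block in log quick on $ext_if from <martians> to any
block out log quick on $ext_if from any to <martians>
antispoof log quick for { $ext_if, $adm_if, $acad_if, $cefet_if }

# Keep the two LANs apart; matched on the inbound LAN interface
block in log quick on $adm_if from $adm_net to $acad_net
block in log quick on $acad_if from $acad_net to $adm_net

# ICMP as in the original post (both directions, all types)
pass quick inet proto icmp all keep state

# adm_net -> partner servers: one state for the inbound leg on xl0 and one
# for the outbound leg on xl2. The second rule is the one the original
# ruleset lacked: after nat the source is ($cefet_if), not $adm_net, so
# "pass quick from $adm_net to $cefet_servers" never matched on xl2 and
# "block quick from any to $cefet_net" did.
pass in quick on $adm_if from $adm_net to $cefet_servers keep state
pass out quick on $cefet_if from ($cefet_if) to $cefet_servers keep state

# Servers -> adm_net, as in the original. Only useful if the other school
# routes 192.168.1.0/24 to this box, since the nat above does not cover
# this direction (Erik's point in the thread).
pass in quick on $cefet_if from $cefet_servers to $adm_net keep state
pass out quick on $adm_if from $cefet_servers to $adm_net keep state

# Nothing else crosses to or from the partner network
block log quick from any to $cefet_net
block log quick from $cefet_net to any

# LAN -> internet. Squid's own fetches and the NATed LAN traffic both
# leave em0 with the em0 address as source, so one "pass out" covers both.
pass in on $lan_ifs proto tcp from <internal_nets> to any port $tcp_services keep state
pass in on $lan_ifs proto udp from <internal_nets> to any port $udp_services keep state
pass out on $ext_if proto tcp from ($ext_if) to any port $tcp_services keep state
pass out on $ext_if proto udp from ($ext_if) to any port $udp_services keep state
```

Two things to keep in mind when adapting this: a forwarded connection creates one state per interface it crosses, so each hop needs its own `pass` (or a state created on the inbound side that the outbound rule can match), and the outbound rule must be written against the post-nat source. Once the ruleset behaves, drop `log` from the rules that fire constantly, as Erik suggests, so pflog0 only shows what is unexpected.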