On 12/24/2010 10:25 AM, Alessandro Baggi wrote:
On 12/23/2010 10:48 PM, Johan Beisser wrote:
On Thu, Dec 23, 2010 at 10:43 AM, Alessandro Baggi
<alessandro.ba...@gmail.com>  wrote:

Please post your pf.conf, ifconfig output and dmesg. There may be
another issue not addressed.


I still need your pf.conf.

ext="egress"
int="rl0"
dmz="rl1"
hostweb="172.16.2.3"
carpl="10.1.1.5"
carpw="192.168.1.84"
carpd="172.16.2.4"
pfsyncpeer="10.1.1.5"
pfsyncdev="rl0"

table <httpabuse> persist
table <httpsabuse> persist
table <sshblacklist> persist


# LIMIT and Policy

set block-policy drop
set fingerprints "/etc/pf.os"
set hostid 1
#set debug none
set limit states 7000
set limit tables 100
set limit table-entries 90000
set limit frags 6000
set limit src-nodes 10000
set optimization aggressive
set ruleset-optimization basic
set loginterface $ext
#set state-policy if-bound
#set state-defaults
set skip on lo0
set timeout tcp.established 900
set timeout tcp.closed 5
set timeout tcp.first 20
set timeout tcp.opening 20
set timeout tcp.closing 10
set timeout tcp.finwait 30


match all scrub (no-df, random-id, max-mss 1440)


# NAT

match out on $ext inet from $int:network to any nat-to (carp0:0)
match out on $ext inet from $dmz:network to any nat-to (carp0:0)
# RDR
match in log on $int proto tcp from $int:network to any port 21 rdr-to 127.0.0.1 port 8021


# FILTERING RULES
# Blocking of the http - https - sshd blacklists
block in log quick on $ext from { <blacklist>, <httpabuse>, <httpsabuse>, <sshblacklist> } to any

# ANTISPOOFING RULES

antispoof log quick for { $int , $ext, $dmz }

# CARP RULES

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)

# PFSYNC RULES

pass in log quick on $pfsyncdev proto pfsync from $pfsyncpeer to $int:0 keep state (no-sync)

# DEFAULT DENY
block in log all
pass out all

anchor "ftp-proxy/*"


# LAN MACHINE RULES
pass in on $int from any to any

# DMZ RULES DO NOT EXIST

Thanks in advance

Hi list. I've tried another NIC, the same as xl0, and the problem was the same. The only thing to see was the pf ruleset. All carp rules were wrong. Then I've tried with xl0 <-> rl2 and all works fine.

I've changed the rules:

pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)

in:

pass in quick on { $int, $ext, $dmz } proto carp keep state (no-sync)

Best regards and thanks for the time.
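As an added illustration (not part of Alessandro's posted ruleset or his final fix), the same CARP rules rewritten with the destination they actually need, alongside the original form. The macro names come from the pf.conf above; the example assumes that CARP advertisements are sent to the multicast group 224.0.0.18 (so a rule matching `to $int:0` never sees them) and, as the original rules did, that the peer's advertisements are sourced from $carpl, $carpw and $carpd.

```pf
# CARP advertisements (IP protocol 112) are addressed to the multicast
# group 224.0.0.18, never to the receiving interface's own address.
# The original "to $int:0" rules therefore could not match, and
# "block in log all" dropped every advertisement from the peer, which
# is why both nodes behaved as if the other were absent.
carp_mcast="224.0.0.18"

# Original (non-matching) form, kept here only for comparison:
# pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)

# Corrected form: match the multicast destination, but keep the per-interface
# source restriction rather than accepting CARP from any host, as the
# "proto carp keep state (no-sync)" rule adopted in the thread does.
pass in log quick on $int proto carp from $carpl to $carp_mcast keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $carp_mcast keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $carp_mcast keep state (no-sync)

# Our own advertisements leave on the same interfaces; "pass out all" already
# covers them, so this rule only matters if the outbound policy is tightened.
pass out quick on { $int, $ext, $dmz } proto carp to $carp_mcast keep state (no-sync)
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; `tcpdump -ni rl0 proto carp` shows whether the peer's advertisements reach the interface at all, which separates a ruleset problem from a NIC or cabling one.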
