On 2011-04-18 12:38, Chris Buechler wrote:
> You can do that with floating rules. Check your resulting floating
> rules in /tmp/rules.debug to ensure you have them configured
> correctly, and enable logging on all your rules so you can determine
> which rule matched.

You're right. It is possible to add those specific rules using Floating
Rules. Thanks for telling me about /tmp/rules.debug, this is very much
more helpful than trying to make sense of whatever's dumped by pfctl.
They do appear in that file as follows:
GWWAN2 = " route-to ( em0 172.16.2.2 ) "
pass out log on { em1 } $GWWAN2 from 172.16.2.1 to any keep state label "USER_RULE"
I have pasted the full /tmp/rules.debug at the end of this message for
the full listing. And this seems to be what I asked for - with the
exception of "keep state". I have tried with "no state" as well, and got
the same result.
As you can see I've enabled logging on this particular rule as well. But
the rule never seems to match, at least not when I look in the Web UI.
The only rule I see matched is this:
@40 pass in log quick on em0 inet proto tcp from any to 172.16.0.51
flags S/SA keep state label "USER_RULE: NAT chargen wan2"
My current instinct is that the return packets never even hit the
firewall rules so that they may be policy routed, since the packet is
part of a state. But I have no idea how I would verify that, or what I'd
do to remedy that situation.
-------
[2.0-RC1][[email protected]]/root(27): cat /tmp/rules.debug
#System aliases
loopback = "{ lo0 }"
WAN1 = "{ em1 }"
LAN = "{ em2 }"
WAN2 = "{ em0 }"
#SSH Lockout Table
table <sshlockout> persist
table <webConfiguratorlockout> persist
#pfSnortSam tables
table <snort2c>
table <pfSnortSamout>
table <pfSnortSamin>
table <virusprot>
# User Aliases
# Gateways
GWWAN2 = " route-to ( em0 172.16.2.2 ) "
GWWAN1 = " route-to ( em1 172.16.1.2 ) "
set loginterface em1
set loginterface em2
set loginterface em0
set optimization normal
set limit states 22000
set limit src-nodes 22000
set skip on pfsync0
scrub in on $WAN1 all fragment reassemble
scrub in on $LAN all fragment reassemble
scrub in on $WAN2 all fragment reassemble
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# Outbound NAT rules
nat on $WAN1 from 172.16.0.0/24 to any -> 172.16.1.1/32 port 1024:65535
nat on $WAN2 from 172.16.0.0/24 to any -> 172.16.2.1/32 port 1024:65535
# Load balancing anchor
rdr-anchor "relayd/*"
# TFTP proxy
rdr-anchor "tftp-proxy/*"
table <direct_networks> { 172.16.1.0/24 172.16.0.0/24 172.16.2.0/24 }
# NAT Inbound Redirects
rdr on em1 proto tcp from any to 172.16.1.1 port 19 -> 172.16.0.51
rdr on em0 proto tcp from any to 172.16.2.1 port 19 -> 172.16.0.51
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "relayd/*"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log all label "Default deny rule"
block out log all label "Default deny rule"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# Block all IPv6
block in quick inet6 all
block out quick inet6 all
# pfSnortSam
block quick from <snort2c> to any label "Block snort2c hosts"
block quick from any to <snort2c> label "Block snort2c hosts"
block quick from <pfSnortSamout> to any label "Block pfSnortSamOut hosts"
block quick from any to <pfSnortSamin> label "Block pfSnortSamIn hosts"
# SSH lockout
block in log quick proto tcp from <sshlockout> to any port 22 label "sshlockout"
# webConfigurator lockout
block in log quick proto tcp from <webConfiguratorlockout> to any port 443 label "webConfiguratorlockout"
block in quick from <virusprot> to any label "virusprot overload table"
antispoof for em1
antispoof for em2
# allow access to DHCP server on LAN
pass in on $LAN proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server"
pass in on $LAN proto udp from any port = 68 to 172.16.0.1 port = 67
label "allow access to DHCP server"
pass out on $LAN proto udp from 172.16.0.1 port = 67 to any port = 68
label "allow access to DHCP server"
antispoof for em0
# loopback
pass in on $loopback all label "pass loopback"
pass out on $loopback all label "pass loopback"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out all keep state allow-opts label "let out anything from firewall host itself"
# make sure the user cannot lock himself out of the webConfigurator or SSH
pass in quick on em2 proto tcp from any to (em2) port { 80 443 22 }
keep state label "anti-lockout rule"
# User-defined rules follow
pass out log on { em1 } from 172.16.2.1 to <vpns> no state label "NEGATE_ROUTE: Negate policy route for vpn(s)"
pass out log on { em1 } $GWWAN2 from 172.16.2.1 to any no state
pass out log on { em0 } from 172.16.1.1 to <vpns> no state lab
pass out log on { em0 } $GWWAN1 from 172.16.1.1 to any no state
pass in log quick on $WAN1 proto tcp from any to 172.16.0.51 fl
pass in log quick on $LAN from 172.16.0.0/24 to any keep state la
pass in log quick on $WAN2 proto tcp from any to 172.16.0.51 fl
# VPN Rules
anchor "tftp-proxy/*"
# uPnPd
anchor "miniupnpd"
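As an added example (not code from this post, from pfSense, or from pf itself), here is a small offline parser for the rules.debug format above: it collects the `NAME = "..."` macro definitions, expands `$GWWAN2`-style references, and reports for each pass/block rule its direction, interface, log/quick flags, route-to gateway and state option, so the effective floating rule can be checked before trying to correlate it with pfctl counters. The sample text inside the block is a constructed excerpt modelled on the listing above.

```python
"""Expand macros in a pfSense /tmp/rules.debug excerpt and summarise its rules.

Added example, not part of the mailing-list post; the sample below is a
constructed excerpt in the style of the pasted rules.debug listing.
"""
import re
from typing import Dict, List, Optional

SAMPLE_RULES_DEBUG = '''
# Gateways
GWWAN2 = " route-to ( em0 172.16.2.2 ) "
WAN1 = "{ em1 }"
pass out log on { em1 } $GWWAN2 from 172.16.2.1 to any keep state label "USER_RULE"
pass in log quick on $WAN1 proto tcp from any to 172.16.0.51 flags S/SA keep state label "USER_RULE: NAT chargen wan2"
'''

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"(.*)"\s*$')
RULE_RE = re.compile(r'^(pass|block)\s+(in|out)?')

def parse_macros(text: str) -> Dict[str, str]:
    """Collect NAME = "value" definitions; the quoted value is trimmed of outer spaces."""
    macros: Dict[str, str] = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line.strip())
        if m:
            macros[m.group(1)] = m.group(2).strip()
    return macros

def expand(line: str, macros: Dict[str, str]) -> str:
    """Replace every $NAME with its macro value; unknown macros are left untouched."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), line)

def summarise_rule(line: str) -> Optional[dict]:
    """Return the attributes that decide whether an expanded pass/block rule can match."""
    line = " ".join(line.split())            # normalise whitespace after expansion
    head = RULE_RE.match(line)
    if not head:
        return None                          # macro, table, set, anchor, comment ...
    iface = re.search(r'\bon\s+(?:\{\s*)?([\w.]+)', line)
    gw = re.search(r'route-to\s*\(\s*(\S+)\s+(\S+)\s*\)', line)
    label = re.search(r'label\s+"([^"]*)"', line)
    padded = f" {line} "
    state = "no state" if "no state" in line else ("keep state" if "keep state" in line else "default")
    return {"action": head.group(1), "direction": head.group(2),
            "interface": iface.group(1) if iface else None,
            "log": " log " in padded, "quick": " quick " in padded,
            "route_to": (gw.group(1), gw.group(2)) if gw else None,
            "state": state, "label": label.group(1) if label else None}

def summarise(text: str) -> List[dict]:
    """Macro-expand every line of a rules.debug excerpt and summarise the rules in order."""
    macros = parse_macros(text)
    return [s for s in (summarise_rule(expand(l, macros)) for l in text.splitlines()) if s]
```

Running `summarise(SAMPLE_RULES_DEBUG)` shows the floating rule as a non-quick `pass out` on em1 with gateway `("em0", "172.16.2.2")`, next to the quick `pass in` rule that the Web UI reported as the only match.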