On 2005-05-10 07:19, Fafa Hafiz Krantz <[EMAIL PROTECTED]> wrote:
> "Giorgos Keramidas" <[EMAIL PROTECTED]> wrote:
> > Show us the output of:
> >
> >     # pfctl -sr
> >
> > [snip ruleset]
>
> Hello!
>
> # pfctl -sr
>
> scrub in all fragment reassemble
> block drop log all
> pass quick on lo0 all
> pass quick on ep0 all
Good so far.

> pass out on lnc0 inet proto tcp from (lnc0) to any keep state
> pass out on lnc0 inet proto udp from (lnc0) to any keep state
> pass out on lnc0 inet proto icmp from (lnc0) to any keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = domain
> pass in on lnc0 inet proto udp from any to (lnc0) port = domain
> pass out on lnc0 inet proto tcp from (lnc0) port = domain to any
> pass out on lnc0 inet proto udp from (lnc0) port = domain to any
> pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state
> pass out on lnc0 inet proto udp from (lnc0) to any port = ntp keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = ssh flags S/SA keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = http flags S/SA keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = auth flags S/SA keep state
> pass in on lnc0 inet proto tcp from any port = ftp-data to (lnc0) user = 62 flags S/SA keep state
> pass in on lnc0 proto tcp from any to any port = 31337 keep state
> pass in on lnc0 proto tcp from any to any port 53333:55555

There are at least two problems with the above rules:

1. You are using (lnc0) on all the rules below.
2. There are no address mapping rules (nat or binat).

The reason why (1) may cause problems is that they assume that all packets
that come *in* on the lnc0 interface have as their source or destination
address one of the IP addresses of that interface. This may not be true if
you have packet forwarding enabled, especially when NAT is not enabled,
which it is not in your ruleset.

Even if NAT _is_ enabled, I think that packets that come in on ep0 will
still have the same source address as they go in lnc0 and will only change
their source address "en route" through lnc0, as the NAT rules are applied.

Pay very close attention to the following example from the pf.conf manpage
itself.
It may help a bit to explain what I said above:

    In the example below, the machine sits between a fake internal
    144.19.74.* network, and a routable external IP of 204.92.77.100.
    The no nat rule excludes protocol AH from being translated.

    # NO NAT
    no nat on $ext_if proto ah from 144.19.74.0/24 to any
    nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100

Both number (1) and (2) are not problems if you have public, routable IP
addresses on all the hosts visible through the ep0 interface. The fact that
you do have a problem suggests that the IP addresses of the ep0 interface
(not visible above) are all parts of unroutable, private address blocks.

Another problem that is easily noticed is that you have lots of redundant
rules that serve only as a waste of CPU cycles. For instance, these sets of
rules will match a common set of IP packets. You may find it useful to note
that the *first* rule of each group matches a superset of the packets that
the rest match, so you can keep just the first rule of each group for
exactly the same effect!

    pass out on lnc0 inet proto tcp from (lnc0) to any keep state
    pass out on lnc0 inet proto tcp from (lnc0) port = domain to any

    pass out on lnc0 inet proto udp from (lnc0) to any keep state
    pass out on lnc0 inet proto udp from (lnc0) port = domain to any
    pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state

- Giorgos
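A pf.conf that applies both of Giorgos's points (add a nat rule, stop constraining forwarded traffic to the lnc0 address, and collapse the redundant outbound groups to their superset rule), added here as an illustration and not part of the thread or Fafa's ruleset. The internal network 192.168.1.0/24 and the macro names are assumptions, since the real ep0 addresses are not shown above; the host-specific ftp-data, 31337 and 53333:55555 rules are left out.

```pf
# Added example, not from the thread. Assumed: ep0 faces a private LAN
# (192.168.1.0/24 is a placeholder), lnc0 faces the Internet, and
# net.inet.ip.forwarding=1 is set so the box routes between them.
ext_if = "lnc0"
int_if = "ep0"
int_net = "192.168.1.0/24"
tcp_services = "{ ssh, http, auth }"

scrub in all fragment reassemble

# Point (2): address mapping. Translate LAN sources to the current lnc0
# address. Translation is evaluated before the filter rules, so the pass
# rules on lnc0 below see the mapped source address. The "(lnc0)" form
# tracks the interface address if it changes (for example under DHCP).
nat on $ext_if from $int_net to any -> ($ext_if)

block drop log all
pass quick on lo0 all
pass quick on $int_if all

# Point (1): outbound on lnc0 uses "from any" rather than "from (lnc0)" so
# forwarded LAN traffic matches as well as the host's own. One stateful
# rule per protocol replaces the TCP and UDP groups from the original; the
# "port = domain" and "port = ntp" rules were subsets of these.
pass out on $ext_if inet proto tcp from any to any flags S/SA keep state
pass out on $ext_if inet proto udp from any to any keep state
pass out on $ext_if inet proto icmp from any to any keep state

# Inbound services on this host's own lnc0 address. Here "(lnc0)" is the
# right destination, because these daemons listen on that address. With
# keep state, the stateless "pass out ... port = domain" replies are no
# longer needed.
pass in on $ext_if inet proto tcp from any to ($ext_if) port = domain flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port = domain keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax without activating it, then compare `pfctl -sr` and `pfctl -sn` against the output quoted above to confirm the nat rule and the reduced rule count.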