On 2005-05-10 07:19, Fafa Hafiz Krantz <[EMAIL PROTECTED]> wrote:
> "Giorgos Keramidas" <[EMAIL PROTECTED]> wrote:
> > Show us the output of:
> >
> >     # pfctl -sr
> >
> > [snip ruleset]
>
> Hello!
>
> # pfctl -sr
>
> scrub in all fragment reassemble
> block drop log all
> pass quick on lo0 all
> pass quick on ep0 all

Good so far.

> pass out on lnc0 inet proto tcp from (lnc0) to any keep state
> pass out on lnc0 inet proto udp from (lnc0) to any keep state
> pass out on lnc0 inet proto icmp from (lnc0) to any keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = domain
> pass in on lnc0 inet proto udp from any to (lnc0) port = domain
> pass out on lnc0 inet proto tcp from (lnc0) port = domain to any
> pass out on lnc0 inet proto udp from (lnc0) port = domain to any
> pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state
> pass out on lnc0 inet proto udp from (lnc0) to any port = ntp keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = ssh flags S/SA keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = http flags S/SA keep state
> pass in on lnc0 inet proto tcp from any to (lnc0) port = auth flags S/SA keep state
> pass in on lnc0 inet proto tcp from any port = ftp-data to (lnc0) user = 62 flags S/SA keep state
> pass in on lnc0 proto tcp from any to any port = 31337 keep state
> pass in on lnc0 proto tcp from any to any port 53333:55555

There are at least two problems with the above rules:

   1. You are using (lnc0) on all the rules below.
   2. There are no address mapping rules (nat or binat).

The reason why (1) may cause problems is that they assume that all
packets that come *in* on the lnc0 interface have as their source or
destination address one of the IP addresses of that interface.  This may
not be true if you have packet forwarding enabled, especially when NAT
is not enabled, which it is not in your ruleset.

Even if NAT _is_ enabled, I think that packets that come in on ep0 will
still have the same source address as they go in lnc0 and will only
change their source address "en route" through lnc0, as the NAT rules
are applied.

Pay very close attention to the following example from the pf.conf
manpage itself.  It may help a bit to explain what I said above:

    In the example below, the machine sits between a fake internal
    144.19.74.*  network, and a routable external IP of 204.92.77.100.
    The no nat rule excludes protocol AH from being translated.

    # NO NAT
    no nat on $ext_if proto ah from 144.19.74.0/24 to any
    nat on $ext_if from 144.19.74.0/24 to any -> 204.92.77.100

Both number (1) and (2) are not problems if you have public, routable IP
addresses on all the hosts visible through the ep0 interface.  The fact
that you do have a problem suggests that the IP addresses of the ep0
interface (not visible above) are all parts of unroutable, private
address blocks.

Another problem that is easily noticed is that you have lots of
redundant rules that serve only as a waste of CPU cycles.

For instance, these sets of rules will match a common set of IP packets.
You may find it useful to note that the *first* rule of each group
matches a superset of the packets that the rest match, so you can keep
just the first rule of each group for exactly the same effect!

    pass out on lnc0 inet proto tcp from (lnc0) to any keep state
    pass out on lnc0 inet proto tcp from (lnc0) port = domain to any

    pass out on lnc0 inet proto udp from (lnc0) to any keep state
    pass out on lnc0 inet proto udp from (lnc0) port = domain to any
    pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state

- Giorgos
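The redundancy check Giorgos describes (the first rule of each group matches a superset of the packets the later rules match) can be automated.  The script below is an added example, not part of this thread and not a pf tool; it parses the simplified pfctl -sr syntax quoted above (pass/block, in/out, quick, on IFACE, inet/inet6, proto, from/to with "port = X" or "port A:B", user, flags, keep state) and reports every rule whose packet set is a subset of an earlier rule with the same action, or of an earlier "quick" rule.  The service-name table and the sample ruleset are constructed from the thread.  Because it compares the match criteria only, it also flags the "port = ntp" rule, which the mail does not list but which the same reasoning covers; it ignores keep state, flags defaults and logging differences, so each hit is a candidate to review, not an automatic delete.

```python
"""Flag pf rules that an earlier rule already covers (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Service names used in the thread; constructed, not read from /etc/services.
SERVICES = {"domain": 53, "ntp": 123, "ssh": 22, "http": 80,
            "auth": 113, "ftp-data": 20, "ftp": 21}

# Subset of the pfctl -sr grammar that appears in the thread.
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?:\s+drop)?(?:\s+log)?"
    r"(?:\s+(?P<dir>in|out))?"
    r"(?P<quick>\s+quick)?"
    r"(?:\s+on\s+(?P<iface>\S+))?"
    r"(?:\s+(?P<af>inet6?))?"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"(?:\s+all|\s+from\s+(?P<src>\S+)(?:\s+port\s+(?P<sport>=\s*\S+|\S+))?"
    r"\s+to\s+(?P<dst>\S+)(?:\s+port\s+(?P<dport>=\s*\S+|\S+))?)"
    r"(?:\s+user\s+=\s+(?P<user>\S+))?"
    r"(?:\s+flags\s+(?P<flags>\S+))?"
    r"(?:\s+keep\s+state)?\s*$"
)


@dataclass
class Rule:
    text: str
    action: str
    direction: Optional[str]   # None = both directions
    quick: bool
    iface: Optional[str]       # None = any interface
    af: Optional[str]          # None = inet and inet6
    proto: Optional[str]       # None = any protocol
    src: str
    sport: Optional[tuple[int, int]]
    dst: str
    dport: Optional[tuple[int, int]]
    user: Optional[str]
    flags: Optional[str]


def _port_range(spec: Optional[str]) -> Optional[tuple[int, int]]:
    """'= ssh', 'ssh' or '1000:2000' -> (lo, hi); None means any port."""
    if spec is None:
        return None
    spec = spec.lstrip("= ").strip()
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return (int(lo), int(hi))
    if spec in SERVICES:
        return (SERVICES[spec], SERVICES[spec])
    if spec.isdigit():
        return (int(spec), int(spec))
    raise ValueError(f"unknown service name: {spec}")


def parse_rule(line: str) -> Optional[Rule]:
    """Parse one pass/block rule; other rules (scrub, nat, ...) give None."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Rule(text=line.strip(), action=g["action"], direction=g["dir"],
                quick=g["quick"] is not None, iface=g["iface"], af=g["af"],
                proto=g["proto"], src=g["src"] or "any",
                sport=_port_range(g["sport"]), dst=g["dst"] or "any",
                dport=_port_range(g["dport"]), user=g["user"], flags=g["flags"])


def _wild_or_equal(general, specific) -> bool:
    return general is None or general == specific


def _addr_covers(general: str, specific: str) -> bool:
    # Textual comparison only; "any" covers everything, no CIDR math.
    return general == "any" or general == specific


def _port_covers(general, specific) -> bool:
    if general is None:
        return True
    if specific is None:
        return False
    return general[0] <= specific[0] and specific[1] <= general[1]


def covers(general: Rule, specific: Rule) -> bool:
    """True when every packet matching `specific` also matches `general`."""
    return (_wild_or_equal(general.direction, specific.direction)
            and _wild_or_equal(general.iface, specific.iface)
            and _wild_or_equal(general.af, specific.af)
            and _wild_or_equal(general.proto, specific.proto)
            and _addr_covers(general.src, specific.src)
            and _addr_covers(general.dst, specific.dst)
            and _port_covers(general.sport, specific.sport)
            and _port_covers(general.dport, specific.dport)
            and _wild_or_equal(general.user, specific.user)
            and _wild_or_equal(general.flags, specific.flags))


def find_redundant(lines: list[str]) -> list[tuple[str, str]]:
    """Return (redundant_rule, covering_rule) pairs, first covering rule only."""
    rules = [r for r in map(parse_rule, lines) if r is not None]
    hits = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later) and (earlier.action == later.action
                                           or earlier.quick):
                hits.append((later.text, earlier.text))
                break
    return hits


# Constructed sample: the ruleset quoted in the thread, wrapped lines joined.
SAMPLE_RULES = [
    "scrub in all fragment reassemble",
    "block drop log all",
    "pass quick on lo0 all",
    "pass quick on ep0 all",
    "pass out on lnc0 inet proto tcp from (lnc0) to any keep state",
    "pass out on lnc0 inet proto udp from (lnc0) to any keep state",
    "pass out on lnc0 inet proto icmp from (lnc0) to any keep state",
    "pass in on lnc0 inet proto tcp from any to (lnc0) port = domain",
    "pass in on lnc0 inet proto udp from any to (lnc0) port = domain",
    "pass out on lnc0 inet proto tcp from (lnc0) port = domain to any",
    "pass out on lnc0 inet proto udp from (lnc0) port = domain to any",
    "pass out on lnc0 inet proto udp from (lnc0) to any port = domain keep state",
    "pass out on lnc0 inet proto udp from (lnc0) to any port = ntp keep state",
    "pass in on lnc0 inet proto tcp from any to (lnc0) port = ssh flags S/SA keep state",
    "pass in on lnc0 inet proto tcp from any to (lnc0) port = http flags S/SA keep state",
    "pass in on lnc0 inet proto tcp from any to (lnc0) port = auth flags S/SA keep state",
    "pass in on lnc0 inet proto tcp from any port = ftp-data to (lnc0) user = 62 flags S/SA keep state",
    "pass in on lnc0 proto tcp from any to any port = 31337 keep state",
    "pass in on lnc0 proto tcp from any to any port 53333:55555",
]

if __name__ == "__main__":
    for redundant, covering in find_redundant(SAMPLE_RULES):
        print(f"redundant: {redundant}\n  covered by: {covering}")
```

Run it on the output of "pfctl -sr" (one rule per line) to get the same list Giorgos produced by hand, plus the ntp rule.  A hit where the earlier rule lacks "keep state" but the later one has it changes state tracking rather than which packets pass, so check the options before removing anything.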
