Hi,

I'm currently trying to configure a small home network:
ADSL ----> Server / Firewall ----> Desktop

Now I'm working on building a proper firewall for my server. So far the
situation is as follows:

- Server's internet connection works
- Desktop receives IP, nameserver and default route from the server's
DHCP service.
- Desktop can connect to the server by SSH but can't connect to anything beyond
that.

Server's fxp0 gets dynamic IP from ISP and fxp1 uses static IP.

What I need:
- Server running the most common services available to the public, plus some
services available only to the LAN.
- Desktop will only run games as a client and will use the server's private
services.

Here's my current pf.conf:

### MACROS ###
ext_if="fxp0"
lan_if="fxp1"
server_ip="xxx.xxx.xxx.xxx"
# Ports open on server to LAN
pri_ports="{ 20,21,22,25,80,110,113,123,443,2049,3306,6660,6669,6900:6999,8080}"
# Ports open on server to internet
pub_ports="{ 20,21,22,25,80,110,113,123,443,6900:6999,8080}"
game_ports="27000:27040"

lan_ip="xxx.xxx.xxx.xxx"

p180_ip="xxx.xxx.xxx.xxx"


### TABLES ###
table <spamd-white> persist
table <intruders> persist
table <badhosts> const {10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16} # RFC 1918 ranges

### OPTIONS ###
set skip on lo
set block-policy return

set optimization normal

set loginterface fxp0
set limit { states 50000, frags 100000 } # Are these good limits? I have 4GB RAM


### TRAFFIC NORMALIZATION ###
scrub in all fragment reassemble

### BANDWIDTH MANAGEMENT ###


### TRANSLATION ###
nat-anchor "ftp-proxy/*"
nat on $ext_if from !($ext_if) to any -> ($ext_if)


### REDIRECTION ###
rdr-anchor "ftp-proxy/*"
rdr pass on $lan_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr pass on $ext_if proto tcp from any to any port smtp -> 127.0.0.1 port 8025
no rdr on $ext_if proto tcp from <spamd-white> to any port smtp
rdr on $ext_if inet proto {tcp,udp} from any to ($ext_if) port $game_ports -> $p180_ip
rdr on $lan_if inet proto {tcp,udp} from $lan_ip to any -> ($ext_if)

### ANCHORS ###
anchor "ftp-proxy/*"

### PACKET FILTERING ###
# Block rules
block in all    # Default to block all incoming and outgoing traffic
block out all

# Antispoof
antispoof quick log for { lo $lan_if }

# Incoming traffic
pass in on $ext_if proto {tcp,udp} from port $game_ports to $p180_ip
#pass quick on $lan_if no state

pass in on $ext_if proto {tcp,udp} to ($ext_if) port $pub_ports
pass in log on $lan_if proto {tcp,udp} from ($lan_if) port $pri_ports to $server_ip
pass in on $lan_if proto {tcp,udp} from any to any keep state

# Outgoing traffic
pass out log on $ext_if proto {tcp,udp} from ($ext_if) to port $pub_ports
pass out on $ext_if proto {tcp,udp,icmp} from $lan_ip to any

How do I change the pf.conf to allow desktop traffic to access the internet?
I have tried some solutions like removing the default block rules, but it
still didn't work and I'm starting to run out of ideas.

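The minimal rule set for the ADSL -> server/firewall -> desktop topology described in the post, as an added example that is not the poster's config; it keeps the pre-OpenBSD-4.7 nat/rdr syntax used above. Two points differ from the posted config: translation runs before outbound filtering, so the pass out rule on $ext_if has to match the translated source ($ext_if) rather than $lan_ip, and the "rdr on $lan_if ... to any -> ($ext_if)" line is left out because it rewrites the destination of every TCP/UDP packet from the LAN to the server itself. Assumed placeholders: lan_net (the desktop's subnet on fxp1) and a trimmed pub_ports list.

```pf
# Added example, not the poster's pf.conf. Assumed values: lan_net, pub_ports.
ext_if="fxp0"
lan_if="fxp1"
lan_net="192.168.1.0/24"        # assumption: desktop's subnet on fxp1
pub_ports="{ 22, 25, 80, 443 }" # trimmed for the example

set skip on lo
set block-policy return

scrub in all fragment reassemble

### TRANSLATION ###
# nat is applied before the outbound filter rules, so packets leaving $ext_if
# are seen by "pass out" with the external address as their source.
nat on $ext_if from $lan_net to any -> ($ext_if)
# No "rdr on $lan_if ... to any -> ($ext_if)": that would redirect every LAN
# packet's destination to this host, so nothing could reach the internet.

### PACKET FILTERING ###
block in all
block out all
antispoof quick log for $lan_if

# Inbound: public services on the external interface, anything from the LAN
pass in on $ext_if proto tcp from any to ($ext_if) port $pub_ports keep state
pass in on $lan_if from $lan_net to any keep state

# Outbound on the external interface: the server's own traffic and the
# NATed LAN traffic both carry ($ext_if) as source, so one rule covers both
pass out on $ext_if proto { tcp, udp, icmp } from ($ext_if) to any keep state

# Outbound on the LAN interface: replies and server-originated traffic to the LAN
pass out on $lan_if from any to $lan_net keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and watch blocked packets with `tcpdump -n -e -ttt -i pflog0` while testing from the desktop.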