Shane Lazarus wrote:
Heya

Seems to me that you should probably allow traffic out to the $proxy via the $dmz_if at some point... For that matter, allow from the $proxy back in through the $dmz_if and out...

Something like:

# tables
table <msn_rdr> persist const file "/etc/pf.conf.d/msn-rdr"
table <msn_allow> persist const file "/etc/pf.conf.d/msn-allow"

# msn proxy
rdr on { $lan1_if, $lan2_if } proto tcp from <msn_rdr> to any port { 1863 25000:30000 } -> $proxy
# msn filter
block all

pass in on { $lan1_if $lan2_if } inet proto tcp from <msn_rdr> to $proxy port { 1863 25000:30000 }
pass out on { $dmz_if } inet proto tcp from <msn_rdr> to $proxy port { 1863 25000:30000 }

pass in on { $lan1_if $lan2_if $dmz_if } inet proto tcp from <msn_allow> to any port { 1863 25000:30000 }
pass out on { $inet_if } inet proto tcp from <msn_allow> to any port { 1863 25000:30000 }


Note that hyphens are not recommended for user-defined names inside pf.conf (macros, table names, et al.);
see man pf.conf for the allowed characters.
So your table names <msn-allow> and <msn-rdr> have been altered above to conform to those recommendations.

Also you have not mentioned any NAT rules here so these rules would only work with Public IP Addresses throughout.

Lastly, try to group the rules together to get a better idea of packet flow when building rules like these. It was obvious to me from the first that you were missing rules, which you would likely have been able to see yourself if you had grouped the rules by expected packet flow.

For example:
Internal Network Redirects --> Proxy Server
Proxy Server --> Internet

Internal Network Direct --> Internet


Shane

Hi Shane and others. Thanks for the tips. With them, I finally managed to get it working. I did not paste all of my firewall script; that's why it didn't have any NAT rule.

I only made a small change to your suggestion to get it working.
First, I switched the 'block all' to 'block in on ! $inet_iface inet proto tcp from any to any port 1863', since I allow all traffic between internal interfaces and all traffic going out through inet_iface by default. I also changed the second pass rule, from 'pass out on { $dmz_if } inet proto tcp from <msn_rdr> to $proxy port { 1863 25000:30000 }' to 'pass out on { $dmz_iface } inet proto tcp from $proxy to <msn-rdr> port { 1863 25000:30000 }' (inverted the 'from' and 'to' statements).

I'll follow your tips regarding the hyphens. Thanks for your help.
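The same ruleset laid out by packet flow as Shane suggests, as an added example that is not code from either poster: it folds in the NAT rule the original poster left out of the excerpt and keeps underscore table names. The interface and network macros, the proxy address and the pre-4.7 nat/rdr syntax used in the thread are assumptions.

```pf
# macros (assumed names and constructed addresses)
inet_if   = "em0"
lan1_if   = "em1"
lan2_if   = "em2"
dmz_if    = "em3"
lan1_net  = "10.1.0.0/24"
lan2_net  = "10.2.0.0/24"
dmz_net   = "192.0.2.0/24"
proxy     = "192.0.2.10"
msn_ports = "{ 1863, 25000:30000 }"

# tables (underscores, not hyphens, in the names)
table <msn_rdr>   persist const file "/etc/pf.conf.d/msn-rdr"
table <msn_allow> persist const file "/etc/pf.conf.d/msn-allow"

# translation: evaluated before filtering, so the filter rules below
# see the translated addresses, not the originals
nat on $inet_if from { $lan1_net, $lan2_net, $dmz_net } to any -> ($inet_if)
rdr on { $lan1_if, $lan2_if } proto tcp from <msn_rdr> to any port $msn_ports -> $proxy

block all

# flow 1: internal network --(rdr)--> proxy server
# after rdr the destination is already $proxy, so match on it here
pass in  on { $lan1_if, $lan2_if } inet proto tcp from <msn_rdr> to $proxy port $msn_ports keep state
pass out on $dmz_if inet proto tcp from <msn_rdr> to $proxy port $msn_ports keep state

# flow 2: proxy server --> internet
pass in  on $dmz_if inet proto tcp from $proxy to any port $msn_ports keep state

# flow 3: internal network direct --> internet (hosts in <msn_allow> only)
pass in  on { $lan1_if, $lan2_if } inet proto tcp from <msn_allow> to any port $msn_ports keep state

# flows 2 and 3 leave on $inet_if; after nat their source is ($inet_if),
# so a rule matching "from $proxy" or "from <msn_allow>" would never hit.
# the restriction is enforced by the pass in rules above; this only lets
# the already-translated traffic out (keep state is implied on newer releases)
pass out on $inet_if inet proto tcp from ($inet_if) to any port $msn_ports keep state
```

Load with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f /etc/pf.conf.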
