..
# ISAKMPd
pass out on $wi_if proto esp keep state
pass in log on $wi_if inet proto udp from $wi_net \
to $wi_if port 500 keep state
pass out log on $wi_if inet proto udp from $wi_if \
to $wi_net port 500 keep state
# FTP - Proxy
pass in log on $ext_if inet proto tcp from any to $ext_if user proxy \
keep state queue(q_def, q_pri)
pass out log on $ext_if inet proto tcp from $ext_if to any user proxy \
keep state queue(q_def, q_pri)
pass out log on enc0 inet proto tcp from $wi_if to $wi_net user proxy \
keep state
pass out log on $int_if inet proto tcp from $int_if to $int_net user proxy \
keep state
..
-RZR
Jason Opperisano wrote:
the "teach a man to fish" response here is: change your 'block all' line to 'block log all' and then 'tcpdump -n -e -ttt -i pflog0' and see what's getting blocked.
the "give a man a fish" response would involve something along the lines of (possibly amongst other things):
pass in on $sec_if from $wi_net tag WI_INET keep state
as an unrelated tip, you could also exploit the super-handy '$if:network' syntax to avoid creating macros for your networks...
HTH...
-j
On Fri, 2004-07-02 at 22:15, RZR wrote:
Following the directions from http://openbsd.sfobug.org/faq/pf/tagging.html, plus a little tweaking to include access for ipsec laptops on $wi_if (isakmpd on firewall), I came up with this.
However, ALL access becomes blocked; namely
-access from the firewall out
-access to the firewall from the ipsec laptops
-access to DMZ boxes from the ipsec laptops.
I know I'm missing something (hopefully small).
Any help would be much appreciated. -RZR
pf.conf -> # macros int_if = "fxp0" wi_if = "fxp1" dmz_if = "sk0" sec_if = "enc0" ext_if = "tun0" int_net = "192.168.1.0/24" wi_net = "192.168.2.0/24" dmz_net = "172.16.1.0/24" www_server = "172.16.1.2" mail_server = "172.16.1.3"
table <spamd> persist file "/etc/spammers" set loginterface $ext_if
### AltQueue altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def } queue q_pri priority 7 queue q_def priority 1 priq(default)
################################################################## # classification -- classify packets based on the defined firewall # policy. #rdr on $ext_if proto tcp from <spamd> to port smtp \ # tag SPAMD -> 127.0.0.1 port 8025 rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 rdr on $sec_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 #rdr on $DMZ_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021 rdr on $ext_if proto tcp from any to $ext_if port 22 \ -> $mail_server port 22 rdr on $ext_if proto tcp from any to $ext_if port 25 \ -> $mail_server port 25 rdr on $ext_if proto tcp from any to $ext_if port 80 \ -> $www_server port 80 rdr on $ext_if proto tcp from any to $ext_if port 443 \ -> $www_server port 443 nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
block all pass in on $int_if from $int_net tag LAN_INET keep state pass in on $wi_if from $wi_net tag WI_INET keep state pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state pass in on $wi_if from $wi_net to $dmz_net tag WI_DMZ keep state pass in on $ext_if proto tcp to $www_server port {www, https} \ tag INET_DMZ keep state pass in on $ext_if proto tcp to $mail_server port {ssh, smtp} \ tag INET_DMZ keep state
########################################################################
# policy enforcement -- pass/block based on the defined firewall policy.
pass in quick on $ext_if tagged SPAMD keep state
pass out quick on $ext_if tagged LAN_INET keep state queue(q_def, q_pri)
pass out quick on $ext_if tagged WI_INET keep state queue(q_def, q_pri)
pass out quick on $dmz_if tagged LAN_DMZ keep state
pass out quick on $dmz_if tagged WI_DMZ keep state
pass out quick on $dmz_if tagged INET_DMZ synproxy state queue(q_def, q_pri) label "$dstaddr:$dstport" queue(q_def, q_pri)
############################################################################
