I am in the process of seeting up a firewall for our datacenter. The issue I am having is that I have setup the interfaces both internal and external. So they are:
ext_if= 192.0.0.36 255.255.255.224 dmz_if= 10.1.12.1 255.255.255.0 The external gateway is 192.0.0.33 The issue I am having is I can ping internal and externals from the firewall. But can not get out from my internal servers. I'm sure it is something pretty simple I am over looking. Also with the below rules when I have pf running and try to ssh to internal boxes from the firewall I get: ssh: connect to host 10.1.12.10 port 22: No route to host Thanks for any insight! -J (My pf.conf) # Here is my macros: # Network 10.1.12.0/24 is my dmz, 10.1.10.0/24 and 10.1.11.0/24 # are my internal networks. dmz = "10.1.12.0/24" internal_net1 = "10.1.10.0/24" internal_net2 = "10.1.11.0/24" internal_nets = "{" $internal_net1, $internal_net2 "}" dnsServer = "10.1.12.1" # fw does dns cache web_servers = "{ 10.1.12.10, 10.1.12.11, 10.1.12.12 }" web_servers_ext = "{ 192.0.0.40 }" dmz_servers = "{" $web_servers, $dnsServer "}" mail_server = "{ 10.1.12.100 }" mail_server_ext = "{ 192.0.0.38 }" controller = "{ 10.1.12.60 }" controller_ext = "{ 192.0.0.45 }" adminbox = "{ 10.1.12.50 }" adminbox_ext = "{ 192.0.0.44 }" ext_if = "vr0" dmz_if = "re0" table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } table <blocklist> persist file "/etc/blacklist" file "/etc/spammers" scrub in all nat on $ext_if from any to any -> ($ext_if) binat on $ext_if from $dnsServer to any -> $dnsExternalIp # nat external traffic binat on $ext_if from $web_servers to any -> $web_serv_ext block log all antispoof log quick for $ext_if inet # block and log incoming packets from reserved address space and # invalid addresses, they are either spoofed or misconfigured. block in log quick on $ext_if from <rfc1918> to any # Block and don't log stuff we don't want to log block in quick on $ext_if proto { tcp, udp } from any to any \ port { 137:139, 1433:1434 } block in log quick proto tcp from { <blocklist>, <spammers> } to any # ------------------------------------ # General Policy # ------------------------------------ pass on lo0 all keep state pass out on $ext_if proto { tcp, udp } from $internal_nets to any keep state pass proto icmp all icmp-type echoreq keep state # Allow ping everywhere pass in proto { tcp, udp } from any to $dnsServer port domain keep state pass in proto tcp from any to $dnsServer port smtp keep state flags S/SA pass in proto tcp from any to { $int1_if, $int2_if, $dmz_servers, } port ssh keep state pass in proto tcp from any to { $controller_ext $adminbox_ext } port 445 keep state # Load-balance across web nodes rdr on $ext_if proto tcp from any to $web_servers_ext port 80 -> $web_servers \ round-robin sticky-address # # Allow VPN traffic # pass in proto esp from any to $ext_if pass in proto udp from any to $ext_if port = 500 keep state pass in on enc0 all