There are no rules on this box (except the default allow LAN > ANY)

$ cat /tmp/rules.debug
# System Aliases
loopback = "{ lo0 }"
lan = "{ le0 }"
wan = "{ le1 }"
enc0 = "{ enc0 }"
# User Aliases
NetBIOS = "{ 137 138 139 445 }"
OpenDNS = "{ 208.67.222.222 208.67.220.220 }"
set loginterface le1
set loginterface le0
set optimization aggressive
scrub all random-id fragment reassemble
nat-anchor "pftpx/*"
nat-anchor "natearly/*"
nat-anchor "natrules/*"
# FTP proxy
rdr-anchor "pftpx/*"
# Outbound NAT rules
nat on $wan from 192.168.2.0/24 port 500 to any port 500 -> (le1) port 500
nat on $wan from 192.168.2.0/24 port 5060 to any port 5060 -> (le1) port 5060
nat on $wan from 192.168.2.0/24 to any -> (le1)
nat on $wan from 10.2.2.0/24 port 500 to any port 500 -> (le1) port 500
nat on $wan from 10.2.2.0/24 port 5060 to any port 5060 -> (le1) port 5060
nat on $wan from 10.2.2.0/24 to any -> (le1)
nat on $wan from 192.168.10.0/26 port 500 to any port 500 -> (le1) port 500
nat on $wan from 192.168.10.0/26 port 5060 to any port 5060 -> (le1) port 5060
nat on $wan from 192.168.10.0/26 to any -> (le1)
nat on $wan from 192.168.1.0/24 port 500 to any port 500 -> (le1) port 500
nat on $wan from 192.168.1.0/24 port 5060 to any port 5060 -> (le1) port 5060
nat on $wan from 192.168.1.0/24 to any -> (le1)
#SSH Lockout Table
table persist
# Load balancing anchor - slbd updates
rdr-anchor "slb"
# FTP Proxy/helper
table { }
# IMSpector rdr anchor
rdr-anchor "imspector"
# UPnPd rdr anchor
rdr-anchor "miniupnpd"
anchor "ftpsesame/*"
anchor "firewallrules"
# We use the mighty pf, we cannot be fooled.
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0
# snort2c
table persist
block quick from to any label "Block snort2c hosts"
block quick from any to label "Block snort2c hosts"
# loopback
anchor "loopback"
pass in quick on $loopback all label "pass loopback"
pass out quick on $loopback all label "pass loopback"
# package manager early specific hook
anchor "packageearly"
# carp
anchor "carp"
# permit wan interface to ping out (ping_hosts.sh)
pass quick proto icmp from x.x.x.132 to any keep state
# NAT Reflection rules
# allow access to DHCP server on LAN
anchor "dhcpserverlan"
pass in quick on $lan proto udp from any port = 68 to 255.255.255.255 port = 67 label "allow access to DHCP server on LAN"
pass in quick on $lan proto udp from any port = 68 to 192.168.2.2 port = 67 label "allow access to DHCP server on LAN"
pass out quick on $lan proto udp from 192.168.2.2 port = 67 to any port = 68 label "allow access to DHCP server on LAN"
block in log quick on $wan proto udp from any port = 67 to 192.168.2.0/24 port = 68 label "block dhcp client out wan"
# LAN/OPT spoof check (needs to be after DHCP because of broadcast addresses)
antispoof for le0
anchor "spoofing"
# block anything from private networks on WAN interface
anchor "spoofing"
antispoof for $wan
block in log quick on $wan from 10.0.0.0/8 to any label "block private networks from wan block 10/8"
block in log quick on $wan from 127.0.0.0/8 to any label "block private networks from wan block 127/8"
block in log quick on $wan from 172.16.0.0/12 to any label "block private networks from wan block 172.16/12"
block in log quick on $wan from 192.168.0.0/16 to any label "block private networks from wan block 192.168/16"
# Support for allow limiting of TCP connections by establishment rate
anchor "limitingesr"
table
block in quick from to any label "virusprot overload table"
# block bogon networks
# http://www.cymru.com/Documents/bogon-bn-nonagg.txt
anchor "wanbogons"
table persist file "/etc/bogons"
block in log quick on $wan from to any label "block bogon networks from wan"
# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
# tcp.closed 5 is a workaround for load balancing, squid and a few other issues.
# ticket (FEN-857512) in centipede tracker.
pass out quick on le1 all keep state ( tcp.closed 5 ) label "let out anything from firewall host itself"
# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on le1 all keep state label "let out anything from firewall host itself"
pass out quick on le0 all keep state label "let out anything from firewall host itself"
pass out quick on $enc0 keep state label "IPSEC internal host to host"
# make sure the user cannot lock himself out of the webGUI or SSH
anchor "anti-lockout"
pass in quick on le0 from any to 192.168.22.2 keep state label "anti-lockout web rule"
# SSH lockout
block in log quick proto tcp from to any port 22 label "sshlockout"
anchor "ftpproxy"
anchor "pftpx/*"
# User-defined aliases follow
# User-defined rules follow
pass in quick on $lan from 192.168.2.0/24 to any keep state label "USER_RULE: Default LAN -> any"
# VPN Rules
pass in quick on le0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on le0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on le1 inet proto tcp from port 20 to (le1) port > 49000 flags S/SA keep state label "FTP PROXY: PASV mode data connection"
# enable ftp-proxy
# IMSpector
anchor "imspector"
# uPnPd
anchor "miniupnpd"
#---------------------------------------------------------------------------
# default deny rules
#---------------------------------------------------------------------------
block in log quick all label "Default deny rule"
block out log quick all label "Default deny rule"

--
David L. Strout
Engineering Systems Plus, LLC

----- Original Message -----
SUBJECT: Re: [pfSense Support] Reflective routing broken in newest 1.2.1-RC2 SNAP
FROM: [EMAIL PROTECTED]
TO: [EMAIL PROTECTED]
DATE: 11-27-2008 11:22 am

On Thu, Nov 27, 2008 at 10:55 AM, DLStrout wrote:
> I just updated our 1.2.1-RC2 to the newest SNAP:
>
> 1.2.1-RC2
> built on Thu Nov 27 13:35:44 EST 2008
>
> I had been having issues w/ reflective routing in
> past 1.2.1 SNAPs but it got resolved back a couple
> weeks ago with a new SNAP.
>
> After this morning update I see that it is broken
> again. I perform the same battery of testing on
> all 1.2.1-RC?

It's not the same cause then; the rules are generated correctly in RC2. Post your entire ruleset.

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Commercial support available - https://portal.pfsense.org