K9DI_BSD
April 15th, 2005, 05:46
Hi Gang,
Wayne K9DI & LD Riot here*. I'm posting because I've
been banging my head up against the brick wall of setting pf
up to work on my firewall box (fBSD5.4). Each time I've
taken pf "live" on the firewall I've lost internet
connectivity to not only my workstation and my wife's Win2K box,
but to the firewall itself. I've been working with a friend,
Diane VA3DB, trying to get pf working, but so far no dice. I
have looked through the pf guide from oBSD, but as is usually
the case when I try to read anything in a man page format I
glean very little that is useful. Is it absolutely
imperative to have AltQ compiled into the kernel to have pf
work properly? In the interest of brevity I'll refrain from
posting /etc/pf.conf right now, but I will post it if asked
for it, or any other file that might have a bearing on this.
AW CRAP, it's damn near 0500, need sleep
L8R all
Wayne K9DI
k9bsd (at) k9di (dot) org
bsdjunkie
April 15th, 2005, 09:23
Is it absolutely imperative to have AltQ compiled into the kernel to have pf work properly?
Nope.
You may want to post your current pf.conf and an example of how your network is set up. It will be easier to pick out any mistakes that may be there.
K9DI_BSD
April 15th, 2005, 13:52
I probably should mention that I'm running fBSD 5.4 on the firewall box...
ok, here's the pf.conf file I'm using.
# $FreeBSD: src/etc/pf.conf,v 1.1.2.1 2004/09/17 18:27:14 mlaier Exp $
# $OpenBSD: pf.conf,v 1.21 2003/09/02 20:38:44 david Exp $
#
# See pf.conf(5) and /usr/share/examples/pf for syntax and examples.
# Required order: options, normalization, queueing, translation, filtering.
# Macros and tables may be defined and used anywhere.
# Note that translation rules are first match while filter rules are last match.
# Macros: define common values, so they can be referenced and changed easily.
ext_if="xl0" # replace with actual external interface name i.e., dc0
int_if="rl0" # replace with actual internal interface name i.e., dc1
internal_net="192.168.0.0/24"
external_addr="207.246.185.168/24"
# Tables: similar to macros, but more flexible for many addresses.
#table <foo> { 10.0.0.0/8, !10.1.0.0/16, 192.168.0.0/24, 192.168.1.18 }
# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
#scrub in all
# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
nat on $ext_if from $internal_net to any -> ($ext_if)
# rdr: packets coming in on $ext_if with destination $external_addr:1234 will
# be redirected to 10.1.1.1:5678. A state is created for such packets, and
# outgoing packets will be translated as coming from the external address.
#rdr on $ext_if proto tcp from any to $external_addr/32 port 1234 -> 10.1.1.1 port 5678
# rdr outgoing FTP requests to the ftp-proxy
#rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
# spamd-setup puts addresses to be redirected into table <spamd>.
#table <spamd> persist
#no rdr on { lo0, lo1 } from any to any
#rdr inet proto tcp from <spamd> to any port smtp -> 127.0.0.1 port 8025
# Filtering: the implicit first two rules are
# (left uncommented here, so with every rule below still commented out this
# ruleset passes all traffic in both directions and filters nothing)
pass in all
pass out all
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
#block in log all
#pass in on $ext_if proto tcp from any to $ext_if port 22 keep state
#pass out on $ext_if proto { tcp, udp } all keep state
# pass incoming packets destined to the addresses given in table <foo>.
#pass in on $ext_if proto { tcp, udp } from any to <foo> port 80 keep state
# pass incoming ports for ftp-proxy
#pass in on $ext_if inet proto tcp from any to $ext_if user proxy keep state
# assign packets to a queue.
#pass out on $ext_if from 192.168.0.0/24 to any keep state queue developers
#pass out on $ext_if from 192.168.1.0/24 to any keep state queue marketing
ok, there it is
K9DI
K9DI_BSD
April 16th, 2005, 03:10
Hi folks, never mind about the pf.conf file, it works. I just had to compile pf and AltQ into the kernel. Muchas Gracias to Strog on #screamingelectron and to Dianora in the #help channel on irc.dishnuts.net. With their help I recompiled the kernel with pf and AltQ in it and went through the make buildworld, make installworld, mergemaster, config <KERNEL>, make depends, make, make install and reboot cycle...and when I rebooted pf was working...YES!!!! Next Step...LOCKDOWN!!
This site and the members who are also in the irc channel just plain ROCK!!
Vy 73
de
Wayne K9DI
k9bsd (at) k9di (dot) org
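For the "lockdown" step, here is an added example of what a default-deny version of the posted file can look like. It is not Wayne's working file and not FreeBSD's template; it keeps the same interface names (xl0 outside, rl0 inside), the same internal network and the same nat line, and assumes the firewall is administered from a host on the LAN. Queueing is left out entirely, so it needs no ALTQ (as bsdjunkie noted, ALTQ is only needed for queueing).

```pf
# Macros: same interfaces and internal network as the posted file.
ext_if="xl0"
int_if="rl0"
internal_net="192.168.0.0/24"

# Options: drop silently (no RSTs or unreachables), keep counters on the outside.
set block-policy drop
set loginterface $ext_if

# Normalization: reassemble fragments before the filter sees them.
scrub in all

# Translation: unchanged from the posted file (LAN is masqueraded behind xl0).
nat on $ext_if from $internal_net to any -> ($ext_if)

# Filtering: default deny in both directions, logging what is dropped.
# Filter rules are last-match, so the pass rules below win for what they cover.
block in log all
block out log all

# Loopback is never filtered.
pass quick on lo0 all

# Drop packets arriving on the outside that claim a source address inside rl0's net.
antispoof quick for $int_if inet

# LAN hosts may initiate connections (to the firewall itself, e.g. ssh, or out to
# the Internet). Keeping state lets the replies return without any 'pass in' on xl0.
pass in on $int_if inet proto tcp from $internal_net to any flags S/SA keep state
pass in on $int_if inet proto { udp, icmp } from $internal_net to any keep state
pass out on $int_if all keep state

# Outbound on the external side (already NATed), stateful.
pass out on $ext_if inet proto { tcp, udp, icmp } all keep state

# Nothing is passed in on $ext_if, so no service, ssh included, is reachable from
# the Internet. The template's alternative, which does expose ssh on xl0, would be:
# pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and load it for the first time from the console rather than over ssh: with default deny the ssh session survives only because the rl0 rules above pass it, and a typo in one of them is exactly the lockout described in the first post.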