problem with dns on all and squid on some.
Edwin L. Culp
eculp at encontacto.net
Thu May 26 14:13:25 PDT 2005
I am trying to learn to use pf. I basically took this from a home
office example and made some modifications. That is probably the
problem ;)
I have installed this on three different servers and the only change
from one to another are the int_if and ext_if values. The three servers
are primary and secondary DNS servers for each other and when all are running
this configuration there is no DNS resolution. The first problem.
The second problem is that the redirect for squid initially worked for
all three servers but now only works for one. The other two give an
error in the squid.log with:
1117043675.879 5 192.168.1.2 TCP_DENIED/400 1807 GET error:pf-open-failed - NONE/- text/html [] [HTTP/1.0 400 Bad Request\r\nServer: squid/2.5.STABLE10\r\nMime-Version: 1.0\r\nDate: Wed, 25 May 2005 17:54:35 GMT\r\nContent-Type: text/html\r\nContent-Length: 1509\r\nExpires: Wed, 25 May 2005 17:54:35 GMT\r\nX-Squid-Error: ERR_INVALID_REQ 0\r\n\r]
The squid configurations are more or less identical also.
The following is my pf.conf file.
# macros
int_if = "rl1"
ext_if = "rl0"
tcp_services = "{ 22, 25, 53, 80, 110, 113, 123, 143, 389 }"
icmp_types = "echoreq"
priv_nets = "{ 0.0.0.0/8, 20.20.20.0/24, 169.254.0.0/16, 127.0.0.0/8, \
192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
224.0.0.0/3 }"
# options
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
# nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if inet proto tcp from any to any port www -> 127.0.0.1 port 3128
# rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
# filter rules
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
Thanks in advance for any and all suggestions. Hopefully, I'll learn
something ;) and have a better firewall for it.
Thanks,
ed
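Added example, not part of the post: a pf.conf fragment showing the inbound rules a host needs when it is itself a name server for its peers. The posted ruleset passes inbound TCP to $tcp_services on $ext_if but has no inbound UDP rule there, and ordinary DNS queries travel over UDP port 53; the ext_if macro is taken from the post, while dns_peers and its addresses are constructed placeholders.

```pf
# Macros: ext_if as in the post; dns_peers is a constructed placeholder
# (TEST-NET-1 addresses), replace with the real secondary servers.
ext_if = "rl0"
dns_peers = "{ 192.0.2.10, 192.0.2.11 }"

# Before (as posted): only TCP reaches the name server. Queries and
# replies between the servers are UDP, so the peers' lookups never arrive.
# pass in on $ext_if inet proto tcp from any to ($ext_if) port 53 flags S/SA keep state

# After: pass UDP 53 for ordinary queries and keep TCP 53 for truncated
# answers and zone transfers (restrict AXFR in the name server's own
# configuration, not here).
pass in on $ext_if inet proto udp from any to ($ext_if) port 53 keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port 53 flags S/SA keep state

# Lookups this host sends out itself already work with the posted
# "pass out on $ext_if proto { udp, icmp } all keep state": the state
# entry lets the UDP reply back in without a separate pass in rule.

# Check before loading: the posted priv_nets list includes 20.20.20.0/24,
# which is not an RFC 1918 or bogon range. A "block drop in quick on
# $ext_if from $priv_nets" rule is final, so a peer whose address falls
# inside any listed network is dropped before the pass rules above run.
```

Load with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f /etc/pf.conf.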