Unable to attach to public IP from private net... and a couple of questions.

Forrest Aldrich forrie at forrie.com
Tue Nov 29 22:32:35 GMT 2005


I am unable to route to my public IP address from my private RFC 
network, which is puzzling me. I can get to 192.168.1.2:80 just fine 
(which I have internal DNS pointing my domain to anyhow).

From what I understand, the connection should simply redirect 
internally.  What am I doing wrong? (rules below).

Another item that puzzles me is:

    pass quick on $int_if inet all keep state
    # pass in quick on $int_if inet from $prv_net to any flags S/SA keep state
    # pass in quick on $int_if inet from $prv_net to any keep state


If I do any of the commented-out items, I cannot ssh or do anything from 
the gateway to the internal network.

I also found, using ($ext_if) does not seem to work correctly.  
According to the PF BOOK, you should be able to use:

    block in quick on $ext_if proto { tcp, udp } from <spammers> to ($ext_if) port 25

where the use of parentheses ($ext_if) should automatically obtain the IP address of the interface and place it into the rules accordingly - when I debug, it shows only "fxp0" and indeed the rules don't match.

I seem to have most of this working okay - it's been rough (converting from ipfw2).  Any constructive critique/advice on the rules below would be greatly appreciated (before I lose my mind adding CBC queue for VoIP <grin>).


Thank you.



ext_if = "fxp0"
int_if = "em0"
icmp_types = "echoreq"
server = "192.168.1.2/32"
ext_ad = "24.62.224.XXX/32"
prv_net = "192.168.1.0/24"

rfc_nets = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, \
	240.0.0.0/5, 127.0.0.0/8, 0.0.0.0 }"

tcp_services = "imap imaps www smtp smtps http https"


set require-order yes
set limit { frags 30000, states 25000 }
set block-policy drop
set optimization normal


set timeout tcp.first 20
set timeout { udp.first 300, udp.single 150, udp.multiple 900 }


table <spammers> persist file "/etc/pf.d/spammers"

table <abuse> persist file "/etc/pf.d/abuse"

table <geoip-apnic> persist { \
	58.0.0.0/8, \
	61.0.0.0/8, \
	124.0.0.0/8, \
	126.0.0.0/8, \
	168.208.0.0/16, \
	196.192.0.0/16, \
	202.0.0.0/8, \
	210.0.0.0/8, \
	218.0.0.0/8, \
	220.0.0.0/8, \
	222.0.0.0/8 \
}

table <geoip-ripe> persist { \
	80.0.0.0/8, \
	81.0.0.0/8, \
	82.0.0.0/8, \
	83.0.0.0/8, \
	84.0.0.0/8, \
	85.0.0.0/8, \
	86.0.0.0/8, \
	87.0.0.0/8, \
	88.0.0.0/8, \
	89.0.0.0/8, \
	90.0.0.0/8, \
	91.0.0.0/8, \
	193.0.0.0/8, \
	194.0.0.0/8, \
	195.0.0.0/8, \
	212.0.0.0/8, \
	213.0.0.0/8, \
	217.0.0.0/8 \
}

table <geoip-afrinic> persist { \
	41.0.0.0/8 \
}

table <geoip-lacnic> persist { \
	189.0.0.0/8, \
	190.0.0.0/8, \
	200.0.0.0/8, \
	201.0.0.0/8 \
}


scrub on $ext_if all reassemble tcp no-df random-id



nat on $ext_if inet from $prv_net to any -> $ext_if

rdr pass on $ext_if inet proto tcp from any to $ext_ad \
	port { $tcp_services } -> $server



antispoof for { lo0, $int_if, $ext_if }

set skip on lo0
block all

block in quick on $ext_if proto { tcp, udp } from { <geoip-apnic>, <geoip-lacnic>, <geoip-afrinic>, <geoip-ripe> } \
	to $ext_ad port 25

block in quick on $ext_if from <abuse> to any

block in quick on $ext_if proto { tcp, udp } from <spammers> to $ext_ad port 25



pass in quick on $int_if inet from $prv_net to any keep state


pass in on $ext_if inet proto tcp from any to any port { $tcp_services } \
	flags S/SA modulate state


pass in on $ext_if inet proto udp all keep state

pass in on $ext_if inet proto icmp all icmp-type 8 code 0 keep state (max 32)


pass out quick on $ext_if inet proto tcp all \
	flags S/SA keep state

pass out quick on $ext_if inet proto udp all keep state

pass out quick on $ext_if inet proto icmp all icmp-type 8 code 0 keep state
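Added example, not part of the original post: a NAT-reflection fragment in the same pre-4.7 pf.conf syntax the post uses, reusing the post's macros ($int_if, $ext_if, $prv_net, $ext_ad, $server, $tcp_services). The rdr in the post is bound to $ext_if, so a LAN client's connection to the public address arrives on $int_if, matches no redirection and terminates on the gateway itself; reflection needs a second rdr on the internal interface plus a source rewrite so the server's replies return through the gateway rather than directly to a client that expects them from $ext_ad. (In a host position `($ext_if)` means "the interface's current address" and pfctl -sr displays it as "(fxp0)" rather than the numeric address.)

```pf
# Macros as given in the post (public address is the post's placeholder).
ext_if       = "fxp0"
int_if       = "em0"
server       = "192.168.1.2/32"
ext_ad       = "24.62.224.XXX/32"
prv_net      = "192.168.1.0/24"
tcp_services = "imap imaps www smtp smtps http https"

# Outbound masquerading and the inbound redirection from the post.
nat on $ext_if inet from $prv_net to any -> $ext_if
rdr on $ext_if inet proto tcp from any to $ext_ad \
	port { $tcp_services } -> $server

# Reflection, step 1: the same redirection for connections that arrive on
# the internal interface addressed to the public IP.
rdr on $int_if inet proto tcp from $prv_net to $ext_ad \
	port { $tcp_services } -> $server

# Reflection, step 2: leave the gateway's own connections to the LAN alone
# (they would otherwise match the nat rule below).
no nat on $int_if proto tcp from $int_if to $prv_net

# Reflection, step 3: rewrite the source of reflected connections to the
# gateway's internal address. $server and the client share a subnet, so
# without this the server would answer the client directly with a source of
# 192.168.1.2, which the client cannot match to its connection to $ext_ad.
nat on $int_if inet proto tcp from $prv_net to $server \
	port { $tcp_services } -> $int_if

# Filter side: with "block all" in effect, reflected traffic (and anything the
# gateway itself originates toward the LAN) must also be allowed OUT on
# $int_if. A "pass in" rule alone covers client-to-gateway packets only, so
# keep a pass for both directions, as the uncommented line in the post does.
block all
pass quick on $int_if inet all keep state
pass in quick on $ext_if inet proto tcp from any to $server \
	port { $tcp_services } flags S/SA modulate state
```

Reflected states can be checked with pfctl -ss: a working reflection shows one state on $int_if for client -> $ext_ad and a translated state toward $server with the gateway's internal address as source.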
