ADSL modem in bridged mode

Martijn Broeders - HUB Labs m.broeders at hublabs.nl
Sat Dec 16 05:54:33 PST 2006


Hello,

I just started to move my ipfilter configs to pf, so I'm really a newbie
to pf.

I have an ADSL2 connection to the internet and my Alcatel SpeedTouch 516
is in 'bridged' mode. This means one of the NICs in my FreeBSD machine
gets an external IP address, like this:

to internet
^
|
|
ADSL2 Modem(Bridged)
| 
V
ip ext from isp
FreeBSD router with pf+NAT
ip 192.168.0.1
^
|
|
V
local network (192.168.0.0/24)

This is my very 'simple' firewall-ruleset:

--- begin firewall-ruleset ---

# macros
ext_if="xl1"
int_if="xl0"

tcp_services="{ 22, 25, 113, 80, 443 }"
icmp_types="echoreq"

webserver1="192.168.0.2"

# options
set block-policy return
set loginterface $ext_if

set skip on lo

# scrub
scrub in

# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $webserver1
rdr on $ext_if proto tcp from any to any port 443 -> $webserver1

# filter rules
block in

pass out keep state

anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

pass in on $ext_if inet proto tcp from any to $webserver1 port 80 \
    flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to $webserver1 port 443 \
    flags S/SA synproxy state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass quick on $int_if

--- end firewall-ruleset ---

When I load this ruleset and try to connect to port 80 or 443 (from the
outside), no connection to the internal webserver is made. When I do a
'pfctl -ss', this is displayed:

self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452   PROXY:DST

Can someone tell me what it means? And why does the redirection to the
internal webserver fail?

(A similar ipfilter ruleset works perfectly on this machine, but I don't
want ipfilter anymore; I want pf for its features like ALTQ, tagging,
etc.)

I hope you can help.

Best regards,
Martijn Broeders
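Added example, not part of the original post: a small Python parser for the pre-4.0 pf `pfctl -ss` layout quoted above, which prints an inbound state as `lan <- gwy <- ext` (real internal endpoint, translated address, remote peer) and ends each line with the TCP states pf tracks; under `synproxy state` those read PROXY:SRC while pf is still completing the handshake with the client and PROXY:DST once that is done and pf is waiting for the real destination to answer the SYN it sent on the client's behalf. The sample text is constructed: its first line is the post's own entry re-joined onto one line, the other two are made-up entries for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the old 'pfctl -ss' layout.  Line 1 is the state from the post
# (pfctl prints the TCP state at the end of the same line; the mail wrapped it).
# Lines 2 and 3 are made-up: an outbound NAT'd connection and an inbound, non-redirected one.
SAMPLE = """\
self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452       PROXY:DST
xl1 tcp 192.168.0.10:51234 -> 217.194.110.35:51234 -> 213.84.86.15:443       ESTABLISHED:ESTABLISHED
xl1 tcp 217.194.110.35:22 <- 213.84.86.15:40000       ESTABLISHED:ESTABLISHED
"""

LINE_RE = re.compile(r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+(?P<hosts>.+?)\s+(?P<state>\S+)$")

@dataclass
class PfState:
    iface: str
    proto: str
    direction: str       # "in" (printed with '<-') or "out" (printed with '->')
    lan: str             # pf's 'lan' side: the real internal endpoint (post-rdr for inbound)
    gwy: Optional[str]   # pf's 'gwy' side: the translated address; None when no nat/rdr
    ext: str             # pf's 'ext' side: the remote peer
    src_state: str       # TCP state tracked for the connection's source ...
    dst_state: str       # ... and for its destination (PROXY:SRC / PROXY:DST under synproxy)

def parse_state_line(line: str) -> PfState:
    """Parse one IPv4 'pfctl -ss' line (IPv6 entries, printed as addr[port], are not handled)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a pfctl -ss state line: {line!r}")
    hosts = m.group("hosts")
    direction, sep = ("in", " <- ") if " <- " in hosts else ("out", " -> ")
    parts = hosts.split(sep)
    if len(parts) == 2:          # no translation applied: lan <-> ext
        lan, gwy, ext = parts[0], None, parts[1]
    elif len(parts) == 3:        # nat or rdr applied: lan <-> gwy <-> ext
        lan, gwy, ext = parts
    else:
        raise ValueError(f"unexpected host layout: {hosts!r}")
    src_state, _, dst_state = m.group("state").partition(":")
    return PfState(m.group("iface"), m.group("proto"), direction, lan, gwy, ext, src_state, dst_state)

def parse_states(text: str) -> List[PfState]:
    return [parse_state_line(ln) for ln in text.splitlines() if ln.strip()]

def synproxy_waiting_on_server(st: PfState) -> bool:
    """True once pf has finished the proxied handshake with the client and is waiting for the
    real destination to answer the SYN pf sent it (the PROXY:DST phase of synproxy state)."""
    return st.proto == "tcp" and (st.src_state, st.dst_state) == ("PROXY", "DST")

def stalled_redirects(text: str) -> List[str]:
    """Internal endpoints of inbound rdr states still waiting on the server's half of the handshake."""
    return [st.lan for st in parse_states(text)
            if st.direction == "in" and st.gwy is not None and synproxy_waiting_on_server(st)]
```

Run against the post's entry, the parser reports that the rdr itself was applied (the state carries the internal webserver as its lan side) and that the connection is parked at the point where pf is waiting for 192.168.0.2:80 to reply.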
