ADSL modem in bridged mode
Martijn Broeders - HUB Labs
m.broeders at hublabs.nl
Sat Dec 16 05:54:33 PST 2006
Hello,
I just started to move my ipfilter configs to pf, so I'm really a newbie
to pf.
I have an ADSL2 connection to the internet and my Alcatel SpeedTouch 516
is in 'bridged' mode. This means one of the NICs in my FreeBSD machine
gets an external IP address. Like this:
                  to internet
                       ^
                       |
                       |
             ADSL2 Modem (Bridged)
                       |
                       V
               ip ext from isp
          FreeBSD router with pf+NAT
               ip 192.168.0.1
                       ^
                       |
                       |
                       V
        local network (192.168.0.0/24)
This is my very 'simple' firewall ruleset:
--- begin firewall-ruleset ---
# macros
ext_if="xl1"
int_if="xl0"
tcp_services="{ 22, 25, 113, 80, 443 }"
icmp_types="echoreq"
webserver1="192.168.0.2"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# scrub
scrub in
# nat/rdr
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to any port 80 -> $webserver1
rdr on $ext_if proto tcp from any to any port 443 -> $webserver1
# filter rules
block in
pass out keep state
anchor "ftp-proxy/*"
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from any to $webserver1 port 80 \
flags S/SA synproxy state
pass in on $ext_if inet proto tcp from any to $webserver1 port 443 \
flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass quick on $int_if
--- end firewall-ruleset ---
When I load this ruleset and try to connect to port 80 or 443 (from the
outside), no connection to the internal webserver is made. When I do a
'pfctl -ss', this is displayed:
self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452       PROXY:DST
Can someone tell me what it means? And why does the redirection to the
internal webserver fail?
(A similar ipfilter ruleset works perfectly on this machine, but I don't
want ipfilter anymore; I want pf for its features like ALTQ, tagging,
etc.)
I hope you can help.
Best regards,
Martijn Broeders
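The state line quoted above is in the `pfctl -ss` format: interface (or `self`), protocol, the endpoints joined by `<-` (inbound) or `->` (outbound), and the per-side state. A three-address inbound state is a translated (rdr) connection: the rdr target comes first, the original destination on the router in the middle, and the real client last. For `synproxy state` rules the state column shows `PROXY:SRC` while pf is completing the three-way handshake with the client, and `PROXY:DST` once pf has taken the client's connection and is sending its own SYN to the server; a state that stays in `PROXY:DST` therefore means the server side of the proxied handshake has not completed. The following parser is an added example, not part of the original post or of pf itself; the sample output is constructed (only the first line is the one quoted above, the other addresses are made up from documentation ranges), and the `pending_synproxy` helper is a name chosen here for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of `pfctl -ss` output. The first line is the one from the
# post; the others are invented in the same format (198.51.100.x / 203.0.113.x
# are documentation addresses).
SAMPLE_STATES = """\
self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 213.84.86.15:35452       PROXY:DST
self tcp 192.168.0.2:443 <- 217.194.110.35:443 <- 198.51.100.7:51000       PROXY:SRC
self tcp 192.168.0.2:80 <- 217.194.110.35:80 <- 203.0.113.9:40001       ESTABLISHED:ESTABLISHED
self tcp 192.168.0.5:52110 -> 217.194.110.35:52110 -> 203.0.113.40:443       ESTABLISHED:ESTABLISHED
self udp 192.168.0.1:53 <- 192.168.0.22:3321       MULTIPLE:SINGLE
"""

# <iface> <proto> <addr:port> (<-|->) <addr:port> [(<-|->) <addr:port>] <state>
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<endpoints>\S+(?:\s+(?:<-|->)\s+\S+)+)\s+"
    r"(?P<state>\S+)\s*$"
)

# Meaning of the synproxy phases as printed by pfctl.
SYNPROXY_PHASES = {
    "PROXY:SRC": "pf is completing the handshake with the client",
    "PROXY:DST": "pf has answered the client and is waiting for the server's SYN/ACK",
}


@dataclass
class PfState:
    iface: str
    proto: str
    direction: str        # "in" for '<-', "out" for '->'
    endpoints: List[str]  # as printed, left to right
    state: str

    @property
    def translated(self) -> bool:
        """Three addresses means nat/rdr rewrote one side of the connection."""
        return len(self.endpoints) == 3

    @property
    def local_host(self) -> str:
        return self.endpoints[0]

    @property
    def remote_peer(self) -> str:
        return self.endpoints[-1]


def parse_state_line(line: str) -> Optional[PfState]:
    """Parse one `pfctl -ss` line; returns None for lines that do not match."""
    m = STATE_RE.match(line.strip())
    if not m:
        return None
    # re.split with a capturing group alternates address, arrow, address, ...
    parts = re.split(r"\s+(<-|->)\s+", m.group("endpoints"))
    endpoints, arrows = parts[0::2], set(parts[1::2])
    if len(arrows) != 1:          # mixed arrows never occur in real output
        return None
    direction = "in" if arrows.pop() == "<-" else "out"
    return PfState(m.group("iface"), m.group("proto"), direction,
                   endpoints, m.group("state"))


def parse_states(text: str) -> List[PfState]:
    return [s for s in (parse_state_line(l) for l in text.splitlines()) if s]


def pending_synproxy(states: List[PfState]) -> List[Dict[str, object]]:
    """Inbound TCP states stuck in PROXY:DST: the client's handshake is done,
    but the (redirected) server has not answered pf's SYN. For a three-address
    inbound state the first address is the rdr target, the last the client."""
    return [
        {"target": s.local_host, "client": s.remote_peer,
         "redirected": s.translated}
        for s in states
        if s.proto == "tcp" and s.direction == "in" and s.state == "PROXY:DST"
    ]


def explain(state: PfState) -> str:
    """One-line, human-readable reading of a parsed state."""
    kind = "redirected " if state.translated and state.direction == "in" else \
           "natted " if state.translated else ""
    phase = SYNPROXY_PHASES.get(state.state, state.state)
    return f"{kind}{state.proto} {state.direction}: {state.remote_peer} -> " \
           f"{state.local_host} [{phase}]"


if __name__ == "__main__":
    parsed = parse_states(SAMPLE_STATES)
    for s in parsed:
        print(explain(s))
    print("pending synproxy handshakes:", pending_synproxy(parsed))
```

Run against real output with `pfctl -ss | python3 pfstates.py` after replacing `SAMPLE_STATES` with `sys.stdin.read()`; the `pending_synproxy` list separates "the client never reached the rule" (no state at all) from "the server behind the rdr never answered" (state present but stuck in `PROXY:DST`), which is the distinction that decides whether to look at the filter rules or at the path between the router and the internal host.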