pf vs. afp

Dánielisz László laszlo_danielisz at yahoo.com
Sat Dec 26 01:02:29 UTC 2009


Hi,

Here comes my pf.conf

#MACROS
ext_if="tun0"
int_if="rl0"
localnet = $int_if:network
good_ip="{ ***** }"
icmp_types="echoreq"
bad_ports = "69,135,137,138,139,445,524,548,1433,6000,31337,666,12345"
no_route = "{ 127.0.0.1/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 255.255.255.255/32 }"


#DEFAULT RULES
scrub in all

###NAT
nat on $ext_if from $localnet to any -> ($ext_if)


# SPECIAL IMMEDIATE BLOCKS:
# block bad ports and external broadcasts
block in quick  proto { udp,tcp }  from any to any port { = $bad_ports }
block in quick  on $ext_if         from any to 255.255.255.255  
# block weird tcp packets on ext_if:
block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP
block in quick on $ext_if inet proto tcp from any to any flags SF/SFRA
block in quick on $ext_if inet proto tcp from any to any flags /SFRA

# don't allow anyone to spoof non-routeable addresses
block in  quick on $ext_if from $no_route to any
block out quick on $ext_if from any to $no_route
block in all


### LOOPBACK
pass in quick on lo0 all
pass out quick on lo0 all


### EXTERNAL INTERFACE
###
#INCOMING: ssh, http
pass in log on $ext_if inet proto tcp from $good_ip to ($ext_if) port { 22 }  flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state 
#OUTGOING
pass out on $ext_if all

### INTERNAL INTERFACE
# INCOMING: forward traffic to all over destinations 
pass in quick on $int_if from $int_if/24 to any

#pass inet from { lo0, $localnet } to any

#INCOMING:  
pass in log on $int_if inet proto { tcp, udp } from $localnet to ($int_if) port { 21, 22, 80 } flags S/SA keep state
pass in log on $int_if inet proto { tcp, udp } from $localnet to ($int_if) port=548 flags S/SP keep state 
pass in log on $int_if inet proto { tcp, udp } from $localnet to ($int_if) port=548 flags S/SU keep state 

#pass in dhcp
pass in log on $int_if proto { tcp,udp } from 192.168.1.0/24 to $int_if port = 67 keep state
#pass in quick on $int_if proto { tcp,udp } from 192.168.1.0/24 to $int_if port = 67 keep state

#incoming ftp
pass in log on $int_if proto tcp from $localnet to any port > 49151 keep state

 
# OUTGOING: pass all.
pass out quick on $int_if  proto { tcp,udp,icmp } from any to $int_if/24  keep state




________________________________
From: Michael K. Smith <mksmith at adhost.com>
To: Dánielisz László <laszlo_danielisz at yahoo.com>; Anh Ky Huynh <kyanh at viettug.org>
Cc: freebsd-pf at freebsd.org
Sent: Fri, December 25, 2009 11:01:05 PM
Subject: Re: pf vs. afp

You can use the ($int_if) for traffic terminating on the firewall.  Any
traffic going through to another host needs to have the destination defined.

Could you include a complete copy (sanitized, of course) of your pf.conf
file?  There might be something else at work but it's hard to tell without
the file.

Kind Regards,

Mike


On 12/25/09 8:13 AM, "Dánielisz László" <laszlo_danielisz at yahoo.com> wrote:

> I am using "($int_if)" for ports 22 and 80 too and they are working like a charm.
> This is how I defined it in my pf.conf:
> int_if="rl0"
> 
> Right now I cannot try it, but when I'm able to I'll try your idea and then I
> will let you know how it works.
> 
> Thank you!
> 
> 
> 
> ________________________________
> From: Anh Ky Huynh <kyanh at viettug.org>
> To: Dánielisz László <laszlo_danielisz at yahoo.com>
> Cc: freebsd-pf at freebsd.org
> Sent: Fri, December 25, 2009 2:06:24 PM
> Subject: Re: pf vs. afp
> 
> On Fri, 25 Dec 2009 04:33:03 -0800 (PST)
> Dánielisz László <laszlo_danielisz at yahoo.com> wrote:
> 
>> 
>> ________________________________
>> 
>> Hello,
>> 
>> It's been a while that I've been struggling with how to deal with afp/netatalk
>> passing through my pf rules. If I disable pf everything is working
>> great (but I still do want a firewall on my server). I tried the
>> following rule but it still doesn't let me in:
>> 
>> pass in log on $int_if inet proto { tcp, udp } from $localnet to
>> ($int_if) port=548  flags S/SA keep state
> 
> I think the problem is "($int_if)". You should use, e.g.,
> 
>     from $localnet to 192.168.1.123
> 
>> When I try a telnet on port 548 I get "Operation timed out"; in
>> pflog I can see that my Mac tries to connect but I have no clue why
>> it can't when the corresponding port is open. Do you have any idea?
> 
> Regards,

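Two things in the pf.conf posted at the top of this message are worth tracing by hand: 548 (AFP) is listed in the bad_ports macro, and the "block in quick" rule built from that macro precedes every pass rule, while "pass in quick on $int_if from $int_if/24" precedes the per-port pass rules for the LAN. pf walks the rule set top to bottom; the last matching rule decides, except that a matching rule marked quick ends evaluation immediately. The following Python model is an added example, not code from the thread or from pf itself: it reduces the posted inbound rules to the fields needed for one TCP packet and reports which rule decides it. The LAN 192.168.1.0/24 is taken from the posted file; the Mac address 192.168.1.50, the external address 203.0.113.9 and the good_ip placeholder 198.51.100.7 are constructed sample values, and a string-prefix match stands in for real CIDR matching.

```python
"""Minimal model of pf rule evaluation (added example, not pf's own code).

pf evaluates rules top to bottom; the LAST matching rule wins, unless a
matching rule carries 'quick', which stops evaluation on the spot.  The rule
list below is a hand-reduced subset of the pf.conf posted above, in its
original order, keeping only what an inbound TCP packet needs.  Sample
addresses are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# bad_ports exactly as the posted pf.conf defines it (548 is AFP)
BAD_PORTS = {69, 135, 137, 138, 139, 445, 524, 548, 1433, 6000, 31337, 666, 12345}
GOOD_IP = "198.51.100.7"   # placeholder for the sanitized good_ip macro
LAN = "192.168.1."         # crude stand-in for 192.168.1.0/24 ($int_if/24)


@dataclass
class Packet:
    iface: str        # "rl0" ($int_if) or "tun0" ($ext_if)
    direction: str    # "in" or "out"
    proto: str        # "tcp" / "udp" / "icmp"
    src: str
    dport: int


@dataclass
class Rule:
    action: str                        # "pass" or "block"
    direction: str
    label: str                         # which posted rule this stands for
    quick: bool = False
    iface: Optional[str] = None        # None: any interface
    proto: Optional[Set[str]] = None   # None: any protocol
    dports: Optional[Set[int]] = None  # None: any destination port
    src_prefix: Optional[str] = None   # None: any source (prefix match only)

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and pkt.proto not in self.proto:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        if self.src_prefix is not None and not pkt.src.startswith(self.src_prefix):
            return False
        return True


def build_rules(bad_ports: Set[int]) -> List[Rule]:
    """The posted inbound rules, reduced, in the order they appear in the file."""
    return [
        Rule("block", "in", "block bad_ports (quick)", quick=True,
             proto={"udp", "tcp"}, dports=set(bad_ports)),
        Rule("block", "in", "block in all"),
        Rule("pass", "in", "pass ssh on $ext_if from $good_ip",
             iface="tun0", proto={"tcp"}, dports={22}, src_prefix=GOOD_IP),
        Rule("pass", "in", "pass in quick on $int_if from $int_if/24", quick=True,
             iface="rl0", src_prefix=LAN),
        Rule("pass", "in", "pass 21,22,80 on $int_if",
             iface="rl0", proto={"tcp", "udp"}, dports={21, 22, 80}, src_prefix=LAN),
        Rule("pass", "in", "pass 548 on $int_if",
             iface="rl0", proto={"tcp", "udp"}, dports={548}, src_prefix=LAN),
    ]


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label) of the rule that decides the packet."""
    decision = ("pass", "implicit default pass")   # pf passes when nothing matches
    for rule in rules:
        if rule.matches(pkt):
            decision = (rule.action, rule.label)  # later matches override earlier ones
            if rule.quick:
                break                             # quick: stop here, this rule wins
    return decision


def afp_from_lan(bad_ports: Set[int]) -> Tuple[str, str]:
    """The thread's failing case: a LAN Mac connecting to the firewall on 548."""
    mac = Packet("rl0", "in", "tcp", "192.168.1.50", 548)   # constructed sample
    return evaluate(build_rules(bad_ports), mac)


if __name__ == "__main__":
    rules = build_rules(BAD_PORTS)
    print("AFP, posted bad_ports :", afp_from_lan(BAD_PORTS))
    print("AFP, 548 removed      :", afp_from_lan(BAD_PORTS - {548}))
    print("ssh from good_ip      :", evaluate(rules, Packet("tun0", "in", "tcp", GOOD_IP, 22)))
    print("ssh from elsewhere    :", evaluate(rules, Packet("tun0", "in", "tcp", "203.0.113.9", 22)))
```

Run as-is, the model shows the AFP packet decided by "block bad_ports (quick)" before any pass rule is consulted; with 548 taken out of bad_ports it is passed by "pass in quick on $int_if from $int_if/24", not by the port-548 rules further down, which that earlier quick rule makes unreachable for LAN sources. The two ssh cases show the non-quick semantics: "block in all" matches first but is overridden by the later, more specific pass rule only when the source is good_ip. On the real box, `pfctl -vnf /etc/pf.conf` prints the expanded rule set for this kind of ordering check, and `pfctl -sr` shows the rules actually loaded.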