Lost in rules!

J. Hellenthal jhell at DataIX.net
Sun Mar 27 09:29:14 UTC 2011 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



On Sat, 26 Mar 2011 12:18, leslie@ wrote:
> Hello list.
>
> I've had a machine running Freebsd 7.2-RELEASE as a firewall and Squid proxy 
> server on a network with 10 pc behind it for some years.
>
> Now I've got some new hardware and have installed Freebsd 8.2-RELEASE with 
> exactly the same set-up.
>
> My problem is that PF is not acting the same. Everything is blocked, if I 
> remove the first rule "block in log on $ext_if all" I get some functionality 
> but it won't redirect the traffic to Squid for example.
>
> I've been trying to fix it but I need some new eyes to help me.
>
> Below are the pf.conf on the new 8.2 machine and further below is the 
> original pf.conf from the 7.2 system
>
> I'm aware that there has been some changes to the pf syntax, but when doing 
> pfctl -n -f /etc/pf.conf there's no indication that my syntax is wrong.
>
> Will you Please take a look and see if you can see what's wrong.
>
> Thank you :-)
>

Hi Leslie,

I just extracted your rules sets from the email and from what I gather I 
hope its just not a formatting issue with your mailer that I have seen in 
coincidence.

After pulling out the patch pipe and loading with a diff this is what I've 
come up with: (-)=New Config (+)=Old Config

  # Let the goodguys access the machine from the outside
- -pass in log on $ext_if inet proto tcp from <goodguys> to ($ext_if)
+pass in on $ext_if inet proto tcp from <goodguys> to ($ext_if) \
  port $tcp_services flags S/SA keep state

  # We need this for the rdr to VNC (change of portnumber)
- -pass in on $ext_if inet proto tcp from <goodguys> to $internal_net
+pass in on $ext_if inet proto tcp from <goodguys> to $internal_net \
  port $vncports flags S/SA synproxy state


You mentioned that when removing your block rule that you would get some 
functionality back and this stuck out like a sore thumb!. Pay close 
attention to the new line character at the new or in other words "don't 
forget the backslash"

Also you used to have:
  # filter rules
- -block in log on $ext_if all
+block in log (all)

but that is probably not relative to what you are seeing in your rule sets 
at this time.

If this all is not a formatting error you should be able to verify that 
all your rules are loaded with ( pfctl -s rules ) and manually inspect the 
ones in question whether the backslash really makes the difference.

Good luck.

- -- 

  Regards,

  J. Hellenthal
  (0x89D8547E)
  JJH48-ARIN

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (FreeBSD)
Comment: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x89D8547E

iQEcBAEBAgAGBQJNjwNeAAoJEJBXh4mJ2FR+02EH/RUG17OuvE1ltgIMtGJpTy17
26oLFCiWY0AlH7LR8L1hImXFL8VPdsrybsCN6F7YgKFOpKtAPYoqV50zI5gF81cI
FOGErW1I8rNB4aHZsjBlQyARlSFtJO5uRr/desuCrL4SIK8FzD9QPb8qdEoWaehc
fMjHPhC5277NljkHH22HPKKRb1yA2+jvrZ91LOjUVO8AanPHDcXWvmNGOmbnTcB9
yG8K1gJymxzs4Atlw1m0PPCxmrwYzw4IbLB1TGzsZIhnGcmfR8M0eKCi/G98uyCP
LWXr8f/qL8lE4tjbr3jiKXEqeQWNXACI2vjqCEn6QG4t24U2gZtOrlnssneAY/M=
=vzmL
-----END PGP SIGNATURE-----

More information about the freebsd-pf mailing list