Vista network issues behind PF Firewall
Posted by cerulean (Port Guard), 10th November 2008

I have a very straightforward pf config doing NAT for the internal network. It works great with the 30+ WinXP, Win2000 and Linux machines, but recently someone added a Vista machine and it simply doesn't work: very slow, lots of disconnects, etc. The Vista machine can access internal network resources without issue, which seems to indicate this is not a hardware issue.

Below is my pf.conf file. I did a search and found one thread on the mailing lists with similar issues, but it didn't seem to resolve the problem (I can't seem to locate the thread this morning). Thanks for any advice (beyond getting rid of Vista).

#############################
# PF Configuration
#############################
ext_if = "vr0"
int_if = "fxp0"

# Ports reachable from the outside on $ext_if (8234 was listed twice; duplicate dropped)
tcp_services = "{ 0, 21, 8234, 22, 2200, 3389, 3388, 80, 81, 5820, 143, 443, 110, 25, 2500, 587, 993, 45000:50000, 55555 }"
udp_services = "{ 53, 993, 8234 }"

apnic_blocked_services = "{22, 2200, 25, 2500, 587, 20, 21}"

icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"

# APNIC address space kept away from the mail/ssh/ftp ports in $apnic_blocked_services.
# 119.228.0.0/8 had host bits set under its /8 mask; corrected to 119.0.0.0/8.
table <apnic> { 58.0.0.0/8, 59.0.0.0/8, 60.0.0.0/8, 61.0.0.0/8, 114.0.0.0/8, \
115.0.0.0/8, 116.0.0.0/8, 117.0.0.0/8, 118.0.0.0/8, 119.0.0.0/8, 120.0.0.0/8, \
121.0.0.0/8, 122.0.0.0/8, 123.0.0.0/8, 124.0.0.0/8, 125.0.0.0/8, 126.0.0.0/8, \
169.208.0.0/12, 202.0.0.0/8, 203.0.0.0/8, 210.0.0.0/8, 211.0.0.0/8, 218.0.0.0/8, \
219.0.0.0/8, 220.0.0.0/8, 221.0.0.0/8, 222.0.0.0/8 }

#############################
# PF Options
#############################

set block-policy return
set loginterface $ext_if
set skip on lo
scrub in all

#############################
# PF NAT Configuration
#############################

nat on $ext_if from !($ext_if) to any -> ($ext_if)
nat-anchor "ftp-proxy/*"

rdr-anchor "ftp-proxy/*"
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021

#############################
# PF Filter Rules
#############################

# Default Block Status

block in
pass out keep state

anchor "ftp-proxy/*"

antispoof quick for { lo $int_if }

block in quick on $ext_if inet proto tcp from <apnic> to ($ext_if) port $apnic_blocked_services

pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state

pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
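As an added check (not part of cerulean's post or of pf itself), this Python script lints the port macros and the <apnic> table of a pf.conf fragment constructed from the one above: it reports ports outside 1-65535, ports listed twice in one macro, and prefixes whose host bits are set under their mask, which is what 119.228.0.0/8 is. The sample text and the `*_services` naming convention are assumptions taken from this post.

```python
import ipaddress
import re
# Constructed excerpt modelled on the posted pf.conf; port 0, the repeated
# 8234 and 119.228.0.0/8 are the values the lint should catch.
SAMPLE_PF_CONF = '''\
tcp_services = "{ 0, 21, 8234, 22, 80, 8234, 45000:50000, 55555 }"
udp_services = "{ 53, 993, 8234 }"
table <apnic> { 58.0.0.0/8, 119.228.0.0/8, \\
169.208.0.0/12, 222.0.0.0/8 }
'''
MACRO_RE = re.compile(r'^(\w+_services)\s*=\s*"\{([^}]*)\}"', re.M)
TABLE_RE = re.compile(r'^table\s+<(\w+)>\s*\{([^}]*)\}', re.M)

def tokens(body):  # split a '{ a, b, c }' list body into its tokens
    return [t for t in re.split(r'[,\s]+', body.strip()) if t]

def lint_ports(name, body):
    """Flag ports outside 1-65535 and ports repeated within one macro."""
    findings, seen = [], set()
    for tok in tokens(body):
        lo, _, hi = tok.partition(':')  # 'N' or an 'N:M' range
        for p in ((lo, hi) if hi else (lo,)):
            if not 1 <= int(p) <= 65535:
                findings.append(f'{name}: port {p} is not a usable service port')
        if tok in seen:
            findings.append(f'{name}: port {tok} listed more than once')
        seen.add(tok)
    return findings

def lint_table(name, body):  # flag prefixes whose host bits are set (almost always a typo)
    findings = []
    for tok in tokens(body):
        try:
            ipaddress.ip_network(tok, strict=True)
        except ValueError:
            fixed = ipaddress.ip_network(tok, strict=False)
            findings.append(f'table <{name}>: {tok} has host bits set; did you mean {fixed}?')
    return findings

def lint(conf):  # fold backslash line continuations, then lint the port macros and tables
    conf = conf.replace('\\\n', ' ')
    findings = []
    for name, body in MACRO_RE.findall(conf):
        findings += lint_ports(name, body)
    for name, body in TABLE_RE.findall(conf):
        findings += lint_table(name, body)
    return findings

for finding in lint(SAMPLE_PF_CONF):
    print(finding)
```

Run it against a full pf.conf by replacing SAMPLE_PF_CONF with the file's contents; it only inspects `*_services` macros and `table` definitions, so the rest of the ruleset is left alone.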