#6
26th March 2012
sparky

Right so I've enabled the ftp-proxy service which I've checked using netstat -ap tcp and it's up!

Code:
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  localhost.8021         *.*                    LISTEN

However, how can I check that things are working properly because the Foreign Address field keeps saying listen and that's it?

This is my pf.conf file now:

Code:
#macros

int_if="em1"

tcp_services="{ 22 }"
icmp_types="echoreq"

imap_box="10.0.0.9"
http_box="10.0.0.8"

#options

set block-policy return
set loginterface em0
set skip on "{ lo, em1 }"

# Proxy rules

#anchor "http-proxy/*"

#pass in quick on $int_if inet proto tcp to any port http \
#    divert-to 172.16.8.40 port 3128 

pass in quick on $int_if inet proto tcp to any port ftp \
    divert-to 127.0.0.1 port 8021 

#match rules

#match out on egress inet from !(egress) to any nat-to (egress:0)

match out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13

#filter rules

block in log
pass out quick
pass out quick on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13 
#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13

antispoof quick for { lo, em1 }

pass in quick on egress inet proto tcp from any to (egress) port $tcp_services

#pass in quick on egress inet proto tcp to (egress) port 143 rdr-to $imap_box synproxy state 
pass in quick on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass in quick on em1 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass in out on em0 inet proto tcp to port 143 rdr-to $imap_box synproxy state
#pass  on em0 from any to $imap_box binat-to em0 
pass  on em1 from $imap_box to any binat-to em0


pass in quick on egress inet proto tcp to (egress) port 80 rdr-to $http_box synproxy state

block in on egress inet proto icmp all icmp-type $icmp_types

pass in quick  on $int_if 

#pass out on em0 from 10.0.0.0/24 to any nat-to 172.16.8.13

On the FreeBSD host where I'm trying to use ports to install software, I am doing this:

Code:
setenv http_proxy http://172.16.8.40:3128
setenv ftp_proxy ftp://172.16.8.40:3128
setenv https_proxy https://172.16.8.40:3128

That proxy address/port combo is what I'm using outside of my OpenBSD router, as internet access is restricted!

pfctl -ss shows:

Code:
# pfctl -ss 
all tcp 10.0.0.1:22 <- 10.0.0.10:53250       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.9:143 (172.16.8.13:143) <- 172.16.8.12:55195       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.12:55195 -> 10.0.0.9:143       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.9:143 (172.16.8.13:143) <- 172.16.8.12:55210       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.12:55210 -> 10.0.0.9:143       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.9:143 (172.16.8.13:143) <- 172.16.8.12:55211       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.12:55211 -> 10.0.0.9:143       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.1:22 <- 10.0.0.10:53307       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.40:3128 <- 10.0.0.5:58513       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.13:52735 (10.0.0.5:58513) -> 172.16.8.40:3128       ESTABLISHED:ESTABLISHED

but I am still unable to download anything from ftp://ftp.freebsd.org
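
One way to check from the state table whether any client traffic is reaching ftp-proxy, added here as an example and not part of the original post: the `divert-to` rule only matches `port ftp`, so the script looks for states involving port 21 or 8021. The function names are hypothetical and the sample is constructed from the `pfctl -ss` output above.

```python
import re

# Constructed sample: a subset of the `pfctl -ss` lines from the post above.
PFCTL_SS = """\
all tcp 10.0.0.1:22 <- 10.0.0.10:53250       ESTABLISHED:ESTABLISHED
all tcp 10.0.0.9:143 (172.16.8.13:143) <- 172.16.8.12:55195       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.12:55195 -> 10.0.0.9:143       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.40:3128 <- 10.0.0.5:58513       ESTABLISHED:ESTABLISHED
all tcp 172.16.8.13:52735 (10.0.0.5:58513) -> 172.16.8.40:3128       ESTABLISHED:ESTABLISHED
"""

# An IPv4 endpoint token; parentheses mark the address on the other side of a translation.
ENDPOINT = re.compile(r'\(?(\d+\.\d+\.\d+\.\d+):(\d+)\)?$')

def parse_state(line):
    """Split one IPv4 `pfctl -ss` line into its fields, or return None."""
    tok = line.split()
    if len(tok) < 6 or not ({'<-', '->'} & set(tok)):
        return None
    eps = []  # (ip, port, is_parenthesised) in the order printed
    for t in tok[2:-1]:
        m = ENDPOINT.match(t)
        if m:
            eps.append((m.group(1), int(m.group(2)), t.startswith('(')))
    return {'iface': tok[0], 'proto': tok[1], 'state': tok[-1],
            'inbound': '<-' in tok, 'endpoints': eps}

def states_touching(output, ports):
    """Parsed states in which any endpoint, translated or not, uses one of `ports`."""
    hits = []
    for line in output.splitlines():
        st = parse_state(line)
        if st and any(p in ports for _, p, _ in st['endpoints']):
            hits.append(st)
    return hits

def client_destinations(output, client_ip):
    """(ip, port) destinations of inbound states whose source is client_ip."""
    dests = []
    for line in output.splitlines():
        st = parse_state(line)
        if st and st['inbound'] and st['endpoints'] and st['endpoints'][-1][0] == client_ip:
            ip, port, _ = st['endpoints'][0]
            dests.append((ip, port))
    return dests

if __name__ == "__main__":
    print("states on 21/8021:", states_touching(PFCTL_SS, {21, 8021}))
    print("10.0.0.5 connects to:", client_destinations(PFCTL_SS, "10.0.0.5"))
```

On the sample, no state touches port 21 or 8021, and the only destination opened by 10.0.0.5 is 172.16.8.40:3128, the address set in the client's proxy variables.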