#5 - 22nd November 2010
roko
New User
Join Date: Nov 2010
Posts: 4
re

About the proxy ARP bug: I didn't even consider this to be relevant to my problem. So yeah, I guess there is a problem in my pf configuration. Here is my mpd.conf:

Code:
startup:
        set console self 127.0.0.1 5005
        set console open
        set web self 0.0.0.0 5006
        set web open

default:
        load pptp_server

pptp_server:
        set ippool add pool1 10.0.0.50 10.0.0.100
        create bundle template MYVPN
        set iface enable proxy-arp
        set iface idle 1800
        set iface enable tcpmssfix
        set ipcp yes vjcomp
        set ipcp ranges 10.0.0.1/32 ippool pool1
        set ipcp dns 10.0.0.1
        set bundle enable compression
        set ccp yes mppc
        set mppc yes e40
        set mppc yes e128
        set mppc yes stateless
        create link template MYVPN pptp
        set link action bundle MYVPN
        set link enable multilink
        set link yes acfcomp protocomp
        set link no pap chap
        set link enable chap
        set link keep-alive 10 60
        set link mtu 1460
        set pptp self MY_WAN_IP
        set link enable incoming
And my mpd.links:

Code:
pptp1:
set link type pptp
set pptp enable incoming
set pptp disable originate
In the above configuration:

* MY_WAN_IP -> my public IP
* 10.0.0.50 - 10.0.0.100 -> the IP range for clients
* 10.0.0.1 -> the gateway's internal IP

My pf.conf:
Code:
external="em0"
internal="em1"
local="em3"
ipv6="stf0"
pptp="ng0"
intranal="10.0.0.0/24"
intranallocal="10.0.1.0/24"
services="{ 21, 25, 53, 50, 60, 70, 80, 110, 443, 995, 2525 }"
portsopen="{ 47, 2525, 1723, 10000, 10001 }"
ircportsopen="{ 10001 }"
irc="{ IPS }"
ipsopen="{ IPS }"
ip6sopen="{ IPS6 }"
blockaniipji="{ IPS }"
ports="{ 21 }"
icmp_types="echoreq"

set block-policy drop
set loginterface $external

set skip on lo0

scrub in all

scrub on $internal
scrub on $external random-id max-mss 1452 reassemble tcp fragment reassemble

nat on $external from $intranal to any -> ($external)
nat on $external from $intranallocal to any -> ($external)

rdr on $external proto tcp from any to $external port 60606 -> 10.0.0.2 port 60606

# START - XTREAMER - FTP
rdr on $external proto tcp from any to $external port 10002 -> 10.0.0.5 port 21
rdr on $external proto tcp from any to $external port 10003 -> 10.0.0.5 port 80
rdr on $external proto tcp from any to $external port 1024:1050 -> 10.0.0.5
# END - EXTREAMER - FTP

nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

#rdr on $internal proto tcp from any to any port 21 -> 127.0.0.1 port 21

block in log quick on $external inet proto tcp from any to any flags FUP/FUP
block in log quick on $external proto tcp from any to any flags SAFRPU/SAFRPU
block in log quick on $external proto tcp from any to any flags SAFRU/SAFRU
block in log quick on $external proto tcp from any to any flags SF/SF
block in log quick on $external proto tcp from any to any flags SR/SR

block in inet proto icmp all icmp-type $icmp_types
block in log quick on $external proto tcp from $blockaniipji to $external
#pass in inet proto icmp icmp-type $icmp_types from $internal to any keep state
#pass inet proto icmp icmp-type $icmp_types from any to $external keep state

#block return-rst in quick on sis0 proto tcp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto udp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto tcp from any to any
#block return-icmp(port-unr) in log quick on sis0 proto icmp from any to any

block in log all
block out log all

anchor "ftp-proxy/*"

antispoof quick for { lo $internal }
antispoof quick for { lo $local }

pass in on $pptp inet from any to any
pass out on $pptp inet from any to any

pass in proto gre all keep state
pass out proto gre all keep state

# IP-TV FOR THE NETWORK #

pass in on $external inet proto igmp to 224.0.0.0/4 allow-opts
pass in on $external inet proto udp  to 224.0.0.0/4

pass out on $external inet proto igmp from $external to 224.0.0.0/4 allow-opts

pass in on $internal inet proto igmp from 10.0.0.0/24 to 224.0.0.0/4 allow-opts
pass in on $internal inet proto udp  from 10.0.0.0/24

pass out on $internal inet proto igmp from 10.0.0.0/24 to 224.0.0.0/4 allow-opts
pass out on $internal inet proto udp to 224.0.0.0/4

# END OF IP-TV FOR THE NETWORK #

# START OF IPV6

pass in on $ipv6 inet6 from any to any keep state

#pass in on $external inet proto ipv6 from any to $external keep state

pass in on $internal inet proto ipv6 from any to any keep state

pass out on $ipv6 all

pass out on $external inet proto ipv6 from $external to any keep state

pass in on lo all

pass out on lo all

# END OF IPV6

# START - XTREAMER - FTP

pass in quick on $external inet proto tcp from any to 10.0.0.5 port 21 flags S/SAFR synproxy state
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 80 flags S/SAFR synproxy state
pass in quick on $external inet proto tcp from any to 10.0.0.5 port 1024 >< 1050 flags S/SAFR modulate state
pass out quick on $internal inet proto tcp from any to 10.0.0.5 port 1024 >< 1050 flags S/SAFR modulate state

# END - XTREAMER - FTP

# START OF PORT FORWARDING THROUGH NAT

pass out on $internal inet proto tcp from any to 10.0.0.2 port 60606 keep state
pass out on $internal inet proto tcp from any to 10.0.0.5 port 21 keep state
pass out on $internal inet proto tcp from any to 10.0.0.5 port 80 keep state

# END OF PORT FORWARDING THROUGH NAT

pass out on $external inet proto udp all keep state

pass out on $external inet proto icmp from any to any keep state

pass out on $external inet proto tcp from any to any

pass out on lo inet proto tcp from any to any port 953 keep state

pass in on lo inet proto tcp from any to any port 953 keep state

# WEBMAIL

pass in on lo inet proto tcp from any to any port 143 keep state

pass out on lo inet proto tcp from any to any port 143 keep state

pass out on lo inet proto tcp from any to any port 25 keep state

pass in on lo inet proto tcp from any to any port 25 keep state

# END OF WEBMAIL

pass in on $external proto tcp from any to any port > 49151 keep state

pass in on $external inet proto udp from any to any port domain keep state

pass in on $internal inet from $intranal to any modulate state
pass in on $local inet from $intranallocal to any modulate state
pass out on $internal inet from $intranal to any modulate state
pass out on $local inet from $intranallocal to any modulate state

pass in on $external inet proto tcp from $ipsopen to $external port $portsopen keep state

#pass in quick on $external inet6 proto tcp from $ip6sopen to $external port $portsopen keep state

pass in on $external inet proto tcp from any to $external port $services keep state
pass in on $external inet proto tcp from $irc to $external port 113 keep state

pass in on $external inet proto tcp from any to $external user proxy keep state

# IGMP IP-TV
pass in on $internal inet proto igmp from any to any allow-opts
pass in on $external proto tcp from any to 10.0.1.2 flags S/SA keep state

antispoof for $external
antispoof for $ipv6
antispoof for $local
antispoof for $internal
I know that this pf config is messy, and there are surely some misconfigurations in it; I didn't have time to retest everything and get the syntax 100%...

The things I added for mpd and PPTP are:
Code:
pass in on $pptp inet from any to any
pass out on $pptp inet from any to any

pass in proto gre all keep state
pass out proto gre all keep state
So the problem is that clients are able to connect to the PPTP server and they get an address from the pool (10.0.0.50-100), but they cannot ping any system on the internal network (10.0.0.0/24) unless I disable PF; then the clients can ping the gateway 10.0.0.1 and Samba starts working too...

Thanks for the quick response, DNAeon; I hope to find the pf config bug.
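As an added example (not code from the original post), here is a small Python helper for triaging pflog output while debugging a ruleset like the one above: because the post's ruleset ends in `block in log all` / `block out log all`, every dropped packet is written to pflog0, and `tcpdump -n -e -ttt -i pflog0` shows which rule dropped a VPN client's packet and on which interface. The sample log lines, rule numbers, interface `ng1` and the addresses 203.0.113.x / 198.51.100.x are constructed; the client pool 10.0.0.50-100 and the `$pptp = "ng0"` macro are taken from the post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (not real
# captures), as an administrator might see while a PPTP client pings the
# gateway and tries to reach a Samba host.
SAMPLE_PFLOG = """\
00:00:00.000000 rule 21/0(match): block in on ng1: 10.0.0.51 > 10.0.0.1: ICMP echo request, id 1, seq 1, length 64
00:00:01.000112 rule 21/0(match): block in on ng1: 10.0.0.51 > 10.0.0.1: ICMP echo request, id 1, seq 2, length 64
00:00:00.050431 rule 22/0(match): block out on em1: 10.0.0.51.445 > 10.0.0.7.49152: tcp 0
00:00:00.000300 rule 21/0(match): block in on em0: 203.0.113.9 > 198.51.100.4: GREv1, length 60
00:00:00.000020 rule 21/0(match): block in on em0: 203.0.113.77.40123 > 198.51.100.4.23: Flags [S], length 0
"""

# Matches the "rule N/M(match): ACTION DIR on IFACE: SRC > DST:" prefix that
# tcpdump prints for pflog records; ports (a trailing ".NNN") are optional.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on "
    r"(?P<iface>\w+): (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

# The address pool mpd hands to PPTP clients, from the poster's mpd.conf.
POOL_START = ipaddress.IPv4Address("10.0.0.50")
POOL_END = ipaddress.IPv4Address("10.0.0.100")

def in_pool(addr):
    """True if addr lies inside the PPTP client pool."""
    return POOL_START <= ipaddress.IPv4Address(addr) <= POOL_END

def parse_pflog(text):
    """Return one dict per pflog line that matches PFLOG_RE."""
    return [m.groupdict() for m in map(PFLOG_RE.search, text.splitlines()) if m]

def vpn_blocks(text):
    """Count blocked packets involving a VPN client: (dir, iface, rule) -> n."""
    counts = Counter()
    for ev in parse_pflog(text):
        if ev["action"] == "block" and (in_pool(ev["src"]) or in_pool(ev["dst"])):
            counts[(ev["dir"], ev["iface"], int(ev["rule"]))] += 1
    return counts

def unmatched_ng_ifaces(text, pptp_iface="ng0"):
    """Netgraph interfaces seen in block events other than the one $pptp names."""
    return sorted({ev["iface"] for ev in parse_pflog(text)
                   if ev["action"] == "block"
                   and ev["iface"].startswith("ng") and ev["iface"] != pptp_iface})
```

pf matches the `$pptp` rules only on the interface literally named `ng0`, so any other ngN interface reported by `unmatched_ng_ifaces` falls through to the catch-all block rules; the rule numbers in the counts can be mapped back to the ruleset with `pfctl -vvsr`.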