Hello,
I must create a DMZ zone for my second local net, 192.168.1.0/16. This is my pf.conf:
----
### macros
int_if = "re0"
dmz_if = "re1"
ext_if = "pppoe0"
tcp_services = "{ 20, 21, 22, 25, 80, 110, 113 }"
udp_service = "{ 53, 5060 }"
icmp_types = "echoreq"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
dmz_net = "192.168.1.0/16"
bnd_upstream="512Kb"
bnd_downstream="7168Kb"
host_usr1="192.168.0.1"
host_usr4="192.168.0.4"
host_usr5="192.168.0.5"
host_usr6="192.168.0.6"
host_usr8="192.168.0.8"
host_usr9="192.168.0.9"
host_usr10="192.168.0.10"
host_usr11="192.168.0.11"
host_usr12="192.168.0.12"
host_usr13="192.168.1.13"
host_usr14="192.168.1.14"
host_usr15="192.168.0.15"
host_usr16="192.168.0.16"
host_usr17="192.168.0.17"
host_usr18="192.168.0.18"
### options
set optimization normal
set block-policy return
set loginterface $ext_if
set skip on lo0
### scrub
scrub in all
scrub out on $ext_if max-mss 1440
### altq
altq on $ext_if cbq bandwidth $bnd_upstream queue { up_def }
altq on $int_if cbq bandwidth $bnd_downstream queue { dn_def }
queue up_def bandwidth 100% cbq(default) { up_host1 up_host4 up_host5 up_host6 up_host8 up_host9 up_host10 up_host11 up_host12 up_host13 up_host14 up_host15 up_host16 up_host17 up_host18 }
queue up_host1 bandwidth 13% cbq(borrow)
queue up_host4 bandwidth 7% cbq(borrow)
queue up_host5 bandwidth 7% cbq(borrow)
queue up_host6 bandwidth 7% cbq(borrow)
queue up_host8 bandwidth 6% cbq(borrow)
queue up_host9 bandwidth 6% cbq(borrow)
queue up_host10 bandwidth 6% cbq(borrow)
queue up_host11 bandwidth 6% cbq(borrow)
queue up_host12 bandwidth 6% cbq(borrow)
queue up_host13 bandwidth 6% cbq(borrow)
queue up_host14 bandwidth 6% cbq(borrow)
queue up_host15 bandwidth 6% cbq(borrow)
queue up_host16 bandwidth 6% cbq(borrow)
queue up_host17 bandwidth 6% cbq(borrow)
queue up_host18 bandwidth 6% cbq(borrow)
queue dn_def bandwidth 100% cbq(default) { dn_host1 dn_host4 dn_host5 dn_host6 dn_host8 dn_host9 dn_host10 dn_host11 dn_host12 dn_host13 dn_host14 dn_host15 dn_host16 dn_host17 dn_host18 }
queue dn_host1 bandwidth 13% cbq(borrow)
queue dn_host4 bandwidth 7% cbq(borrow)
queue dn_host5 bandwidth 7% cbq(borrow)
queue dn_host6 bandwidth 7% cbq(borrow)
queue dn_host8 bandwidth 6% cbq(borrow)
queue dn_host9 bandwidth 6% cbq(borrow)
queue dn_host10 bandwidth 6% cbq(borrow)
queue dn_host11 bandwidth 6% cbq(borrow)
queue dn_host12 bandwidth 6% cbq(borrow)
queue dn_host13 bandwidth 6% cbq(borrow)
queue dn_host14 bandwidth 6% cbq(borrow)
queue dn_host15 bandwidth 6% cbq(borrow)
queue dn_host16 bandwidth 6% cbq(borrow)
queue dn_host17 bandwidth 6% cbq(borrow)
queue dn_host18 bandwidth 6% cbq(borrow)
### nat/rdr
nat on $ext_if from $int_if:network to any -> ($ext_if)
nat on $ext_if from $dmz_if:network to any -> ($ext_if)
# redirect for nucleo, anima, xaser and enjoy
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {4001:4005, 1063:1083} -> $host_usr1
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1000:1020 -> $host_usr8
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port {1021:1041, 3724, 6112 } -> $host_usr9
rdr pass on $ext_if proto { tcp udp } from any to ($ext_if) port 1042:1062 -> $host_usr10
### filter rules
block all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
block drop in quick on $ext_if from $dmz_net to any
block drop out quick on $ext_if from any to $dmz_net
pass in on $int_if proto { tcp udp } from $host_usr1 to any queue up_host1
pass in on $int_if proto { tcp udp } from $host_usr4 to any queue up_host4
pass in on $int_if proto { tcp udp } from $host_usr5 to any queue up_host5
pass in on $int_if proto { tcp udp } from $host_usr6 to any queue up_host6
pass in on $int_if proto { tcp udp } from $host_usr8 to any queue up_host8
pass in on $int_if proto { tcp udp } from $host_usr9 to any queue up_host9
pass in on $int_if proto { tcp udp } from $host_usr10 to any queue up_host10
pass in on $int_if proto { tcp udp } from $host_usr11 to any queue up_host11
pass in on $int_if proto { tcp udp } from $host_usr12 to any queue up_host12
pass in on $dmz_if proto { tcp udp } from $host_usr13 to any queue up_host13
pass in on $dmz_if proto { tcp udp } from $host_usr14 to any queue up_host14
pass in on $int_if proto { tcp udp } from $host_usr15 to any queue up_host15
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host17
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host18
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_service keep state
pass in on $ext_if inet proto { tcp udp } from any to ($dmz_if) keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any
pass in on $dmz_if all keep state
pass out on $int_if proto { tcp udp } from any to $host_usr1 queue dn_host1
pass out on $int_if proto { tcp udp } from any to $host_usr4 queue dn_host4
pass out on $int_if proto { tcp udp } from any to $host_usr5 queue dn_host5
pass out on $int_if proto { tcp udp } from any to $host_usr6 queue dn_host6
pass out on $int_if proto { tcp udp } from any to $host_usr8 queue dn_host8
pass out on $int_if proto { tcp udp } from any to $host_usr9 queue dn_host9
pass out on $int_if proto { tcp udp } from any to $host_usr10 queue dn_host10
pass out on $int_if proto { tcp udp } from any to $host_usr11 queue dn_host11
pass out on $int_if proto { tcp udp } from any to $host_usr12 queue dn_host12
pass out on $dmz_if proto { tcp udp } from any to $host_usr13 queue dn_host13
pass out on $dmz_if proto { tcp udp } from any to $host_usr14 queue dn_host14
pass out on $int_if proto { tcp udp } from any to $host_usr15 queue dn_host15
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host16
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host17
pass out on $int_if proto { tcp udp } from any to $host_usr16 queue dn_host18
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if from any to $int_if:network
pass out on $dmz_if all keep state
###Deny spoofing
antispoof for $ext_if
antispoof for $dmz_if
antispoof for $int_if
------------------
I need to leave ALL TCP AND UDP ports open on the DMZ network, and this does not happen with this firewall...
And I can ping every IP of 192.168.1.0 from the server/router, but from a PC on the LAN (in 192.168.0.0) I can't ping a PC in the DMZ... where is the mistake?!
Thanks a lot.
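Added example, not part of the post and not the poster's code: a small Python lint that reads the macro definitions and the per-host queue rules from a constructed excerpt of the pf.conf above and reports three things worth checking mechanically before reading the filter rules. First, CIDR macro values with host bits set: 192.168.1.0/16 is not a separate subnet, since masked with its /16 prefix it is 192.168.0.0/16, the same address range the LAN uses in priv_nets. Second, network macros that overlap each other. Third, a source macro that appears in several per-host queue rules (in the posted rules $host_usr16 is queued into up_host16, up_host17 and up_host18, while host_usr17 and host_usr18 are never used). The excerpt, the regexes and the function names are this example's own assumptions; pf itself has no such checker.

```python
import ipaddress
import re

# Constructed excerpt of the pf.conf posted above: the network macros plus the
# three queue rules that all name $host_usr16. Only lines the checks use appear.
PF_CONF = """\
int_if = "re0"
dmz_if = "re1"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16 }"
dmz_net = "192.168.1.0/16"
host_usr16="192.168.0.16"
host_usr17="192.168.0.17"
host_usr18="192.168.0.18"
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host16
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host17
pass in on $int_if proto { tcp udp } from $host_usr16 to any queue up_host18
"""

# name = "value"  (pf accepts spaces around '=' or none at all)
MACRO_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"\s*$')
# pass ... from $macro ... queue name
QUEUE_RULE_RE = re.compile(r'^\s*pass\s.*\bfrom\s+\$(\w+)\s.*\bqueue\s+(\w+)\s*$')


def parse_macros(conf):
    """Return {macro name: raw quoted value} for every macro definition."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def cidr_items(value):
    """Split a macro value such as '{ a/8, b/16 }' into its CIDR strings."""
    return [item for item in value.strip("{} ").replace(",", " ").split() if "/" in item]


def find_host_bit_issues(macros):
    """(macro, value, masked) for CIDR values whose host bits are set.
    192.168.1.0/16 has host bits set; masked with its prefix it is 192.168.0.0/16."""
    issues = []
    for name, value in macros.items():
        for item in cidr_items(value):
            try:
                ipaddress.ip_network(item)  # strict: raises when host bits are set
            except ValueError:
                masked = ipaddress.ip_network(item, strict=False)
                issues.append((name, item, str(masked)))
    return issues


def find_overlaps(macros):
    """(macro_a, net_a, macro_b, net_b) for networks in different macros that overlap."""
    nets = {}
    for name, value in macros.items():
        parsed = []
        for item in cidr_items(value):
            try:
                parsed.append(ipaddress.ip_network(item, strict=False))
            except ValueError:
                continue  # not a parseable network; nothing to compare
        if parsed:
            nets[name] = parsed
    overlaps = []
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for na in nets[a]:
                for nb in nets[b]:
                    if na.overlaps(nb):
                        overlaps.append((a, str(na), b, str(nb)))
    return overlaps


def find_reused_sources(conf):
    """{source macro: [queues]} where one source macro feeds more than one queue."""
    seen = {}
    for line in conf.splitlines():
        m = QUEUE_RULE_RE.match(line)
        if m:
            seen.setdefault(m.group(1), set()).add(m.group(2))
    return {src: sorted(q) for src, q in seen.items() if len(q) > 1}


if __name__ == "__main__":
    macros = parse_macros(PF_CONF)
    for name, item, masked in find_host_bit_issues(macros):
        print(f"{name}: {item} has host bits set; masked with its prefix it is {masked}")
    for a, na, b, nb in find_overlaps(macros):
        print(f"{a} ({na}) overlaps {b} ({nb})")
    for src, queues in find_reused_sources(PF_CONF).items():
        print(f"${src} is the source in {len(queues)} queue rules: {', '.join(queues)}")
```

Run it against a full pf.conf by replacing PF_CONF with the file's contents; the overlap report will also list intended supersets such as a private-address block that covers the LAN, so read it as a list of things to confirm rather than a list of errors.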