FreeBSD Security: Securing FreeBSD
Code:
# --- NAT
nat on $ext_if from !($ext_if)

# --- EXTERNAL interface
# --- OUT
pass out quick on $ext_if all keep state flags S/SA

# -- INTERNAL interface
# --- IN & OUT
pass quick on $int_if all keep state flags S/SA

# default block and log
block log all
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
How many computers are in the network? If the network is big and busy you may hit the maximum number of states that pf can track.
Code:
$ sudo pfctl -s info
Status: Enabled for 0 days 00:14:43           Debug: err

Interface Stats for egress           IPv4             IPv6
  Bytes In                        1289347                0
  Bytes Out                        372112               64
  Packets In
    Passed                           1661                0
    Blocked                             0                0
  Packets Out
    Passed                           1596                1
    Blocked                             0                0

State Table                          Total             Rate
  current entries                        3
  searches                            3258            3.7/s
  inserts                              157            0.2/s
  removals                             154            0.2/s
Counters
  match                                157            0.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Code:
$ sudo pfctl -s memory
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000
When I type this:
Code:
pfctl -s info
Code:
Status: Enabled for 6 days 07:24:08           Debug: Urgent

Interface Stats for sk0              IPv4             IPv6
  Bytes In                      9189704409                0
  Bytes Out                     1882048433                0
  Packets In
    Passed                        11444963                0
    Blocked                          21677                0
  Packets Out
    Passed                        10500629                0
    Blocked                              0                0

State Table                          Total             Rate
  current entries                      269
  searches                       225488256          413.7/s
  inserts                          1103490            2.0/s
  removals                         1103221            2.0/s
Counters
  match                            1107918            2.0/s
  bad-offset                             0            0.0/s
  fragment                               3            0.0/s
  short                                  0            0.0/s
  normalize                             20            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                           52            0.0/s
  state-mismatch                     21671            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
Code:
pfctl -s memory
Code:
states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   100000
Code:
State Table                          Total             Rate
  current entries                      269
If you have a dynamic IP address, one that changes, you will have to use "(" and ")" around the external interface specification. From my example above:
Code:
# --- EXTERNAL interface
# --- OUT
pass out quick on ($ext_if) all keep state flags S/SA
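As an added example, not code from this thread: a small POSIX sh helper that reads the text of pfctl -s info and pfctl -s memory and reports how full the state table is against the "states" hard limit, and what share of blocked inbound packets pf counted as state mismatches (the counter that stands out in the sk0 output above). The sample output embedded in it is constructed to mirror the figures posted above; the function names are mine.

```shell
# Added example, not from the thread: gauge pf state-table headroom and the
# share of blocked inbound packets that were state mismatches, parsed from the
# text of "pfctl -s info" and "pfctl -s memory". POSIX sh + awk only.

# Constructed sample output, trimmed to the lines the checks read; the
# figures mirror those posted above (sk0 box, 10000-state hard limit).
PF_INFO='Status: Enabled for 6 days 07:24:08           Debug: Urgent
Interface Stats for sk0              IPv4             IPv6
  Packets In
    Passed                        11444963                0
    Blocked                          21677                0
State Table                          Total             Rate
  current entries                      269
Counters
  match                            1107918            2.0/s
  state-mismatch                     21671            0.0/s
  state-limit                            0            0.0/s'

PF_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000'

# pf_state_pct INFO MEMORY -> percent of the "states" hard limit in use
pf_state_pct() {
    entries=$(printf '%s\n' "$1" | awk '/^ *current entries/ { print $3 }')
    limit=$(printf '%s\n' "$2" | awk '$1 == "states" && $2 == "hard" { print $4 }')
    [ -n "$entries" ] && [ -n "$limit" ] && [ "$limit" -gt 0 ] || return 1
    echo $(( entries * 100 / limit ))
}

# pf_mismatch_pct INFO -> percent of blocked inbound IPv4 packets that pf
# counted as state-mismatch (the first "Blocked" line is the Packets In row)
pf_mismatch_pct() {
    blocked=$(printf '%s\n' "$1" | awk '/^ *Blocked/ { print $2; exit }')
    mismatch=$(printf '%s\n' "$1" | awk '/^ *state-mismatch/ { print $2 }')
    [ -n "$blocked" ] && [ "$blocked" -gt 0 ] || { echo 0; return 0; }
    echo $(( ${mismatch:-0} * 100 / blocked ))
}

# pf_report INFO MEMORY -> one summary line; exits non-zero when the state
# table is over 80% full. Live use as root:
#   pf_report "$(pfctl -s info)" "$(pfctl -s memory)"
pf_report() {
    pct=$(pf_state_pct "$1" "$2") || return 1
    mm=$(pf_mismatch_pct "$1")
    echo "states: ${pct}% of hard limit; state-mismatch: ${mm}% of blocked inbound packets"
    [ "$pct" -lt 80 ]
}
```

A state table far below its limit with almost every blocked packet counted as a state mismatch points away from the state limit and towards states being lost or never created, which is what the next posts go on to examine.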
Many years ago, on bsdforums.org, I helped somebody who had the same problem as you. He thought that his Internet cafe had a fixed IP when it did not. When he restarted the pf router/firewall everything worked again for a few hours.
Because your external IP is fixed, that cannot be the problem. What is the use of these rules?
Code:
SERVER = "10.10.10.200"
NAT1 = "10.10.10.194"
NAT2 = "10.10.10.195"
[snip]
NAT23 = "10.10.10.217"
NAT24 = "10.10.10.218"
NAT25 = "10.10.10.219"

nat pass on $ext_if from $paltalk1 to any -> $NAT1
nat pass on $ext_if from $paltalk2 to any -> $NAT2
nat pass on $ext_if from $paltalk3 to any -> $NAT3
nat pass on $ext_if from $webdsgn1 to any -> $NAT4
[snip]
nat pass on $ext_if from $webdsgn8 to any -> $NAT11
nat pass on $ext_if from $rased1 to any -> $NAT12
nat pass on $ext_if from $rased2 to any -> $NAT13
[snip]
nat pass on $ext_if from $rased7 to any -> $NAT18
nat pass on $ext_if from $rased8 to any -> $NAT19
nat pass on $ext_if from $admin1 to any -> $NAT20
nat pass on $ext_if from $admin2 to any -> $NAT21
As far as I understand you have the following setup:
Code:
               |   |   |
   ------------|------------   10.10.10.192/27     external
          FreeBSD pf firewall
   ------------|------------   192.168.168.0.1/24  internal
               |   |   |
You can do it with one single statement:
Code:
# --- NAT
nat on $ext_if from !$ext_if
Quote:
The Paltalk server does not let a user log in to or use three rooms from one IP; it only lets users log in from 3 rooms with one IP, and when somebody wants to log in from another room, they discard it, so I have to make different NATs.
Yes, now I understand, but I am afraid I cannot help you much further.
When the connections hang again, but before you restart pf, you could do the following two things:
FreeBSD has a rather old version of pf. You could try to get the latest OpenBSD release, 5.0, and see whether that solves the problem. Be aware, though, that in OpenBSD 4.7 the NAT/RDR syntax changed. See http://www.openbsd.org/faq/pf/nat.html
REMARK from Administrator:
Because mfaridi decided to see whether a change to OpenBSD will solve the "hangs" of the ruleset on FreeBSD, the continuation of this thread is in the OpenBSD section at http://www.daemonforums.org/showthre...6531#post41282