I'm no expert on FreeBSD, as I don't use it, but the first thing I'd do is ensure that packet forwarding is enabled. Without it, your FreeBSD machine will not act as a router.
If you've confirmed you have that enabled, post your pf.conf here. But don't do that until you've edited your post above to hide your actual Internet address. There's no need to post that, and it might lead to an attack if you have misconfigured PF.
I used the pf.conf from the article (it wouldn't let me link to that before for some reason); here it is with my modifications.
Code:
### macros
# internal and external interfaces (run 'ifconfig' to find interfaces)
int_if = "re1"
ext_if = "re0"

# Allow Telnet, web, etc...
tcp_services = "{ 22, 23, 25, 80 }"

# ping requests
icmp_types = "echoreq"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

### options
set block-policy return
set loginterface $ext_if
set skip on lo0

### Scrub
# From the PF user's guide (http://www.openbsd.org/faq/pf/index.html):
# "Scrubbing" is the normalization of packets so there are no ambiguities in
# interpretation by the ultimate destination of the packet. The scrub directive
# also reassembles fragmented packets, protecting some operating systems from
# some forms of attack, and drops TCP packets that have invalid flag
# combinations.
scrub in all

### nat/rdr
# NAT traffic from internal network to external network through external
# interface
nat on $ext_if from $int_if:network to any -> ($ext_if)

### filter rules
block all

# block incoming traffic from private networks on external interface
block drop in quick on $ext_if from $priv_nets to any

# block outgoing traffic to private networks on external interface
block drop out quick on $ext_if from any to $priv_nets

# allow access to tcp_services on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state

# allow in FTP control port
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state

# allow in ping replies
pass in inet proto icmp all icmp-type $icmp_types keep state

# allow all traffic from internal network to internal interface
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
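Once the macros are expanded, what does this ruleset actually open to the Internet? The following is an added shell example, not code from the thread or from the PF project: it expands `name = "value"` macros the way pfctl does and lists the destination TCP ports of the `pass in` rules on $ext_if. RULES is a constructed excerpt of the ruleset above. On these macros it reports 22, 23, 25 and 80, so telnet and SMTP are reachable from any address on the Internet, which deserves a second look once the NAT problem itself is sorted out. On the gateway itself, `pfctl -sr` prints the loaded rules already expanded; this script is for reviewing a pf.conf offline, and it parses text without validating grammar.

```shell
#!/bin/sh
# Added example (not from the thread or the PF project): expand pf.conf macros
# and list the TCP ports that `pass in` rules open on the external interface.
# RULES is a constructed excerpt of the ruleset posted above.

RULES='### macros
int_if = "re1"
ext_if = "re0"
# Allow Telnet, web, etc...
tcp_services = "{ 22, 23, 25, 80 }"
icmp_types = "echoreq"

block all
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto tcp from port 20 to ($ext_if) user proxy flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state'

# expand_macros RULESET: replace $name with the value of each `name = "value"`
# definition, as pfctl does before it evaluates rules. Comments and blank
# lines are dropped; macro definitions are consumed, not printed.
expand_macros() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        match($0, /^[A-Za-z_][A-Za-z0-9_]* *= *"[^"]*"/) {
            name = $0; sub(/ *=.*/, "", name)
            val  = $0; sub(/^[^"]*"/, "", val); sub(/".*$/, "", val)
            macro[name] = val
            next
        }
        {
            line = $0
            for (n in macro) gsub("\\$" n, macro[n], line)
            print line
        }'
}

# wan_tcp_ports RULESET: destination TCP ports reachable from the Internet,
# taken from `pass in` rules on $ext_if. Handles the two forms found in this
# kind of ruleset, `to ... port { a, b }` and `to ... port n`; the FTP rule
# (source port 20, no destination port) is deliberately not counted.
wan_tcp_ports() {
    ext=$(printf '%s\n' "$1" | sed -n 's/^ext_if *= *"\([^"]*\)".*/\1/p')
    ports=$(expand_macros "$1" \
        | grep -E "^pass in .*on $ext .*proto tcp" \
        | sed -n -e 's/.* to .* port {\([^}]*\)}.*/\1/p' \
                 -e 's/.* to .* port \([0-9][0-9]*\).*/\1/p' \
        | tr ',' ' ')
    # unquoted on purpose: word splitting collapses the whitespace
    echo $ports
}

echo "Inbound TCP ports on \$ext_if: $(wan_tcp_ports "$RULES")"
```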
Do you have this in your /etc/pf.conf?
Code:
gateway_enable="yes"
You can check this setting with
Code:
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Here we go, I've got some more docs for you.
I do have net.inet.ip.forwarding: 1. Here's my rc.conf:
Code:
hostname="Mainframe"
ifconfig_re0="DHCP"
ifconfig_re1="inet 10.0.0.1 netmask 255.255.255.0"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
dhcpd_enable="YES"
named_enable="YES"
inetd_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="NO"
Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 00:e0:4c:68:10:eb
        inet 184.13.1.104 netmask 0xffffff00 broadcast 184.13.1.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether bc:5f:f4:49:35:49
        inet 10.0.0.1 netmask 0xffffff00 broadcast 10.0.0.255
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
pflog0: flags=0<> metric 0 mtu 33152
pfsync0: flags=0<> metric 0 mtu 1500
        syncpeer: 0.0.0.0 maxupd: 128
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 127.0.0.1 netmask 0xff000000
Code:
Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            184.13.1.111       UGS         0       62    re0
10.0.0.0/24        link#7             U           0       10    re1
10.0.0.1           link#7             UHS         0        0    lo0
127.0.0.1          link#12            UH          0        0    lo0
184.13.1.0/24      link#1             U           0        8    re0
184.13.1.128       link#1             UHS         0        0    lo0
Code:
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.0.0.187
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.0.0.1
It could be DNS.
On the Windows machine can you ping yahoo.com by address?
Code:
nslookup www.yahoo.com
Looking at your pf.conf, I can't help but wonder if PF has failed to load it, due to syntax errors. You haven't mentioned which release of FreeBSD you are using, and FreeBSD has used varying versions of PF, each with varying syntax. Following a 2006-era "howto" might have been a disservice.
Code:
# pfctl -sr
will show you what rules are currently loaded. If the default rules are loaded instead of your pf.conf, then you'll know this is the reason.
You can test your rules:
Code:
# pfctl -nf /etc/pf.conf
will do a syntax check. No output = good.
If your rules are syntactically correct, the next step would be to check to see which rules are being applied to your traffic. You do this by adding the log option to your block and your pass rules and then monitoring rule use traffic on the pflog0 device with tcpdump(1).
The kernel module may not be loaded
Code:
# kldload pf
Code:
# /etc/rc.d/pf start
Code:
# kldstat
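Pulling the checks from these replies into one script: an added example, not from the thread. It first runs against captured output (the SAMPLE_* values are constructed, modelled on the rc.conf and ifconfig output posted earlier) and, when it finds pfctl on the host, also runs the live commands the replies point at (sysctl, kldstat -q -m pf, pfctl -nf). One check goes beyond what the replies say: in the posted ifconfig output pflog0 shows flags=0<>, i.e. the interface is down, and the posted rc.conf has no pflog_enable="YES"; on FreeBSD pflog0 is brought up by the pflog rc script, so tcpdump on pflog0 would show nothing even after log is added to the rules.

```shell
#!/bin/sh
# Added example (not from the thread): check the NAT-gateway prerequisites the
# replies ask about, offline against captured output and live on a FreeBSD
# host. SAMPLE_* inputs are constructed, modelled on the posted rc.conf and
# ifconfig output.

SAMPLE_RC='hostname="Mainframe"
ifconfig_re0="DHCP"
ifconfig_re1="inet 10.0.0.1 netmask 255.255.255.0"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"'

SAMPLE_SYSCTL='net.inet.ip.forwarding: 1'

# pflog0 shows flags=0<> (no UP), as in the posted output.
SAMPLE_IFCONFIG='re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
pflog0: flags=0<> metric 0 mtu 33152
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384'

# rc_has_yes VAR RC_TEXT: true if the last assignment of VAR in rc.conf text
# is YES (any case, quoted or not), the way sh(1) sees it when sourcing.
rc_has_yes() {
    printf '%s\n' "$2" | grep -E "^[[:space:]]*$1=" | tail -n 1 \
        | grep -qiE '="?yes"?[[:space:]]*$'
}

# forwarding_enabled SYSCTL_LINE: true if net.inet.ip.forwarding reads 1.
forwarding_enabled() {
    printf '%s\n' "$1" | grep -qE '^net\.inet\.ip\.forwarding: 1$'
}

# iface_is_up IFACE IFCONFIG_TEXT: true if the interface's flag list has UP.
iface_is_up() {
    flags=$(printf '%s\n' "$2" | sed -n "s/^$1: flags=[0-9a-fA-F]*<\([^>]*\)>.*/\1/p")
    case ",$flags," in
        *,UP,*) return 0 ;;
        *)      return 1 ;;
    esac
}

# check LABEL CMD ARGS...: run CMD, print ok/FAIL with LABEL, count failures.
check() {
    label=$1; shift
    if "$@"; then
        echo "ok   $label"
    else
        echo "FAIL $label"
        fails=$((fails + 1))
    fi
}

# nat_precheck RC SYSCTL IFCONFIG: one line per check; returns the number of
# failed checks (0 means everything the replies ask about is in place).
nat_precheck() {
    fails=0
    check 'gateway_enable="YES" in rc.conf' rc_has_yes gateway_enable "$1"
    check 'pf_enable="YES" in rc.conf'      rc_has_yes pf_enable "$1"
    check 'pflog_enable="YES" in rc.conf'   rc_has_yes pflog_enable "$1"
    check 'net.inet.ip.forwarding is 1'     forwarding_enabled "$2"
    check 'pflog0 is UP (needed for tcpdump -i pflog0)' iface_is_up pflog0 "$3"
    return $fails
}

# live_checks: on a FreeBSD host, run the real commands from the thread.
# Elsewhere it only says so and succeeds.
live_checks() {
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "skip live checks: pfctl not found (not a FreeBSD/PF host)"
        return 0
    fi
    fails=0
    check 'net.inet.ip.forwarding is 1' forwarding_enabled "$(sysctl net.inet.ip.forwarding)"
    check 'pf kernel module loaded (kldstat -q -m pf)' kldstat -q -m pf
    check 'pflog0 is UP' iface_is_up pflog0 "$(ifconfig pflog0 2>/dev/null)"
    check '/etc/pf.conf passes pfctl -nf (needs root)' pfctl -nf /etc/pf.conf
    return $fails
}

nat_precheck "$SAMPLE_RC" "$SAMPLE_SYSCTL" "$SAMPLE_IFCONFIG" || echo "$? check(s) failed on the sample"
live_checks || echo "$? live check(s) failed"
```

On the constructed sample the offline part reports two failures, the missing pflog_enable and the downed pflog0, while forwarding, gateway_enable and pf_enable pass; that matches the thread, where the router settings look right but nothing has yet confirmed that the ruleset loaded or that logging would be visible.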