DaemonForums  

Go Back   DaemonForums > FreeBSD > FreeBSD General

FreeBSD General Other questions regarding FreeBSD which do not fit in any of the categories below.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 29th March 2010
jhp jhp is offline
Real Name: John
New User
 
Join Date: Mar 2010
Location: Derbyshire, UK
Posts: 5
Default Simple pf ruleset

Hi Everyone

I'm new to FreeBSD and am attempting to set up pf rules which will allow all traffic through a gateway machine, and redirect port 80 requests for transparent squid proxying.

This is my pf.conf, a very simple one, but for some reason it doesn't seem to be redirecting, does anyone have any idea why?

Code:
## Definitions
int_if="em0"
ext_if="fxp0"
lan="192.168.0.0/24"

## Redirect WWW traffic to local cache
rdr on $int_if proto tcp from $lan to any port www -> 127.0.0.1 port 3128

## No restrictions on Loopback Interface
pass in quick on lo0 all
pass out quick on lo0 all

## No restrictions on Inside LAN Interface for private network
pass out quick on $int_if all
pass in quick on $int_if all

## No restrictions on WAN Interface
pass out quick on $ext_if all
pass in quick on $ext_if all
I'm using FBSD 6.1-Release.

Thanks

John
Reply With Quote
  #2   (View Single Post)  
Old 29th March 2010
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,125
Default

  1. Is the squid cache LISTENing on port 3128 of the lo0 interface?

    Please post the output of
    Code:
    $ netstat -an -f inet
  2. Your pf.conf really does not do any filtering . It can be simplified even more:
    Code:
    ## Definitions
    int_if="em0"
    ext_if="fxp0"
    
    ## No restrictions on Loopback Interface
    ## No restrictions on Inside LAN Interface for private network
    ## No restrictions on WAN Interface
    set skip on { lo0, $int_if, $ext_if }
    
    ## Redirect WWW traffic to local cache
    rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 3128
  3. Is pf enabled? What is the output of
    Code:
    # pfctl -s info
    ?
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #3   (View Single Post)  
Old 30th March 2010
jhp jhp is offline
Real Name: John
New User
 
Join Date: Mar 2010
Location: Derbyshire, UK
Posts: 5
Default

Ahhhhh. Point 3. I'd loaded the module but not enabled it.

FWIW I had to modify the pf rules slightly to get it working, the one posted didn't redirect.

Code:
## Definitions
int_if="em0"
ext_if="fxp0"

## No restrictions on Loopback Interface
## No restrictions on WAN Interface
set skip on { lo0, $ext_if }

## Redirect WWW traffic to local cache
rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

## No restrictions on Inside LAN Interface for private network
pass out quick on $int_if all
pass in quick on $int_if all
Thanks for your help!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
improve ruleset wesley OpenBSD Security 2 21st January 2010 11:31 PM
A simple question Mr-Biscuit Off-Topic 1 16th April 2009 04:26 PM
ipfw ruleset double check l2fl2f FreeBSD Security 3 26th March 2009 06:32 AM
FTP ruleset questions hitete OpenBSD Security 2 25th November 2008 05:30 PM
Simple Firewall with PF jones FreeBSD General 3 7th November 2008 02:02 AM


All times are GMT. The time now is 08:32 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick