Old 5th April 2013
Popelicious
New User
Join Date: Mar 2013
Posts: 5

Hello everyone. After tinkering with pf and reading all the pf material I could find, I got a ruleset working for my configuration.

My only problem is that I can only reach the services behind the pf box if I use the same machine as the gateway for the box that is running those services, something that unfortunately can't be done.

At the minute I have 2 routers from my ISP with 8 public IPs each, one of them being and the other is
The .0.1 router uses NAT for its 8 public IPs, and .10.1 routes its 8 public IPs to a single iptables-based firewall with if_ext and if_int.

My pf box is behind one of the NAT addresses, and everything seems to be fine if I use it as the gateway for all the boxes I redirect ports to. The problem arises when I redirect ports to a box that has gw

For example, let's say I have as the www server, and the pf box is If I have set the .200.93 gateway to .200.152 (the pf box), everything works and I can access the www server from outside with no problems.
Now, if that gateway gets changed to the .200.25 box, it won't.

What is eating me is that this configuration does work for other machines if I use iptables, so I'm sure it's my pf configuration.

Here it is:

anchor "ftp-proxy/*"
pass in quick inet proto tcp to port ftp divert-to port 8021

ip="public ip"

#services pf box

# internal server

#block policy and log
set block-policy return
set loginterface $ext_if
set skip on {lo enc0}

#scrub in all #commented due to testing

block in log all 
pass out keep state
pass quick on { lo }
antispoof quick for { lo $int_if }

pass in quick log on $int_if

match out log on egress from $int_if:network to any nat-to (egress) #test nat

match in log on $ext_if proto tcp from any to any port 80 rdr-to $serv_ip port 80
match in log on $ext_if proto tcp from any to any port 443 rdr-to $serv_ip port 443

pass in on $ext_if inet proto tcp from any to ($ext_if) port $servicios_tcp keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $servicios_udp keep state
pass in inet proto icmp all icmp-type $servicios_icmp keep state
synproxy state
pass in on $ext_if proto tcp from any to any port $servicios_serv flags S/SA synproxy state
Can anyone explain to me what is happening?


Last edited by Popelicious; 5th April 2013 at 12:30 PM.
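An added example, not part of the poster's ruleset, showing the usual pf way to serve a redirected host whose default gateway is not the pf box: the inbound rdr-to is paired with a nat-to on the internal interface, so the server sees the pf box as the client and its replies return through pf instead of leaving via the other gateway. Interface names, the server address and the port list are assumed placeholders.

```pf
# Assumed macros; the post's own definitions were stripped, so adjust to the real setup
ext_if = "em0"                 # placeholder external interface
int_if = "em1"                 # placeholder internal interface
serv_ip = "192.0.2.93"         # placeholder address of the www box
web_ports = "{ 80 443 }"

# Inbound web traffic is redirected to the internal server, as in the original ruleset.
# Filter rules evaluated after this match rule already see the translated destination.
match in log on $ext_if inet proto tcp from any to ($ext_if) port $web_ports rdr-to $serv_ip

# The missing piece: rewrite the source of the redirected packets to the pf box's
# internal address. The server now answers the pf box, so the return path no longer
# depends on the server's default gateway (.200.25 in the post) and pf's state
# table sees both directions of every connection.
match out on $int_if inet proto tcp from any to $serv_ip port $web_ports nat-to ($int_if)

# Stateful pass rules for the translated flow
pass in on $ext_if inet proto tcp from any to $serv_ip port $web_ports
pass out on $int_if inet proto tcp from any to $serv_ip port $web_ports
```

The trade-off is that the web server's logs will show the pf box's internal address instead of the real client addresses, so keep the `log` keyword on the rdr-to rule (or use `pflog`) if you still need the original source for auditing.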