FreeBSD + pf = whoops

Dark Atheist

OSNN Veteran Addict
Staff member
Political User
#1
ext_if = "nfe0"
int_if = "nfe1"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { xx.xx.xx.xx } to { 80, 443, 2010, 6500-6510 }
table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

So here is my pf.conf file. Now, I know I'm missing something from there, as it's now blocking all outgoing connections, so I cannot even grab updates to the ports tree.

I did have this issue written down somewhere, but for the life of me I can't find the thread on here that gave me the solution, or the txt file I thought I put it in :(

Is there anyone out there who can help me out?

Thanks
 

Geffy

OSNN Veteran Addict
#2
Try slapping a "pass out quick on $ext_if from any to any" at the bottom and see if it helps. I'd expect it not to firewall outgoing, as you've not told it to block it.
 

Dark Atheist

OSNN Veteran Addict
Staff member
Political User
#3
That doesn't seem to have sorted it :( - wonder if it's because I have block in on $ext_if from any to any.

Although I would have thought that if I made the connection, the incoming would be allowed.
 

Dark Atheist

OSNN Veteran Addict
Staff member
Political User
#6
So, to be clear then, lord, it should be

ext_if = "nfe0"
int_if = "nfe1"

drop in on $ext_if from any to any
pass out quick on $ext_if from any to any keep-state

pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { xx.xx.xx.xx } to { 80, 443, 2010, 6500-6510 }
table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }
 

Dark Atheist

OSNN Veteran Addict
Staff member
Political User
#8
Bah.

Getting syntax errors now!!!!

my-serv# pfctl -n -f /etc/pf.conf
/etc/pf.conf:4: syntax error
/etc/pf.conf:5: syntax error

:(

Edit: did a bit of reading on pf and I fixed it :)

ext_if = "nfe0"
int_if = "nfe1"

block drop in on $ext_if from any to any
pass out quick on $ext_if from any to any keep state

pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { xxx.xxx.xxx.xxx } to { 80, 443, 2010, 6500-6510 }
table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

Seems it required block on line 4, and keep state rather than keep-state.

my-serv# pfctl -n -f /etc/pf.conf
my-serv#

And all is healthy again :p

(Would give you reps, M, but it won't let me; seems I have to spread it about.)
 

Dark Atheist

OSNN Veteran Addict
Staff member
Political User
#10
Guess I can give your suggestion a try as well, X :) (would give reps, but like lord, I have to whore it about a bit first)

Edit: I get syntax errors with your suggestion too, X - yet if I change it to

block drop in on $ext_if
pass out quick on $ext_if keep state

it works fine. I don't know what versions people are using, but I'm on 7; would there be much of a change between 6 and 7, even if 7 was using an updated pf package?
 

Geffy

OSNN Veteran Addict
#13
Yeah, setting the block policy just means you don't have to explicitly tell it to stealth your ports in every block line, though "block drop in $ext_if" is still only one occurrence. I just like using the sets when I can.
 

Dark Atheist

OSNN Veteran Addict
Staff member
Political User
#14
ext_if = "nfe0"
int_if = "nfe1"

set block-policy drop
block in on $ext_if
pass out quick on $ext_if keep state
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { xx.xx.xx.xx, xx.xx.xx.xx } to { 80, 443, 2010, 6500-6510 }
table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

This is my pf.conf file now, but even so, the people whose IPs I have added cannot connect on any of the ports listed above; the router is set to forward the ports correctly.

Can anyone shed some light on this? Should I add the router's IP?

pass in on $ext_if from { 192.168.1.15 } to { 80, 443, 2010, 6500-6510 }
 

Dark Atheist

OSNN Veteran Addict
Staff member
Political User
#16
Nope, it doesn't - although after doing a bit of reading

ext_if = "nfe0"
int_if = "nfe1"

set block-policy drop
block in on $ext_if
scrub in all
antispoof for $ext_if inet
pass out on $ext_if proto { tcp, udp, icmp } all modulate state

pass in on $int_if from { 164.168.1.2/24 } to any
pass in on $ext_if from { 192.168.1.2/24 } to any
pass in on $ext_if proto tcp from { xx.xx.xx.xx, xx.xx.xx.xx } to $ext_if port www
table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

Bits in bold have been changed, and now people can connect to the web server on my PC. Suppose I will have to find out what name is given to 443, 2010, etc., or see if I can use port 80 instead of port www.

:)
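The two problems the thread runs into are that replies to outbound connections were being dropped by "block in" until a stateful "pass out" was added, and that "to { 80, 443, 2010, 6500-6510 }" is read by pf as a list of hosts, not ports: pf needs the port keyword, and a port range is written 6500:6510. The ruleset below is an added example for the setup described in #14 and #16, not the original poster's file. The internal subnet 192.168.2.0/24, the 203.0.113.x friend addresses and the assumption that all four services are TCP are placeholders to replace; the macro and table names are mine.

```pf
# Added example ruleset for the FreeBSD + pf setup in this thread
# (nfe0 sits on the router's LAN and receives the router's port
# forwards, nfe1 serves a second internal LAN). Not the poster's file.
ext_if     = "nfe0"
int_if     = "nfe1"
router_net = "192.168.1.0/24"              # router LAN nfe0 is on (from the thread)
int_net    = "192.168.2.0/24"              # assumed: subnet behind nfe1
friend_ips = "{ 203.0.113.10, 203.0.113.20 }"   # assumed placeholders
srv_ports  = "{ 80, 443, 2010, 6500:6510 }"     # port range uses ":", not "-"

# options
set block-policy drop
set skip on lo0

# normalization: in this pf grammar rule types must appear in the order
# options, normalization, queueing, translation, filter, so scrub goes
# before any block/pass rule
scrub in all

# filter rules: last matching rule wins unless "quick"
block in on $ext_if
antispoof quick for $ext_if inet

# stateful pass out: the state entry admits the replies that "block in"
# would otherwise drop, which is what stopped the ports tree updates
pass out quick on $ext_if proto { tcp, udp, icmp } keep state

# hosts on either LAN may originate anything
pass in on $int_if from $int_net keep state
pass in on $ext_if from $router_net keep state

# DNS names in a table are resolved once, when the ruleset is loaded;
# "persist" keeps the table even if every name fails to resolve
table <friends> persist { some.dns.name1, somedns.name2 }

# "to" takes an address; the ports go after the "port" keyword
pass in on $ext_if proto tcp from $friend_ips to $ext_if port $srv_ports flags S/SA keep state
pass in on $ext_if proto tcp from <friends>  to $ext_if port $srv_ports flags S/SA keep state
```

Check it with pfctl -n -f /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; pfctl -sr shows the expanded rules, which makes the old "to { 80, ... }" mistake visible because the numbers appear where addresses should be, and pfctl -t friends -T show lists what the table's DNS names resolved to at load time. "keep state" is written out explicitly so the rules behave the same whichever pf version is installed, and if a service in srv_ports is actually UDP it needs its own pass rule with proto udp.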
 

Dark Atheist

OSNN Veteran Addict
Staff member
Political User
#18
I thought that was just a firewall OS, much like Smoothwall and such, and to be honest all is working as it should now, and seeing as I'm using ZFS, if I reformat then all is lost on that drive, so I would have to back up and retransfer stuff back and forth - bit time consuming, that.
 

Geffy

OSNN Veteran Addict
#19
I've been playing with ZFS on a VM; at the moment I've got 40 file systems, so I can do all sorts of mad things like selective compression on various parts of the file system. I've dumped the scripts I used to make them on gisthub.
 
