FreeBSD + pf = whoops

Dark Atheist

ext_if = "nfe0"
int_if = "nfe1"

block in on $ext_if from any to any
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { xx.xx.xx.xx } to { 80, 443, 2010, 6500-6510 }
table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

So here is my pf.conf file. Now I know I'm missing something from there, as it's now blocking all outgoing connections, so I cannot even grab updates to the ports tree.

I did have this issue written down somewhere, but for the life of me I can't find the thread on here that gave me the solution, or the txt file I thought I put it in :(

Is there anyone out there can help me out?

Thanks
 
Try slapping a "pass out quick on $ext_if from any to any" at the bottom and see if it helps. I'd expect it not to firewall outgoing, as you've not told it to block it.
 
That doesn't seem to have sorted it :( - wonder if it's because I have block in on $ext_if from any to any

Although I would have thought that if I made the connection, the incoming would be allowed.
 
modulate state does weird things to packets. You should keep it as keep-state.

Also change block to drop - stealth mode :)
 
So to be clear then, lord, it should be

ext_if = "nfe0"
int_if = "nfe1"

drop in on $ext_if from any to any
pass out quick on $ext_if from any to any keep-state

pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { xx.xx.xx.xx } to { 80, 443, 2010, 6500-6510 }
table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }
 
Bah

Getting syntax errors now!!!!

my-serv# pfctl -n -f /etc/pf.conf
/etc/pf.conf:4: syntax error
/etc/pf.conf:5: syntax error

:(

Edit: did a bit of reading on pf and I fixed it :)

ext_if = "nfe0"
int_if = "nfe1"

block drop in on $ext_if from any to any
pass out quick on $ext_if from any to any keep state

pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { xxx.xxx.xxx.xxx. } to { 80, 443, 2010, 6500-6510 }
table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

Seems it required block on line 4, and keep state rather than keep-state.

my-serv# pfctl -n -f /etc/pf.conf
my-serv#

And all is healthy again :p

(Would give you reps, M, but it won't let me; seems I have to spread it about.)
 
Guess I can give your suggestion a try as well, X :) (would give reps, but like lord, I have to whore it about a bit first)

Edit: I get syntax errors with your suggestion too, X - yet if I change it to

block drop in on $ext_if
pass out quick on $ext_if keep state

it works fine. I don't know what versions people are using, but I'm on 7; would there be much of a change between 6 and 7, even if 7 was using an updated pf package?
 
set block-policy drop
block in on $ext_if
pass out quick on $ext_if keep state
 
Yeah, setting the block policy just means you don't have to explicitly tell it to stealth your ports in every block line, though "block drop in $ext_if" is still only one occurrence. I just like using the sets when I can.
 
ext_if = "nfe0"
int_if = "nfe1"

set block-policy drop
block in on $ext_if
pass out quick on $ext_if keep state
pass in on $int_if from { 164.168.1.1/24 } to any
pass in on $ext_if from { 192.168.1.1/24 } to any
pass in on $ext_if from { xx.xx.xx.xx, xx.xx.xx.xx } to { 80, 443, 2010, 6500-6510 }
table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

This is my pf.conf file now, but even so, the people whose IPs I have added cannot connect on any of the ports listed above; the router is set to forward the ports correctly.

Anyone shed some light on this? Should I add the router's IP?

pass in on $ext_if from { 192.168.1.15 } to { 80, 443, 2010, 6500-6510 }
 
Nope, it doesn't - although after doing a bit of reading:

ext_if = "nfe0"
int_if = "nfe1"

set block-policy drop
block in on $ext_if
scrub in all
antispoof for $ext_if inet
pass out on $ext_if proto { tcp, udp, icmp } all modulate state

pass in on $int_if from { 164.168.1.2/24 } to any
pass in on $ext_if from { 192.168.1.2/24 } to any
pass in on $ext_if proto tcp from { xx.xx.xx.xx, xx.xx.xx.xx } to $ext_if port www
table <friends> { some.dns.name1, somedns.name2, somedns.name3, some.dns.name4 }
pass in on $ext_if from <friends> to { 80, 443, 2010, 6500-6510 }

The bits in bold have been changed, and now people can connect to the web server on my PC. I suppose I will have to find out what name is given to 443, 2010, etc., or see if I can use port 80 instead of port www.

:)
 
443 = HTTPS
80/WWW same thing :)

You could just use pfSense though - that's FreeBSD with pf and a nice web interface to it all :)
 
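For reference, here is a corrected version of the pf.conf this thread converges on. It is an added example, not the original poster's file or any reply's. The interface names and the 80/443/2010/6500-6510 port list come from the thread; 192.168.1.0/24 as the trusted LAN on $int_if, the friend hostnames and 203.0.113.10 are placeholders I have assumed. The main change from the posted rules is that destination ports are written with "port" and a colon range, because pf reads a bare "to { 80, 443 }" as a list of destination hosts, not ports, which is why the friends' connections were not matching.

```pf
# Added example (not the thread's own file). Interface names are from the
# thread; friend hostnames, 203.0.113.10 and the LAN range are assumptions.

ext_if = "nfe0"
int_if = "nfe1"

# TCP ports friends may reach. Ranges use a colon, not a dash, and service
# names are looked up in /etc/services (www = 80, https = 443).
friend_ports = "{ www, https, 2010, 6500:6510 }"

# Hostnames in a table are resolved once, when the ruleset is loaded; pf
# stores only the resulting addresses. "persist" keeps the table around
# even if no rule currently refers to it.
table <friends> persist { friend1.example.net, friend2.example.net, 203.0.113.10 }

# Drop silently instead of answering with RST / ICMP unreachable.
set block-policy drop
set skip on lo0

# Normalise fragments and reject packets with spoofed sources before any
# pass rule gets a look at them.
scrub in all
antispoof quick for $ext_if inet

# Default deny inbound on the external interface. Replies to the box's own
# outbound connections never reach this rule: the "keep state" on the pass
# out rule below matches them from the state table first.
block in on $ext_if

# Outbound: let the box reach the world (ports tree updates, DNS, etc.).
pass out quick on $ext_if proto { tcp, udp, icmp } all keep state

# The LAN behind $int_if is trusted.
pass in quick on $int_if from 192.168.1.0/24 to any keep state

# Inbound from friends only, only to the listed ports, addressed to this
# box. Writing "to $ext_if port ..." is the fix for the posted
# "to { 80, 443, 2010, 6500-6510 }", which pf parsed as destination hosts.
pass in on $ext_if proto tcp from <friends> to $ext_if port $friend_ports keep state
```

Check it with "pfctl -n -f /etc/pf.conf" before loading, then load it with "pfctl -f /etc/pf.conf". Because table hostnames resolve only at load time, a friend whose address changes needs a reload (or "pfctl -t friends -T replace ..." with the new addresses). The explicit "keep state" is harmless whether or not the installed pf version already defaults to it, and it is what makes the earlier "block in on $ext_if" compatible with the box making its own outbound connections.
 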
I thought that was just a firewall OS, much like Smoothwall and such, and to be honest all is working as it should now. Seeing as I'm using ZFS, if I reformat then all is lost on that drive, so I would have to back up and retransfer stuff back and forth - a bit time-consuming, that.
 
I've been playing with ZFS on a VM; at the moment I've got 40 file systems so I can do all sorts of mad things like selective compression on various parts of the file system. I've dumped the scripts I used to make them on GitHub.
 
Hehehe, nice - not sure how that would work on an FTP/storage drive though; wouldn't the compression cause issues?
 