Hi!
I have a very strange problem. The setup is as follows:
- FreeBSD (6.4-RELEASE-p11) router/firewall with PF doing nat, scrub and packet filtering;
- WWW servers behind this FreeBSD box;
- several workstations behind this FreeBSD box.
There are no problems with accessing these WWW servers from the Internet from many client operating systems (including Windows XP, Vista, 7; FreeBSD-RELEASE 6.4, 7.3, 8.1; some Linux distributions - Fedora, CentOS, Slackware; even Symbian-based smart phones). Unfortunately, external Debian and Ubuntu boxes can't access the WWW servers behind this FreeBSD box. The same Debian/Ubuntu clients can access WWW servers on the internal segment. I suspect there is something wrong with the interaction between Debian's TCP/IP stack and my PF firewall rules on the FreeBSD router.
Thanks in advance!
Lyubomir.
Here are excerpts from /etc/pf.conf file:
For obvious reasons, public IP addresses are substituted with capital letters.
Code:
=========Start of pf.conf=========
ext_if="em0"
int_if="em1"
loopback_if="lo0"
internal_addr="192.168.100.100"
internal_net="192.168.100.0/24"
external_addr="A.B.C.D"
# 1st WWW Server
www1_int="192.168.100.240"
www1_ext="E.F.G.H"
# 2nd WWW Server
www2_int="192.168.100.246"
www2_ext="X.Y.Z.W"
# Options: tune the behavior of pf, default values are given.
#set timeout { interval 10, frag 30 }
#set timeout { tcp.first 120, tcp.opening 30, tcp.established 86400 }
#set timeout { tcp.closing 900, tcp.finwait 45, tcp.closed 90 }
#set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
#set timeout { icmp.first 20, icmp.error 10 }
#set timeout { other.first 60, other.single 30, other.multiple 60 }
#set timeout { adaptive.start 0, adaptive.end 0 }
#set limit { states 10000, frags 5000 }
#set loginterface none
#set optimization normal
#set block-policy drop
#set require-order yes
#set fingerprints "/etc/pf.os"
# Normalization: reassemble fragments and resolve or reduce traffic ambiguities.
scrub in all
# Queueing: rule-based bandwidth control.
#altq on $ext_if bandwidth 2Mb cbq queue { dflt, developers, marketing }
#queue dflt bandwidth 5% cbq(default)
#queue developers bandwidth 80%
#queue marketing bandwidth 15%
# Translation: specify how addresses are to be mapped or redirected.
# nat: packets going out through $ext_if with source address $internal_net will
# get translated as coming from the address of $ext_if, a state is created for
# such packets, and incoming packets will be redirected to the internal address.
# Static 1:1 NAT for the internal WWW servers
binat on $ext_if from $www1_int to any -> $www1_ext
binat on $ext_if from $www2_int to any -> $www2_ext
# NAT for the rest of the workstations
nat on $ext_if from $internal_net to any -> ($ext_if)
# block all incoming packets but allow ssh, pass all outgoing tcp and udp
# connections and keep state, logging blocked packets.
block in log all
pass in inet proto icmp all keep state
pass in on $ext_if proto tcp from any to $www1_int port 80 keep state
pass in on $ext_if proto tcp from any to $www2_int port 80 keep state
pass in on $int_if from $internal_net to any keep state
pass in on lo0 proto { tcp,udp } from any to any
pass out on $ext_if proto { tcp,udp,icmp } from $external_addr to any keep state
pass out on $int_if proto { tcp,udp,icmp } from $internal_net to any keep state
=========End of pf.conf=========
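One check worth running against a ruleset like the one above is whether the TCP `pass ... keep state` rules pin state creation to the SYN with `flags S/SA`. The PF in FreeBSD 6.x creates state on any packet by default, and a state created mid-stream carries no window-scaling information, so later in-window packets from a peer that scales its window can be dropped; that is a known interaction to rule out before digging deeper. The following script is an added example, not part of the original post or of FreeBSD's pf.conf template; it writes a constructed sample config modelled on the rules in the post (the file path and rule contents are made up for the demonstration) and lists the stateful TCP rules that carry no `flags` option.

```shell
#!/bin/sh
# Added example (not from the original post): list "pass ... proto tcp ... keep state"
# rules in a pf.conf that do not restrict state creation to the SYN with "flags S/SA".
# The PF shipped with FreeBSD 6.x creates state on any packet by default; a state
# created mid-stream has no window-scaling information, so in-window packets from a
# window-scaling peer may later be dropped.

# Constructed sample pf.conf, modelled on the rules in the post (hypothetical file path).
SAMPLE_CONF="${TMPDIR:-/tmp}/pf_sample_$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
ext_if="em0"
# stateful TCP rules without flags: state may be created on a non-SYN packet
pass in on $ext_if proto tcp from any to 192.168.100.240 port 80 keep state
pass in on $ext_if proto tcp from any to 192.168.100.246 port 80 keep state
# stateful TCP rule restricted to the SYN: this one is fine
pass in on $ext_if proto tcp from any to 192.168.100.246 port 22 flags S/SA keep state
# not TCP: ignored by the check
pass in inet proto icmp all keep state
# TCP is one of several protocols here, so it is still reported
pass out on $ext_if proto { tcp,udp,icmp } from 1.2.3.4 to any keep state
EOF

# Print every pass rule that can match TCP and keeps state but has no "flags" option.
tcp_state_rules_without_flags() {
    awk '
        /^[[:space:]]*#/ { next }                                   # skip comment lines
        /^[[:space:]]*pass/ && /keep state/ && /tcp/ && !/flags/ { print }
    ' "$1"
}

# Number of such rules, convenient for a pre-deploy lint step that fails when non-zero.
count_tcp_state_rules_without_flags() {
    tcp_state_rules_without_flags "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report the sample's findings.
tcp_state_rules_without_flags "$SAMPLE_CONF"
echo "rules lacking flags: $(count_tcp_state_rules_without_flags "$SAMPLE_CONF")"
```

Point `tcp_state_rules_without_flags` at the real `/etc/pf.conf` to see which rules it flags. If you then add `flags S/SA` to the TCP rules, check the syntax with `pfctl -nf /etc/pf.conf` before loading the new ruleset, and compare `pfctl -ss` output and the pflog entries for a failing Debian client before and after the change, so the effect is measured rather than assumed.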