Hi people.
I have been using pfSense in my home to protect from the outside; now I want to set up my own firewall from scratch. It is not the first time I did this, before pfSense I built my own FW, but now something happened or I forgot how to do it.
I set up my kernel for pf and changed my rc.conf to my settings:
Code:
# sis0 -> gateway
ifconfig_sis0="inet 192.168.50.1 netmask 255.255.255.0"
# PPPoE interface
ifconfig_xl0=""
pf_enable="YES" # Set to YES to enable packet filter (pf)
pf_rules="/etc/pf.conf" # rules definition file for pf
pf_program="/sbin/pfctl" # where the pfctl program lives
pf_flags="" # additional flags for pfctl
pflog_enable="YES" # Set to YES to enable packet filter logging
pflog_logfile="/var/log/pflog" # where pflogd should store the logfile
pflog_program="/sbin/pflogd" # where the pflogd program lives
pflog_flags="" # additional flags for pflogd
ftpproxy_enable="YES"
defaultrouter="192.168.50.1"
gateway_enable="YES"
/etc/resolv.conf, my ISP nameservers:
Code:
nameserver IP-DNS1
nameserver IP-DNS2
pf.conf. I copied these rules from the Internet.
Code:
ExtIF="ng0"
IntIF="sis0"
INTERNAL="192.168.50.0/24"
table <badhost> const {0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
224.0.0.0/4, 240.0.0.0/4, 10.0.0.0/8, \
172.16.0.0/12, 192.168.0.0/16, 255.255.255.255, \
127.0.0.1/8}
table <allowhost> const {192.168.50.1, 192.168.50.2, 192.168.50.6, \
192.168.50.21, 192.168.50.7, 192.168.50.12}
set loginterface $ExtIF
scrub in all
scrub out all random-id max-mss 1440
# NAT section
nat on $ExtIF inet from $INTERNAL to any -> ($ExtIF)
# Remember default rule for non-matching packets are passed!!!
block out log on $ExtIF all
block in log on $ExtIF all
block return-rst out log on $ExtIF proto tcp all
block return-rst in log on $ExtIF proto tcp all
block return-icmp out log on $ExtIF proto udp all
block return-icmp in log on $ExtIF proto udp all
# allow lo0 interface packet
pass in quick on lo0 all
pass out quick on lo0 all
# allow internal network traffic
pass in on $IntIF from any to <allowhost>
pass out on $IntIF from <allowhost> to any
# block spoofing attack
block in quick log on $ExtIF from <badhost> to any
# block nmap's fingerprinting attempt(FIN, URG, PSH)
block in quick on $ExtIF inet proto tcp from any to any flags FUP/FUP
# Create states
pass out log on $ExtIF inet proto tcp all flags S/SA keep state
pass out log on $ExtIF inet proto {udp, icmp} all keep state
My ISP service is DSL; I set up the mpd daemon like this:
mpd.conf
Code:
new -i ng0 PPPoE PPPoE
set iface route default
set iface disable on-demand
set iface idle 0
set iface up-script /usr/local/etc/mpd/mpd.links
set bundle disable multilink
set bundle authname "X"
set bundle password "Y"
set bundle no noretry
set link keep-alive 10 60
set link max-redial 0
set link no acfcomp protocomp
set link disable pap chap
set link accept chap
set link mtu 1492
set ipcp yes vjcomp
set ipcp ranges 0.0.0.0/0 0.0.0.0/0
set ipcp enable req-pri-dns
set ipcp enable req-sec-dns
open iface
mpd.links
Code:
PPPoE:
set link type pppoe
set pppoe iface xl0
set pppoe service "prodigy"
set pppoe enable originate
set pppoe disable incoming
Every time I get my public IP I reload pf manually: pfctl -Fa -f /etc/pf.conf
I have been checking my ng0 interface with tcpdump; if I try to use dig, host or nslookup, they exit saying that they cannot reach any server.
My ng0 interface never shows me anything; it is like it is not getting any packets. I ping a public site and the ng0 interface never receives any data.
netstat -nr doesn't have my public IP as gateway, just to mention this.
I really don't know why I cannot resolve any public IP.
Looks like everything is correct; did I forget something?
FreeBSD 7.2 + pf.
Thanks all for your time!!!
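An added diagnostic helper written by the editor, not part of the original post and not code from mpd or pf. Given the symptoms described (no packets on ng0, no public IP as gateway in netstat -rn), it checks the two things a reviewer would look at first: which interface actually carries the default route, and whether rc.conf's `defaultrouter` is set to one of the box's own addresses, since a static default route installed at boot from rc.conf conflicts with mpd installing its own via `set iface route default`. The `netstat -rn` samples, the rc.conf excerpt and the 203.0.113.x addresses are constructed for the example; the parser assumes FreeBSD's `netstat -rn` column layout (Netif in the sixth column).

```shell
#!/bin/sh
# Editor's diagnostic helper (constructed example, not from the post).
# It runs offline on constructed copies of `netstat -rn` output and an
# rc.conf excerpt; on the real firewall feed it `netstat -rn` and /etc/rc.conf.

# Print the interface that carries the default route.
# Assumes FreeBSD `netstat -rn` columns: Destination Gateway Flags Refs Use Netif.
default_route_netif() {
    awk '$1 == "default" { print $6; exit }'
}

# Print "self" when rc.conf sets defaultrouter to an address configured on the
# box itself (that installs a default route via the LAN interface at boot,
# which conflicts with mpd adding the PPPoE default route), else "ok".
rcconf_defaultrouter_check() {
    awk -F'"' '
        /^ifconfig_[A-Za-z0-9]+="inet / {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "inet") own[f[i + 1]] = 1
        }
        /^defaultrouter=/ { gw = $2 }
        END { if (gw != "" && (gw in own)) print "self"; else print "ok" }
    '
}

# Constructed routing table matching the situation in the post:
# default route points at the LAN side, ng0 is absent.
SAMPLE_ROUTES_BAD='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            192.168.50.1       UGS         0      123   sis0
127.0.0.1          127.0.0.1          UH          0       10    lo0
192.168.50.0/24    link#1             UC          0        0   sis0'

# Constructed routing table of a working PPPoE box; 203.0.113.x are
# documentation-range placeholders for the ISP peer and the assigned public IP.
SAMPLE_ROUTES_GOOD='Routing tables

Internet:
Destination        Gateway            Flags    Refs      Use  Netif Expire
default            203.0.113.1        UGS         0      123    ng0
127.0.0.1          127.0.0.1          UH          0       10    lo0
192.168.50.0/24    link#1             UC          0        0   sis0
203.0.113.1        203.0.113.7        UH          0        0    ng0'

# Constructed rc.conf excerpt with the relevant lines from the post.
SAMPLE_RCCONF='ifconfig_sis0="inet 192.168.50.1 netmask 255.255.255.0"
ifconfig_xl0=""
defaultrouter="192.168.50.1"
gateway_enable="YES"'

# Run both checks; returns 0 only when the default route is on the PPPoE
# interface (ng0 unless a third argument names another one).
check_pppoe_box() {
    routes="$1"; rcconf="$2"; pppoe_if="${3:-ng0}"
    netif=$(printf '%s\n' "$routes" | default_route_netif)
    dr=$(printf '%s\n' "$rcconf" | rcconf_defaultrouter_check)
    printf 'default route via: %s; rc.conf defaultrouter: %s\n' "${netif:-none}" "$dr"
    [ "$netif" = "$pppoe_if" ]
}

# Example run: the post's situation first, then a healthy table.
check_pppoe_box "$SAMPLE_ROUTES_BAD" "$SAMPLE_RCCONF" \
    || echo "-> default route is not on the PPPoE link; review defaultrouter in rc.conf"
check_pppoe_box "$SAMPLE_ROUTES_GOOD" 'defaultrouter="NO"'
```

On a live box replace the samples with `netstat -rn` output and /etc/rc.conf; the same review pass would also question `set iface up-script /usr/local/etc/mpd/mpd.links`, because `up-script` names an executable mpd runs when the interface comes up, not the file holding the link definitions.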