[Solved] pass in from won't work

Hello, I got a PF firewall for my office LAN (work in progress). My problem is this:

I want to give full access to all ports for one IP, but this rule won't work:
Code:
block all
pass in on $ext_if proto { tcp udp } from 192.168.1.12 to any port 0:65535 keep state

more rules for proxy and allowed ports here

If I change
Code:
from 192.168.1.12
to
Code:
from any
it works.
 
It's pass in on <interface> not pass in from <interface>.

And there's no need to add the destination ports, from 192.168.1.12 to any is enough to allow access to all ports.
 
Sorry, my error, I typed it wrong and corrected it (in the thread), but the problem still persists.
 
Anyone? This is the configuration:

Code:
int_if="re0"

out_re0="{22,80,53,443,3389}"
out_re0_udp="{53}"
in_re0="{22,80,53,443,3389}"

set skip on lo0

nat on $int_if inet from ! ($int_if) to any -> ($int_if)

block log all

pass out on $int_if inet proto tcp from any to any port $out_re0 flags S/SA keep state
pass out on $int_if inet proto udp from any to any port $out_re0_udp
pass in on $int_if inet proto tcp from any to any port $in_re0 flags S/SA keep state

pass out on $int_if proto icmp

pass in on $int_if inet proto { udp tcp } from 192.168.1.12 to any
pass out on $int_if inet proto { udp tcp } from 192.168.1.12 to any

I'm testing it with BitTorrent on the 192.168.1.12 machine.
 
The machine only has one interface? If that's the case what are you using NAT for? And what is the IP address of the host itself because those last two rules seem to conflict with each other.

Please post the relevant rc.conf bits from this host and how the 192.168.1.12 machine is connected to it.
 

No, it has 2. I have now moved the actual config to a production one (small for now, 15 users). The rc.conf:

Code:
ifconfig_re0="inet 192.168.1.1 netmask 255.255.255.0"
ifconfig_re1="inet 200.70.47.xxx netmask 255.255.255.248"

defaultrouter="200.70.xxx.xxx"

And the PF code is now this:

Code:
ext_if="re1"
int_if="re0"

out_re0="{22,80,53,443,3389}"
out_re0_udp="{53}"
in_re0="{22,80,53,443,3389}"

out_re1="{22,80,53,443,3389}"
out_re1_udp="{53}"
in_re1="{22,3389}"

set skip on lo0

nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
nat on $int_if inet from ! ($int_if) to any -> ($int_if)

block log all

pass out on $int_if inet proto tcp from any to any port $out_re0 flags S/SA keep state
pass out on $int_if inet proto udp from any to any port $out_re0_udp
pass in on $int_if inet proto tcp from any to any port $in_re0 flags S/SA keep state

pass in on $ext_if inet proto tcp from any to any port $in_re1 flags S/SA keep state
pass out on $ext_if inet proto udp from any to any port $out_re1_udp
pass out on $ext_if inet proto tcp from any to any port $out_re1 flags S/SA keep state

pass out on $ext_if proto icmp

pass out on $int_if proto icmp

pass in on $int_if inet proto { udp tcp } from 192.168.1.12 to any
pass out on $int_if inet proto { udp tcp } from 192.168.1.12 to any


The machine has 2 network interfaces: the internal LAN is on interface re0 with the IP 192.168.1.1, and the external interface is re1 with the IP 200.70.xxx.xxx. I can access the internet from the LAN.
 
Don't NAT on the internal interface. This line needs to be removed:
Code:
nat on $int_if inet from ! ($int_if) to any -> ($int_if)
That NAT is probably the reason why it's not working for you.

This line can be removed too:
Code:
pass out on $int_if inet proto { udp tcp } from 192.168.1.12 to any
There will never be any outgoing traffic on the internal interface with a 192.168.1.12 source address.
 
I removed the nat line and the last one. It works if I grant output access to all on the external interface.
My question now is: is it useful to block the output access of the server on
Code:
$ext_if
if I have already blocked it on the internal interface?
Code:
$int_if

It is kind of useless, no?
 
No, if you block everything (block all) you will need to allow traffic coming in on $int_if and going out on $ext_if for traffic that passes through the server. So that means at least two rules to allow traffic to pass through. Or else it will be allowed to come in but will be blocked going out and vice versa.
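Putting SirDice's two corrections together with the two-rule requirement, this is how the posted ruleset could look. It is an added example, not a ruleset from the thread or its participants; interface names, addresses and port lists are taken from the posts above, while the LAN_FWD tag and the use of pf's tag/tagged keywords are this example's own choices. It also shows why the per-host rule has to sit on $int_if rather than on $ext_if.

```pf
# Added example (not from the thread): the posted two-interface setup,
# rewritten with SirDice's corrections. Addresses and port lists are the
# thread's; the LAN_FWD tag and the rule layout are this example's choices.
ext_if="re1"
int_if="re0"
lan="192.168.1.0/24"            # re0 is 192.168.1.1/24 in the posted rc.conf
full_host="192.168.1.12"        # the one host allowed to use every port

lan_tcp="{ 22, 80, 53, 443, 3389 }"
lan_udp="{ 53 }"
fw_in_tcp="{ 22, 3389 }"        # only what the firewall itself listens on

set skip on lo0

# Translate only where private addresses leave for the internet. There is
# no "nat on $int_if"; that was the rule SirDice said to remove.
nat on $ext_if inet from $lan to any -> ($ext_if)

block log all

# Forwarded traffic needs two rules: pass in on $int_if, pass out on $ext_if.
# The original source address is only visible on the way in; by the time the
# pass out rules on $ext_if run, nat has rewritten it to ($ext_if), so a
# "pass out on $ext_if from 192.168.1.12" rule would never match. Decide per
# host on $int_if, tag the state, and let $ext_if pass what carries the tag.
pass in  on $int_if inet proto tcp from $lan to any port $lan_tcp \
         flags S/SA tag LAN_FWD keep state
pass in  on $int_if inet proto udp from $lan to any port $lan_udp \
         tag LAN_FWD keep state
pass in  on $int_if inet proto { tcp udp } from $full_host to any \
         tag LAN_FWD keep state
pass out on $ext_if inet tagged LAN_FWD keep state

# The firewall's own traffic is never tagged, so it stays limited to the
# same port lists; this is what "pass out on $ext_if" adds over "block all".
pass out on $ext_if inet proto tcp  from ($ext_if) to any port $lan_tcp \
         flags S/SA keep state
pass out on $ext_if inet proto udp  from ($ext_if) to any port $lan_udp keep state
pass out on $ext_if inet proto icmp from ($ext_if) to any keep state
pass out on $int_if inet proto icmp from ($int_if) to $lan keep state

# Remote administration of the firewall from the outside.
pass in  on $ext_if inet proto tcp from any to ($ext_if) port $fw_in_tcp \
         flags S/SA keep state
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it; -n parses the file without loading the rules.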
 

Now I've got an idea of what I want to do.
Thanks SirDice.
 