pf https

jemate18 · Feb 5, 2010

Oh my.... I used the pf.conf you suggested..

Code:

i="em1"
x="em0"
lan="192.168.2.0/24"
set block-policy return
set skip on lo0

scrub in all fragment reassemble

nat on $x from $i to any -> $x

rdr on $i inet proto tcp from $lan to any port www -> 127.0.0.1 port 3128


antispoof log quick for $x
antispoof log quick for $i



block log all

pass in quick on $i inet proto tcp from $lan to any keep state flags S/SA
pass in quick on $i inet proto { udp icmp } from $lan to any keep state

pass out quick on $x inet proto tcp from $x to any modulate state flags S/SA
pass out quick on $x inet proto {udp icmp } from $x to any keep state

I know.... a lot of efforts... and still not working...

jemate18 · Feb 5, 2010

This still not works.. Maybe there's something wrong, not the pf.conf in my settings

jemate18 · Feb 5, 2010

Here is another one.. trying to access google mail in the client machine

the result of tcpdump -i em1

Code:

19:11:37.769179 IP 192.168.2.13.56782 > sin01s01-in-f104.1e100.net.https: Flags [S], seq 3429709285, win 5860, options [mss 1460,sackOK,TS val 3373311 ecr 0,nop,wscale 6], length 0
*** the above message appears 5 consecutive times, then this is next
19:12:03.764227 ARP, Request who-has 192.168.2.2 tell 192.168.2.13, length 46
19:13:03.764235 ARP, REply 192,168.2.2 is-at 00:xxxxxxxxx(oui Unknown), length 28
*** then this again***
19:11:37.769179 IP 192.168.2.13.56782 > sin01s01-in-f104.1e100.net.https: Flags [S], seq 3429709285, win 5860, options [mss 1460,sackOK,TS val 3373311 ecr 0,nop,wscale 6], length 0
**** displays for 3 times ****

After about 1 to 2 minutes, Network Timeout is displayed in the Browser of the client PC

Any ideas?

jemate18 · Feb 5, 2010

Are we having the same problem?

Code:

http://forums.freebsd.org/showthread.php?t=10874

DutchDaemon · Feb 5, 2010

Perhaps. Anyway, you have all the troubleshooting tools explained to you, so start experimenting. Don't work on proxies and redirections until you have your basic networking and routing in place. With a single NAT rule and 'set skip' on all interfaces you must be able to access the Internet from your LAN. That's the basis of everything else. Start from there and build up.

dennylin93 · Feb 5, 2010

I'd suggest actually reading some documentation first. Then you should be able to do all the debugging and experimentation.

For starters:

The links listed above provide a complete description of PF and should be more than enough to get you going. It should only take 3 or 4 days at the most to read.

jemate18 · Feb 5, 2010

Thanks guys, I ll read more bout pf. It's weekend today and I can experiment next week, I'll have more time to read.

Thanks once again

pf https

jemate18

jemate18

jemate18

jemate18

DutchDaemon

Administrator

dennylin93

jemate18