Problem with PF :-(

Hello

I have a problem with PF on FreeBSD 8.0. I have Apache running on ports 80 and 443 and ssh on port 22; all services are on interface eth0 (192.168.1.67). When running pf I can't connect to http and ssh. I changed synproxy state to keep state for (22, 80, 443) and now I can connect to ssh and http from another computer, but I can't connect from the server (192.168.1.67) itself to the http service; for example, lynx 192.168.1.67 gives the error "Unable to connect to remote host".

here is my pf.conf:

Code:
##################
# macro definitions
##################

ext_if = "em0"
my = "192.168.1.227/32"
my1 = "192.168.1.81/32"

##################
# Options
##################

set limit frags 30000
set require-order yes
set block-policy drop
set optimization normal
set loginterface em0

##################
# Normalization
##################

scrub in all
scrub out all

##################
# Filtering
##################

# block all
block in all

# pass out
pass out quick on $ext_if inet from ($ext_if) to any keep state

# allow connection in on ext_if port 80 (apache)
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 80 flags S/SA keep state

# allow connection in on ext_if port 443 (apache SSL)
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 443 flags S/SA keep state

# allow connection in on ext_if port 22 (SSH)
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SA keep state

# allow ping requests from $my, $my1
pass in on $ext_if inet proto icmp from {$my,$my1} to ($ext_if) icmp-type 8 code 0 keep state

# antispoof rule
antispoof for $ext_if

Can someone help me?
 
Are you sure 192.168.1.67 is correct? Your pf.conf is set up to use whatever address is on em0.

Can you post the output of ifconfig em0?
 
SirDice said:
Are you sure 192.168.1.67 is correct? Your pf.conf is set up to use whatever address is on em0.

Can you post the output of ifconfig em0?


Yes, it is. Tomorrow I'll post the output of ifconfig em0, but I'm sure. The server is in a local LAN (192.168.1.0) and has eth0 = 192.168.1.67.

kostya said:
Sorry for my bad English. Add "set skip on lo0", that must help you.

Tomorrow I will try to add it to pf.conf and will see. Yesterday I added 2 lines:

Code:
pass out quick on $lo_if inet from ($ext_if) to any keep state
pass in quick on $lo_if inet from ($ext_if) to any keep state
and it works, but I'm not sure if it is correct.
 
Code:
pass out quick on $lo_if inet from ($ext_if) to any keep state
pass in quick on $lo_if inet from ($ext_if) to any keep state
is a longer record. Additionally, using keep state on the lo0 interface is not needed.
 
kostya said:
Sorry for my bad English :) Add "set skip on lo0", that must help you.

Today, I added
Code:
set skip on lo0
and removed
Code:
pass out quick on $lo_if inet from ($ext_if) to any keep state
pass in quick on $lo_if inet from ($ext_if) to any keep state
and everything works fine :-)
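For reference, here is the thread's ruleset with the fix applied, as an added example (not the poster's own file). The reason the original failed only for local connections: when the host connects to one of its own addresses (lynx 192.168.1.67 run on the server), the packets are delivered over lo0, not em0. Every pass rule in the posted pf.conf is restricted to "on $ext_if", so those packets hit "block in all" on lo0; on top of that, pf.conf(5) warns that the rules generated by antispoof block packets sent over loopback to local addresses unless they are passed explicitly. "set skip on lo0" removes lo0 from filtering altogether, which is why it fixed both problems at once. The macros, addresses and interface name are the thread's own (em0 and 192.168.1.x, not verified here); the changes beyond the original are "set skip on lo0", the three tcp rules collapsed into one port list, and "log" on the block rule so drops can be seen on pflog0.

```pf
# Added example: the thread's pf.conf with loopback handling fixed.
# Macros and addresses are taken from the thread as posted.

ext_if = "em0"
my = "192.168.1.227/32"
my1 = "192.168.1.81/32"

set limit frags 30000
set require-order yes
set block-policy drop
set optimization normal
set loginterface em0

# Connections from the host to its own addresses travel over lo0.
# The pass rules below only match "on $ext_if", so without this line
# such packets are dropped by "block in all" (and by the antispoof
# rules, see pf.conf(5)). Skipping lo0 exempts it from filtering.
set skip on lo0

scrub in all
scrub out all

# default deny inbound; "log" makes dropped packets visible on pflog0
block in log all

pass out quick on $ext_if inet from ($ext_if) to any keep state

# apache (80, 443) and ssh (22), one rule with a port list
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port { 22, 80, 443 } flags S/SA keep state

# echo requests only from the two admin hosts
pass in on $ext_if inet proto icmp from { $my, $my1 } to ($ext_if) icmp-type 8 code 0 keep state

antispoof for $ext_if
```

Before loading it, check the syntax with pfctl -nf /etc/pf.conf, then load it with pfctl -f /etc/pf.conf and compare pfctl -sr with what you expect; the expanded antispoof rules show up there, which makes the loopback interaction easy to spot. While testing, tcpdump -n -e -ttt -i pflog0 shows exactly which rule dropped a packet and on which interface. If you would rather filter lo0 than skip it, the alternative is explicit pass rules on lo0 as in the poster's two lines, where keep state is not needed, as kostya says above.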
 