Hi all,
I'm new to pf - transitioning over from iptables.
Confession: I'm not using FreeBSD (using OS X 10.7), but I am using a similar version of pf.
I have these configurations:
pf.conf
Code:
#
# Default PF configuration file.
#
# This file contains the main ruleset, which gets automatically loaded
# at startup. PF will not be automatically enabled, however. Instead,
# each component which utilizes PF is responsible for enabling and disabling
# PF via -E and -X as documented in pfctl(8). That will ensure that PF
# is disabled only when the last enable reference is released.
#
# Care must be taken to ensure that the main ruleset does not get flushed,
# as the nested anchors rely on the anchor point defined here.
#
# See pf.conf(5) for syntax.
#
# Build the orderings
scrub-anchor "com.mycompany.external"
scrub-anchor "com.apple/*"
scrub-anchor "com.mycompany.internal"
nat-anchor "com.mycompany.external"
nat-anchor "com.apple/*"
nat-anchor "com.mycompany.internal"
rdr-anchor "com.mycompany.external"
rdr-anchor "com.apple/*"
rdr-anchor "com.mycompany.internal"
dummynet-anchor "com.mycompany.external"
dummynet-anchor "com.apple/*"
dummynet-anchor "com.mycompany.internal"
# Add our external anchor
anchor "com.mycompany.external"
# Add Apple's anchor (and load it)
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
# Add our internal anchor
anchor "com.mycompany.internal"
internal (loaded in via command prompt. Trust me: this is working)
Code:
# 0) Definitions
lanIF = "en0"
wanIF = "en4"
lanIPs = "10.0.0.0/16"
########## Filtering ##########
# Loopback
set skip on lo0
# We trust our LAN
pass in on $lanIF
pass out on $lanIF
external (loaded same as internal)
Code:
# 0) Definitions
lanIF = "en0"
wanIF = "en4"
lanIPs = "10.0.0.0/16"
########## Scrub ##########
scrub in on $wanIF
########## Routes ##########
# Port forwarding
rdr pass on $wanIF proto tcp from any to any port 80 -> 10.0.0.2 port 80
rdr pass on $wanIF proto tcp from any to any port 443 -> 10.0.0.2 port 443
#rdr on $wanIF proto tcp from any to any port any -> 10.0.0.9
# Enable router
nat on $wanIF from $lanIPs -> $wanIF
########## Filtering ##########
# Allow egress on WAN anytime
pass out quick on $wanIF
# Allow pings
pass in quick inet proto icmp all icmp-type echoreq
# Default: block everything
# (note: established connections don't go through these rules)
block drop in quick on $wanIF
The problem I'm having is that outside people can't connect to my HTTP/HTTPS server. (Granted, my ISP blocks HTTP, but HTTPS worked with iptables so I know it works).
Can anybody tell me what I'm doing wrong?
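Three preconditions have to hold at once before the rdr rules in the external anchor can forward ports 80 and 443 to 10.0.0.2: pf must actually be enabled, the rdr rules must be loaded inside the anchor, and the kernel must have IP forwarding switched on. The script below is an added example, not part of the original post; it checks each one against the output of the real pfctl(8)/sysctl(8) commands and falls back to constructed sample output offline. The exact print form of a loaded rdr rule ("port = 443 -> 10.0.0.2") is an assumption about pfctl's listing format.

```shell
#!/bin/sh
# Added example, not from the original post. Each check takes the text
# output of the real command as its first argument, so it can be run
# against captured output or live (pfctl needs root):
#   pf_enabled  "$(pfctl -s info)"
#   rdr_present "$(pfctl -a com.mycompany.external -s nat)" 443 10.0.0.2
#   fwd_enabled "$(sysctl -n net.inet.ip.forwarding)"

# 1) pf must be enabled; loading a ruleset alone does not enable it.
pf_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

# 2) The rdr rule must be loaded inside the anchor. Assumes pfctl prints a
#    loaded rdr rule as "rdr ... port = 443 -> 10.0.0.2 ..." (assumption);
#    the main-ruleset listing shows only the rdr-anchor line, hence -a.
rdr_present() {
    printf '%s\n' "$1" | grep -Eq "^rdr .*port (= )?$2 -> $3( |\$)"
}

# 3) Kernel IP forwarding must be on, or the translated packets are never
#    routed on to the LAN host even though pf rewrote them.
fwd_enabled() {
    [ "$1" = "1" ]
}

# Combine the checks and name every precondition that fails.
check_all() {
    failed=""
    pf_enabled "$1"               || failed="$failed pf-disabled"
    rdr_present "$2" 80 10.0.0.2  || failed="$failed no-rdr-80"
    rdr_present "$2" 443 10.0.0.2 || failed="$failed no-rdr-443"
    fwd_enabled "$3"              || failed="$failed forwarding-off"
    if [ -z "$failed" ]; then echo ok; else echo "FAIL:$failed"; fi
}

# Constructed sample output, shaped like pfctl's rdr listing, for offline use.
SAMPLE_NAT='rdr pass on en4 inet proto tcp from any to any port = 80 -> 10.0.0.2 port 80
rdr pass on en4 inet proto tcp from any to any port = 443 -> 10.0.0.2 port 443'

# Run live when pfctl exists, otherwise against the constructed samples.
if command -v pfctl >/dev/null 2>&1; then
    check_all "$(pfctl -s info 2>/dev/null)" \
              "$(pfctl -a com.mycompany.external -s nat 2>/dev/null)" \
              "$(sysctl -n net.inet.ip.forwarding 2>/dev/null)"
else
    check_all "Status: Disabled" "$SAMPLE_NAT" 0
fi
```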