
pf.conf frustration



Hi, I am new to pf and I am having some issues with my pf.conf. I need to get my website from behind this firewall and I can't seem to get it to work. The requests for the website appear in the pflog (as seen in tcpdump -i) but they never make it to the web server (nothing ever in its logs). I am running OpenBSD 3.2.
 
My system is set up with a static external IP on one NIC, and mygate has the DFGW of the static external connection. The internal IP is on the second NIC, and uses 192.168.0.0/24 subnet.
 
I can surf out from the firewall, but nothing comes in. rc.conf and sysctl.conf have been edited as needed. I can ping everything everywhere from the PF machine, internal machines and external machines (doesn't reply but shows in the log).
 
Here is a copy of my pf.conf...
 
 
#    $OpenBSD: pf.conf,v 1.2 2001/06/26 22:58:31 smart Exp $
#
# See pf.conf(5) for syntax and examples
 
# pass all packets in and out (these are the implicit last two rules)
 
outside="fxp0"
inside="le1"
#stealth="ne1"

desktop="192.168.0.46"
webserver="192.168.0.201"
internal_net="192.168.0.0/24"
outside_ip="208.38.11.118"
 
NoRouteIPs="{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8,
0.0.0.0/7, 2.0.0.0/8, 5.0.0.0/8, 10.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8,
31.0.0.0/8, 69.0.0.0/8, 70.0.0.0/7, 72.0.0.0/5, 82.0.0.0/7, 84.0.0.0/6,
88.0.0.0/5, 96.0.0.0/3, 127.0.0.0/8, 128.0.0.0/16, 128.66.0.0/16,
169.254.0.0/16, 172.16.0.0/12, 191.255.0.0/16, 192.0.0.0/19,
192.0.48.0/20, 192.0.64.0/18, 192.0.128.0/17}"
 
EMailAssholes="{207.34.112.32, 220.116.0.0/12, 218.70.0.0/16, 61.72.0.0/14}"
 
#IP Range                         Who                           Block Specification
#207.34.112.32                    Taco                          207.34.112.32
#220.116.0.0 - 220.127.255.255    Korea Telecom                 220.116.0.0/12
#218.70.0.0 - 218.70.255.255      CHINANET Chongqing province   218.70.0.0/16
#61.72.0.0 - 61.77.255.255        KOREA TELECOM                 61.72.0.0/14
 

scrub in all
 
#NAT
nat on $outside from $internal_net to any -> $outside_ip
 
#web server
rdr on $outside proto tcp from any to any port 80 -> $webserver port 80
 
#battle.net
rdr on $outside proto {tcp, udp} from any to any port 6112 -> $desktop port 6112
 
#rtcw
rdr on $outside proto {tcp, udp} from any to any port 27960 -> $desktop
 
#hlds
rdr on $outside proto {tcp, udp} from any to any port 27015 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 27016 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 27050 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 27052 -> $desktop
 
#nwn
rdr on $outside proto {tcp, udp} from any to any port 5121 -> $desktop
 
#age of empires
rdr on $outside proto {tcp, udp} from any to any port 27999 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 28805 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 28806 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 28807 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 28808 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 28800 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 2300:2400 -> $desktop
 
#serious sam
rdr on $outside proto {tcp, udp} from any to any port 25600:25603 -> $desktop
 
#quake2
rdr on $outside proto {tcp, udp} from any to any port 27910 -> $desktop
 
#quake
rdr on $outside proto {tcp, udp} from any to any port 26000 -> $desktop
 
#default block all
block in log on $outside all
 
#block emailassholes (fucking completely block the cunts.  not just port 25)
block in quick on $outside proto {tcp, udp} from $EMailAssholes to any
 
#$stealth can't respond
#block out quick on $stealth from any to any
 
# don't allow anyone to spoof non-routeable addresses
block in  quick on $outside from $NoRouteIPs to any
block out quick on $outside from any to $NoRouteIPs
 
#ssh
pass in quick on $outside proto tcp from any to any port = 22 flags S/SA keep state
 
#smtp
pass in quick on $outside proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on $outside proto udp from any to any port = 25 keep state
 
#dns
pass in quick on $outside proto udp from any to any port = 53 keep state
pass in quick on $outside proto tcp from any to any port = 53 flags S/SA keep state
 
#http
pass in quick on $outside proto tcp from any to any port = 80 flags S/SA keep state
 
#ident
pass in quick on $outside proto tcp from any to any port = 113
 
#battle.net
pass in quick on $outside proto {tcp,udp} from any to any port = 6112
 
#serious sam
pass in quick on $outside proto {tcp,udp} from any to any port = 25600
pass in quick on $outside proto {tcp,udp} from any to any port = 25601
pass in quick on $outside proto {tcp,udp} from any to any port = 25602
pass in quick on $outside proto {tcp,udp} from any to any port = 25603
 
#quake
pass in quick on $outside proto {tcp,udp} from any to any port = 26000
 
#quake2
pass in quick on $outside proto {tcp,udp} from any to any port = 27910
 
#default
pass out on $outside proto { tcp, udp, icmp } all keep state
 
Any ideas?
 
Thanks heaps for any responses!!
 
Cheers,
Wayne
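The ruleset above relies on two pf ordering rules that are easy to lose track of: translation (nat/rdr) is applied before filtering, so the filter rules see the already-rewritten destination, and among filter rules the last match wins unless a matching rule is marked quick, which ends evaluation at once. The following Python is an added illustration written for this post, not pf(4) itself and not anything the poster ran. It models only direction, interface, protocol, source address and destination port, and evaluates a constructed subset of the poster's own rules (fxp0 as $outside, 192.168.0.201 as $webserver, a shortened $NoRouteIPs) against three constructed packets: a port-80 SYN from a public address, an ICMP echo, and a port-80 SYN with a spoofed private source.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Packet:
    direction: str          # "in" or "out"
    iface: str
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class RdrRule:
    iface: str
    protos: Set[str]
    dport: int
    target: str


@dataclass
class FilterRule:
    text: str
    action: str             # "pass" or "block"
    direction: str          # "in" or "out"
    iface: str
    protos: Optional[Set[str]] = None                  # None means any protocol
    dport: Optional[int] = None                        # None means any port
    src_nets: List[str] = field(default_factory=list)  # empty means any source
    quick: bool = False
    log: bool = False


def apply_rdr(pkt: Packet, rdr_rules: List[RdrRule]) -> Packet:
    """Translation runs before filtering; the first matching rdr rewrites the destination."""
    for r in rdr_rules:
        if (pkt.direction == "in" and pkt.iface == r.iface
                and pkt.proto in r.protos and pkt.dport == r.dport):
            return Packet(pkt.direction, pkt.iface, pkt.proto, pkt.src, r.target, pkt.dport)
    return pkt


def matches(rule: FilterRule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.protos is not None and pkt.proto not in rule.protos:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.src_nets and not any(ip_address(pkt.src) in ip_network(n) for n in rule.src_nets):
        return False
    return True


def evaluate(pkt: Packet, rdr_rules: List[RdrRule], filter_rules: List[FilterRule]):
    """Return (verdict, text of the deciding rule, logged?, packet as the filter saw it)."""
    pkt = apply_rdr(pkt, rdr_rules)
    verdict, matched, logged = "pass", "<implicit default pass>", False
    for rule in filter_rules:
        if matches(rule, pkt):
            verdict, matched, logged = rule.action, rule.text, rule.log
            if rule.quick:
                break           # quick ends evaluation; otherwise the last match wins
    return verdict, matched, logged, pkt


# Constructed subset of the poster's ruleset (hypothetical values are only the client addresses).
OUTSIDE, WEBSERVER, OUTSIDE_IP = "fxp0", "192.168.0.201", "208.38.11.118"
NO_ROUTE = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8", "169.254.0.0/16"]

RDR = [RdrRule(OUTSIDE, {"tcp"}, 80, WEBSERVER)]
FILTER = [
    FilterRule("block in log on $outside all", "block", "in", OUTSIDE, log=True),
    FilterRule("block in quick on $outside from $NoRouteIPs to any", "block", "in", OUTSIDE,
               src_nets=NO_ROUTE, quick=True),
    FilterRule("pass in quick on $outside proto tcp ... port = 22", "pass", "in", OUTSIDE, {"tcp"}, 22, quick=True),
    FilterRule("pass in quick on $outside proto tcp ... port = 80", "pass", "in", OUTSIDE, {"tcp"}, 80, quick=True),
    FilterRule("pass out on $outside proto { tcp, udp, icmp } all", "pass", "out", OUTSIDE, {"tcp", "udp", "icmp"}),
]


def web_request_from(src: str = "203.0.113.5"):
    """Inbound SYN to port 80 on the external address (203.0.113.5 is a constructed client)."""
    return evaluate(Packet("in", OUTSIDE, "tcp", src, OUTSIDE_IP, 80), RDR, FILTER)


def ping_from(src: str = "203.0.113.5"):
    """Inbound ICMP echo: no pass rule covers icmp, so the non-quick block+log decides."""
    return evaluate(Packet("in", OUTSIDE, "icmp", src, OUTSIDE_IP), RDR, FILTER)


if __name__ == "__main__":
    cases = (("web", web_request_from()), ("ping", ping_from()),
             ("spoofed web", web_request_from("10.1.1.1")))
    for label, (verdict, rule, logged, seen) in cases:
        print(f"{label:12} -> {verdict:5} by '{rule}' logged={logged} dst={seen.dst}")
```

Under this model the redirected port-80 SYN is passed by the quick http rule after rdr has rewritten its destination to 192.168.0.201, the ICMP echo is dropped and logged by "block in log on $outside all" (which is what the poster observes for ping), and the spoofed packet is dropped silently by the quick $NoRouteIPs rule before the logging block rule gets to be the last match. Since the filter section is not what stops the web request here, the next things to check are whether pfctl -ss shows a state for the connection and whether the web server routes its replies back through the firewall.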