
Re: AIM connection issues



I am interested in Brian Kerr's suggestion, but I guess I'll have to wait until
Monday. Thank you.
In response to M Raju, here's my pf.conf. 
njoy.
-----------begin pf.conf
## here are my macros
EXTIF="xl2"
DMZIF="xl1"
INTIF="xl0"
#DMZ
DORMS="10.0.0.11"
DORMSEXT="x.x.x.12"
DAVINCI="10.0.0.13"
DAVINCIEXT="x.x.x.13"
COOLIDGE="192.168.28.65"
COOLIDGEEXT="x.x.x.14"
HTTP_PORTS="{ 80, 443 }"
MAIL_PORTS="{ 25, 143, 220, 109, 110, 993, 995 }"
##these are runtime options for pf to make it fit our needs better
set block-policy return
set loginterface $EXTIF
##scrub adds an extra layer of packet defragmentation to the good 'ol native tcp one
scrub in all
scrub out all
##queuing. let's give qos a shot
altq on xl2 cbq bandwidth 100% queue { main, dorms, misc }
queue main bandwidth 50% cbq(borrow) { pri_q, def_q }
        queue pri_q bandwidth 10% priority 7
        queue def_q bandwidth 90% priority 1 cbq(borrow)
queue dorms bandwidth 35% { dorms_http_q, dorms_pri_q, dorms_mail_q }
        queue dorms_http_q bandwidth 70% priority 4 cbq(borrow)
        queue dorms_pri_q bandwidth 10% priority 6
        queue dorms_mail_q bandwidth 20% priority 5
queue misc bandwidth 15% priority 2 cbq(default)
##nat and redirection (i love this part)
nat pass on $EXTIF from $INTIF:network to any -> ($EXTIF)
binat on $EXTIF from $DORMS to any -> $DORMSEXT
binat on $EXTIF from $DAVINCI to any -> $DAVINCIEXT
rdr on $INTIF proto tcp from any to $DAVINCIEXT -> $DAVINCI
binat on $EXTIF from $COOLIDGE to any -> $COOLIDGEEXT
binat pass on $INTIF from $COOLIDGE to any -> $COOLIDGEEXT
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 80 -> $COOLIDGE port 8888
rdr on $EXTIF proto tcp from any to $COOLIDGEEXT port 3306 -> $COOLIDGE
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 80 -> 127.0.0.1 port 8888
rdr pass on $INTIF proto tcp from $INTIF:network to $COOLIDGEEXT port 3306 -> 127.0.0.1 port 3306
rdr on $INTIF proto tcp from any to any port 21 -> 127.0.0.1 port 8021
rdr pass on $EXTIF proto tcp from any to ($EXTIF) port 5555 -> 192.168.28.80
##filter rules
antispoof for xl2
block log all
pass on lo0 all
pass in inet proto icmp all icmp-type echoreq keep state
pass in on $INTIF from $INTIF:network to any keep state queue def_q
pass out on $INTIF from any to $INTIF:network keep state
pass in quick on $EXTIF proto tcp from any to $EXTIF flags S/SA keep state queue pri_q
pass out quick on $EXTIF proto tcp from $EXTIF to any flags S/SA keep state queue pri_q
pass in on $DMZIF from $DORMS to any keep state
# dorms_ssh_q is never defined in the altq section above (only dorms_http_q,
# dorms_pri_q and dorms_mail_q are), and pfctl refuses to load a ruleset that
# assigns an undefined queue. dorms_pri_q is the queue the ssh rule below uses,
# so it is assumed to be the intended one.
pass out on $DMZIF from any to $DORMS keep state queue dorms_pri_q
pass in on $DMZIF proto tcp from $DORMS to any port $HTTP_PORTS keep state
pass out on $DMZIF proto tcp from any to $DORMS port $HTTP_PORTS keep state queue dorms_http_q
pass in on $DMZIF proto tcp from $DORMS to any port $MAIL_PORTS keep state
pass out on $DMZIF proto tcp from any to $DORMS port $MAIL_PORTS keep state queue dorms_mail_q
pass in on $DMZIF proto tcp from $DORMS to any port 22 keep state
pass out on $DMZIF proto tcp from any to $DORMS port 22 keep state queue dorms_pri_q
pass in on $EXTIF inet proto tcp from any to $DORMSEXT keep state queue dorms
pass in on $EXTIF inet proto tcp from port 22 to ($DORMSEXT) keep state
pass in on $DMZIF from $DAVINCI to any keep state
pass out on $DMZIF from any to $DAVINCI keep state queue misc
pass in on $EXTIF inet proto tcp from port 22 to ($DAVINCIEXT) keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port 8888 keep state
pass in on $EXTIF proto tcp from any to $COOLIDGE port 3306 keep state
pass in on $EXTIF proto icmp from any to $COOLIDGE keep state
#pass in on $INTIF proto tcp from any to $COOLIDGE port 8888 keep state
#pass in on $INTIF proto tcp from any to $COOLIDGE port 3306 keep state
pass out on $INTIF from $COOLIDGE to any keep state
pass out on $EXTIF proto tcp all modulate state flags S/SA
pass out on $EXTIF proto { udp, icmp } all keep state
pass in on $EXTIF inet proto tcp from port 20 to ($EXTIF) user proxy flags S/SA keep state
pass out on $EXTIF inet proto { udp, icmp } all keep state queue misc
-------end pf.conf
-- 
Florian Mosleh
Network & Admin. Support Manager
Capitol College
301.369.2800 ext.2040
800.950.1992 ext.2040
Quoting M Raju <[email protected]>:
> No pf.conf == No Answer.  Sanitize and post your pf.conf. 
> 
> _Raju
> 
> 
> On Fri, 25 Mar 2005 13:03:38 -0500, florian mosleh
> <fsmosleh[email protected]> wrote:
> > Hello,
> > 
> > I have a new firewall in development for the college I work at. I have
> > tried extensively googling this issue in various ways and have not managed
> > to find anything that seems pertinent.
> > 
> > Essentially, the problem I'm having is that a client that connects to the
> > internet through the new firewall (pf on OpenBSD 3.6) has problems
> > establishing a connection to AIM (login.oscar.aol.com). I have performed
> > several Ethereal packet sniffing sessions and can confirm that there is a
> > successful connection established between the server and the client and
> > then it just drops. Usually after about an hour or two of stubborn retrying
> > and waiting it eventually works.
> > 
> > Are there any possible pf configuration snafus that could be at fault?
> > 
> > The only other factor that I see as possibly contributing to the problem
> > (I'm not sure how) is that the internet connection is a set of 4 bonded
> > T1s, but I've been given the impression that this shouldn't make a
> > difference.
> > 
> > Thanks.
> > 
> > --
> > Florian Mosleh
> > Network & Admin. Support Manager
> > Capitol College
> > 
> > 301.369.2800 ext.2040
> > 800.950.1992 ext.2040
> > 
> > ----------------------------------------------------------------
> > This message was sent using IMP, the Internet Messaging Program.
> > 
> 
> 
> -- 
> May the packets be with you.
> 
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
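The ruleset posted above assigns a queue named dorms_ssh_q on the DMZ pass-out rule, but the altq section only defines dorms_http_q, dorms_pri_q and dorms_mail_q; pfctl refuses to load a ruleset with such a dangling reference. The script below is an added example, not code from the original post or from OpenBSD: an offline check that every "queue NAME" assigned on a pass rule has a matching "queue NAME ..." definition, so a sanitized pf.conf pasted into a mail can be sanity-checked without a pf host. It assumes the pf 3.x altq syntax used in the post (queue definitions start with the word "queue"; rules assign a queue with a trailing "queue NAME"; the "queue (a, b)" form is not handled). The sample ruleset inside it is constructed to mirror the shape of the posted one, including the same mistake.

```shell
#!/bin/sh
# Added example (not from the original post): static check for pf/altq queue
# references. On a pf host, "pfctl -nf /etc/pf.conf" is the authoritative parse
# check; this approximates the queue part of it offline.
#
# Assumptions (pf 3.x altq syntax as in the posted ruleset):
#   - every queue is defined on a line whose first word is "queue"
#   - pass rules assign a queue with a trailing "queue NAME"
#     (the "queue (a, b)" two-queue form is not handled)

# Constructed sample: trimmed from the shape of the posted ruleset, with the
# same defect (dorms_ssh_q is assigned but never defined).
SAMPLE_PFCONF='altq on xl2 cbq bandwidth 100% queue { main, dorms, misc }
queue main bandwidth 50% cbq(borrow) { pri_q, def_q }
        queue pri_q bandwidth 10% priority 7
        queue def_q bandwidth 90% priority 1 cbq(borrow)
queue dorms bandwidth 35% { dorms_http_q, dorms_pri_q, dorms_mail_q }
        queue dorms_http_q bandwidth 70% priority 4 cbq(borrow)
        queue dorms_pri_q bandwidth 10% priority 6
        queue dorms_mail_q bandwidth 20% priority 5
queue misc bandwidth 15% priority 2 cbq(default)
pass in on xl0 from 192.168.28.0/24 to any keep state queue def_q
pass out on xl1 from any to 10.0.0.11 keep state queue dorms_ssh_q
pass out on xl1 proto tcp from any to 10.0.0.11 port 22 keep state queue dorms_pri_q
pass out on xl2 proto { udp, icmp } all keep state queue misc
'

# write_sample: store the constructed sample in a temp file and print its path.
write_sample() {
    f=$(mktemp) || return 1
    printf '%s' "$SAMPLE_PFCONF" > "$f"
    printf '%s\n' "$f"
}

# defined_queues FILE: names defined by "queue NAME ..." lines, sorted, unique.
# awk splits on whitespace, so indented child definitions still have $1=="queue".
defined_queues() {
    awk '$1 == "queue" { print $2 }' "$1" | sort -u
}

# assigned_queues FILE: names referenced by "... queue NAME" on pass rules.
assigned_queues() {
    awk '$1 == "pass" { for (i = 1; i < NF; i++) if ($i == "queue") print $(i + 1) }' "$1" | sort -u
}

# undefined_queues FILE: assigned names with no definition anywhere in FILE,
# one per line. Prints nothing when the ruleset is consistent.
undefined_queues() {
    awk '
        $1 == "queue" { defined[$2] = 1 }
        $1 == "pass"  { for (i = 1; i < NF; i++) if ($i == "queue") assigned[$(i + 1)] = 1 }
        END { for (q in assigned) if (!(q in defined)) print q }
    ' "$1" | sort
}

# check_sample: run the check over the constructed sample; prints dorms_ssh_q.
check_sample() {
    f=$(write_sample) || return 1
    undefined_queues "$f"
    rm -f "$f"
}

check_sample
```

Run it against a real file with `undefined_queues /path/to/pf.conf`; an empty result means every assigned queue is declared. It only checks names, not bandwidth sums or parent/child consistency, which is why pfctl -nf remains the check to run before loading a ruleset on the firewall itself.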