On 12/24/2010 10:25 AM, Alessandro Baggi wrote:
> On 12/23/2010 10:48 PM, Johan Beisser wrote:
>> On Thu, Dec 23, 2010 at 10:43 AM, Alessandro Baggi
>> <alessandro.baggi@gmail.com> wrote:
>>
>>>> Please post your pf.conf, ifconfig output and dmesg. There may be
>>>> another issue not addressed.
>>>>
>>>>
>> I still need your pf.conf.
>>
> ext="egress"
> int="rl0"
> dmz="rl1"
> hostweb="172.16.2.3"
> carpl="10.1.1.5"
> carpw="192.168.1.84"
> carpd="172.16.2.4"
> pfsyncpeer="10.1.1.5"
> pfsyncdev="rl0"
>
> table <httpabuse> persist
> table <httpsabuse> persist
> table <sshblacklist> persist
>
>
> # LIMIT and Policy
>
> set block-policy drop
> set fingerprints "/etc/pf.os"
> set hostid 1
> #set debug none
> set limit states 7000
> set limit tables 100
> set limit table-entries 90000
> set limit frags 6000
> set limit src-nodes 10000
> set optimization aggressive
> set ruleset-optimization basic
> set loginterface $ext
> #set state-policy if-bound
> #set state-defaults
> set skip on lo0
> set timeout tcp.established 900
> set timeout tcp.closed 5
> set timeout tcp.first 20
> set timeout tcp.opening 20
> set timeout tcp.closing 10
> set timeout tcp.finwait 30
>
>
> match all scrub (no-df, random-id, max-mss 1440)
>
>
> # NAT
>
> match out on $ext inet from $int:network to any nat-to (carp0:0)
> match out on $ext inet from $dmz:network to any nat-to (carp0:0)
> # RDR
> match in log on $int proto tcp from $int:network to any port 21 rdr-to 127.0.0.1 port 8021
>
>
> # FILTERING RULES
> # Blocking of the http / https / sshd blacklists
> # (note: <blacklist> is used here but has no "table" definition above)
> block in log quick on $ext from { <blacklist>, <httpabuse>, <httpsabuse>, <sshblacklist> } to any
>
> # ANTISPOOFING RULES
>
> antispoof log quick for { $int , $ext, $dmz }
>
> # CARP RULES
> # NOTE: CARP advertisements are addressed to the multicast group 224.0.0.18,
> # not to the interface's own address, so "to $int:0" (and the $ext/$dmz
> # equivalents) never matches an advertisement; the later rules decide instead.
> # See the corrected rule in the follow-up below.
>
> pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
> pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
> pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)
>
> # PFSYNC RULES
> # pfsync defaults to multicast 224.0.0.240; "to $int:0" only matches when the
> # peer has a syncpeer configured, which makes its pfsync messages unicast.
>
> pass in log quick on $pfsyncdev proto pfsync from $pfsyncpeer to $int:0 keep state (no-sync)
>
> # DEFAULT DENY
> block in log all
> pass out all
>
> anchor "ftp-proxy/*"
>
>
> # LAN MACHINE RULES
> pass in on $int from any to any
>
> # DMZ RULES DO NOT EXIST
>
> Thanks in advance
Hi list. I've tried another NIC, the same as xl0, and the problem was the
same. The only thing left to look at was the pf ruleset. All the CARP rules
were wrong. Then I tried with xl0 <-> rl2 and everything works fine.
I've changed the rules:
pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)
to:
pass in quick on { $int, $ext, $dmz } proto carp keep state (no-sync)
Best regards and thanks for the time.
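The fix above works because CARP advertisements (IP protocol 112) are sent to the multicast group 224.0.0.18 (ff02::12 for IPv6), never to the receiving interface's own address, so a rule ending in "to $int:0" can never match one. The following Python lint is an added example for this thread, not code from the original mail or from pf/OpenBSD: it expands pf.conf macros, finds every "pass in ... proto carp" rule and reports whether its destination can match an advertisement. The two sample rulesets are the rules quoted in the thread, re-typed here as constructed input; the regular expressions only handle the simple rule shapes seen in this ruleset, not the full pf.conf grammar.

```python
"""Lint pf.conf 'pass in ... proto carp' rules whose destination can never match.

Added example, not part of the original mail or of pf itself. CARP
advertisements are addressed to the multicast group 224.0.0.18 (IPv6:
ff02::12), so 'pass in on $int proto carp from $peer to $int:0' cannot
match them. The sample rulesets below are constructed test input re-typed
from the thread.
"""
import ipaddress
import re

CARP_MCAST = {ipaddress.ip_address("224.0.0.18"), ipaddress.ip_address("ff02::12")}

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')   # name="value"
CARP_RULE_RE = re.compile(r"^\s*pass\s+in\b.*\bproto\s+carp\b")
TO_RE = re.compile(r"\bto\s+(\{[^}]*\}|\S+)")                 # destination clause
IFACE_MOD_RE = re.compile(r"^[A-Za-z][\w.]*:(0|network|broadcast|peer)$")  # rl0:0 etc.

# Constructed sample input: the CARP rules as first posted (never match) ...
RULESET_BEFORE = """\
int="rl0"
ext="egress"
dmz="rl1"
carpl="10.1.1.5"
carpw="192.168.1.84"
carpd="172.16.2.4"
pass in log quick on $int proto carp from $carpl to $int:0 keep state (no-sync)
pass in log quick on $ext proto carp from $carpw to $ext:0 keep state (no-sync)
pass in log quick on $dmz proto carp from $carpd to $dmz:0 keep state (no-sync)
"""
# ... and the replacement rule from the follow-up (no destination, so it matches).
RULESET_AFTER = """\
int="rl0"
ext="egress"
dmz="rl1"
pass in quick on { $int, $ext, $dmz } proto carp keep state (no-sync)
"""


def parse_macros(conf):
    """Collect name="value" macro definitions from a pf.conf text."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand_macros(line, macros):
    """Replace $name with its value; unknown macros are left as written."""
    return re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)


def classify_destination(dst):
    """Return (verdict, reason) for the 'to' operand of a CARP pass rule."""
    if dst is None or dst == "any":
        return "ok", "no destination restriction, so advertisements to 224.0.0.18 match"
    if dst.startswith("{"):
        items = [x.strip() for x in dst.strip("{}").split(",")]
        if any(classify_destination(x)[0] == "ok" for x in items):
            return "ok", "list includes 'any' or the CARP multicast group"
        return "unverified", "list of destinations; check that it covers 224.0.0.18"
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        addr = None
    if addr is not None:
        if addr in CARP_MCAST:
            return "ok", "destination is the CARP multicast group"
        return "never-matches", f"'{dst}' is a unicast address; advertisements go to 224.0.0.18"
    if IFACE_MOD_RE.match(dst):
        return "never-matches", f"'{dst}' is the interface's own address; advertisements go to 224.0.0.18"
    return "unverified", f"'{dst}' is a table or host name; check that it resolves to 224.0.0.18"


def check_carp_rules(conf):
    """Return one finding per 'pass in ... proto carp' rule in the ruleset."""
    macros = parse_macros(conf)
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        if not CARP_RULE_RE.match(raw):
            continue
        rule = expand_macros(raw, macros)
        m = TO_RE.search(rule)
        dst = m.group(1) if m else None
        verdict, reason = classify_destination(dst)
        findings.append({"line": lineno, "rule": rule.strip(), "dst": dst,
                         "verdict": verdict, "reason": reason})
    return findings


def main():
    for label, conf in (("before", RULESET_BEFORE), ("after", RULESET_AFTER)):
        for f in check_carp_rules(conf):
            print(f"{label} line {f['line']}: {f['verdict']:13} {f['reason']}")


if __name__ == "__main__":
    main()
```

On the posted ruleset the lint reports all three original rules as "never-matches" (destinations rl0:0, egress:0, rl1:0) and the replacement rule as "ok". It deliberately does not judge the pfsync rule: pfsync defaults to multicast 224.0.0.240 but becomes unicast once a syncpeer is configured, so "to $int:0" can be correct there. On the box itself, `tcpdump -n -i rl0 ip proto 112` shows the advertisements with their 224.0.0.18 destination, and `pfctl -vsr` shows per-rule evaluation and packet counters, which stay at zero for a rule that can never match.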