PF does not work, why?
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: PF does not work, why?
- From: "jking1" <jking1_(_at_)_fuqianqian_(_dot_)_com>
- Date: Mon, 11 Jul 2005 22:47:10 +0800
############################
#/etc/pf.conf #
############################
ext_if="fxp0"
int_if="rl0"
web_server="192.168.0.1"
pcanywhere_port="5631"
sql="1433"
#table <spamd> persist
#table <spamd-white> persist
scrub in
rdr pass on $ext_if proto tcp from any to port www -> $web_server port www
rdr pass on $ext_if proto tcp from any to port $pcanywhere_port -> \
$web_server port $pcanywhere_port
rdr pass on $ext_if proto tcp from any to port $sql -> $web_server port $sql
rdr pass on $ext_if proto tcp from any to port 21 -> $web_server port 21
rdr pass on $ext_if proto udp from any to port 53 -> $web_server port 53
nat on $ext_if from !($ext_if) -> ($ext_if:0)
block return
pass quick on { lo $int_if }
antispoof quick for { lo $int_if }
pass in log on $ext_if inet proto tcp to $ext_if port ssh flags S/SA keep state
pass in log on $ext_if inet proto tcp to $web_server port 21 flags S/SA synproxy state
pass in log on $ext_if inet proto tcp to $web_server port $sql flags S/SA synproxy state
pass in log on $ext_if inet proto tcp to $web_server port 1434 flags S/SA synproxy state
pass in on $ext_if inet proto tcp to $web_server port { www, $pcanywhere_port } \
flags S/SA synproxy state
pass in on $ext_if inet proto { tcp, udp } to $web_server port 53 flags S/SA \
keep state
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state
############################
#/etc/hostname.fxp0 #
############################
inet XXX.XXX.XX.245 255.255.255.192 NONE
############################
#/etc/hostname.rl0 #
############################
inet 192.168.0.254 255.255.255.0 NONE
############################
#/etc/mygate #
############################
XXX.XX.X.193
############################
#show nat #
############################
haocb# pfctl -v -sn
nat on fxp0 from ! (fxp0) to any -> (fxp0:0)
[ Evaluations: 1232 Packets: 0 Bytes: 0 States: 0 ]
rdr pass on fxp0 inet proto tcp from any to any port = www -> 192.168.0.1 port 80
[ Evaluations: 1575 Packets: 1897 Bytes: 1425567 States: 29 ]
rdr pass on fxp0 inet proto tcp from any to any port = 5631 -> 192.168.0.1 port 5631
[ Evaluations: 80 Packets: 0 Bytes: 0 States: 0 ]
rdr pass on fxp0 inet proto tcp from any to any port = 1433 -> 192.168.0.1 port 1433
[ Evaluations: 80 Packets: 742 Bytes: 56328 States: 47 ]
rdr pass on fxp0 inet proto tcp from any to any port = ftp -> 192.168.0.1 port 21
[ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
rdr pass on fxp0 inet proto udp from any to any port = domain -> 192.168.0.1 port 53
[ Evaluations: 11 Packets: 0 Bytes: 0 States: 0 ]
############################
#show rules #
############################
haocb# pfctl -v -sn
scrub in all fragment reassemble
[ Evaluations: 12151 Packets: 6124 Bytes: 0 States: 0 ]
block return all
[ Evaluations: 2933 Packets: 14 Bytes: 688 States: 0 ]
pass quick on lo all
[ Evaluations: 2933 Packets: 0 Bytes: 0 States: 0 ]
pass quick on rl0 all
[ Evaluations: 2933 Packets: 2919 Bytes: 1503906 States: 0 ]
block drop in quick on ! lo inet from 127.0.0.0/8 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on ! lo inet6 from ::1 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick inet from 127.0.0.1 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick inet6 from ::1 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on lo0 inet6 from fe80::1 to any
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on ! rl0 inet from 192.168.0.0/24 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick inet from 192.168.0.254 to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
block drop in quick on rl0 inet6 from fe80::211:d8ff:fe79:d52b to any
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
pass in log on fxp0 inet proto tcp from any to 219.153.7.245 port = ssh flags S/SA keep state
[ Evaluations: 43 Packets: 93 Bytes: 14185 States: 1 ]
pass in log on fxp0 inet proto tcp from any to 192.168.0.1 port = ftp flags S/SA synproxy state
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
pass in log on fxp0 inet proto tcp from any to 192.168.0.1 port = 1433 flags S/SA synproxy state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = www flags S/SA synproxy state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = 5631 flags S/SA synproxy state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = domain flags S/SA keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass in on fxp0 inet proto udp from any to 192.168.0.1 port = domain keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out on fxp0 proto tcp all modulate state
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
pass out on fxp0 proto udp all keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
pass out on fxp0 proto icmp all keep state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
The web server works fine (www, ftp and pcanywhere control), but I can't find any transport from
the pf state!
pass in on fxp0 inet proto tcp from any to 192.168.0.1 port = www flags S/SA synproxy state
[ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
~~~~~~
why???
pass in log on fxp0 inet proto tcp from any to 192.168.0.1 port = ftp flags S/SA synproxy state
[ Evaluations: 14 Packets: 0 Bytes: 0 States: 0 ]
~~~~~~
why???
pass in log on fxp0 inet proto tcp from any to 219.153.7.245 port = ssh flags S/SA keep state
[ Evaluations: 43 Packets: 93 Bytes: 14185 States: 1 ]
~~~~~~
it's ok
and the nat state is right!
rdr pass on fxp0 inet proto tcp from any to any port = www -> 192.168.0.1 port 80
[ Evaluations: 1575 Packets: 1897 Bytes: 1425567 States: 29 ]
rdr pass on fxp0 inet proto tcp from any to any port = ftp -> 192.168.0.1 port 21
[ Evaluations: 33 Packets: 12 Bytes: 592 States: 1 ]
Can anyone tell me this? I will thank you very much!
yours jking