pf.conf

pf.conf

Post by robi » Fri, 04 Jul 2003 04:46:32



Sorry guys......DOH!

# Variable declarations

INT="rl1"
EXT="rl0"
LAN="192.168.0.0/24"

BADIPS="{ 127.0.0.1/8, 192.168.0.0./16, 172.16.0.0/12, 10.0.0.0/8 }"

scrub in all

nat on $INT from $LAN to any -> 195.80.23.146

pass in all
pass out all


pf.conf

Post by Kris Kielhofne » Fri, 04 Jul 2003 04:59:57



> Sorry guys......DOH!

> # Variable declarations

> INT="rl1"
> EXT="rl0"
> LAN="192.168.0.0/24"

> BADIPS="{ 127.0.0.1/8, 192.168.0.0./16, 172.16.0.0/12, 10.0.0.0/8 }"

> scrub in all

> nat on $INT from $LAN to any -> 195.80.23.146

> pass in all
> pass out all

Try changing

nat on $INT from $LAN to any -> 195.80.23.146

to:

nat on $INT from $LAN to any -> $EXT

--
Kris Kielhofner


pf.conf

Post by robi » Fri, 04 Jul 2003 05:44:19


Hi, thanks for the help.
OK, did that, but
still the same syntax error.

Bummer!!



> > Sorry guys......DOH!

> > # Variable declarations

> > INT="rl1"
> > EXT="rl0"
> > LAN="192.168.0.0/24"

> > BADIPS="{ 127.0.0.1/8, 192.168.0.0./16, 172.16.0.0/12, 10.0.0.0/8 }"

> > scrub in all

> > nat on $INT from $LAN to any -> 195.80.23.146

> > pass in all
> > pass out all

> Try changing

> nat on $INT from $LAN to any -> 195.80.23.146

> to:

> nat on $INT from $LAN to any -> $EXT

> --
> Kris Kielhofner


pf.conf

Post by Konfuziu » Fri, 04 Jul 2003 06:44:56


The "nat" line should be above the "scrub" rule, or you deactivate the order
enforcement (-> man pf.conf).

HTH Konfu


pf.conf

Post by zibi » Fri, 04 Jul 2003 07:28:19


> The "nat" line should be above the "scrub" rule, or you deactivate the order
> enforcement (-> man pf.conf).

> HTH Konfu

Have you read man pf.conf?
---
Macros
Tables
Options
Traffic Normalization (e.g. scrub)
Queueing
Translation (Various forms of NAT)
Packet Filtering
With the exception of macros and tables, the types of statements should
     be grouped and appear in pf.conf in the order shown above, as this
     matches the operation of the underlying packet filtering engine.
---

pf.conf

Post by Daniel Hartmeie » Fri, 04 Jul 2003 07:38:51



> BADIPS="{ 127.0.0.1/8, 192.168.0.0./16, 172.16.0.0/12, 10.0.0.0/8 }"

If you look at this line long and hard, you'll spot the mistake
(superfluous period after the second zero in 192.168.0.0./16).

How we should find this on line 9 of what you posted is beyond me,
you probably posted something else than you tried to load...

Daniel


pf.conf

Post by robi » Sat, 05 Jul 2003 04:44:52



Quote:> Sorry guys......DOH!

> # Variable declarations

> INT="rl1"
> EXT="rl0"
> LAN="192.168.0.0/24"

> BADIPS="{ 127.0.0.1/8, 192.168.0.0./16, 172.16.0.0/12, 10.0.0.0/8 }"

> scrub in all

> nat on $INT from $LAN to any -> 195.80.23.146

> pass in all
> pass out all

Hi group

Once I put the external IP in speech marks (nat on $INT from $LAN to any ->
195.80.23.146) the conf loaded without any hitch at all, but I still can't get
NAT working at all.

So, back to the books. Thanks for all the advice.


pf.conf

Post by zibi » Sat, 05 Jul 2003 04:48:58


> Once I put the external IP in speech marks (nat on $INT from $LAN to any ->
> 195.80.23.146) the conf loaded without any hitch at all, but I still can't get
> NAT working at all.

> So, back to the books. Thanks for all the advice.

Try putting spaces around the IP, like " 195.80.23.146 ".

I have this

address = "( tun0 )"
nat on tun0 from 192.168.2.0/24 to any -> $address

working ok


pf.conf

Post by Ikhlasul Am » Sun, 06 Jul 2003 03:31:07



> BADIPS="{ 127.0.0.1/8, 192.168.0.0./16, 172.16.0.0/12, 10.0.0.0/8 }"

If I start my pf.conf with

block in log all
block out log all

do I still need to block 127.0.0.1/8 etc. away?

thx
--
ia


pf.conf

Hi

I've set up OpenBSD 3.0 with pf.  I am trying to get my internal
network to have access to the web...  Below are my rules; they are
simple.  Block all inbound and allow only www & https out.

# Rules for fxp0
#----------------
block in log on fxp0 all
block out log on fxp0 all

pass out quick on fxp0 inet proto tcp from 10.0.1.1/32 to any port 80 keep state

If I use the following rule:

pass out quick on fxp0 inet proto tcp from any to any port 80 keep state

it works, but I want it narrowed down to a machine or subnet.

Any ideas?

roq
