PF DMZ and Webserver question

Hello,
I can comment out the general block rules and my webserver is accessible from the outside. But when I activate these general block rules, it is unreachable.
Any ideas on what I'm doing wrong are most appreciated.
Here's the file:
# $OpenBSD: pf.conf 28Oct03
# macros
ext_if = "dc0"
int_if = "ne3"
dmz_if = "xl0"
webserver = "192.168.3.16/32"
mailserver = "192.168.3.18/32"
dnsserver = "192.168.3.19/32"
# did not allow ftp from subnet
tcp_services = "{ 20, 21, 113 }"
# allow ssh and authentication
tcp_services = "{ 22, 80, 113 }"
# ping rules
icmp_types = "echoreq"
#icmp_types = 8
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
int_net = "{ 192.168.2.0/24 }"
dmz_net = "{ 192.168.3.0/24 }"
set block-policy return
set loginterface $ext_if
# scrub
scrub in all
scrub in on $dmz_if all no-df fragment reassemble
scrub in on $ext_if all no-df fragment reassemble
scrub in on $int_if all no-df fragment reassemble
scrub out on $ext_if all no-df random-id fragment reassemble
# nat/rdr
# this rule provides network address translation from internal net to internet
nat on $ext_if from $int_if:network to any -> ($ext_if)
# This rule allows dmz servers to retrieve packages
# from the outside internet
#nat on $ext_if from $dmz_if:network to any -> ($ext_if)
# This rule directs external internet web traffic to webserver on DMZ
# ???currently does not work
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $webserver port 80
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $webserver port 443
# This rule allows the internal network access to webserver port https
rdr on $int_if proto tcp from $int_if to $ext_if port 80 -> $webserver port 80
rdr on $int_if proto tcp from $int_if to $ext_if port 443 -> $webserver port 443
# This rule directs external internet mail traffic to mailserver on DMZ
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $mailserver port 25
# This rule allows the internal network access to mailserver
rdr on $int_if proto tcp from $int_if to $ext_if port 25 -> $mailserver port 25
# This rule directs external internet dns traffic to dnsserver on DMZ
rdr on $ext_if proto tcp from any to $ext_if port 53 -> $dnsserver port 53
# (assumed: the posted file repeated the tcp line here; udp is what the second dns rule needs)
rdr on $ext_if proto udp from any to $ext_if port 53 -> $dnsserver port 53
# this rule keeps nat from messing up traffic between int_net and dmz servers
#no nat on $int_if proto tcp from $int_if to $dmz_if
# filter rules
block in log all
block out log all
block in inet6 all
block out inet6 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# pass localhost
pass out quick on lo0 all
pass in quick on lo0 all
# ??? This rule's variations do not allow ssh to reach dmz servers
#pass in on $ext_if inet proto tcp from any to ($ext_if) port \
#    $tcp_services flags S/SAFR keep state
# This allows pings to answer outside of the firewall
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
# ??? currently does not allow outside access to web server ???
pass in quick on $ext_if proto tcp from any to $webserver port = 80 flags S/SA keep state
But when I disable these rules, it works?
# block in log all
# block out log all
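The DMZ leg that the posted file does not have, added here as an example; it is not the poster's configuration and not text from the pf documentation. It assumes the redirected packets are being discarded by "block out log all" when they leave on $dmz_if, because the state created by the "pass in on $ext_if" rule is keyed on the untranslated packet and does not match the forwarded copy. Interface names and DMZ addresses are taken from the post.

```pf
# Added example, not the original poster's file. Assumption: a packet rdr'd
# to the DMZ is passed in on $ext_if, but is evaluated again when it goes
# out on $dmz_if, where "block out log all" applies; the $ext_if state is
# keyed on the pre-translation packet, so the $dmz_if leg needs its own rule.
ext_if = "dc0"
dmz_if = "xl0"
webserver = "192.168.3.16"
mailserver = "192.168.3.18"
dnsserver = "192.168.3.19"

# redirections: when the target port is omitted the port is unchanged
rdr on $ext_if proto tcp from any to $ext_if port 80 -> $webserver
rdr on $ext_if proto tcp from any to $ext_if port 443 -> $webserver
rdr on $ext_if proto tcp from any to $ext_if port 25 -> $mailserver
rdr on $ext_if proto tcp from any to $ext_if port 53 -> $dnsserver
rdr on $ext_if proto udp from any to $ext_if port 53 -> $dnsserver

block in log all
block out log all

# external leg: filtering sees the already-translated destination, so the
# rule matches on the DMZ host, not on $ext_if
pass in quick on $ext_if proto tcp from any to $webserver port { 80, 443 } flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $mailserver port 25 flags S/SA keep state
pass in quick on $ext_if proto tcp from any to $dnsserver port 53 flags S/SA keep state
pass in quick on $ext_if proto udp from any to $dnsserver port 53 keep state

# DMZ leg: the same connections must also be passed out on $dmz_if;
# "keep state" here is what lets the server's replies back in on $dmz_if
pass out quick on $dmz_if proto tcp from any to $webserver port { 80, 443 } flags S/SA keep state
pass out quick on $dmz_if proto tcp from any to $mailserver port 25 flags S/SA keep state
pass out quick on $dmz_if proto tcp from any to $dnsserver port 53 flags S/SA keep state
pass out quick on $dmz_if proto udp from any to $dnsserver port 53 keep state

# deliberately no "pass in on $dmz_if" rule: the DMZ hosts answer
# established connections only and cannot open new ones toward the
# internal network or the internet
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and `tcpdump -n -e -ttt -i pflog0` shows the interface and rule number of each logged block, which tells you whether the drop happens on $ext_if or on $dmz_if.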