I have two rules in my pf.conf file, "pass in all" and "pass out all".

I was having issues with getting pf working to begin with, so I went with starting from nothing and working on up.

I have an UltraSPARC Ultra 1 200E, with an added 4-port Fast Ethernet SBus card, running "3.4 GENERIC#85 sparc64".

I have my access server on one port and my workstation on another, two separate ports that are on different networks.

I can ping the access server from my workstation and my OBSD box; however, I can't telnet to the access server from my workstation. I can telnet to the access server through the OBSD box.

My pf.conf is as follows:

-------------
###################################
# $OpenBSD: pf.conf 11/9/2003
###################################

#####################################
### macros
#####################################

### IP addresses
ext_ip = "10.10.110.2"            # external interface ip address
int_ip = "192.168.110.253"        # internal interface ip address
pub_ip = "172.16.210.1"           # public servers interface ip address
pvt_ip = "192.168.210.1"          # private servers interface ip address
pod_ip = "172.16.110.1"           # cisco router pod interface ip address

### physical interfaces
int_if = "hme0"                   # internal interface
pvt_srv_if = "hme1"               # private server interface
pub_svr_if = "hme2"               # public server interface
cisco_pod_if = "hme3"             # router lab interface
ext_if = "hme4"                   # external interface
all_if = "{ hme0, hme1, hme2, hme3, hme4 }"   # all interfaces

### networks
int_net = "192.168.110.240/28"    # internal LAN
ext_net = "10.10.110.0/30"        # external LAN
pvt_net = "192.168.210.0/30"      # private server network
pub_net = "172.16.210.0/30"       # public server network
pod_net = "172.16.110.0/30"       # cisco router pod network

### servers
web_server = "172.16.210.2"       # webserver
PDC = "192.168.210.2"             # primary domain server
router = "10.10.110.1"            # router
access_server = "172.16.110.2"    # cisco pod access server
print_server = "192.168.100.251"  # print server
proxy_server = "192.168.100.248"  # proxy server

### internal network hosts
venus = "192.168.110.242"         # ami's system
saturn = "192.168.110.243"        # my system
mercury = "192.168.110.249"       # laptop
uranus = "192.168.110.248"        # backup server
neptune = "192.168.110.253"       # OpenBSD
hosts = "{" $venus $saturn $mercury $uranus "}"

### Private addresses
spoof_ips = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"   # private addresses

### Services
www = "{ 80, 443 }"               # http/https

##################################################################
### Options: tune the behavior of pf
##################################################################

### Sets the interface for which PF should gather statistics such as
### bytes in/out and packets passed/blocked
### Optimize PF for one of the following network environments
### packet is silently dropped

# default options
#set require-order yes
#set optimization normal
#set block-policy drop
#set fingerprints "/etc/pf.os"
set loginterface hme4

##########################
### Packet Filtering Table
##########################

### Clean up fragmented packets and abnormal packets
scrub in all fragment reassemble

### redirect/nat rules
nat on $ext_if from any to any -> $ext_ip

###
### traffic rules
###

pass in all
pass out all
----------------

I'd appreciate any and all help.
Sameer wrote:

> I have two rules in my pf.conf file, "pass in all" and "pass out all".
>
> I was having issues with getting pf working to begin with, so I went
> with starting from nothing and working on up.
>
> I have an UltraSPARC Ultra 1 200E, with an added 4-port Fast Ethernet
> SBus card, running "3.4 GENERIC#85 sparc64".
>
> I have my access server on one port and my workstation on another, two
> separate ports that are on different networks.
>
> I can ping the access server from my workstation and my OBSD box;
> however, I can't telnet to the access server from my workstation. I can
> telnet to the access server through the OBSD box.
>
> My pf.conf is as follows:
>
> [...]
>
> I'd appreciate any and all help.

The most logical first question would then be: is the telnet service running?
The next would be: what are the routing tables?

EJ
--
Remove the obvious part (including the dot) for my email address.
http://www.vanwesten.net for examples of ipf and pf.
"Sameer" <ssnewsgroups@hotmail.com> writes:

> I can ping the access server from my workstation and my OBSD box;
> however, I can't telnet to the access server from my workstation. I can
> telnet to the access server through the OBSD box.

First make 100% sure the problem is pf related. Disable pf with

    # pfctl -d

Does the problem still exist? If so it's not a pf problem.

// marc
>>>>> "Marco" == Marco S Hyman <marc@snafu.org> writes:

Marco> First make 100% sure the problem is pf related. Disable pf with
Marco> # pfctl -d
Marco> Does the problem still exist? If so it's not a pf problem.

Of course, now that translation rules are also handled by pf, that
could actually bring problems in, not remove them.

It might make more sense to ask the poster to say:

    pfctl -F rules -F queue

thus keeping the translation rules in place (I think).

--
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
<merlyn@stonehenge.com> <URL:http://www.stonehenge.com/merlyn/>
Perl/Unix/security consulting, Technical writing, Comedy, etc. etc.
See PerlTraining.Stonehenge.com for onsite and open-enrollment Perl training!
merlyn@stonehenge.com (Randal L. Schwartz) writes:

> Of course, now that translation rules are also handled by pf, that
> could actually bring problems in, not remove them.

Ahh, didn't notice that he was doing NAT.

// marc
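An added illustration, not part of the thread and not pfctl's own code: a small Python script that performs the macro expansion pfctl does when it reads a pf.conf like Sameer's, so the effective rule set can be inspected without a sparc64 box at hand. The config embedded in it is a constructed excerpt of the one posted above (same macros and rules, comments trimmed). The split of the expanded rules into "translation" versus "filter" is this example's own labelling, used to show what Randal's `pfctl -F rules -F queue` leaves in place compared with `pfctl -d`; it assumes `-F rules` flushes the scrub and pass/block rules and leaves nat/rdr/binat alone.

```python
import re

# Constructed sample: the macro definitions and rules from the pf.conf
# posted above, trimmed to the lines that matter for macro expansion.
PF_CONF = r'''
ext_ip = "10.10.110.2"           # external interface ip address
ext_if = "hme4"                  # external interface
int_if = "hme0"                  # internal interface
all_if = "{ hme0, hme1, hme2, hme3, hme4 }"
venus = "192.168.110.242"
saturn = "192.168.110.243"
mercury = "192.168.110.249"
uranus = "192.168.110.248"
hosts = "{" $venus $saturn $mercury $uranus "}"
www = "{ 80, 443 }"
set loginterface hme4
scrub in all fragment reassemble
nat on $ext_if from any to any -> $ext_ip
pass in all
pass out all
'''

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*(.+)$')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
# a macro value is a run of quoted strings, $references and bare words
VALUE_TOKEN = re.compile(r'"([^"]*)"|(\$[A-Za-z_]\w*)|(\S+)')


def strip_comment(line):
    """Drop a '#' comment. The sample never puts '#' inside quotes,
    so a plain split is enough here."""
    return line.split('#', 1)[0].strip()


def expand(text, macros):
    """Replace every $name with its value; pfctl rejects undefined macros."""
    def sub(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError(f"macro ${name} used before it is defined")
        return macros[name]
    return MACRO_REF.sub(sub, text)


def parse(conf):
    """Return (macros, rules). References inside a macro value expand at
    definition time and consecutive value tokens are joined by one space,
    which is what makes the  hosts = "{" $venus $saturn "}"  idiom work."""
    macros, rules = {}, []
    for raw in conf.splitlines():
        line = strip_comment(raw)
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            name, value = m.groups()
            parts = []
            for quoted, ref, bare in VALUE_TOKEN.findall(value):
                parts.append(expand(ref, macros) if ref else (quoted or bare))
            macros[name] = ' '.join(parts)
        else:
            # rule line: expand and normalise whitespace, roughly what pfctl -nv prints
            rules.append(' '.join(expand(line, macros).split()))
    return macros, rules


def classify(rule):
    """Group a rule by what removes it. Assumption of this example, not a
    statement from the thread: 'pfctl -F rules' flushes scrub and pass/block
    rules, 'pfctl -F nat' the translation rules, and 'pfctl -d' disables all
    of them at once. 'set' lines are options, not rules."""
    keyword = rule.split()[0]
    if keyword in ('nat', 'rdr', 'binat'):
        return 'translation'
    if keyword in ('scrub', 'pass', 'block'):
        return 'filter'
    if keyword == 'set':
        return 'option'
    return 'other'


def after_flush_rules(rules):
    """What stays active after 'pfctl -F rules -F queue': only the
    translation rules, which is the point of preferring it to 'pfctl -d'."""
    return [r for r in rules if classify(r) == 'translation']


if __name__ == '__main__':
    macros, rules = parse(PF_CONF)
    print('hosts expands to:', macros['hosts'])
    for r in rules:
        print(f'{classify(r):12} {r}')
    print('left after pfctl -F rules -F queue:', after_flush_rules(rules))
```

On the real box the same expanded view comes from `pfctl -nvf /etc/pf.conf`, which parses and prints the rules without loading them; the script only reproduces the textual expansion, not pf's full grammar check.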