silly pf config issues

Fri Sep 8 11:54:43 PDT 2006

Hi,

I'm stuck on something obvious and I don't seem to be able to catch it. 

I got a small test subnet 192.168.0.0 under my own subnet 10.1.0.0, where I 
test this firewall.

Internet--[firewall]--10.1.0.0--[this test firewall]--192.168.0.0

Queues are not active yet, nor are web or ftp servers. 
I added a test machine IP (192.138.0.2) to the managers table file, and 
10.1.0.34  + google.com as allowed web sites for testing purposes.

I can ping them by both IP and domain name, but not browse.

## Macros
# Interfaces
WAN="bge0"
LAN="xl0"
LANip="192.168.0.0/24"
RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/24 }"
#RFC1918="{ 127.0.0.0/8 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8  }"

Web="{ 80, 443 }"
Web-server="192.168.0.2"
Ftp="21"
Ftp-server="192.168.0.2"

## Tables 	(Content in brackets)
table <admins> file "/etc/tAdmins" ( )
table <managers> file "/etc/tManagers" (192.168.0.2)
table <operators> file "/etc/tOperators" (192.168.0.128/26)
table <http-managers> file "/etc/tHttp-managers" (google.com)
table <http-operators> file "/etc/tHttp-operators" (example.com)
table <customers> file "/etc/tCustomers" ( )
table <extadmin> file "/etc/tExtadmin" ( )

## Options

## Traffic Normalization
scrub in all

## Bandwidth Management
altq on $WAN cbq bandwidth 3000Kb queue { ssh, http-out, http-in, ftp-in, 
mail, dns, ftp, misc }
#queue LOCAL bandwidth 98456Kb cbq(borrow)

queue ftp-in bandwidth 12% priority 4 cbq(borrow red)
queue http-in bandwidth 13% priority 4 cbq(borrow red)
queue http-out bandwidth 25% priority 3 cbq(borrow red) { develusers, 
normalusers }
queue  develusers bandwidth 50% cbq(borrow)
queue  normalusers bandwidth 50% cbq(borrow)
queue mail bandwidth 10% priority 1 cbq(borrow ecn)
queue dns bandwidth 5% priority 5 cbq(borrow ecn)
queue ftp bandwidth 15% priority 2 cbq(borrow ecn)
queue ssh bandwidth 10% priority 6 cbq(borrow) { ssh_interactive, ssh_bulk }
queue  ssh_interactive bandwidth 50% cbq(borrow)
queue  ssh_bulk bandwidth 50% cbq(borrow)
queue misc bandwidth 10% cbq(borrow,default)

## Translations
#special = "{ 10.2.1.10 }"
#no nat on $WAN from $special to any
#nat on $WAN from $LAN to any -> $WAN
#binat on $WAN from $special to any -> $WAN

nat on $WAN from $LAN:network to any -> $WAN 

## Redirection

## Packet Filtering
# Allow all loopback traffic.
pass quick on lo0

# Default deny.
block in  log quick on $WAN from $RFC1918
block in  log on $WAN 
block out log on $WAN

# Allow basic networking communication 
pass in  log on $WAN proto icmp from any to any keep state  
pass out log on $WAN inet proto icmp all icmp-type 8 code 0 keep state 

# Allow dns and ntp out
pass out log on $WAN proto udp from any to any port 53 keep state
pass out log on $WAN proto udp from any to any port 123 keep state

# Allow ssh in and out 
pass in  log on $WAN proto tcp from any to any port 22 keep state  
pass out log on $WAN proto tcp from any to any port 22 keep state  

# Allow web out based on tables
pass in  log on $LAN proto tcp from <managers> to any port $Web keep state 
pass out log on $WAN proto tcp from <admins> to any port $Web keep state
pass out log on $WAN proto tcp from <managers> to <http-managers> port $Web 
keep state
pass out log on $WAN proto tcp from <operators> to <http-operators> port $Web 
keep state

# Allow web and ftp in based on table
#pass in log on $WAN proto tcp from <customers> to $Web-server port $Web 
#pass in log on $WAN proto tcp from <customers> to $Ftp-server port $Ftp

-- 
Bulk