Simple pf ruleset

jhp · #1 **(View Single Post)** 29th March 2010

Hi Everyone

I'm new to FreeBSD and am attempting to set up pf rules which will allow all traffic through a gateway machine, and redirect port 80 requests for transparent squid proxying.

This is my pf.conf, a very simple one, but for some reason it doesn't seem to be redirecting, does anyone have any idea why?

Code:

## Definitions
int_if="em0"
ext_if="fxp0"
lan="192.168.0.0/24"

## Redirect WWW traffic to local cache
rdr on $int_if proto tcp from $lan to any port www -> 127.0.0.1 port 3128

## No restrictions on Loopback Interface
pass in quick on lo0 all
pass out quick on lo0 all

## No restrictions on Inside LAN Interface for private network
pass out quick on $int_if all
pass in quick on $int_if all

## No restrictions on WAN Interface
pass out quick on $ext_if all
pass in quick on $ext_if all

I'm using FBSD 6.1-Release.

Thanks

John

J65nko · #2 **(View Single Post)** 29th March 2010

Is the squid cache LISTENing on port 3128 of the lo0 interface?

Please post the output of
Code:
```
$ netstat -an -f inet
```

Your pf.conf really does not do any filtering

. It can be simplified even more:

Code:

## Definitions
int_if="em0"
ext_if="fxp0"

## No restrictions on Loopback Interface
## No restrictions on Inside LAN Interface for private network
## No restrictions on WAN Interface
set skip on { lo0, $int_if, $ext_if }

## Redirect WWW traffic to local cache
rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 3128

Is pf enabled? What is the output of
Code:
```
# pfctl -s info
```
?

jhp · #3 **(View Single Post)** 30th March 2010

Ahhhhh. Point 3. I'd loaded the module but not enabled it.

FWIW I had to modify the pf rules slightly to get it working, the one posted didn't redirect.

Code:

## Definitions
int_if="em0"
ext_if="fxp0"

## No restrictions on Loopback Interface
## No restrictions on WAN Interface
set skip on { lo0, $ext_if }

## Redirect WWW traffic to local cache
rdr on $int_if inet proto tcp from $int_if:network to any port www -> 127.0.0.1 port 3128
pass in on $int_if inet proto tcp from any to 127.0.0.1 port 3128 keep state
pass out on $ext_if inet proto tcp from any to any port www keep state

## No restrictions on Inside LAN Interface for private network
pass out quick on $int_if all
pass in quick on $int_if all

Thanks for your help!

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
improve ruleset	wesley	OpenBSD Security	2	21st January 2010 10:31 PM
A simple question	Mr-Biscuit	Off-Topic	1	16th April 2009 04:26 PM
ipfw ruleset double check	l2fl2f	FreeBSD Security	3	26th March 2009 05:32 AM
FTP ruleset questions	hitete	OpenBSD Security	2	25th November 2008 04:30 PM
Simple Firewall with PF	jones	FreeBSD General	3	7th November 2008 01:02 AM