Here is the relevant text of my rules.debug file. It looks like the connection "computer support" has the same interface as the rest of the tunnels. This is the test connection that should be using OPT3.

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on $lan proto icmp keep state label "let out anything from firewall host itself"
pass out quick on $wan proto icmp keep state label "let out anything from firewall host itself"
pass out quick on em1 all keep state label "let out anything from firewall host itself"
# pass traffic from firewall -> out
anchor "firewallout"
pass out quick on em1 all keep state label "let out anything from firewall host itself"
pass out quick on em0 all keep state label "let out anything from firewall host itself"
pass out quick on em4 all keep state label "let out anything from firewall host itself"
pass out quick on em2 all keep state label "let out anything from firewall host itself"
pass out quick on $pptp all keep state label "let out anything from firewall host itself pptp"
pass out quick on $enc0 keep state label "IPSEC internal host to host"

# let out anything from the firewall host itself and decrypted IPsec traffic
pass out quick on em4 proto icmp keep state label "let out anything from firewall host itself"
pass out quick on em4 all keep state label "let out anything from firewall host itself"


# VPN Rules
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.137 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.137 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.137 keep state label "IPSEC: Fire Station 3 - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.137 to 209.218.218.138 keep state label "IPSEC: Fire Station 3 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.129 port = 500 keep state label "IPSEC: Street Department - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.129 to 209.218.218.138 port = 500 keep state label "IPSEC: Street Department - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.129 keep state label "IPSEC: Street Department - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.129 to 209.218.218.138 keep state label "IPSEC: Street Department - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 65.119.178.154 port = 500 keep state label "IPSEC: Fire Station 2 - outbound isakmp"
pass in quick on $wan proto udp from 65.119.178.154 to 209.218.218.138 port = 500 keep state label "IPSEC: Fire Station 2 - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 65.119.178.154 keep state label "IPSEC: Fire Station 2 - outbound esp proto"
pass in quick on $wan proto esp from 65.119.178.154 to 209.218.218.138 keep state label "IPSEC: Fire Station 2 - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.227.28.14 port = 500 keep state label "IPSEC: EMS Building - outbound isakmp"
pass in quick on $wan proto udp from 70.227.28.14 to 209.218.218.138 port = 500 keep state label "IPSEC: EMS Building - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.227.28.14 keep state label "IPSEC: EMS Building - outbound esp proto"
pass in quick on $wan proto esp from 70.227.28.14 to 209.218.218.138 keep state label "IPSEC: EMS Building - inbound esp proto"
pass out quick on $wan proto udp from 209.218.218.138 to 70.237.44.110 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp"
pass in quick on $wan proto udp from 70.237.44.110 to 209.218.218.138 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp"
pass out quick on $wan proto esp from 209.218.218.138 to 70.237.44.110 keep state label "IPSEC: Computer Support - outbound esp proto"
pass in quick on $wan proto esp from 70.237.44.110 to 209.218.218.138 keep state label "IPSEC: Computer Support - inbound esp proto"

pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em0 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em1 inet proto tcp from port 20 to (em1) port > 49000 user proxy flags S/SA keep state label "FTP PROXY: PASV mode data connection"
# enable ftp-proxy
pass in quick on em4 inet proto tcp from any to $loopback port 8022 keep state label "FTP PROXY: Allow traffic to localhost"
pass in quick on em4 inet proto tcp from any to $loopback port 21 keep state label "FTP PROXY: Allow traffic to localhost"

Vaughn


Scott Ullrich wrote:
On 3/29/07, Vaughn L. Reid III <[EMAIL PROTECTED]> wrote:
I didn't get the request, but I'll be happy to check to see if rules are
being added.  Should I remove the manual rules that I created first
before checking?

Yes, please. Then open up /tmp/rules.debug and look for "VPN
Rules". Below that marker are the system-generated IPSEC rules. Do
you see entries for the OPT interface?

Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



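An added example, not part of the original thread and not pfSense's own code: a small Python script that does the check Scott describes, parsing the rules below the "# VPN Rules" marker of /tmp/rules.debug (even when several rules are run together on one line, as in the posted extract) and reporting which interface each tunnel's four generated rules (isakmp and esp, inbound and outbound) bind to. The sample input is constructed with RFC 5737 addresses; the "Branch Office" tunnel and the "$opt3" interface macro are hypothetical, included only to show what a tunnel correctly bound to an OPT interface would look like against one that landed on $wan.

```python
import re
from collections import defaultdict

# Constructed sample modeled on the posted "# VPN Rules" block: rules run
# together on one line as in the extracted post, RFC 5737 addresses.
# "Branch Office" on "$opt3" is hypothetical; it shows a tunnel that is
# bound to a non-WAN interface, unlike the two on $wan.
SAMPLE_RULES = (
    '# VPN Rules\n'
    'pass out quick on $wan proto udp from 198.51.100.10 to 203.0.113.20 port = 500 keep state label "IPSEC: Fire Station 3 - outbound isakmp" '
    'pass in quick on $wan proto udp from 203.0.113.20 to 198.51.100.10 port = 500 keep state label "IPSEC: Fire Station 3 - inbound isakmp" '
    'pass out quick on $wan proto esp from 198.51.100.10 to 203.0.113.20 keep state label "IPSEC: Fire Station 3 - outbound esp proto" '
    'pass in quick on $wan proto esp from 203.0.113.20 to 198.51.100.10 keep state label "IPSEC: Fire Station 3 - inbound esp proto" '
    'pass out quick on $wan proto udp from 198.51.100.10 to 203.0.113.30 port = 500 keep state label "IPSEC: Computer Support - outbound isakmp" '
    'pass in quick on $wan proto udp from 203.0.113.30 to 198.51.100.10 port = 500 keep state label "IPSEC: Computer Support - inbound isakmp" '
    'pass out quick on $wan proto esp from 198.51.100.10 to 203.0.113.30 keep state label "IPSEC: Computer Support - outbound esp proto" '
    'pass in quick on $wan proto esp from 203.0.113.30 to 198.51.100.10 keep state label "IPSEC: Computer Support - inbound esp proto"\n'
    'pass out quick on $opt3 proto udp from 192.0.2.10 to 203.0.113.40 port = 500 keep state label "IPSEC: Branch Office - outbound isakmp" '
    'pass in quick on $opt3 proto udp from 203.0.113.40 to 192.0.2.10 port = 500 keep state label "IPSEC: Branch Office - inbound isakmp" '
    'pass out quick on $opt3 proto esp from 192.0.2.10 to 203.0.113.40 keep state label "IPSEC: Branch Office - outbound esp proto" '
    'pass in quick on $opt3 proto esp from 203.0.113.40 to 192.0.2.10 keep state label "IPSEC: Branch Office - inbound esp proto"\n'
    '\n'
    'pass in quick on em0 inet proto tcp from any to $loopback port 8021 keep state label "FTP PROXY: Allow traffic to localhost"\n'
)

# One pf rule: direction, interface, then everything up to the quoted label.
# The non-greedy body stops at the first label, so rules jammed onto one
# line are split correctly.
RULE_RE = re.compile(
    r'pass\s+(?P<dir>in|out)\s+quick\s+on\s+(?P<iface>\S+)\s+(?P<body>.*?)\s*label\s+"(?P<label>[^"]*)"',
    re.S,
)
# Labels pfSense writes for generated IPsec rules: "IPSEC: <tunnel> - <dir> <kind>"
LABEL_RE = re.compile(
    r'^IPSEC:\s*(?P<tunnel>.+?)\s+-\s+(?P<dir>inbound|outbound)\s+(?P<kind>isakmp|esp proto)$'
)


def vpn_section(text):
    """Return the text after the '# VPN Rules' marker, up to the next blank line."""
    m = re.search(r'^# VPN Rules\s*$', text, re.M)
    if not m:
        return ''
    rest = text[m.end():]
    end = re.search(r'\n\s*\n', rest)
    return rest[:end.start()] if end else rest


def parse_rules(text):
    """Yield (tunnel, direction, kind, interface) for every generated IPsec rule."""
    for m in RULE_RE.finditer(text):
        lm = LABEL_RE.match(m.group('label'))
        if not lm:
            continue  # not an IPsec rule (e.g. "let out anything" or FTP proxy)
        yield lm.group('tunnel'), lm.group('dir'), lm.group('kind'), m.group('iface')


def tunnel_interfaces(text):
    """Map each tunnel name to the set of interfaces its generated rules bind to."""
    ifaces = defaultdict(set)
    for tunnel, _d, _k, iface in parse_rules(vpn_section(text)):
        ifaces[tunnel].add(iface)
    return dict(ifaces)


def rule_count(text):
    """Rules per tunnel; a complete tunnel has 4 (isakmp + esp, each direction)."""
    counts = defaultdict(int)
    for tunnel, *_ in parse_rules(vpn_section(text)):
        counts[tunnel] += 1
    return dict(counts)


def check_tunnel(text, tunnel, expected_iface):
    """(ok, detail): ok only if all 4 rules exist and every one binds to expected_iface."""
    ifaces = tunnel_interfaces(text).get(tunnel, set())
    count = rule_count(text).get(tunnel, 0)
    ok = count == 4 and ifaces == {expected_iface}
    return ok, f'{tunnel}: {count} rules on {sorted(ifaces)}, expected 4 on [{expected_iface!r}]'


if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for name, ifaces in sorted(tunnel_interfaces(text).items()):
        print(f'{name:20s} -> {sorted(ifaces)}')
    print(check_tunnel(text, 'Computer Support', '$opt3')[1])
```

Run it as `python3 check_vpn_rules.py /tmp/rules.debug` (the filename is an assumption). A tunnel that should be on an OPT interface but whose four rules all report `$wan`, as "Computer Support" does in the sample, is exactly the symptom Vaughn describes above; a tunnel with fewer than four rules means the generated set is incomplete rather than mis-bound.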