I think this might be the problem. $ext_if:network expands to 24.62.224.0/20, which is of course not my network. I've been following examples on the net about configuring this.

Perhaps I should put a variable in there as gw=24.62.224.xx/32. It's not clear to me where that should be used ($ext_if:network).

Thank you.

Daniel Hartmeier wrote:

> On Tue, Nov 29, 2005 at 03:53:20AM -0500, Forrest Aldrich wrote:
>
>> Here is what I'm using for the tables:
>>
>>   block in quick on $ext_if proto { tcp, udp } from { <table1>, <table2> } \
>>     to $ext_if:network port 25
>>
>> I wonder if this should be written differently.
>
> I don't see anything obviously wrong. If a packet is passing despite this
> rule, there are two possibilities:
>
> a) evaluation doesn't reach this rule at all, because the packet matches
>    an earlier quick rule
>
> b) evaluation does reach this rule, but the rule isn't matching, because
>
>    1) the interface is not $ext_if
>    2) the protocol is not tcp or udp (maybe some encapsulation or tunnel
>       protocol?)
>    3) the source address is not in either table (use pfctl -vTt to test)
>    4) the destination address is not in $ext_if:network (use pfctl -sr to
>       see what it expands to, might be surprising if $ext_if has multiple
>       network aliases)
>
> c) pf is not enabled at all (pfctl -si | head -n 1)
>
> d) the packet is reaching the server through another path, not going
>    through the pf box at all
>
> If you can't spot it, provide the entire ruleset and a tcpdump showing the
> packet passing on $ext_if.
>
> Daniel
_______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "[EMAIL PROTECTED]"
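Daniel's checklist (interface, protocol, source in a table, destination in the expanded network, port) can be walked mechanically once you have the expanded rules from `pfctl -sr`, the table contents from `pfctl -t <name> -T show`, and the packet's fields from the tcpdump. The script below is an added example written for this page, not code from the thread or from pf itself. The table contents, the rule lines (written in a simplified form of the `pfctl -sr` layout, which is an assumption about its exact wording) and the packet dictionaries are all constructed sample data; the interface name `em0` is a placeholder for $ext_if.

```python
import ipaddress
import re

# Constructed sample data (not from the thread): table contents as
# "pfctl -t <name> -T show" would list them.
TABLES = {
    "table1": ["203.0.113.0/24", "198.51.100.7"],
    "table2": ["192.0.2.0/24"],
}

# Constructed lines in a simplified "pfctl -sr" style, after $ext_if, the
# table list and { tcp, udp } have been expanded (em0 stands in for $ext_if).
EXPANDED_RULES = [
    "block drop in quick on em0 inet proto tcp from <table1> to 24.62.224.0/20 port = 25",
    "block drop in quick on em0 inet proto udp from <table1> to 24.62.224.0/20 port = 25",
    "block drop in quick on em0 inet proto tcp from <table2> to 24.62.224.0/20 port = 25",
    "block drop in quick on em0 inet proto udp from <table2> to 24.62.224.0/20 port = 25",
]

RULE_RE = re.compile(
    r"block \S+ in quick on (?P<ifname>\S+) inet proto (?P<proto>\S+) "
    r"from <(?P<table>\w+)> to (?P<dst>\S+) port = (?P<port>\d+)"
)


def parse_rule(line):
    """Pull interface, protocol, source table, destination net and port out
    of one expanded rule line."""
    m = RULE_RE.match(line)
    if m is None:
        raise ValueError("unrecognised rule: " + line)
    rule = m.groupdict()
    rule["dst"] = ipaddress.ip_network(rule["dst"], strict=False)
    rule["port"] = int(rule["port"])
    return rule


def in_table(addr, entries):
    """True if addr falls inside any host or network entry of a table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)


def failing_criteria(rule, pkt, tables):
    """List the match criteria (in Daniel's order) that this packet misses
    for one rule; an empty list means the rule would match."""
    fails = []
    if pkt["ifname"] != rule["ifname"]:
        fails.append("interface")
    if pkt["proto"] != rule["proto"]:
        fails.append("protocol")
    if not in_table(pkt["src"], tables[rule["table"]]):
        fails.append("source")
    if ipaddress.ip_address(pkt["dst"]) not in rule["dst"]:
        fails.append("destination")
    if pkt["dport"] != rule["port"]:
        fails.append("port")
    return fails


def diagnose(rule_lines, pkt, tables):
    """Return {} if some expanded rule matches the packet; otherwise a dict
    mapping every rule line to the criteria that made it miss, so the
    reader sees which of possibilities b)1-4 applies."""
    report = {}
    for line in rule_lines:
        fails = failing_criteria(parse_rule(line), pkt, tables)
        if not fails:
            return {}
        report[line] = fails
    return report


# Constructed packets, as one would read them off the tcpdump.
PKT_MATCH = {"ifname": "em0", "proto": "tcp", "src": "203.0.113.9",
             "dst": "24.62.224.5", "dport": 25}
PKT_WRONG_IF = dict(PKT_MATCH, ifname="em1")
PKT_NOT_IN_TABLE = dict(PKT_MATCH, src="10.0.0.1")

if __name__ == "__main__":
    for name, pkt in [("match", PKT_MATCH), ("wrong interface", PKT_WRONG_IF),
                      ("source not in table", PKT_NOT_IN_TABLE)]:
        report = diagnose(EXPANDED_RULES, pkt, TABLES)
        print(name, "->", "rule matches" if not report else report)
```

If `diagnose` reports that every expanded rule misses, the failing criteria point at one of Daniel's b) cases; if it reports a match, the packet should have been blocked here, and the remaining suspects are his a), c) and d): an earlier quick rule, pf not enabled, or a path that bypasses the pf box.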
