On 6/9/06, Erik Norgaard <[EMAIL PROTECTED]> wrote:
Pat Maddox wrote:
> 12.34.56.78 runs a server on port 1234
> 87.65.43.21 should connect to this
>
> Both of them have PF rulesets that block off most traffic, keeping
> open the publically available ports I need open.  In this case though,
> any traffic over this port should only be between these two machines.
> I've tried to set this up, but I keep getting operation not permitted,
> connection refused, and connection reset by peer errors.  Thanks for
> any info.

It's quite difficult to tell which rule catches your packets without the
ruleset. Try this:

1) Add "log" to all block rules
2) Check you have keep state in pass rules
3) Check you have quick in your pass rules

If you have a default block policy, then you should generally have quick
in pass rules or you might have packets marked for passing being caught
later by a block rule.

I generally prefer having the default policy at top without quick, and
then set quick on rules taking an explicit action.

Cheers, Erik



Okay, I got it working.  On the client, the rule is
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to $SERVER port
7721 keep state

and on the server, it's just the opposite
pass in quick on $EXT_IF inet proto tcp from $CLIENT to $EXT_IF port
7721 keep state

The only difference between that rule and the one I had earlier
includes a "flags S/SA" directive on each.  Of course now I just tried
adding the flags and it works...I'm guessing because the state was
already made.

If I add "flags S/SA" is there any reason that'd cause problems.  It
seems to work fine right now, but didn't earlier - though perhaps I
had a typo or something.

Pat
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"

Reply via email to