Hi Erik,
Remember that any quick rule will apply on it and pf will not search
anymore, maybe you should clean up your pf.conf a little bit.
Maybe removing all quick rules you get what you want ;)
-----------------------------
block in log on $wlan_if inet from $wlan_net to <local_net>
pass in log quick on $wlan_if inet proto tcp from $wlan_net to \
<local_net> port $local_tcp flags S/SA keep state
pass in log quick on $wlan_if inet proto udp from $wlan_net to \
<local_net> port $local_udp keep state
pass in log quick on $wlan_if inet proto icmp from $wlan_net to \
<local_net> icmp-type $local_icmp keep state
# REMOVE THIS
# block in log quick on $wlan_if inet from $wlan_net to <local_net>
block out log on $srv_if
pass out quick on $srv_if inet from $srv_ip to $srv_net keep state
pass out quick on $srv_if inet from $srv_ip to !<local_net> \
keep state
# REMOVE THIS
# here you are saying to pf block this connection, no matter all pass
rules above
# block out log quick on $srv_if
--------------------------------
Tell me if this helps you,
Regards,
Erik Norgaard wrote:
Hi,
I have a problem connecting from one local subnet to another crossing
an FBSD box with pf. Should be trivial, I have the following ruleset:
<snip>
# Local services accessible from wlan
block in log on $wlan_if inet from $wlan_net to <local_net>
pass in log quick on $wlan_if inet proto tcp from $wlan_net to \
<local_net> port $local_tcp flags S/SA keep state
pass in log quick on $wlan_if inet proto udp from $wlan_net to \
<local_net> port $local_udp keep state
pass in log quick on $wlan_if inet proto icmp from $wlan_net to \
<local_net> icmp-type $local_icmp keep state
block in log quick on $wlan_if inet from $wlan_net to <local_net>
block out log on $srv_if
pass out quick on $srv_if inet from $srv_ip to $srv_net keep state
pass out quick on $srv_if inet from $srv_ip to !<local_net> \
keep state
block out log quick on $srv_if
</snip>
<local_net> is a table of the directly attached local networks, I try
to connect from my wireless to a wired lan.
But, tcpdump on pflog0 shows this:
000000 rule 54/0(match): pass in on ath0: 172.17.1.254.49347 >
192.168.0.254.80: [|tcp]
000081 rule 94/0(match): block out on vr0: 172.17.1.254.49347 >
192.168.0.254.80: tcp 44 [bad hdr length 0 - too short, < 20]
Evidently, the packet is matched by the correct pass in rule, yet no
state is created and it is subsequently blocked by the block out rule.
I can add a pass out rule to get through, but that shouldn't be the
correct solution, why does pf not keep state?
Thanks, Erik
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to
"[EMAIL PROTECTED]"
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"