Laurence Moore wrote:
The most likely cause for the RST is because you are not keeping state on
the inbound HTTP request, hence the outgoing packet gets natted and the
other end doesn't like the different port number, hence sends the RST, or it is
being blocked by a firewall rule on ep0. If you have ipmon running and the
log directive in your firewall rules in appropriate locations, you should
see which rule is blocking it. Personally I think your problem is
related to the former.

You will need a rule for ipf such as:

pass in on tun0 proto tcp from any port > 1023 to 192.168.2.2 port = 80
flags S keep state

Alas, that didn't fix the problem--I placed the above rule into a separate file and reloaded ipf with it (so it was the only rule present besides "pass in all; pass out all") and still got the same behavior. Looking at ipmon -a (after adding a few more "pass log ..." rules to track the behavior), I see:


04/04/2003 11:34:25.914493 tun0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F IN
04/04/2003 11:34:25.914660 ep0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F OUT
04/04/2003 11:34:25.915512 ep0 @3:12 p 192.168.2.2,80 -> YYY.YYY.YYY.YYY,1124 PR tcp len 20 60 -AS K-S K-F IN
04/04/2003 11:34:25.915693 ep0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 40 -R K-S K-F OUT
04/04/2003 11:34:25.914348 @1 NAT:RDR 192.168.2.2,80 <- -> XXX.XXX.XXX.XXX,80 [YYY.YYY.YYY.YYY,1124]
04/04/2003 11:34:25.914471 STATE:NEW YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp
04/04/2003 11:34:28.913192 tun0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F IN
04/04/2003 11:34:28.913351 ep0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F OUT
04/04/2003 11:34:28.914300 ep0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 40 -R K-S K-F OUT


This differs from a normal traffic pattern (from the host at work which I said was able to get through without troubles), which shows:

04/04/2003 11:46:46.514547 tun0 @3:12 p ZZZ.ZZZ.ZZZ.ZZZ,37883 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F IN
04/04/2003 11:46:46.514712 ep0 @3:12 p ZZZ.ZZZ.ZZZ.ZZZ,37883 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F OUT
04/04/2003 11:46:46.515804 ep0 @3:12 p 192.168.2.2,80 -> ZZZ.ZZZ.ZZZ.ZZZ,37883 PR tcp len 20 60 -AS K-S K-F IN
04/04/2003 11:46:46.515981 tun0 @3:12 p XXX.XXX.XXX.XXX,80 -> ZZZ.ZZZ.ZZZ.ZZZ,37883 PR tcp len 20 60 -AS K-S K-F OUT
04/04/2003 11:46:46.821606 tun0 @3:12 p ZZZ.ZZZ.ZZZ.ZZZ,37883 -> 192.168.2.2,80 PR tcp len 20 52 -A K-S K-F IN
04/04/2003 11:46:46.821768 ep0 @3:12 p ZZZ.ZZZ.ZZZ.ZZZ,37883 -> 192.168.2.2,80 PR tcp len 20 52 -A K-S K-F OUT
04/04/2003 11:46:46.514397 @1 NAT:RDR 192.168.2.2,80 <- -> XXX.XXX.XXX.XXX,80 [ZZZ.ZZZ.ZZZ.ZZZ,37883]
04/04/2003 11:46:46.514524 STATE:NEW ZZZ.ZZZ.ZZZ.ZZZ,37883 -> 192.168.2.2,80 PR tcp


Where, as in the last message, XXX.XXX.XXX.XXX is my network's outside IP address, YYY.YYY.YYY.YYY is a client which cannot access the web server from outside, and ZZZ.ZZZ.ZZZ.ZZZ is my host at work which is able to connect just fine.

Any other ideas?

-Chris
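The two ipmon -a captures quoted above differ at one point: in the working flow the server's SYN-ACK that arrives IN on ep0 is relayed OUT on tun0 (rewritten to the outside address) and the client's ACK follows; in the failing flow the SYN-ACK arrives IN on ep0 but nothing leaves tun0, and instead an RST carrying the client's address goes OUT on ep0 with no inbound RST in the trace before it, after which the client retransmits its SYN. The following script, an added example that is not code from this list thread or from IPFilter, parses ipmon packet lines, groups them into flows by client endpoint and reports how far each three-way handshake got. The two captures are embedded as constructed input with the message's placeholder addresses kept as written; it assumes ep0 is the inside interface, tun0 the outside interface, and port 80 the server port, as in the thread, and the field names in the report (`client_syns`, `server_synack`, `synack_forwarded`, `local_rst`) are this example's own.

```python
"""Reconstruct TCP handshakes from ipmon -a output and report where a flow diverges."""
import re
from collections import defaultdict

SERVER_PORT = "80"                # web server port from the thread's rule and logs
INSIDE, OUTSIDE = "ep0", "tun0"   # interface roles assumed from the thread

# One ipmon packet line: date time iface @group:rule action src,sport -> dst,dport
# PR proto len hdrlen pktlen -flags K-S K-F IN|OUT.  NAT:RDR and STATE: lines have
# a different shape and are skipped by the parser.
PACKET = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) @(?P<group>\d+):(?P<rule>\d+) (?P<action>\S) "
    r"(?P<src>[\w.]+),(?P<sport>\d+) -> (?P<dst>[\w.]+),(?P<dport>\d+) PR (?P<proto>\S+) "
    r"len (?P<hlen>\d+) (?P<plen>\d+) -(?P<flags>\S+) K-S K-F (?P<dir>IN|OUT)$"
)

# Constructed sample input: the failing capture quoted in the message above.
FAILING = """\
04/04/2003 11:34:25.914493 tun0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F IN
04/04/2003 11:34:25.914660 ep0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F OUT
04/04/2003 11:34:25.915512 ep0 @3:12 p 192.168.2.2,80 -> YYY.YYY.YYY.YYY,1124 PR tcp len 20 60 -AS K-S K-F IN
04/04/2003 11:34:25.915693 ep0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 40 -R K-S K-F OUT
04/04/2003 11:34:25.914348 @1 NAT:RDR 192.168.2.2,80 <- -> XXX.XXX.XXX.XXX,80 [YYY.YYY.YYY.YYY,1124]
04/04/2003 11:34:25.914471 STATE:NEW YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp
04/04/2003 11:34:28.913192 tun0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F IN
04/04/2003 11:34:28.913351 ep0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F OUT
04/04/2003 11:34:28.914300 ep0 @3:12 p YYY.YYY.YYY.YYY,1124 -> 192.168.2.2,80 PR tcp len 20 40 -R K-S K-F OUT
"""

# Constructed sample input: the working capture from the host at work.
WORKING = """\
04/04/2003 11:46:46.514547 tun0 @3:12 p ZZZ.ZZZ.ZZZ.ZZZ,37883 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F IN
04/04/2003 11:46:46.514712 ep0 @3:12 p ZZZ.ZZZ.ZZZ.ZZZ,37883 -> 192.168.2.2,80 PR tcp len 20 60 -S K-S K-F OUT
04/04/2003 11:46:46.515804 ep0 @3:12 p 192.168.2.2,80 -> ZZZ.ZZZ.ZZZ.ZZZ,37883 PR tcp len 20 60 -AS K-S K-F IN
04/04/2003 11:46:46.515981 tun0 @3:12 p XXX.XXX.XXX.XXX,80 -> ZZZ.ZZZ.ZZZ.ZZZ,37883 PR tcp len 20 60 -AS K-S K-F OUT
04/04/2003 11:46:46.821606 tun0 @3:12 p ZZZ.ZZZ.ZZZ.ZZZ,37883 -> 192.168.2.2,80 PR tcp len 20 52 -A K-S K-F IN
04/04/2003 11:46:46.821768 ep0 @3:12 p ZZZ.ZZZ.ZZZ.ZZZ,37883 -> 192.168.2.2,80 PR tcp len 20 52 -A K-S K-F OUT
04/04/2003 11:46:46.514397 @1 NAT:RDR 192.168.2.2,80 <- -> XXX.XXX.XXX.XXX,80 [ZZZ.ZZZ.ZZZ.ZZZ,37883]
04/04/2003 11:46:46.514524 STATE:NEW ZZZ.ZZZ.ZZZ.ZZZ,37883 -> 192.168.2.2,80 PR tcp
"""


def parse(text):
    """Yield packet records in log order; non-packet (NAT/STATE) lines are ignored."""
    for raw in text.splitlines():
        m = PACKET.match(raw.strip())
        if m:
            yield m.groupdict()


def flows(text):
    """Group packets by (client address, client port); the client is the non-server side."""
    table = defaultdict(list)
    for p in parse(text):
        client = (p["src"], p["sport"]) if p["dport"] == SERVER_PORT else (p["dst"], p["dport"])
        table[client].append(p)
    return table


def diagnose(packets, inside=INSIDE, outside=OUTSIDE):
    """Walk one flow's packets and report how far the three-way handshake got."""
    report = {
        "client_syns": 0,           # SYNs arriving on the outside interface (>1 means retransmits)
        "server_synack": False,     # server's SYN-ACK seen coming IN on the inside interface
        "synack_forwarded": False,  # that SYN-ACK relayed OUT on the outside interface
        "local_rst": False,         # RST left the inside interface with no inbound RST before it
    }
    inbound_rst_seen = False
    for p in packets:
        if p["flags"] == "S" and p["dir"] == "IN" and p["iface"] == outside:
            report["client_syns"] += 1
        elif p["flags"] == "AS" and p["dir"] == "IN" and p["iface"] == inside:
            report["server_synack"] = True
        elif p["flags"] == "AS" and p["dir"] == "OUT" and p["iface"] == outside:
            report["synack_forwarded"] = True
        elif p["flags"] == "R":
            if p["dir"] == "IN":
                inbound_rst_seen = True
            elif p["iface"] == inside and not inbound_rst_seen:
                report["local_rst"] = True
    return report


def diagnose_capture(text):
    """Diagnose every client flow found in one ipmon capture."""
    return {client: diagnose(pkts) for client, pkts in flows(text).items()}


if __name__ == "__main__":
    for name, cap in (("failing", FAILING), ("working", WORKING)):
        for client, rep in diagnose_capture(cap).items():
            print(name, client, rep)
```

Run against the two captures, the failing flow reports the server SYN-ACK seen but not forwarded, a locally originated RST on ep0 and two client SYNs, while the working flow reports the SYN-ACK forwarded with no RST; the same parser can be pointed at a longer ipmon -a capture to find every flow that stalls at the same step.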
