TheSG wrote:

I have been struggling with this issue for a few days now. I have a Citrix server (customer site) that I cannot connect to through my OpenBSD 3.7 pf firewall. I am able to reach this Citrix server if I go direct (no firewall). I know the Citrix server is open to everyone on the Internet. However, something is happening when my Windows client passes through the OpenBSD pf firewall - I do not receive any packets back from the Citrix server. I have tcpdump running on the outside and inside of the firewall and I see the match rules that allow out from the Inside interface then out the outside interface but I never see any traffic back from the Citrix server.

My rules are simple. I have actually done a pass in log all keep state & pass out log all keep state in my rules with nothing else (no block or pass) and it still fails. I see the traffic go through the pf box but never see anything from the Citrix server.

I do know this Citrix server is being firewalled by a Check Point NG firewall. I do not believe they are running any IDS or anything else that would block my connection attempts.

Has anyone got this to work? If so, what does the rule(s) look like? Thanks.


I'm able to connect to my company's Citrix without any trouble, though I don't know offhand who the firewall vendor is. I believe my "magic pixie dust" is this line...

nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port

The ':0' suffix tells PF not to include aliases, while 'static-port' tells it not to translate outbound TCP/UDP ports.
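As an added example that is not part of either post, here is how that nat line sits in a complete, loadable OpenBSD 3.7-era pf.conf, with the plain translation rule it replaces shown commented out beside it. The interface names fxp0 and fxp1 are assumptions; substitute your own. In this syntax generation the translation (nat) rules must come before the filter rules, and the parenthesised interface names make pf pick up the address at run time rather than at load time.

```conf
# Macros (assumed interface names; adjust to your hardware)
ext_if = "fxp0"
int_if = "fxp1"

# Default deny, logged, so anything not matched below shows up in pflog0
block in log all

# Translation rules go before filter rules in pre-4.7 pf syntax.
#
# Plain NAT: pf rewrites the inside source address AND picks a new
# source port (by default from the 50001-65535 range) for every
# outbound TCP/UDP connection.
# nat on $ext_if from $int_if:network to any -> ($ext_if:0)
#
# With static-port: the source address is still rewritten to the
# primary address of $ext_if (':0' excludes interface aliases), but the
# client's original source port is preserved on the outside.
nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port

# Filter rules: let the inside network out and keep state so the
# replies from the remote server are matched to the existing state
# entry instead of hitting the block rule above.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if proto { tcp udp } from ($ext_if:0) to any keep state
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
```

Syntax-check before loading with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. To confirm that the source port really is preserved, open the Citrix session and run `pfctl -s state`: each outbound TCP entry is shown as `inside_addr:port -> translated_addr:port -> server:port`, and with static-port the two left-hand port numbers are identical, whereas with the commented-out plain nat rule the middle port is a freshly chosen high port.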
