My pflog interface shows something being blocked that simply shouldn't be blocked as far as I understand my pf rules...
11:35:40.461658 rule 6/(match) block in on fxp0: 10.0.0.4.40926 > 141.101.113.245.443: FP 0:253(253) ack 1 win 2540 <nop,nop,timestamp 3483320 114932434> (DF)

My pf.conf...

menger:root # cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
#
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

#interfaces
int_if="fxp0"
ext_if="pppoe0"

#networks
local_net="10.0.0.0/8"

#hosts
menger="10.0.0.1"
murphy="10.0.0.2"
fekete="10.0.0.3"

#host port forwarding
murphy_ports = "{ 8333 }"
fekete_ports = "{ 17001, 39191, 5938, 2222 }"

#other
tcp_services="{ 22 }"
icmp_types="echoreq"

#queue ports
ssh_ports = "{ 22, 2222 }"
im_ports = "{ 1863, 5190, 5222 }"
game_ports = "{ 27000:27050, 4380 }"

altq on $ext_if cbq bandwidth 375Kb queue { std, ssh_im, dns, game }
queue std on $ext_if bandwidth 100Kb cbq(default borrow)
queue ssh_im on $ext_if bandwidth 50Kb priority 3 cbq(red)
queue dns on $ext_if bandwidth 25Kb priority 4
queue game on $ext_if bandwidth 200Kb priority 5 cbq(red)

altq on $int_if cbq bandwidth 100Mb queue { lan, int }
queue lan on $int_if bandwidth 92Mb cbq(default)
queue int on $int_if bandwidth 7500Kb { std, ssh_im, dns, game }
queue std on $int_if bandwidth 6500Kb cbq(borrow)
queue ssh_im on $int_if bandwidth 200Kb priority 4
queue dns on $int_if bandwidth 200Kb priority 5
queue game on $int_if bandwidth 600Kb priority 6 cbq(red)

set skip on lo

# this is the squid proxy line
pass in quick on $int_if inet proto tcp to port http divert-to 127.0.0.1 port 3128

# filter rules and anchor for ftp-proxy(8)
anchor "ftp-proxy/*"
pass in quick on $int_if inet proto tcp to port ftp divert-to 127.0.0.1 port 8021

#nat rule for all interfaces
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass            # to establish keep-state

# By default, do not permit remote connections to X11
block in on ! lo0 proto tcp to port 6000:6010

block in log #RULE 6
pass out quick

match inet proto { tcp udp } queue(std)
match inet proto { tcp udp } to port domain queue dns
match inet proto tcp to port $ssh_ports queue(std, ssh_im)
match inet proto tcp to port $im_ports queue(ssh_im)
match inet proto udp to port $game_ports queue game
match inet from $menger queue lan
match inet to $menger queue lan

antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services

#FTP
pass in on $ext_if proto tcp to port 21
pass in on $ext_if proto tcp to port > 49151

#nat port redirects
#pass in on egress inet proto tcp to (egress) port 80 rdr-to $comp3
pass in on egress inet proto { tcp udp } to (egress) port $murphy_ports rdr-to $murphy
pass in on egress inet proto { tcp udp } to (egress) port $fekete_ports rdr-to $fekete

pass in inet proto icmp all icmp-type $icmp_types

pass in on $int_if

-- 
www.johntate.org
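An added example, not from the original post: a small Python parser for the tcpdump pflog output format shown above, which labels each blocked TCP segment by whether it carried a SYN. pf applies flags S/SA by default to stateful TCP pass rules, so only a SYN creates state; a segment without SYN (such as the logged FIN/PSH) that has no state entry is not matched by such pass rules and falls through to the last matching rule, here the logging block rule. The sample log lines are constructed (the first copies the shape of the post's line, the second is an invented SYN for contrast).

```python
import re

# Constructed sample: the first line copies the shape of the pflog line in the
# post; the second is an invented SYN, included for contrast.
SAMPLE_LOG = """\
11:35:40.461658 rule 6/(match) block in on fxp0: 10.0.0.4.40926 > 141.101.113.245.443: FP 0:253(253) ack 1 win 2540 <nop,nop,timestamp 3483320 114932434> (DF)
11:35:41.000000 rule 6/(match) block in on fxp0: 10.0.0.5.51000 > 203.0.113.10.443: S 0:0(0) win 16384 <mss 1460> (DF)
"""

# tcpdump(8) on pflog0 prints, for TCP: "<time> rule <n>/(<reason>) <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: <flags> ..."
PFLOG_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>[^:]+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flags>[A-Z.]+) "
)

def parse_pflog(line):
    """Return the fields of one TCP pflog line as a dict, or None if it does not match."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["rule"], d["sport"], d["dport"] = int(d["rule"]), int(d["sport"]), int(d["dport"])
    return d

def classify(entry):
    """Label a block by whether pf saw a SYN; assumes the default flags S/SA on pass rules."""
    if entry["action"] != "block":
        return "passed"
    if "S" in entry["flags"]:
        # A SYN reached the block rule: no pass rule accepted the new connection.
        return "new connection blocked by rule %d" % entry["rule"]
    # No SYN: stateful pass rules with the default flags S/SA match only SYNs,
    # so a mid-stream segment with no state entry falls through to the block.
    return "mid-stream segment (%s) with no matching state, blocked by rule %d" % (
        entry["flags"], entry["rule"])

def summarize(log_text):
    """Parse every TCP line of a pflog dump and attach a classification."""
    out = []
    for line in log_text.splitlines():
        e = parse_pflog(line)
        if e:
            out.append((e["ifname"], e["src"], e["dst"], e["dport"], classify(e)))
    return out

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```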