On Tue, Sep 17, 2013 at 10:42:55PM +1000, John Tate wrote:
> I am having trouble accessing anything which uses SSL behind my NAT,
> though I can access the same services from the firewall itself. There
> is nothing unusual in /var/log/messages, dmesg, etc. I don't know why
> this is happening. The system has been running fine for months, and
> nothing I am aware of has changed.
>
> # cat /etc/pf.conf
> #Firewall ruleset for KintaroABODE router.
>
> int_if="fxp0"
> wifi_if = "athn0"
>
> tcp_services="{ 22, 113 }"
> icmp_types="echoreq"
>
> fekete="192.168.0.3"
> fekete_tcp="{ 17001, 8333 }"
> fekete_udp="{ 8333 }"
> mises="192.168.0.4"
> mises_tcp="{ 25565 }"
>
> #options
>
> set block-policy drop
> set loginterface egress
> set skip on lo
>
> anchor "ftp-proxy/*"
> pass in on $int_if inet proto tcp to any port ftp \
> divert-to 127.0.0.1 port 8021
>
> table <sshguard> persist
>
> #match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> #filter rules
> block in log
> pass out quick
>
> antispoof quick for { lo $int_if $wifi_if }
>
> pass in on egress inet proto tcp from any to (egress) \
> port $tcp_services
>
> block in quick on egress proto tcp from <sshguard> \
> to any port ssh label "ssh bruteforce"
>
> pass in on egress inet proto tcp from any to (egress) port $fekete_tcp
> rdr-to $fekete
> pass in on egress inet proto tcp from any to (egress) port $fekete_udp
> rdr-to $fekete
> pass in on egress inet proto tcp from any to (egress) port $mises_tcp
> rdr-to $mises
>
> pass in inet proto icmp all icmp-type $icmp_types
> pass in on $int_if
> pass in on $wifi_if
>
> If anyone could help and tell me where to start looking that would be
> good. Some SSL services appear to work fine, such as gmail which I'm
> using to send this.
sysctl -a ?
j.
