On 2007/12/01 3:04 PM, "Aaron" <[EMAIL PROTECTED]> muttered eloquently:
I believe I see the issue with general traffic flow. The clue being that you are being blocked by the generic block drop in log rule (you can get rule numbers with 'pfctl -vvsr'). You have the destination port on the source side of the rules. See below...

<snip/>

> lan_net = "172.16.10.0/24"
> set skip on lo
> #set state-policy if-bound
> scrub in
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr log on fxp0 inet proto { tcp udp } from 192.168.3.96/27 to carp0 port 5900:5905 -> 172.16.10.26
> rdr on fxp3 proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
> nat log on fxp0 from $lan_net to any -> carp0
> pass in on fxp0
> pass out on fxp3
> block in log on fxp3
> pass out on fxp0 from $lan_net to any
> pass in on fxp3 inet proto tcp from $lan_net port { ssh www ntp https smtp imap imaps domain } to any

This should be:

pass in on fxp3 inet proto tcp from $lan_net to any port { ssh www ntp https smtp imap imaps domain } modulate state

> #pass in on fxp3 inet proto tcp from $lan_net port { ssh www ntp https smtp imap imaps domain } to any no state
> pass in on fxp3 inet proto udp from $lan_net port { domain ntp } to any

This should be:

pass in on fxp3 inet proto udp from $lan_net to any port { domain ntp }

> pass in on fxp3 inet proto icmp from $lan_net to any

<snip/>

I'd probably do it a little different however, changing the pass out on fxp0 and pass in on fxp3 to:

pass out quick on fxp0 proto tcp from $lan_net to any modulate state
pass out quick on fxp0 proto { udp, icmp } from $lan_net to any keep state
pass out quick on fxp3 keep state
pass in quick on fxp3 proto tcp from $lan_net to any port { ssh www ntp https smtp imap imaps domain } keep state
pass in quick on fxp3 proto udp from $lan_net to any port { domain ntp } keep state

That may have more to do with my own mental logic and configuration style than any real change in efficacy.
In general I find it most logical to put the general block rule(s) at the top of the list and then pass/block quick thereafter. That's largely a personal choice first and out logic fits my brain best, but as your ruleset grows it can also impact performance since the entire list of rules does not necessarily have to be processed on all packets. ;P

mn

--
Preston M Norvell <[EMAIL PROTECTED]>
Systems/Network Administrator
Serials Solutions <http://www.serialssolutions.com>
Phone: (866) SERIALS (737-4257) ext 1094
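The following is an added illustration, not part of the message above: a toy model of pf's rule evaluation (last matching rule wins, a matching "quick" rule ends evaluation) run over the two rules that matter here, showing why the port list on the source side leaves outbound LAN traffic to the "block in log on fxp3" rule. The interface names, lan_net and service list come from the quoted pf.conf; the sample packet and the Rule/evaluate helpers are constructed for this example and simplify real pf (no state, no address lists, no protocol defaults).

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LAN_NET = ip_network("172.16.10.0/24")          # lan_net from the quoted pf.conf
SERVICES = {"ssh": 22, "www": 80, "ntp": 123, "https": 443,
            "smtp": 25, "imap": 143, "imaps": 993, "domain": 53}
PORTS = frozenset(SERVICES.values())

@dataclass
class Rule:
    action: str                          # "pass" or "block"
    direction: str                       # "in" or "out"
    iface: str
    proto: Optional[str] = None          # None = any protocol
    src_net: Optional[IPv4Network] = None  # None = any source
    src_ports: frozenset = frozenset()   # empty = any source port
    dst_ports: frozenset = frozenset()   # empty = any destination port
    quick: bool = False

    def matches(self, pkt):
        return (self.direction == pkt["dir"] and self.iface == pkt["iface"]
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.src_net is None or ip_address(pkt["src"]) in self.src_net)
                and (not self.src_ports or pkt["sport"] in self.src_ports)
                and (not self.dst_ports or pkt["dport"] in self.dst_ports))

def evaluate(rules, pkt):
    """pf semantics: the last matching rule wins, unless a matching rule is 'quick'."""
    decision = "pass"                    # pf's implicit default when no rule matches
    for rule in rules:
        if rule.matches(pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision

BLOCK_IN_FXP3 = Rule("block", "in", "fxp3")
# Quoted ruleset: the service list is on the *source* side, so the pass rule only
# matches packets whose source port is one of the services; clients never send those.
ORIGINAL = [BLOCK_IN_FXP3, Rule("pass", "in", "fxp3", "tcp", LAN_NET, src_ports=PORTS)]
# Corrected ruleset from the reply: the service list is on the destination side.
CORRECTED = [BLOCK_IN_FXP3, Rule("pass", "in", "fxp3", "tcp", LAN_NET, dst_ports=PORTS)]

# Constructed sample packet: a LAN host opening HTTPS from an ephemeral port,
# arriving inbound on the LAN-facing interface fxp3.
HTTPS_FROM_LAN = {"dir": "in", "iface": "fxp3", "proto": "tcp",
                  "src": "172.16.10.26", "sport": 49152, "dport": 443}
```

evaluate(ORIGINAL, HTTPS_FROM_LAN) returns "block" and evaluate(CORRECTED, HTTPS_FROM_LAN) returns "pass", which is exactly the difference the reply points at.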