On 2007/12/01 3:04 PM, "Aaron" <[EMAIL PROTECTED]> muttered eloquently:

I believe I see the issue with general traffic flow.  The clue being that
you are being blocked by the generic block drop in log rule (you can get
rule numbers with 'pfctl -vvsr').  You have the destination port on the
source side of the rules.  See below...

<snip/>
> lan_net         = "172.16.10.0/24"
> set skip on lo
> #set state-policy if-bound
> scrub in
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr log on fxp0 inet proto { tcp udp } from 192.168.3.96/27 to carp0 port 5900:5905 -> 172.16.10.26
> rdr on fxp3 proto tcp from $lan_net to any port 21 -> 127.0.0.1 port 8021
> nat log on fxp0 from $lan_net to any -> carp0
> pass in on fxp0
> pass out on fxp3
> block in log on fxp3
> pass out on fxp0 from $lan_net to any
> pass in on fxp3 inet proto tcp from $lan_net port { ssh www ntp https smtp imap imaps domain } to any
This should be:
pass in on fxp3 inet proto tcp from $lan_net to any port { ssh www ntp https smtp imap imaps domain } modulate state
> #pass in on fxp3 inet proto tcp from $lan_net port { ssh www ntp https smtp imap imaps domain } to any no state
> pass in on fxp3 inet proto udp from $lan_net port { domain ntp } to any
This should be:
pass in on fxp3 inet proto udp from $lan_net to any port { domain ntp }
> pass in on fxp3 inet proto icmp from $lan_net to any

<snip/> 

I'd probably do it a little differently however, changing the pass out on fxp0
and pass in on fxp3 to:
pass out quick on fxp0 proto tcp from $lan_net to any modulate state
pass out quick on fxp0 proto { udp, icmp } from $lan_net to any keep state
pass out quick on fxp3 keep state
pass in quick on fxp3 proto tcp from $lan_net to any port { ssh www ntp https smtp imap imaps domain } keep state
pass in quick on fxp3 proto udp from $lan_net to any port { domain ntp } keep state

That may have more to do with my own mental logic and configuration style
than any real change in efficacy.

In general I find it most logical to put the general block rule(s) at the
top of the list and then pass/block quick thereafter.  That's largely a
personal choice first and that logic fits my brain best, but as your ruleset
grows it can also impact performance since the entire list of rules does not
necessarily have to be processed on all packets.

;P mn
--
Preston M Norvell <[EMAIL PROTECTED]>
Systems/Network Administrator
Serials Solutions <http://www.serialssolutions.com>
Phone:  (866) SERIALS (737-4257) ext 1094

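The two points in this reply (the port list sitting on the source side instead of the destination side, and why a "general block first, then pass quick" layout can short-circuit evaluation) can be seen with a small model of pf's matching: rules are walked top to bottom, the last matching rule wins, and a matching rule marked quick ends the walk. The following Python is an added illustration written for this page, not code from the thread or from pf itself; the service-to-port numbers are hard-coded rather than read from /etc/services, and the packets and the 198.51.100.0/24 destinations are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Service names from the thread's rules, resolved to port numbers by hand
# so the model runs offline (constructed from well-known assignments).
SERVICES = {"ssh": 22, "www": 80, "ntp": 123, "https": 443,
            "smtp": 25, "imap": 143, "imaps": 993, "domain": 53}
PORTS = frozenset(SERVICES.values())
LAN_NET = ip_network("172.16.10.0/24")   # the thread's $lan_net


@dataclass(frozen=True)
class Rule:
    action: str                                  # "pass" or "block"
    direction: str                               # "in" or "out"
    iface: str                                   # e.g. "fxp3"
    proto: Optional[str] = None                  # None matches any protocol
    src_net: Optional[IPv4Network] = None
    src_ports: Optional[FrozenSet[int]] = None   # "from ... port { ... }"
    dst_ports: Optional[FrozenSet[int]] = None   # "to ... port { ... }"
    quick: bool = False                          # stop evaluating on match


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every criterion the rule specifies matches the packet."""
    if rule.direction != pkt.direction or rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.src_net is not None and ip_address(pkt.src) not in rule.src_net:
        return False
    if rule.src_ports is not None and pkt.sport not in rule.src_ports:
        return False
    if rule.dst_ports is not None and pkt.dport not in rule.dst_ports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """pf semantics: last matching rule wins unless a match is 'quick'.
    Returns (winning action, number of rules examined)."""
    winner = "pass"          # pf's implicit default when nothing matches
    examined = 0
    for rule in rules:
        examined += 1
        if matches(rule, pkt):
            winner = rule.action
            if rule.quick:
                break
    return winner, examined


# Aaron's rules as quoted: the port list is on the *source* side, so it only
# matches packets whose source port is one of the listed services.
AS_POSTED = [
    Rule("block", "in", "fxp3"),
    Rule("pass", "in", "fxp3", proto="tcp", src_net=LAN_NET, src_ports=PORTS),
]

# The correction from the reply: port list on the destination side.
CORRECTED = [
    Rule("block", "in", "fxp3"),
    Rule("pass", "in", "fxp3", proto="tcp", src_net=LAN_NET, dst_ports=PORTS),
]

# The reply's preferred layout: general block first, then pass quick rules.
# A trailing rule stands in for a long tail that never gets examined once a
# quick rule has matched.
QUICK_STYLE = [
    Rule("block", "in", "fxp3"),
    Rule("pass", "in", "fxp3", proto="tcp", src_net=LAN_NET, dst_ports=PORTS, quick=True),
    Rule("pass", "in", "fxp3", proto="udp", src_net=LAN_NET,
         dst_ports=frozenset({SERVICES["domain"], SERVICES["ntp"]}), quick=True),
    Rule("block", "in", "fxp3", proto="tcp"),
]

# Constructed samples: a LAN host with an ephemeral source port opening SSH,
# a DNS query, and a connection to an unlisted port.
SSH_FROM_LAN = Packet("in", "fxp3", "tcp", "172.16.10.26", 51234, "198.51.100.10", 22)
DNS_FROM_LAN = Packet("in", "fxp3", "udp", "172.16.10.26", 51235, "198.51.100.53", 53)
IRC_FROM_LAN = Packet("in", "fxp3", "tcp", "172.16.10.26", 51236, "198.51.100.20", 6667)

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED), ("quick style", QUICK_STYLE)):
        print(name, evaluate(rules, SSH_FROM_LAN), evaluate(rules, DNS_FROM_LAN), evaluate(rules, IRC_FROM_LAN))
```

With the rules as posted, the SSH packet has source port 51234, so the pass rule never matches and the block-in rule is the last (and only) match, which is exactly the "generic block drop in log" hit described above. Moving the port list to the destination side makes the pass rule match and, being later in the list, win. In the quick layout the SSH packet stops at the second rule and the trailing rules are never examined, which is the performance point about not processing the entire list for every packet.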