You haven't really supplied enough information; the full pf.conf and
firewall IP addresses would have been better. This is a slight guess at
what's wrong.
You say the request is from the access point to the RADIUS server, so I would expect
to see a rule like this in your pf.conf:
pass in on $xxxx proto udp from 10.50.3.11 to 172.30.30.5 port 1812
The pass rule keeps the state, allowing the return UDP traffic. What
you're seeing is blocked return UDP traffic: because the UDP state is
established in the opposite direction, the pass is ignored. It looks like
you have the rule on the wrong interface also. The other interfaces are
missing as the full pf.conf was not supplied. You might have to pass port 1813
also, replacing 1812 with { 1812, 1813 }.
Regards
Nigel Taylor
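The rule shape Nigel describes, written out as a complete pf.conf fragment; this is an added example, not configuration from either poster. The interface macros ($ap_if, $dmz_if) and the placeholder interface name for the AP side are assumptions; the addresses and ports are those from the thread.

```pf
# Added example (not from the original thread).
# $ap_if faces the access point, $dmz_if faces the DMZ with the RADIUS server.
ap_if  = "sis0"            # assumed placeholder; use the real AP-facing interface
dmz_if = "sis4"            # the DMZ interface named in the original post
ap     = "10.50.3.11"      # access point (RADIUS client)
radius = "172.30.30.5"     # RADIUS server in the DMZ
radius_ports = "{ 1812, 1813 }"   # authentication and accounting

# Default deny inbound, logged, so anything unexpected shows up in pflog.
block in log all

# Let the access point open the exchange. The state created by this rule
# matches the server's reply (172.30.30.5:1812 -> 10.50.3.11:port), so no
# separate inbound pass rule on $dmz_if is needed for the return traffic.
pass in on $ap_if proto udp from $ap to $radius port $radius_ports keep state

# Verify after loading with `pfctl -f /etc/pf.conf`:
#   pfctl -ss | grep 1812
# should list a udp state from the AP to 172.30.30.5:1812 while a client
# authenticates, and the "block in on sis4" pflog entries should stop.
```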
[EMAIL PROTECTED] wrote:
> I have a Domain Controller in a DMZ which is handling radius requests from
> my access point. I'm having problems passing the radius information
> successfully through pf. The pf box is a soekris running 4.1.
>
> Mar 09 09:58:56.467664 rule 3/(match) block in on sis4: 172.30.30.5.1812 >
> 10.50.3.11.2055: Axs! id:1 [1477] [|radius] (frag 25868:[EMAIL PROTECTED])
> Mar 09 09:58:56.467745 rule 3/(match) block in on sis4: 172.30.30.5 >
> 10.50.3.11: (frag 25868:[EMAIL PROTECTED])
>
> # more /etc/pf.conf | grep pix_if
> pix_if = "sis4"
> pass quick log on $pix_if from any to 10.50.3.11
> block in log on $pix_if
> pass out on $pix_if
>
> In this case, 172.30.30.5 is my radius server, and 10.50.3.11 is my access
> point. Even though I am logging the pass rule, I do not see it getting
> hit in tcpdump. If I take out the block in log on $pix_if, radius
> information flows ok.
>
> Thanks,
>
> runelind at runelind dot net