I have users that can access the website fine (75.44.229.18) and some
users who complain they can't access it. I don't know what gives. I
have asked on the list for help but still haven't resolved this. I
would really appreciate any help. Why is the user in the pflog below
getting blocked, whereas most of the users can access the website
just fine? I have spent countless hours on this. I really don't want
a PIX firewall. When I switch to the PIX the access seems fine.
tcpdump: listening on pflog0, link-type PFLOG
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
Here is my pf.conf file:
##### MACROS ####
ext_if="fxp1"
int_if="fxp0"
pf_log="pflog0"
icmp_types="echoreq"

#### OPTIONS #####
# pf keeps only one loginterface; the second "set" replaces the first,
# so statistics are collected for $int_if only.
set loginterface $ext_if
set loginterface $int_if
set block-policy return
set skip on lo

# scrub
scrub in

# NAT for everything leaving $ext_if that did not originate on it
nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
# Redirect the public web and proxy addresses to the internal hosts
rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

# filter
# This is filter rule 0 (the "rule 0/(match)" in the pflog output above):
# default deny inbound, logging every packet it drops to pflog0.
block in log (all, to pflog0)
pass out keep state
antispoof quick for { lo $int_if }
# rdr has already rewritten the destination by the time the filter runs,
# so these rules match on the internal addresses, not the public ones.
# flags S/SA keep state: only a SYN creates state; any other packet that
# has no matching state falls back to the block rule above.
pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if
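As an added example (not from the original post and not part of pf), here is a small Python script that parses tcpdump output from pflog0 like the lines in the post and says, for this particular ruleset, how each blocked packet could have ended up at rule 0. The interface names and the web server address are taken from the pf.conf in the post. The sample lines are constructed: the first two are the post's own entries joined onto single lines, the others are made up to show what decoded TCP flags look like. One caveat the output in the post illustrates: `[|tcp]` means tcpdump's capture did not cover the TCP header, so the flags are unknown; on pflog0 the default snaplen is often too short once the pflog header is counted, and `-s 1500` avoids that.

```python
"""Parse tcpdump output from pflog0 and say why each blocked packet fell through to rule 0.

Interface names and the web server address are taken from the pf.conf in the post;
the sample lines are constructed (the first two are the post's own pflog entries
joined onto single lines, the rest are made up to show decoded TCP flags).
"""
import re
from dataclasses import dataclass
from typing import List, Optional

INT_IF = "fxp0"              # $int_if in the pf.conf
EXT_IF = "fxp1"              # $ext_if in the pf.conf
WEB_SERVER = "172.16.10.11"  # rdr target for 75.44.229.18 port 80
WEB_PORT = 80

# Constructed sample input (see the module docstring).
SAMPLE_PFLOG = """\
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
Sep 21 21:53:40.000001 rule 0/(match) block in on fxp1: 75.18.177.36.1107 > 172.16.10.11.80: . ack 1 win 65535 (DF)
Sep 21 21:53:41.000002 rule 0/(match) block in on fxp1: 75.18.177.36.1108 > 172.16.10.11.80: S 10:10(0) win 65535 <mss 1460> (DF)
Sep 21 21:53:42.000003 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1107: F 1:1(0) ack 2 win 65535 (DF)
"""

# One "tcpdump -n -e -i pflog0" line: timestamp, rule number/reason, action, direction,
# interface, then the (post-rdr) addresses and whatever tcpdump could decode of the TCP header.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>\w+) (?P<direction>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


@dataclass
class PflogHit:
    ts: str
    rule: int
    action: str
    direction: str
    ifname: str
    src: str
    sport: int
    dst: str
    dport: int
    tcp_flags: Optional[str]  # None when tcpdump printed "[|tcp]" (header not captured)
    verdict: str


def parse_tcp_flags(rest: str) -> Optional[str]:
    """Return tcpdump's flag token ('S', '.', 'P', 'F', 'R', 'FP', ...), None if truncated."""
    if rest.startswith("[|tcp]"):
        return None
    parts = rest.split()
    token = parts[0] if parts else ""
    return token if token and set(token) <= set("SFRP.") else ""


def classify(direction: str, ifname: str, src: str, sport: int,
             dst: str, dport: int, rest: str) -> str:
    """Explain, for the ruleset in the post, how a packet can reach the 'block in log' rule."""
    flags = parse_tcp_flags(rest)
    if flags is None:
        return ("tcp header truncated ([|tcp]): rerun as "
                "'tcpdump -n -e -s 1500 -i pflog0' to see the TCP flags")
    client_to_web = (direction == "in" and ifname == EXT_IF
                     and dst == WEB_SERVER and dport == WEB_PORT)
    web_reply = (direction == "in" and ifname == INT_IF
                 and src == WEB_SERVER and sport == WEB_PORT)
    if client_to_web:
        if "S" in flags and " ack " not in f" {rest} ":
            return ("SYN to the web server blocked: the 'pass in on $ext_if ... port 80' "
                    "rule did not match it")
        return ("non-SYN packet from the client with no state: 'flags S/SA keep state' only "
                "creates state on the SYN, so anything mid-stream without a state hits rule 0")
    if web_reply:
        return ("reply from the web server on $int_if matched no state and no later pass rule; "
                "check with 'pfctl -sr' that 'pass in quick on $int_if' is in the loaded ruleset")
    return "not web traffic to or from the rdr target"


def parse_line(line: str) -> Optional[PflogHit]:
    """Parse one pflog line; returns None for non-matching lines such as the tcpdump banner."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    sport, dport = int(d["sport"]), int(d["dport"])
    return PflogHit(
        ts=d["ts"], rule=int(d["rule"]), action=d["action"], direction=d["direction"],
        ifname=d["ifname"], src=d["src"], sport=sport, dst=d["dst"], dport=dport,
        tcp_flags=parse_tcp_flags(d["rest"]),
        verdict=classify(d["direction"], d["ifname"], d["src"], sport, d["dst"], dport, d["rest"]),
    )


def analyze(text: str) -> List[PflogHit]:
    """Parse every line of tcpdump output; lines that are not pflog entries are skipped."""
    return [h for h in (parse_line(l) for l in text.splitlines()) if h is not None]


if __name__ == "__main__":
    for h in analyze(SAMPLE_PFLOG):
        print(f"{h.ts} {h.action} {h.direction} on {h.ifname} "
              f"{h.src}:{h.sport} -> {h.dst}:{h.dport} flags={h.tcp_flags!r}\n    {h.verdict}")
```

Run it against a real capture with `tcpdump -n -e -s 1500 -i pflog0 | python3 pflog_why.py` after replacing `SAMPLE_PFLOG` with `sys.stdin.read()`; the verdict text is specific to the ruleset in the post (rule 0 being the default block and the web pass rule requiring a SYN), so adjust `classify` if the ruleset changes.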