On 2008-09-22, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
> I have users that can access the website fine (75.44.229.18) and some
> users that complain they can't access it.

Include the dmesg so we can see what OS version you're running. Set
pfctl -x misc and watch /var/log/messages, include any output from
around the time of a failed connection. Include the relevant state
table entries from pfctl -vss.

> Why is the user in the below pflog getting blocked, whereas most of
> the users can access the website just fine.
>
>
> tcpdump: listening on pflog0, link-type PFLOG
> Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
> Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
>
>
> Here is my pf.conf file:
>
> ##### MACROS ####
> ext_if="fxp1"
> int_if="fxp0"
> pf_log="pflog0"
>
> icmp_types="echoreq"
>
> #### OPTIONS #####
> set loginterface $ext_if
> set loginterface $int_if
> set block-policy return
> set skip on lo
>
> # scrub
> scrub in
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
> rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128
>
> # filter
> block in log (all, to pflog0)
>
> pass out keep state
> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in quick on $int_if

If this is a newer OS version, flags S/SA and keep state are redundant.
If it's an old one, your "pass in quick on $int_if" should also use them.
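Since the reply asks for pflog output from around the failed connection, here is an added triage helper (not from this thread, and not part of pf) that parses tcpdump pflog lines in the format quoted above and summarizes which rule, direction and interface blocked each packet, and which remote hosts were blocked on more than one interface. The sample lines are constructed after the ones in the thread; the external interface name passed as ext_if is an assumption taken from the quoted pf.conf.

```python
import re
from collections import Counter

# Constructed sample modelled on the quoted pflog output. Older OpenBSD
# tcpdump prints "rule N/(match)", newer releases "rule N/0(match)"; the
# regex accepts both. The third line is a made-up pass entry (as a rule
# with "log" would produce) and the last line is deliberately unparseable.
SAMPLE_PFLOG = """\
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
Sep 21 21:53:40.000000 rule 3/0(match) pass in on fxp1: 10.0.0.5.40000 > 172.16.10.11.80: S 1:1(0) win 65535
tcpdump: listening on pflog0, link-type PFLOG
"""

PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/(?:\d+)?\((?P<reason>\w+)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Turn tcpdump pflog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            rec = m.groupdict()
            for key in ("rule", "sport", "dport"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records


def summarize_blocks(records):
    """Count blocked packets per (rule number, direction, interface)."""
    return Counter((r["rule"], r["dir"], r["ifname"])
                   for r in records if r["action"] == "block")


def remote_hosts_blocked(records, ext_if):
    """Map each remote address to the interfaces on which its traffic was blocked.
    On the external interface the remote host is the source of an inbound packet
    (destination of an outbound one); on an internal interface it is the reverse,
    because there the server's reply travels towards the remote host."""
    seen = {}
    for r in records:
        if r["action"] != "block":
            continue
        external_side = (r["ifname"] == ext_if) == (r["dir"] == "in")
        remote = r["src"] if external_side else r["dst"]
        seen.setdefault(remote, set()).add(r["ifname"])
    return seen
```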