On 2008-09-22, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
> I have users that can access the website fine (75.44.229.18) and some
> users who complain they can't access it.
Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.
> Why is the user in the pflog below getting blocked, whereas most
> users can access the website just fine?
>
>
> tcpdump: listening on pflog0, link-type PFLOG
> Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0:
> 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
> Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1:
> 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
>
>
> Here is my pf.conf file:
>
> ##### MACROS ####
> ext_if="fxp1"
> int_if="fxp0"
> pf_log="pflog0"
>
> icmp_types="echoreq"
>
> #### OPTIONS #####
> set loginterface $ext_if
> set loginterface $int_if
> set block-policy return
> set skip on lo
>
> # scrub
> scrub in
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 ->
> 172.16.10.11 port 80
> rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 ->
> 172.16.10.12 port 3128
>
> # filter
> block in log (all, to pflog0)
>
> pass out keep state
> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80
> flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22
> flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128
> flags S/SA synproxy state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in quick on $int_if
If this is a newer OS version, flags S/SA and keep state are redundant.
If it's an old one, your "pass in quick on $int_if" should also use them.
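As an added example (not code from either poster), the small parser below reads pflog lines in the tcpdump format quoted above and groups the blocked packets per remote client, marking whether it was the client's request (seen on the external interface) or the server's reply (seen on the internal interface) that rule 0 dropped. The sample lines are the two from the thread, re-joined onto one line each; the server address and port are passed in, since the rdr has already rewritten the destination to 172.16.10.11 by the time the packet is logged.

```python
import re
from collections import defaultdict

# The two pflog lines quoted in the thread, each re-joined onto a single line.
SAMPLE_PFLOG = """\
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
"""

# timestamp, rule number and reason, action, direction, interface, then src.port > dst.port
PFLOG_RE = re.compile(
    r"^(?P<ts>\S+ \d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def parse_pflog(text):
    """Return one dict per parsable pflog line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("rule", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def blocked_by_client(records, server_ip, server_port):
    """Map each remote client to the (interface, leg) pairs of its blocked packets.

    'request' means the client's own packet towards the server was dropped,
    'reply' means the server's answer on its way back out was dropped.
    """
    report = defaultdict(list)
    for r in records:
        if r["action"] != "block":
            continue
        if r["dst"] == server_ip and r["dport"] == server_port:
            report[r["src"]].append((r["ifname"], "request"))
        elif r["src"] == server_ip and r["sport"] == server_port:
            report[r["dst"]].append((r["ifname"], "reply"))
    return dict(report)


if __name__ == "__main__":
    for client, legs in blocked_by_client(parse_pflog(SAMPLE_PFLOG), "172.16.10.11", 80).items():
        print(client, legs)
```

Feeding it `tcpdump -n -e -ttt -i pflog0` output for a longer period shows at a glance which clients lose packets on which interface, which is the context you want next to the `pfctl -vss` state entries the reply asks for.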