On Sun, Sep 21, 2008 at 10:00:58PM -0700, Parvinder Bhasin wrote:
> I have users that can access the website fine (75.44.229.18) and some
> users who complain they can't access it. I don't know what gives. I
> have asked on the list for help but still haven't resolved this. I
> would really appreciate any help. Why is the user in the pflog below
> getting blocked, whereas most of the users can access the website
> just fine? I have spent countless hours on this. I really don't want
> a PIX firewall. When I switch to the PIX the access seems fine.
>
>
> tcpdump: listening on pflog0, link-type PFLOG
> Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
> Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
>
>
> Here is my pf.conf file:
>
> ##### MACROS ####
> ext_if="fxp1"
> int_if="fxp0"
> pf_log="pflog0"
>
> icmp_types="echoreq"
>
> #### OPTIONS #####
> set loginterface $ext_if
> set loginterface $int_if
> set block-policy return
> set skip on lo
>
> # scrub
> scrub in
>
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
> rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128
>
> # filter
> block in log (all, to pflog0)
>
> pass out keep state
> antispoof quick for { lo $int_if }
>
> pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in quick on $int_if

Show the output of `pfctl -sr` and `pfctl -sn`. Also, capture the states of this client when this is happening:

$ sudo pfctl -ss | grep 75.18.177.36

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
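As an added example (not code from either poster), a small Python triage helper for the pflog output quoted above: it parses the `tcpdump -i pflog0` lines and tags each blocked packet by its role relative to the redirected web server, so blocked server replies (packets that reached the default block rule because no state matched them) stand out for comparison with `pfctl -ss`. The server address and port come from the rdr rule in the quoted pf.conf; the sample lines are the two from the thread.

```python
import re
from collections import defaultdict

# Constructed sample input: the two pflog lines quoted in the thread.
SAMPLE_PFLOG = """\
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
"""

# One tcpdump-on-pflog0 line: timestamp, rule/reason, action, dir, iface, "src.sport > dst.dport:".
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def parse_pflog(text):
    """Return one dict per parseable pflog line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = PFLOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev.update(rule=int(ev["rule"]), sport=int(ev["sport"]), dport=int(ev["dport"]))
            events.append(ev)
    return events

def classify_blocks(events, server_ip, server_port):
    """Tag blocked packets as 'c2s' (client request), 's2c' (server reply) or 'other'."""
    tagged = []
    for ev in events:
        if ev["action"] != "block":
            continue
        if ev["dst"] == server_ip and ev["dport"] == server_port:
            client, kind = ev["src"], "c2s"
        elif ev["src"] == server_ip and ev["sport"] == server_port:
            # A blocked reply means no state matched it, so it hit the block rule.
            client, kind = ev["dst"], "s2c"
        else:
            client, kind = None, "other"
        tagged.append((ev["ifname"], ev["dir"], kind, client))
    return tagged

def clients_blocked_both_ways(tagged):
    """Clients whose requests and the server's replies were both blocked."""
    seen = defaultdict(set)
    for _, _, kind, client in tagged:
        if client:
            seen[client].add(kind)
    return sorted(c for c, kinds in seen.items() if {"c2s", "s2c"} <= kinds)
```

Feed it a longer capture (`tcpdump -n -e -ttt -i pflog0 > pflog.txt`) and any client listed by `clients_blocked_both_ways` is the one to look up in `pfctl -ss` while the failure is happening.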