On Sun, Sep 21, 2008 at 10:00:58PM -0700, Parvinder Bhasin wrote:
> I have users that can access the website fine (75.44.229.18) and some
> users who complain they can't access it.  I don't know what gives.  I
> have asked on the list for help but still haven't resolved this.  I
> would really appreciate any help.  Why is the user in the pflog below
> getting blocked, whereas most users can access the website just fine?
> I have spent countless hours on this.  I really don't want a PIX
> firewall.  When I switch to the PIX the access seems fine.
> 
> 
> tcpdump: listening on pflog0, link-type PFLOG
> Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
> Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
> 
> 
> 
> Here is my pf.conf file:
> 
> ##### MACROS ####
> ext_if="fxp1"
> int_if="fxp0"
> pf_log="pflog0"
> 
> icmp_types="echoreq"
> 
> #### OPTIONS #####
> set loginterface $ext_if
> set loginterface $int_if
> set block-policy return
> set skip on lo
> 
> # scrub
> scrub in
> 
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> 
> rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
> rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128
> 
> # filter
> block in log (all, to pflog0)
> 
> pass out keep state
> antispoof quick for { lo $int_if }
> 
> pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
> pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
> pass in inet proto icmp all icmp-type $icmp_types keep state
> pass in quick on $int_if
 
Show the output of `pfctl -sr` and `pfctl -sn`.  Also, capture the
states of this client when this is happening:

$ sudo pfctl -ss | grep 75.18.177.36

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
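As an added example (mine, not code from either poster) of the triage that goes with the pfctl captures requested above: a Python script that parses the two pflog records quoted in the original post (re-joined after mail wrapping) and labels which leg of the redirected port-80 flow each blocked packet belongs to, using the interface roles (ext_if fxp1, int_if fxp0) and the rdr target 172.16.10.11 from the quoted pf.conf. The verdict strings are my own labels; the interface names and addresses come from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Interface roles and the port-80 redirect target, copied from the quoted pf.conf.
EXT_IF, INT_IF, RDR_TARGET = "fxp1", "fxp0", "172.16.10.11"

# The tcpdump banner and the two pflog0 records from the post, re-joined after mail wrapping.
SAMPLE_LINES = [
    "tcpdump: listening on pflog0, link-type PFLOG",
    "Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)",
    "Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)",
]

# One tcpdump-on-pflog record. A trailing "[|tcp]" means the snaplen cut the TCP
# header short, so the flags are not shown; recapture with a larger -s to see them.
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d\.\d+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): ?(?P<rest>.*)$"
)

def parse_pflog_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one pflog record; None for non-record lines such as the tcpdump banner."""
    m = PFLOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("rule", "sport", "dport"):
        ev[key] = int(ev[key])
    return ev

def classify(ev: Dict[str, object]) -> str:
    """Name the leg of the redirected web flow that a blocked packet belongs to."""
    if ev["action"] != "block":
        return "not a block"
    if ev["ifname"] == INT_IF and ev["dir"] == "in" and ev["src"] == RDR_TARGET and ev["sport"] == 80:
        # The web server's reply is coming back in on the internal interface.
        return "server reply blocked inbound on int_if"
    if ev["ifname"] == EXT_IF and ev["dir"] == "in" and ev["dst"] == RDR_TARGET and ev["dport"] == 80:
        # Post-rdr client packet that matched neither an existing state nor the 'flags S/SA' pass rule.
        return "client packet blocked inbound on ext_if after rdr"
    return "unrelated block"

def triage(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (rule number, interface, verdict) for every pflog record in the capture."""
    events = [parse_pflog_line(line) for line in lines]
    return [(ev["rule"], ev["ifname"], classify(ev)) for ev in events if ev is not None]
```

Feed it the output of tcpdump on pflog0 (one line per record) and triage() returns one (rule, interface, verdict) tuple per blocked packet, which makes it easy to see whether the drops are on the reply leg, the client leg, or both.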
