Hi Shane, Heya and others.

I tried a new setup, using tables (looks more efficient than using a thousand rules for each variable). But it is still failing :(

# tables
table <msn-rdr> persist const file "/etc/pf.conf.d/msn-rdr"
table <msn-allow> persist const file "/etc/pf.conf.d/msn-allow"

# msn proxy
rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 1863 -> $proxy
rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 25000:30000 -> $proxy

# msn filter
pass out quick on { $lan1_iface, $lan2_iface } inet proto tcp from <msn-rdr> to $proxy port 1863
block out quick on ! $inet_iface inet proto tcp from ! <msn-allow> to any port 1863

In the msn-rdr table are the IPs of the hosts that should be redirected to the proxy, and in msn-allow are the IPs of the hosts that should be allowed to connect directly to MSN over the internet (including the host $proxy). The $proxy host is on a fourth interface named $dmz_iface.

If I remove the "quick" statement from the block rule, anyone on any interface can connect, and with the 'quick' statement, no one can =S. Also, back in February, when I just redirected everyone to the proxy, the rdr rules used to work, but with this more selective rule it's not working at all.

Tks in advance.

Leonardo Carneiro - Veltrac wrote:
> Shane Lazarus wrote:
>> Heya
>>
>> On Tue, Apr 20, 2010 at 5:43 AM, Leonardo Carneiro - Veltrac
>> <lscarne...@veltrac.com.br> wrote:
>>
>> My OpenBSD firewall has 4 interfaces: 2 lan, 1 wan and 1 dmz.
>> What I'm trying to do is:
>>
>> 1. Allow some hosts to use MSN;
>> 2. Redirect the MSN connections of some hosts from the LAN
>>    interfaces to a MSN proxy in the DMZ interface;
>> 3. Block the rest.
>>
>> This is how I'm trying to achieve it:
>>
>> # msn proxy redirect
>> rdr on $lan1_iface proto tcp from $msn-redirect to any port 1863 -> $proxy
>> rdr on $lan1_iface proto tcp from $msn-redirect to any port 25000:30000 -> $proxy
>> # msn filter
>> pass out quick on $inet_iface inet proto tcp from $msn-redirect to $proxy port 1863 keep state
>> pass out quick on $inet_iface inet proto tcp from $msn-allowed1 to any port 1863 keep state
>> pass out quick on $inet_iface inet proto tcp from $msn-allowed2 to any port 1863 keep state
>> pass out quick on $inet_iface inet proto tcp from $proxy to any port 1863 keep state
>> block out on $inet_iface inet proto tcp from any to any port 1863
>>
>> Is the reference to passing out the redirected traffic to the $proxy
>> via the $inet_interface instead of the $dmz_interface correct, a typo
>> or the issue?
>>
>> Shane
>>
> Hi Shane. No, it's not a typo. It's a last-second modification that I
> tried before sending the email. It was 'any' before I replaced it with '$proxy'.
> However, as you well observed, it's wrong :(
>
> I'll try other rules today and I'll post them here. Tks for your concern.
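Added example, not part of the thread above and not the poster's own ruleset: a pf.conf fragment in the same pre-4.7 syntax that keeps the tables and rdr rules from the message but places the pass rule for redirected clients on the interface the translated packets actually leave on. In pf, translation (rdr) happens before filtering and an "out" rule is matched on the egress interface, so a packet redirected to a host behind $dmz_iface leaves on $dmz_iface and can never match "pass out on { $lan1_iface, $lan2_iface } ... to $proxy"; it then falls through to "block out quick on ! $inet_iface", which covers $dmz_iface. The interface names and the proxy address below are placeholders I assumed for the example.

```pf
# Added example (not from the thread). Interface names and the proxy
# address are assumed placeholders; the table files are the ones named
# in the original message.
lan1_iface = "em0"          # assumption
lan2_iface = "em1"          # assumption
dmz_iface  = "em2"          # assumption
inet_iface = "em3"          # assumption
proxy      = "192.0.2.10"   # placeholder address of the MSN proxy in the DMZ

table <msn-rdr>   persist const file "/etc/pf.conf.d/msn-rdr"
table <msn-allow> persist const file "/etc/pf.conf.d/msn-allow"

# Translation runs before filtering: after these rules the packet's
# destination is $proxy and its egress interface is $dmz_iface.
rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 1863 -> $proxy
rdr on { $lan1_iface, $lan2_iface } proto tcp from <msn-rdr> to any port 25000:30000 -> $proxy

# Redirected clients: pass the translated flow on the interface it leaves
# on (the DMZ side), not on the LAN interface it arrived on.
pass out quick on $dmz_iface inet proto tcp from <msn-rdr> to $proxy port { 1863, 25000:30000 } keep state

# Hosts allowed to reach MSN directly (the proxy itself is listed in
# <msn-allow>, so its own upstream connections are covered here).
pass out quick on $inet_iface inet proto tcp from <msn-allow> to any port 1863 keep state

# Everyone else: no MSN on any egress interface. The quick pass rules
# above have already accepted the wanted flows, so this catches the rest.
block out quick inet proto tcp from any to any port 1863
```

Check the syntax without loading it with "pfctl -nf /etc/pf.conf", then load and inspect with "pfctl -sr" (and "pfctl -t msn-rdr -T show" for the table contents). An equivalent way to express the redirected-client rule is "pass in quick on { $lan1_iface, $lan2_iface } inet proto tcp from <msn-rdr> to $proxy port { 1863, 25000:30000 } keep state": the destination is already translated when inbound filtering runs, and the state created there also lets the packet out on $dmz_iface under pf's default floating states.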