Hi,

We've added a new internal network segment for training, testing and
what-not. I'm having trouble trying to figure out what in my pf.conf is
blocking machines in that segment from communicating with my OpenBSD
machine (and vice versa).

My internal network is 192.168.1.0/24 and I've added 172.16.0.0/24. The
default gateway is 192.168.1.254. 

I've used the following command on the OBSD machine:
route add -inet 172.16.0.0/24 192.168.1.254

Once I disable the pf (pfctl -d) the machines can talk fine.

I have a feeling it's these two lines from the bottom of my pf.conf:

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

I'm guessing int_if is picking up the 192.168.1.0 address but not the
172.16.0.0 piece that I have added a route for manually.

Can anyone take a look at my pf.conf and suggest entries I would need to
add/modify?

Thanks for the help.

Warren


#       $OpenBSD: pf.conf,v 1.27 2004/03/02 20:13:55 cedric Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.


ext_if = "fxp1"
int_if = "fxp0"
lan_net = "192.168.1.0/24"
wan_net = "66.225.151.192/27"

tcp_services = "{ 25, 113, 53 }"
icmp_types = "echoreq"

priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

#table <spamd> persist
#table <spamd-white> persist

# options
set block-policy return
set loginterface $ext_if

#scrub in
scrub in all

nat on $ext_if from $int_if:network to any -> ($ext_if)
rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
   port 8021

#Redirect any mail from our internal, trusted servers to port 10025
rdr on $int_if proto tcp from 192.168.1.0/24 to any port 25 -> 127.0.0.1 \
   port 10025

# filter rules
block all

pass quick on lo0 all

#block in
#pass out keep state

#pass quick on { lo $int_if }
#antispoof quick for { lo $int_if }

block drop in  quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets

pass in on $ext_if inet proto tcp from any to ($ext_if) \
   port $tcp_services flags S/SA keep state

pass in on $ext_if inet proto tcp from port 20 to ($ext_if) \
    user proxy flags S/SA keep state

pass in on $ext_if inet proto udp from any to ($ext_if) \
   port 53 keep state

pass in inet proto icmp all icmp-type $icmp_types keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
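The diagnosis in the message is the right one: `$int_if:network` expands only to the subnet configured on `fxp0` (192.168.1.0/24), so packets from or to 172.16.0.0/24 arrive on `$int_if` but match neither of the two `pass` rules and fall through to `block all`. The same macro also drives the `nat` rule, so the new segment would not be translated on the way out either. The following is an added example, not part of Warren's pf.conf, of the macro-based change that covers both segments; the macro name `int_nets` is an assumption, and it assumes (as the `route add` in the message says) that 172.16.0.0/24 is reached through 192.168.1.254 on `fxp0`.

```pf
# Added example, not the original pf.conf. Assumes fxp0 is the inside
# interface and that 172.16.0.0/24 is routed via 192.168.1.254 on fxp0.
ext_if   = "fxp1"
int_if   = "fxp0"

# $int_if:network expands to 192.168.1.0/24 only, so list every inside
# segment explicitly instead (macro name int_nets is assumed).
int_nets = "{ 192.168.1.0/24, 172.16.0.0/24 }"

# translate both inside segments, not just the directly attached one
nat on $ext_if from $int_nets to any -> ($ext_if)

# the mail redirect should cover the new segment too if those hosts
# are meant to relay through the local port 10025 listener
rdr on $int_if proto tcp from $int_nets to any port 25 -> 127.0.0.1 \
   port 10025

# replacements for the two rules at the bottom of the original file
pass in  on $int_if from $int_nets to any keep state
pass out on $int_if from any to $int_nets keep state
```

Check the file parses before loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. `pfctl -sr` prints the loaded ruleset with macros and `:network` already expanded, which is the quickest way to confirm what `$int_if:network` actually turned into. If something is still blocked, changing `block all` to `block log all` and watching `tcpdump -n -e -ttt -i pflog0` shows exactly which packets the default block is catching, rather than disabling pf entirely to test.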
_______________________________________________
Openbsd-newbies mailing list
[email protected]
http://mailman.theapt.org/listinfo/openbsd-newbies