On Tue, Sep 03, 2002 at 12:38:40PM -0500, [EMAIL PROTECTED] wrote:

> 'tcpdump -i pflog0' doesn't display anything coming through, both when I try
> accessing the webserver through the gateway from an internal LAN machine as well as
> an external machine from the Internet.

tcpdump on interface pflog0 will only show packets blocked by pf with block
rules that have the 'log' option, so it's expected that you don't see
anything there.

> I am 100% sure that my ISP has not blocked port 80 because I can serve web pages
> through port 80 using a hardware gateway or with the webserver connected directly to
> the Internet.

Ok, because that's the number one explanation in cases like this. Well,
we'll have to debug.

1) Confirm that the external connections actually arrive at your firewall,
   run

     tcpdump -nvvvpi xl0 tcp port 80

   you should see packets being logged when you connect from the outside.
   If not, something _is_ blocking them on the way to your firewall, and
   it's not your pf.

2) Confirm that your firewall can reach the internal web server, run

     telnet 192.168.1.112 80

   you should see 'Connected to 192.168.1.112', then try

     lynx http://192.168.1.112/

   does the web server reply?

3) Make sure the internal web server uses the pf machine as default
   gateway, so that all packets it sends actually go through pf (otherwise
   the setup can't possibly work). Is there another route to the Internet
   besides the pf box?

4) If all of the above tests work, verify that IP forwarding is enabled
   (sysctl -a | grep ip.forward), pf is enabled (pfctl -si) and that you
   have the right filter and translation rules loaded (pfctl -sn,
   pfctl -sr).

5) Then connect to 142.179.111.111 port 80 from the outside. The
   redirection won't work from local machines, you have to connect from
   the outside, so that the connection actually arrives at the firewall
   _through_ xl0. This is confirmed by 1) as well.

6) If the redirection still doesn't work, enable verbose logging in pf
   (pfctl -x m), retry, and quote the pfctl -ss output.

Daniel
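For reference, the kind of ruleset the six checks above are verifying. This is an added example written for this archive page, not a configuration posted by Daniel or by the original poster; it uses the addresses and interface from the thread (xl0, 142.179.111.111, 192.168.1.112) and assumes an internal interface named xl1 and an internal network of 192.168.1.0/24, both of which are guesses. The syntax is the 2002-era OpenBSD pf syntax with separate translation rules (what pfctl -sn lists) and filter rules (what pfctl -sr lists); since OpenBSD 4.7 the redirection is instead written as an rdr-to option on a pass rule.

```pf
# /etc/pf.conf (constructed example; interface xl1 and 192.168.1.0/24 are assumed)
ext_if  = "xl0"
int_if  = "xl1"
ext_ip  = "142.179.111.111"
web_srv = "192.168.1.112"

# --- Translation rules: pfctl -sn must show these (step 4) ---------------

# Outbound NAT for the internal LAN. This only works if the web server's
# default gateway is the pf box (step 3), otherwise replies bypass pf.
nat on $ext_if from 192.168.1.0/24 to any -> $ext_ip

# Redirect port 80 arriving on xl0 for the public address to the internal
# server. Only traffic that actually enters through xl0 is redirected,
# which is why the test in step 5 has to come from the outside.
rdr on $ext_if proto tcp from any to $ext_ip port 80 -> $web_srv port 80

# --- Filter rules: pfctl -sr must show these (step 4) --------------------

# Default deny with 'log', so that anything pf drops shows up on pflog0.
# Without 'log' on a block rule, 'tcpdump -i pflog0' stays silent.
block in  log on $ext_if all
block out log on $ext_if all

# Filter rules see the packet AFTER translation, so the pass rule must
# match the internal address 192.168.1.112, not 142.179.111.111.
pass in  on $ext_if proto tcp from any to $web_srv port 80 flags S/SA keep state

# Let the firewall and LAN hosts open outbound connections (steps 1 and 2
# need the firewall itself to reach 192.168.1.112 and the Internet).
pass out on $ext_if proto tcp from any to any flags S/SA keep state
pass out on $ext_if proto udp from any to any keep state
pass out on $ext_if inet proto icmp from any to any keep state

# Internal side: no restrictions in this example (assumed interface xl1).
pass in  on $int_if all
pass out on $int_if all
```

The kernel must also route between the interfaces for any of this to apply: net.inet.ip.forwarding=1, set in /etc/sysctl.conf, is what 'sysctl -a | grep ip.forward' in step 4 checks for. Load the file with pfctl -f /etc/pf.conf and compare pfctl -sn and pfctl -sr against the rules above; with 'log' on the block rules, a connection that is dropped because the pass rule matched the wrong (untranslated) address will now appear on pflog0 instead of disappearing silently.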
