Shawn,

Multi-interface packet filtering can be tricky.  Could you post your
rules?

Without that, all we can probably say is that you have a
misconfiguration somewhere.

IIRC, creating stateful inspection on one interface does not allow the
packets to go through other interfaces.  This is my first guess as to
your problem.

==ml

On Mon, Dec 16, 2002 at 03:03:53PM -0600, [EMAIL PROTECTED] wrote:
> Ok, I'm new to OpenBSD and pf, but I'm quickly getting the hang of it.
> 
> Here's my setup:
> 
> AMD 2300 w/ 512mb DDR ram
> 512mb flash drive
> 5 10/100 network cards
> 
> I have 4 networks right now, one of them is the internet.  So let's call them Inet,
> A, B, and C.
> 
> Network C is the network with all mail/web/dns/etc servers on it.
> 
> A and B are networks, I could really care less what traffic goes to them, and from
> them, going to/from the internet and each other.
> 
> I want networks A and B to be able to only access the mail servers on ports
> 25/110/80/443, dns servers on port 53, webservers on ports 80/443, and a couple of
> other servers via ftp.
> 
> Should be very simple, I set up some rules to allow all traffic from Inet going to A
> and B.  I then allowed all traffic from A and B going to Inet to pass through.
> I then set up some holes on C, to allow those ports to those servers that I want
> open.  I also allowed network C to access http/https/ftp/dns/mail outside of its
> network.
> I have a "catch all" at the bottom of my script, to just block everything that
> doesn't fit into anything else.
> 
> I enable it.. what happens.. I lose connectivity to all the networks.  Nothing can
> see anything outside of their network.
> Do a ping from the firewall, and you get:
> 
> ping: sendto: No route to host
> ping: wrote 192.168.3.250 64 chars, ret=-1
> 
> 
> Anyone have any ideas?
> 
> 

-- 
Michael Lucas           [EMAIL PROTECTED], [EMAIL PROTECTED]
http://www.oreillynet.com/pub/q/Big_Scary_Daemons

           Absolute BSD:   http://www.AbsoluteBSD.com/
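Editor's added example, not part of the thread and not the poster's ruleset (which was never posted): a pf.conf skeleton for the Inet/A/B/C layout described above, written the way pf wants it. Two pf facts drive its shape. First, pf is last-match-wins, so a catch-all `block all` at the bottom of the file silently overrides every earlier `pass` rule that lacks `quick`; the block goes first and the pass rules refine it. Second, pf evaluates every packet on each interface it crosses, in both directions, and packets the firewall itself originates are filtered on the way out; a dropped locally generated packet surfaces to ping as `sendto: No route to host`, so the firewall needs an explicit pass-out rule for its own traffic. Interface names, addresses and server IPs below are assumptions.

```pf
# Added example (editor's), not the thread's ruleset. All names/addresses assumed.
ext_if = "fxp0"
a_if   = "fxp1"
b_if   = "fxp2"
c_if   = "fxp3"
a_net  = "192.168.1.0/24"
b_net  = "192.168.2.0/24"
c_net  = "192.168.3.0/24"
mail   = "192.168.3.10"
dns    = "192.168.3.20"
web    = "192.168.3.30"
ftp    = "{ 192.168.3.40, 192.168.3.41 }"

# Catch-all FIRST: pf uses last-match semantics, so a "block all" placed at the
# end of the file would win over every pass rule above it.
block all

# Loopback, plus the firewall's own outbound packets on every interface.
# Without this the firewall's own ping is dropped on output and reports
# "sendto: No route to host".
pass quick on lo0 all
pass out all keep state

# Inet -> A and B: unrestricted, as the poster asked. Note this leaves every
# host on A and B fully reachable from the Internet.
pass in on $ext_if from any to { $a_net, $b_net } keep state

# A and B -> anywhere except C (Internet and each other): unrestricted.
pass in on $a_if from $a_net to ! $c_net keep state
pass in on $b_if from $b_net to ! $c_net keep state

# A and B -> C: only the listed services.
pass in on { $a_if, $b_if } proto tcp from { $a_net, $b_net } \
    to $mail port { 25, 110, 80, 443 } flags S/SA keep state
pass in on { $a_if, $b_if } proto { tcp, udp } from { $a_net, $b_net } \
    to $dns port 53 keep state
pass in on { $a_if, $b_if } proto tcp from { $a_net, $b_net } \
    to $web port { 80, 443 } flags S/SA keep state
pass in on { $a_if, $b_if } proto tcp from { $a_net, $b_net } \
    to $ftp port 21 flags S/SA keep state

# C -> outside: http/https/ftp/dns/mail only.
pass in on $c_if proto tcp from $c_net to any \
    port { 80, 443, 21, 25 } flags S/SA keep state
pass in on $c_if proto { tcp, udp } from $c_net to any port 53 keep state
```

Filtering is done on the inbound interface and states are created there; the matching `pass out all keep state` lets the same packet through the outbound check on the far interface whether or not the running pf binds states to an interface, which sidesteps the multi-interface question raised above. Port 21 only covers the FTP control connection; the data connections need ftp-proxy(8) or a rule for the passive port range. Check the file with `pfctl -nf /etc/pf.conf` before loading it, and compare what is actually loaded with `pfctl -sr`; if the firewall's own ping still fails, the pass-out rule is the first thing to look at.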
