Doesn't matter what IP address on any interface you ping. All comes back with the same thing.

I turned on logging to see what wasn't making it and such. I'm seeing DNS requests getting blocked... Routing is not an issue. The packets (ICMP, et al.) are getting blocked. I do a pfctl -f /etc/pf.conf -e and I can't ping anything... I do a pfctl -d to turn it off... and everything goes back to working just fine. With one of them blocking ping packets when it shouldn't... take the "server network" for example. It has full access to the firewall, and the firewall has full access to it. But it can't ping anything on that network...

-----Original Message-----
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 5:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Very Annoying problem... blocks everything...

Your rule set is too large for me to debug without actually running it. But you can debug it step by step yourself:

All your rules use 'quick', and you say the packets get blocked by the last two 'block' rules. That means the packets don't match a 'pass' rule that you expect them to match. You'll have to go through all connections that don't work and follow the same procedure; I'll just show it for the example you gave.

When you ping 192.168.3.250 64 from the firewall, what interface do these pings get routed through? It's not clear from your pf.conf, but it might be dc1. What source IP address is the firewall using for the pings to 192.168.3.250? You can run tcpdump on the interface they pass out through to find out, if it's not clear from ifconfig output.

So, now you know what interface the pings should go out through and what source and destination address they have. Now go through all your 'pass on dc1' rules, manually. You assume one of them should match these pings, but none of them does. That's why the final 'block' rules are the first and last matching rules. Maybe you forgot to allow a source or destination address on that interface, or a protocol, etc.

I'd start with pinging hosts in all networks from the firewall, until that works. Then ping hosts across networks, in all combinations.

Daniel
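The manual walk Daniel describes (work out interface, direction, source and destination, then check every 'pass' rule on that interface against the packet, remembering that a matching 'quick' rule ends evaluation) can be mechanised. The script below is an added example written for this page, not code from the thread or from pf itself. It parses a small subset of pf.conf syntax (pass/block, in/out, quick, on IFACE, inet, proto, from/to, all), ignores stateful 'keep state' handling, and uses a constructed rule set in which dc1, the 192.168.3.0/24 "server network" and the firewall address 192.168.3.1 are assumptions. The BROKEN set has no rule for the firewall's own outbound ICMP on dc1, so the ping falls through to the final `block out quick all`; FIXED adds the one missing rule.

```python
"""Walk a simplified pf rule set the way pf does and report which rule a
packet hits, plus why each 'pass' rule on that interface was skipped.
Added example; rule syntax is a subset of pf.conf and state tracking is
deliberately left out."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    iface: str        # interface the packet crosses, e.g. "dc1" (assumed name)
    direction: str    # "in" or "out", from the firewall's point of view
    proto: str        # "icmp", "tcp" or "udp"
    src: str
    dst: str


@dataclass
class Rule:
    text: str
    action: str                                   # "pass" or "block"
    quick: bool = False
    direction: Optional[str] = None               # None = either direction
    iface: Optional[str] = None                   # None = any interface
    proto: Optional[str] = None                   # None = any protocol
    src: Optional[ipaddress.IPv4Network] = None   # None = 'any'
    dst: Optional[ipaddress.IPv4Network] = None   # None = 'any'


def _net(tok: str) -> Optional[ipaddress.IPv4Network]:
    return None if tok == "any" else ipaddress.ip_network(tok, strict=False)


def parse_rule(line: str) -> Rule:
    toks = line.split()
    rule = Rule(text=line, action=toks[0])
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
        elif t == "quick":
            rule.quick = True
        elif t in ("on", "proto", "from", "to"):
            i += 1                                # these take one argument
            val = toks[i]
            if t == "on":
                rule.iface = val
            elif t == "proto":
                rule.proto = val
            elif t == "from":
                rule.src = _net(val)
            else:
                rule.dst = _net(val)
        elif t in ("inet", "all"):
            pass                                  # 'all' == 'from any to any'
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
        i += 1
    return rule


def mismatch(rule: Rule, pkt: Packet) -> Optional[str]:
    """None if the rule matches; otherwise the first field that rules it out."""
    if rule.direction and rule.direction != pkt.direction:
        return f"direction {rule.direction} != {pkt.direction}"
    if rule.iface and rule.iface != pkt.iface:
        return f"interface {rule.iface} != {pkt.iface}"
    if rule.proto and rule.proto != pkt.proto:
        return f"proto {rule.proto} != {pkt.proto}"
    if rule.src and ipaddress.ip_address(pkt.src) not in rule.src:
        return f"source {pkt.src} not in {rule.src}"
    if rule.dst and ipaddress.ip_address(pkt.dst) not in rule.dst:
        return f"destination {pkt.dst} not in {rule.dst}"
    return None


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """pf semantics: the last matching rule wins, except that a matching
    'quick' rule ends evaluation at once.  None = no match (pf passes)."""
    winner = None
    for rule in rules:
        if mismatch(rule, pkt) is None:
            winner = rule
            if rule.quick:
                break
    return winner


def explain_pass_rules(rules: List[Rule], pkt: Packet) -> List[Tuple[str, str]]:
    """For every 'pass' rule on the packet's interface, say why it was skipped."""
    return [(r.text, mismatch(r, pkt)) for r in rules
            if r.action == "pass" and r.iface == pkt.iface and mismatch(r, pkt)]


# Constructed rule set (assumed interface names and addresses).
BROKEN = [
    "pass quick on lo0 all",
    "pass in quick on dc1 inet proto icmp from 192.168.3.0/24 to 192.168.3.1",
    "pass out quick on dc1 inet proto tcp from 192.168.3.1 to 192.168.3.0/24",
    "pass in quick on dc1 inet proto tcp from 192.168.3.0/24 to any",
    "block in quick all",
    "block out quick all",
]
# Same set with the missing rule for the firewall's own outbound pings.
FIXED = BROKEN[:4] + [
    "pass out quick on dc1 inet proto icmp from 192.168.3.1 to 192.168.3.0/24",
] + BROKEN[4:]

# The firewall pinging a server-network host out through dc1.
PING = Packet("dc1", "out", "icmp", "192.168.3.1", "192.168.3.250")


def which_rule(ruleset: List[str], pkt: Packet) -> str:
    hit = evaluate([parse_rule(r) for r in ruleset], pkt)
    return hit.text if hit else "(no match: default pass)"


if __name__ == "__main__":
    print("broken set ->", which_rule(BROKEN, PING))
    for text, why in explain_pass_rules([parse_rule(r) for r in BROKEN], PING):
        print("  skipped:", text, "because", why)
    print("fixed set  ->", which_rule(FIXED, PING))
```

Run against the broken set, the walker lands on `block out quick all` and lists each dc1 'pass' rule with the field that excluded the ping (wrong direction, wrong protocol); with the added rule it lands on the new ICMP pass rule. Feeding it the interface and addresses you actually observe with tcpdump, rather than the ones you expect, is the point of the exercise.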
