On Tuesday, December 24, 2002, at 11:27 AM, Daniel Hartmeier wrote:

> On Tue, Dec 24, 2002 at 10:02:50AM -0600, Joe Nall wrote:
>> I took the reply-to out of pf.conf and disabled the cable modem and the
>> box is fine.
>
> Can you post the significant reply-to rule here? If it's using address pools (round-robin), I hope Ryan can take a look...

No address pools. Criticism welcome.

dhcp_if="dc0" # roadrunner cable modem dhcp
static_if="rl0" # dsl 16 static IPs
internal_if="rl1"
ext_if="{ dc0, rl0 }"
internal_net="192.168.20.1/24"
tcp_svcs="{ ssh, http, https, smtp, auth }"
udp_svcs="{ domain }"
bad_ip="{
127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, 0.0.0.0/8,
169.254.0.0/16, 192.0.2.0/24, 204.152.64.0/23, 224.0.0.0/3, 255.255.255.255/32
}"
set block-policy return
set optimization conservative
scrub in all fragment reassemble
scrub out all no-df max-mss 1452
nat on $dhcp_if from $internal_net to any -> $dhcp_if
nat on $static_if from $internal_net to any -> $static_if
block quick inet6 all label "block inet6"
block in log quick on $ext_if inet from $bad_ip to any label "bad IPs"
block in quick on $ext_if proto igmp all label "drop igmp"
block in log all label "default block"
pass in on $dhcp_if reply-to $dhcp_if inet proto tcp from any to ($dhcp_if) port 22 keep state
pass out on $dhcp_if proto { tcp, udp } all keep state
pass in on $static_if reply-to $static_if inet proto tcp from any to $static_if port $tcp_svcs keep state
pass in on $static_if reply-to $static_if inet proto udp from any to $static_if port $udp_svcs keep state
pass out on $static_if proto { tcp, udp } all keep state
pass in on $internal_if all
pass out on $internal_if all
pass in on $static_if reply-to $static_if inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type echoreq keep state
antispoof for rl0 inet
antispoof for rl1 inet
antispoof for dc0 inet
