Hi, I am new to pf and I am having some issues with my pf.conf. I need to get my website from behind this firewall and I can't seem to get it to work. The requests for the website appear in the pflog (as seen in tcpdump -i), but it never makes it to the web server (nothing ever in the logs). I am running OpenBSD 3.2.

My system is set up with a static external IP on one NIC, and mygate has the DFGW of the static external connection. The internal IP is on the second NIC and uses the 192.168.0.0/24 subnet.

I can surf out from the firewall, but nothing comes in. rc.conf and sysctl.conf have been edited as needed. I can ping everything everywhere from the PF machine, internal machines and external machines (it doesn't reply, but it shows in the log).

Here is a copy of my pf.conf...
# $OpenBSD: pf.conf,v 1.2 2001/06/26 22:58:31 smart Exp $
#
# See pf.conf(5) for syntax and examples
# pass all packets in and out (these are the implicit last two rules)

outside="fxp0"
inside="le1"
#stealth="ne1"
desktop="192.168.0.46"
webserver="192.168.0.201"
internal_net="192.168.0.0/24"
outside_ip="208.38.11.118"
NoRouteIPs="{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
             0.0.0.0/7, 2.0.0.0/8, 5.0.0.0/8, 10.0.0.0/8, 23.0.0.0/8, 27.0.0.0/8, 31.0.0.0/8, \
             69.0.0.0/8, 70.0.0.0/7, 72.0.0.0/5, 82.0.0.0/7, 84.0.0.0/6, 88.0.0.0/5, 96.0.0.0/3, \
             127.0.0.0/8, 128.0.0.0/16, 128.66.0.0/16, 169.254.0.0/16, 172.16.0.0/12, 191.255.0.0/16, \
             192.0.0.0/19, 192.0.48.0/20, 192.0.64.0/18, 192.0.128.0/17}"
EMailAssholes="{207.34.112.32, 220.116.0.0/12, 218.70.0.0/16, 61.72.0.0/14}"
#IP Range                        Who                                  Block Specification
#207.34.112.32                   Taco                                 207.34.112.32
#220.116.0.0 - 220.127.255.255   Korea Telecom                        #220.116.0.0/12
#218.70.0.0 - 218.70.255.255     CHINANET Chongqing province network  218.70.0.0/16
#61.72.0.0 - 61.77.255.255       KOREA TELECOM                        61.72.0.0/14

scrub in all

#NAT
nat on $outside from $internal_net to any -> $outside_ip

#web server
rdr on $outside proto tcp from any to any port 80 -> $webserver port 80
#battle.net
rdr on $outside proto {tcp, udp} from any to any port 6112 -> $desktop port 6112
#rtcw
rdr on $outside proto {tcp, udp} from any to any port 27960 -> $desktop
#hlds
rdr on $outside proto {tcp, udp} from any to any port 27015 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 27016 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 27050 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 27052 -> $desktop
#nwn
rdr on $outside proto {tcp, udp} from any to any port 5121 -> $desktop
#age of empires
rdr on $outside proto {tcp, udp} from any to any port 27999 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 28805 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 28806 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 28807 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 28808 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 28800 -> $desktop
rdr on $outside proto {tcp, udp} from any to any port 2300:2400 -> $desktop
#serious sam
rdr on $outside proto {tcp, udp} from any to any port 25600:25603 -> $desktop
#quake2
rdr on $outside proto {tcp, udp} from any to any port 27910 -> $desktop
#quake
rdr on $outside proto {tcp, udp} from any to any port 26000 -> $desktop

#default block all
block in log on $outside all
#block emailassholes (fucking completely block the cunts. not just port 25)
block in quick on $outside proto {tcp, udp} from $EMailAssholes to any
#$stealth can't respond
#block out quick on $stealth from any to any
# don't allow anyone to spoof non-routeable addresses
block in quick on $outside from $NoRouteIPs to any
block out quick on $outside from any to $NoRouteIPs
#ssh
pass in quick on $outside proto tcp from any to any port = 22 flags S/SA keep state
#smtp
pass in quick on $outside proto tcp from any to any port = 25 flags S/SA keep state
pass in quick on $outside proto udp from any to any port = 25 keep state
#dns
pass in quick on $outside proto udp from any to any port = 53 keep state
pass in quick on $outside proto tcp from any to any port = 53 flags S/SA keep state
#http
pass in quick on $outside proto tcp from any to any port = 80 flags S/SA keep state
#ident
pass in quick on $outside proto tcp from any to any port = 113
#battle.net
pass in quick on $outside proto {tcp,udp} from any to any port = 6112
#serious sam
pass in quick on $outside proto {tcp,udp} from any to any port = 25600
pass in quick on $outside proto {tcp,udp} from any to any port = 25601
pass in quick on $outside proto {tcp,udp} from any to any port = 25602
pass in quick on $outside proto {tcp,udp} from any to any port = 25603
#quake
pass in quick on $outside proto {tcp,udp} from any to any port = 26000
#quake2
pass in quick on $outside proto {tcp,udp} from any to any port = 27910
#default
pass out on $outside proto { tcp, udp, icmp } all keep state

Any ideas?
Thanks heaps for any responses!!
Cheers,
Wayne
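As an added check (not part of Wayne's post and not an OpenBSD tool), a small Python linter for the pattern this pf.conf relies on: with a default `block in` on the outside interface, every port handed to a host by `rdr` also needs a `pass in` rule there, because pf filters the already-translated packet. It handles only the one-line macro and `from any to any` rule forms the post uses, and the excerpt it runs on is constructed here in the same shape.

```python
import re

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
RDR_RE = re.compile(r'^rdr on (\S+) proto (\{[^}]*\}|\w+) from any to any port (\S+) -> (\S+)')
PASS_RE = re.compile(r'^pass in quick on (\S+) proto (\{[^}]*\}|\w+) from any to any port = (\d+)')

def expand_macros(text):
    """Drop comments, collect name="value" macros and substitute $name in the rules that follow."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
        elif line:
            for name, value in macros.items():
                line = line.replace("$" + name, value)
            rules.append(line)
    return rules

def protos(field):
    """'tcp' or '{tcp, udp}' -> set of protocol names."""
    return {p.strip() for p in field.strip("{}").split(",")}

def redirects_without_pass(text):
    """List (iface, proto, port, target) for every rdr'd port with no 'pass in' rule on that interface."""
    rules = expand_macros(text)
    passes = [(m.group(1), protos(m.group(2)), int(m.group(3)))
              for m in map(PASS_RE.match, rules) if m]
    missing = set()
    for m in filter(None, map(RDR_RE.match, rules)):
        iface, target = m.group(1), m.group(4)
        lo, _, hi = m.group(3).partition(":")  # "80" or "25600:25601"
        for port in range(int(lo), int(hi or lo) + 1):
            for proto in protos(m.group(2)):
                if not any(i == iface and proto in ps and p == port for i, ps, p in passes):
                    missing.add((iface, proto, port, target))
    return sorted(missing)

# Constructed excerpt in the shape of the posted pf.conf: macros, rdr rules, the
# default block, and pass rules for only some of the redirected ports.
PF_EXCERPT = """outside="fxp0"
desktop="192.168.0.46"
webserver="192.168.0.201"
rdr on $outside proto tcp from any to any port 80 -> $webserver port 80   # web server
rdr on $outside proto {tcp, udp} from any to any port 25600:25601 -> $desktop   # serious sam
block in log on $outside all
pass in quick on $outside proto tcp from any to any port = 80 flags S/SA keep state
pass in quick on $outside proto {tcp,udp} from any to any port = 25600
"""
```

Run against the full posted file (after the macros are put on single lines), it lists the game ports that are redirected but never passed; a port that shows up there is dropped by `block in log` and will appear in pflog exactly as described.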