Eddie Breaux wrote:

I have recently put in a transparent firewall running openbsd 3.2 stable and am having problems with the computers being able to access the internet. I copied the pf.conf from a template I use for all my transparent firewalls which usually works but for some reason it doesn't work at this office. I'll give a basic idea of what pf.conf looks like, the syntax I'm giving here WILL be wrong because I'm not in front of my machine at the moment, but the syntax on the machine IS correct. I've double checked every line multiple times and that is not the problem.
<code>
# macros for the two bridge interfaces
int_if = "rl0"
ext_if = "dc0"

# outside interface: let everything through in both directions
pass in on $ext_if all
pass out on $ext_if all

# (Here is my problem) -- the "quick" ends evaluation for every packet on $int_if
block log quick on $int_if all

# RDP to the inside host
pass in on $int_if proto tcp from any to 192.168.0.1 port = 3389 keep state

# allow icmp out from $int_if (I don't remember the syntax offhand)
pass out on $int_if inet proto icmp all keep state

pass out on $int_if proto { tcp, udp } from any to any keep state
</code>

Now as I have stated before the syntax here will be wrong, that is not my problem. If I comment out the line that by default blocks all in on $int_if then the internet works fine. If I uncomment the line then no computer can get on the internet. I'm thinking about just formatting and starting over with a clean install just to make sure I didn't mess anything up, but when I started this morning I did start with a clean install. Does anyone have any suggestions? Also can someone please tell me how to restart packet filtering after making changes to pf.conf without having to reboot the machine?

The problem with block all log quick on $int_if is the "quick". Quick tells pf not to evaluate any other rules. It should be:
block in log on $int_if
block out log on $int_if


You want to read the pf.conf man page (man pf.conf).

Really, I think if you just changed the rules, try:
pfctl -F rules -f /etc/pf.conf

If you've changed other things, try:
pfctl -F all -f /etc/pf.conf

If you're not logged in as root (which is a good idea), try "sudo pfctl -F all -f /etc/pf.conf"...
You want to read the pfctl man page too.


Thanks for any help I may receive,
Eddie Breaux
--Eddie



--
---------------------------------------------
Michael H. Semcheski
(412)383-9872
1640 Biomedical Sciences Tower
200 Lothrop St.
Pittsburgh, PA 15261
---------------------------------------------
Systems Programmer
Department of Neurobiology
School of Medicine
University of Pittsburgh
---------------------------------------------
GPG Public Key available at http://www.nedyah.org/[EMAIL PROTECTED]
---------------------------------------------
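To make the "quick" point in the reply concrete, here is an added toy model of pf's rule evaluation (not part of the thread, and not pf's own code): the last matching rule normally wins, but a matching rule marked quick decides immediately and every rule below it is never consulted. The ruleset mirrors the one in the question; the packet fields, the Packet/Rule classes and the evaluate/ruleset helpers are this example's own constructions.

```python
# Toy pf evaluator: last matching rule wins, unless a matching rule is 'quick'.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    direction: str  # "in" or "out"
    iface: str
    proto: str
    dst: str
    dport: int

@dataclass
class Rule:
    action: str  # "pass" or "block"
    direction: Optional[str] = None  # None matches either direction
    iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        wanted = [(self.direction, p.direction), (self.iface, p.iface),
                  (self.proto, p.proto), (self.dst, p.dst), (self.dport, p.dport)]
        return all(w is None or w == have for w, have in wanted)

def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the deciding rule); pf passes by default."""
    decision, winner = "pass", None
    for i, r in enumerate(rules):
        if not r.matches(p):
            continue
        decision, winner = r.action, i
        if r.quick:  # 'quick': stop evaluating, ignore every rule below
            break
    return decision, winner

INT_IF, EXT_IF = "rl0", "dc0"  # interface names from the thread
def ruleset(quick_block: bool) -> List[Rule]:
    """The thread's rules; the disputed 'block ... on $int_if' is index 2."""
    return [
        Rule("pass", "in", EXT_IF),
        Rule("pass", "out", EXT_IF),
        Rule("block", None, INT_IF, quick=quick_block),
        Rule("pass", "in", INT_IF, "tcp", "192.168.0.1", 3389),
        Rule("pass", "out", INT_IF, "tcp"),
        Rule("pass", "out", INT_IF, "udp"),
    ]
```

With the quick block in place, an inbound RDP packet on rl0 is decided by rule 2 and the pass rule for port 3389 is never reached; without quick, rule 3 is the last match and the packet passes.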