On Thu, Oct 14, 2004 at 09:54:08AM -0700, Justin Cluer wrote:
> # block in log on $dmz_if from $dmz_net to $lan_net
> # block in log on $dmz_if from $dmz_net to $cust_net
>
> As you can see, I have "block in log on $dmz_if from $dmz_net to
> $lan_net" at the beginning and end of the section. The specific issue is
> this:
> - Traffic from the DMZ to LAN1/LAN2 for only the Citrix machines is to
>   be allowed
> - All other direct traffic from the DMZ to LAN1/LAN2 should be blocked.
> Currently, if the "block in log on $dmz_if from $dmz_net to $lan_net"
> rule is left in play, then ALL traffic is blocked. This happens whether
> or not the rule is used at the start or end of the section (only the
> rule number in pflog changes). If the rule is removed, then all traffic
> between the networks is permitted.

That sounds to me like it means the other 'pass quick' rules aren't taking effect at all - that they're not matching packets.

It's kinda hard to make a correct judgement since I don't know what all the $whatever_dmz stuff stands for. This is too bad. Sometimes people post their whole rules and sometimes nobody answers, but sometimes people post just a fragment, and it seems even if they post the whole thing later after someone makes it an issue, they get fewer answers than the others :(

Also, what would've been real helpful is, since you are logging your blocks on those lines that are commented out, a few lines of tcpdump of pflog0 showing a packet get caught by that should let you see what is wrong with the rules that aren't matching, if you compare them visually to see what the difference is.

jared

--
[ openbsd 3.6 GENERIC ( sep 11 ) // i386 ]
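The diagnosis above rests on how pf walks a ruleset: the last matching rule wins, except that a matching rule marked `quick` stops evaluation on the spot, and a packet that matches nothing is passed. The following Python model is an added illustration for this thread, not pf's own code and not anything from the original poster. It parses only the rule shape used in the post (`ACTION in [log] [quick] on IF from HOSTS to HOSTS`), and every macro value, host address and the "mismatched" ruleset are constructed for the example, since the post never says what `$dmz_if`, `$lan_net` and the rest stand for. It reproduces both observations from the thread: when the `pass quick` rules match, the position of the `block in log` rule changes only the rule number, and when they fail to match (here, a constructed wrong-interface mistake), every packet ends up on a block rule no matter where that rule sits.

```python
"""Constructed model of pf rule evaluation: last matching rule wins,
a matching 'quick' rule ends evaluation, no match means pass.
Illustration only; this is not pf and it parses a tiny subset of pf.conf."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed macro values: the original post never says what these are.
MACROS = {
    "dmz_if": "em1",
    "lan_if": "em0",
    "dmz_net": "192.0.2.0/24",
    "lan_net": "198.51.100.0/24",
    "cust_net": "203.0.113.0/24",
    "citrix_hosts": "{ 192.0.2.10, 192.0.2.11 }",
}


@dataclass
class Rule:
    number: int      # position in the ruleset, as pflog would report it
    action: str      # "pass" or "block"
    quick: bool
    log: bool
    iface: str
    src: list        # list of ip_network; empty list means "any"
    dst: list

    def matches(self, iface, src, dst):
        return (self.iface == iface
                and _in_set(self.src, src)
                and _in_set(self.dst, dst))


def _in_set(nets, addr):
    return not nets or any(ip_address(addr) in n for n in nets)


def _hosts(token):
    return [] if token == "any" else [ip_network(h) for h in token.split(",")]


def parse_rule(number, text, macros=MACROS):
    """Expand $macros and parse one rule of the supported shape."""
    text = re.sub(r"\$(\w+)", lambda m: macros[m.group(1)], text)
    # Collapse "{ a, b }" into "a,b" so the rule splits cleanly on whitespace.
    text = re.sub(r"\{([^}]*)\}", lambda m: m.group(1).replace(" ", ""), text)
    tok = text.split()
    action, rest = tok[0], tok[1:]
    if action not in ("pass", "block"):
        raise ValueError(f"unsupported action {action!r}")
    iface = rest[rest.index("on") + 1]
    src = _hosts(rest[rest.index("from") + 1])
    dst = _hosts(rest[rest.index("to") + 1])
    return Rule(number, action, "quick" in rest, "log" in rest, iface, src, dst)


def parse_ruleset(lines, macros=MACROS):
    return [parse_rule(i, line, macros) for i, line in enumerate(lines, start=1)]


def evaluate(rules, iface, src, dst):
    """Return (action, rule number) for one inbound packet on iface."""
    winner = None
    for r in rules:
        if r.matches(iface, src, dst):
            winner = r          # last match wins ...
            if r.quick:
                break           # ... unless the match is 'quick'
    return ("pass", None) if winner is None else (winner.action, winner.number)


def decide(lines, iface, src, dst):
    return evaluate(parse_ruleset(lines), iface, src, dst)


# Intended policy: only the Citrix hosts may reach the LANs from the DMZ.
INTENDED = [
    "block in log on $dmz_if from $dmz_net to $lan_net",
    "pass in quick on $dmz_if from $citrix_hosts to $lan_net",
    "pass in quick on $dmz_if from $citrix_hosts to $cust_net",
    "block in log on $dmz_if from $dmz_net to $cust_net",
]

# Constructed mistake: the pass rules name the wrong interface, so they
# never match and the block rules catch everything, wherever they sit.
MISMATCHED = [l.replace("quick on $dmz_if", "quick on $lan_if") for l in INTENDED]

if __name__ == "__main__":
    for name, ruleset in (("intended", INTENDED), ("mismatched", MISMATCHED)):
        for src in ("192.0.2.10", "192.0.2.50"):
            print(name, src, "-> 198.51.100.5:", decide(ruleset, "em1", src, "198.51.100.5"))
```

Comparing the rule number the model reports with the one tcpdump shows on pflog0 is the same visual check the reply recommends: if the Citrix hosts are being logged by the block rule, the pass rule that should have fired is the one to compare token by token against the real packet.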
