Hey there,

You have just forgotten that each packet goes through the ruleset twice: once for the interface it comes in on and once for the interface it goes out on. So, your rdr rule is translating your outbound connections on that range of ports, then your anti-spoof check is blocking the packet.

Let me explain by tracing an outbound (from your 10.0.0.101 workstation) packet through the ruleset:

1. OK, so your BitTorrent client on 10.0.0.101 sends out a packet a la:

   10.0.0.101.6887 > c210-49-38-219.rochd2.qld.optusnet.com.au.59853

2. Hits the firewall, and the first rule it matches is:

   pass in on $int_if from $int_if:network to any keep state

3. Then the packet (still with the 10.0. address) routes over to the ext_if.

4. Then it is NAT'd, so the source address of 10.0.0.101 gets changed to "hydronium.demon.nl".

5. Then it hits the rdr rule of:

   > rdr on $ext_if proto tcp from any to any port 6881:6999 -> \
   >     10.0.0.101 port 6881:6999

   and it matches, as you have used "any" for the "from" qualifier (might want to try "! $int_if:network"). So the packet is rdr'd back to 10.0.0.101 but is still on the external interface card.

6. So now the packet, which is outbound on the external card but has had its destination address changed to 10.0.0.101, will be blocked and dropped by:

   > block drop out log quick on $ext_if from any to $priv_nets

And that, as they say in the classics, is all folks.

You might want to think about redoing your ruleset, as it is a bit messy. Have a look at the pf guide. It has a good ruleset to start with. Available at:

http://www.openbsd.org/faq/pf/index.html

Hope that helps,

Andrew

--- Björn Ketelaars <[EMAIL PROTECTED]> wrote:

> Hello,
>
> In an effort to redirect some ports (6881:6999) to one of my computers
> (10.0.0.101) I'm using the pf.conf given beneath. Everything inbound works
> fine. There is just one strange 'thing': when I'm monitoring pflog0, I'm
> receiving messages which indicate that outbound traffic originating from
> port 6887 (and others in the 6881:6999 range) is prohibited. Example
> (hydronium.demon.nl is the firewall):
>
> 13:32:00.716083 hydronium.demon.nl.6887 > c210-49-38-219.rochd2.qld.optusnet.com.au.59853: . ack 4223293259 win 65535 (DF) [tos 0x10]
>
> I do not fully understand why this happens; my config should pass all
> outbound traffic, but why not from this range?
>
> # macros
> ext_if = "fxp0"
> int_if = "fxp1"
>
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>
> # options
> set block-policy return
> set loginterface $ext_if
>
> # scrub
> scrub in all
>
> # nat/rdr
> nat on $ext_if from $int_if:network to any -> ($ext_if)
> nat on $ext_if from $wir_if:network to any -> ($ext_if)
>
> rdr on $ext_if proto tcp from any to any port 6881:6999 -> 10.0.0.101 port 6881:6999
>
> # filter rules
> block log all
>
> pass in on $ext_if inet proto tcp from any to 10.0.0.101 port 6881:6999 flags S/SA synproxy state
>
> pass quick on lo0 all
>
> block drop in log quick on $ext_if from $priv_nets to any
> block drop out log quick on $ext_if from any to $priv_nets
>
> pass in on $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
>
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> Regards,
>
> Björn
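Andrew's suggested narrowing of the rdr rule, written out as an added example (not code from either post), in the same pre-OpenBSD-4.7 nat/rdr syntax the thread uses. It keeps the macro and interface names from Björn's config, drops the $wir_if nat line because that macro is never defined in the posted config, and introduces tor_host and tor_ports as assumed macro names for the redirect target and port range. The original rule is kept commented out beside the narrowed one for comparison:

```pf
# macros (ext_if, int_if and priv_nets as in the posted config;
# tor_host and tor_ports are assumed names added for readability)
ext_if    = "fxp0"
int_if    = "fxp1"
tor_host  = "10.0.0.101"
tor_ports = "6881:6999"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# scrub
scrub in all

# nat: hide the LAN behind the external address
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Original rule from the post, commented out: "from any" means it also
# matches on connections that originated on the LAN.
# rdr on $ext_if proto tcp from any to any port $tor_ports -> $tor_host port $tor_ports

# Narrowed per Andrew's suggestion: exclude the LAN as source, so the
# redirect only applies to connections that did not originate inside.
rdr on $ext_if proto tcp from ! $int_if:network to any port $tor_ports \
    -> $tor_host port $tor_ports

# filter rules
block log all

pass quick on lo0 all

# anti-spoof: private ranges must never appear on the external interface
block drop in  log quick on $ext_if from $priv_nets to any
block drop out log quick on $ext_if from any to $priv_nets

# redirected BitTorrent connections arriving from outside
pass in on $ext_if inet proto tcp from any to $tor_host port $tor_ports \
    flags S/SA synproxy state

# LAN traffic
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# outbound from the firewall / translated LAN traffic
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only, no load). To confirm which rule is actually dropping the packets, watch the log interface with `tcpdump -n -e -ttt -i pflog0`: the `-e` flag prints the rule number, action and direction for each logged packet, and `pfctl -vsr` lists the loaded rules with the same numbering.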
