On Friday 26 November 2004 14:58, Jonathan Weiss wrote:
> Hi folks,
>
> Since yesterday my PF firewall acts strange. I have not touched the ruleset
> and tried a new one only with pass-rules, but the problem is still there.
>
> I cannot "go" through the tunnel interface tun0 of ppp (I use DSL here in
> Germany). Even a "pass on tun0" will not change anything.
>
> #pfctl -s rules
> block return log-all all
> pass on tun0 all
> pass on ed0 all
> pass on vr0 all
>
> vr0 is the internal interface and ed0 the external. I am connected through
> ppp with my ISP. Within the internal network over vr0 (192.168.0.0/24) I
> can connect to a ssh-server on 192.168.0.196 for example, but ssh (or
> telnet or whatever) will not work to an external ip.
>
> If I drop the block rule and reload the ruleset, it works! I can connect to
> an external ssh-server.
>
> Does anybody have an idea?
You are supposed to have a NAT rule somewhere. Please let us know the complete
ruleset (including translation rules) and include match counters so that
people can figure out if a certain rule is matched at all (pfctl -vv -sn -sr).

Make sure that the NAT rule has dynamic address tracking (as I think you get a
dynamic IP from your ISP). The rule should look something like:

nat on tun0 from $internalnet to any -> (tun0)

Also note that we have a pf related mailing list on FreeBSD, called
[EMAIL PROTECTED]. You might want to subscribe and take the discussion there:

http://lists.freebsd.org/mailman/listinfo/freebsd-pf

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
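To show what the reply is asking for, here is a complete /etc/pf.conf for the setup in the thread, written in the pf syntax of that period (explicit "keep state", translation rules before filter rules). This is an added example, not the ruleset of either poster: the interface names and the 192.168.0.0/24 network come from the thread, while the macro names, the scrub line and the stateful pass rules are assumptions.

```pf
# Added example for the thread above. Interfaces and the LAN prefix are taken
# from the posts; macro names and the filter rules around the NAT rule are
# assumptions, chosen to show a working stateful ruleset of that era.
ext_if      = "tun0"              # ppp tunnel that carries the public address
int_if      = "vr0"               # LAN side
internalnet = "192.168.0.0/24"

# --- Ruleset as posted (no translation rule). Packets from LAN hosts leave
# --- tun0 with private 192.168.0.x source addresses, so no replies return.
#   block return log-all all
#   pass on tun0 all
#   pass on ed0 all
#   pass on vr0 all

# --- Corrected ruleset. Order matters: scrub, then translation, then filter.
scrub in all

# The parenthesised (tun0) makes pf read the interface address at match time,
# so the rule keeps working after the ISP hands out a new dynamic IP.
nat on $ext_if from $internalnet to any -> ($ext_if)

# Default deny, logged, so "pfctl -vv -sr" shows what is hitting the block.
block return log all

pass quick on lo0 all

# LAN traffic to and through the firewall, stateful so replies match states.
pass in  on $int_if from $internalnet to any keep state
pass out on $int_if from any to $internalnet keep state

# Outbound on the tunnel (source already translated); only state replies return.
pass out on $ext_if from ($ext_if) to any keep state

# Kept as in the posted ruleset for the physical DSL interface.
pass on ed0 all
```

After loading it with pfctl -f /etc/pf.conf, run the check the reply suggests, pfctl -vv -sn -sr, while a LAN host opens an outbound connection: the Evaluations and Packets counters on the nat rule and on the "pass out on tun0" rule should increase, and the block rule's counters should stay flat for that traffic. If the nat rule's counters never move, the packets are not reaching the translation rule and the ordering or the interface name is wrong.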