On 27 Jan 2005 09:34:30 -0800, [EMAIL PROTECTED] (Russell Morrison) wrote:
>Greetings list;
>
>I am a newbie at PF but have used IPFilter for many years. I am in the
>process of installing a new OpenBSD box with PF. I have read and re-read
>the Man page (PF.CONF 5), and also read and re-read the PF manual on the
>OpenBSD website. However, I am at a loss as to why my traffic is always
>blocked.
Unlike IPF, keep state doesn't get you a free ride across all interfaces.
That had me scratching the head when I ported over an ipf policy for the
1st time.

You *should* change

# Default Block Policy
block all

to

block log all

Debugging a firewall without logging dropped traffic is impossible. You'll
find a recipe for immediate logging via syslog using tcpdump and logger
here

http://www.freebsdforums.org/forums/showthread.php?s=&postid=139518#post139518

Get rid of all other rfc1918 style blocks until you have a working policy.

NAT happens before packet filtering, so rdrs require an explicit pass rule
for the port-forwarded traffic.

Log *everything*, you cannot debug a policy without logging.

greg
--
Yeah - straight from the top of my dome
As I rock, rock, rock, rock, rock the microphone
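The three points in the reply above (log the default block, give every rdr its own pass rule matching the translated destination, and pass traffic explicitly on each interface it crosses) put together in one small pf.conf. This is an added illustration, not a ruleset from either poster; the interface names, the private address range and the port-forwarded web server are assumptions.

```pf
# Added example pf.conf; fxp0/fxp1, 192.168.1.0/24 and the web server
# address are assumed values, not taken from the original thread.
ext_if = "fxp0"
int_if = "fxp1"
www_srv = "192.168.1.10"

# Default policy: block AND log, so every dropped packet is visible on
# pflog0 (tcpdump -n -e -ttt -i pflog0) instead of silently vanishing.
block log all

# Port-forward inbound HTTP to the internal web server. Translation runs
# before filtering, so the pass rule must match the translated destination
# ($www_srv), not the external address the client actually connected to.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_srv port 80
pass in on $ext_if proto tcp from any to $www_srv port 80 flags S/SA keep state

# Do not rely on one interface's keep state covering the other: pass the
# forwarded connection out on the inside interface as well.
pass out on $int_if proto tcp from any to $www_srv port 80 keep state

# Outbound traffic from the LAN: in on the inside, out on the outside.
pass in  on $int_if from $int_if:network to any keep state
pass out on $ext_if from any to any keep state
```

Load it with pfctl -nf /etc/pf.conf first to syntax-check, then pfctl -f /etc/pf.conf; anything still being dropped will then show up on pflog0 with the rule number that blocked it, which is what makes the "block log all" change the first step rather than the last.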
