It is working, but I am confused as to why. It seems that the flags were
causing an issue; nothing was wrong with the config or the install, as I
thought. After reading the FAQ again and again, and picking up Jacek's 2nd
edition book and dusting it off, I am wondering why I had to do this, as it
seems all that documentation refers to using synproxy instead.
Non-working config
*Still being blocked:
Nov 30 14:18:46.312785 rule 0/(match) block in on le1: 66.94.237.43.21100 > 192.168.11.250.25: [|tcp] (DF)*
#Macros
ext_if="le1"
prv_if="le0"
web_ports = "{ http, https }"
prv_hosts = "{192.168.11.0/24}"
www_mail = "192.168.11.250"
#Options
#Normalize Packets
scrub in all
scrub out all
#Translate packets
nat on $ext_if from $prv_if:network to any -> ($ext_if)
#Redirect for Internal Server
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $www_mail
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $www_mail
block in log on $ext_if
#Pass all connections originating from the firewall
pass out quick on $ext_if
#Pass all connections originating from the screened lan
pass in quick on $prv_if
pass proto tcp from any to $www_mail port 25 flags S/SA synproxy state
pass proto tcp from any to $www_mail port $web_ports flags S/SA synproxy state
*Now the working config; the only thing changed was removing synproxy state and
changing it to keep state*
#Macros
ext_if="le1"
prv_if="le0"
web_ports = "{ http, https }"
prv_hosts = "{192.168.11.0/24}"
www_mail = "192.168.11.250"
#Options
#Normalize Packets
scrub in all
scrub out all
#Translate packets
nat on $ext_if from $prv_if:network to any -> ($ext_if)
#Redirect for Internal Server
rdr on $ext_if proto tcp from any to ($ext_if) port 25 -> $www_mail
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $www_mail
rdr on $ext_if proto tcp from any to ($ext_if) port 53 -> $www_mail
rdr on $ext_if proto udp from any to ($ext_if) port 53 -> $www_mail
#Filter Packets, Block all packets coming in from the outside and log them
block in log on $ext_if
#Pass all connections originating from the firewall
pass out quick on $ext_if
#Pass all connections originating from the screened lan
pass in quick on $prv_if
pass proto tcp from any to $www_mail port 25 keep state
pass proto tcp from any to $www_mail port $web_ports keep state
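Added example (not part of the post above): a small Python triage script for pflog output in the tcpdump format quoted in the post. It parses each line into the rule number, action, direction, interface and the IPv4 5-tuple, and then applies the check a practitioner would run on the quoted line: the logged destination is the internal server (192.168.11.250), i.e. the address after the rdr rule has already rewritten it, so a block on the external interface with that destination tells you the rdr fired and no pass rule matched the translated packet. The sample log is constructed here; only its first line is the one from the post, the other two (including the 198.51.100.2 and 203.0.113.9 addresses) are made up to exercise the parser. IPv6 and non-tcpdump pflog formats are not handled.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample input. Line 1 is the log line quoted in the post; lines 2
# and 3 are made up (hypothetical addresses) to exercise the parser and the
# triage check below.
SAMPLE_PFLOG = """\
Nov 30 14:18:46.312785 rule 0/(match) block in on le1: 66.94.237.43.21100 > 192.168.11.250.25: [|tcp] (DF)
Nov 30 14:18:47.100000 rule 5/(match) pass in on le1: 66.94.237.43.21101 > 192.168.11.250.25: S 12345:12345(0) win 65535 (DF)
Nov 30 14:18:48.200000 rule 0/(match) block in on le1: 203.0.113.9.40000 > 198.51.100.2.22: S 1:1(0) win 8192 (DF)
"""

# tcpdump -n -e -ttt -i pflog0 style line: timestamp, "rule N/(reason)",
# action, direction, interface, then src > dst and the protocol decode.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ [\d:.]+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[a-z]+)\) "
    r"(?P<action>pass|block) (?P<direction>in|out) on (?P<iface>\w+): "
    r"(?P<src>\S+) > (?P<dst>\S+): ?(?P<rest>.*)$"
)


@dataclass
class PflogEntry:
    timestamp: str
    rule: int
    reason: str
    action: str
    direction: str
    iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    rest: str


def _split_addr(addr: str):
    # tcpdump prints IPv4 endpoints as a.b.c.d.port; IPv6 is not handled here.
    ip, port = addr.rsplit(".", 1)
    return ip, int(port)


def parse_pflog_line(line: str) -> Optional[PflogEntry]:
    """Parse one pflog/tcpdump line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_addr(m["src"])
    dst_ip, dst_port = _split_addr(m["dst"])
    return PflogEntry(
        m["ts"], int(m["rule"]), m["reason"], m["action"], m["direction"],
        m["iface"], src_ip, src_port, dst_ip, dst_port, m["rest"],
    )


def parse_pflog(text: str) -> List[PflogEntry]:
    return [e for e in (parse_pflog_line(l) for l in text.splitlines()) if e]


def redirected_but_blocked(entries: List[PflogEntry], ext_if: str,
                           rdr_targets: List[str]) -> List[PflogEntry]:
    """Inbound blocks on ext_if whose destination is already an rdr target.

    pflog records the packet with the translated destination (the quoted line
    shows 192.168.11.250, not the external address), so such a block means the
    rdr rule fired and no pass rule matched the translated packet: look at the
    filter rules, not at the rdr rules.
    """
    targets = [ip_network(t, strict=False) for t in rdr_targets]
    return [
        e for e in entries
        if e.action == "block" and e.direction == "in" and e.iface == ext_if
        and any(ip_address(e.dst_ip) in n for n in targets)
    ]


def describe(e: PflogEntry) -> str:
    return (f"{e.timestamp} rule {e.rule} {e.action} {e.direction} on {e.iface}: "
            f"{e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port}")


if __name__ == "__main__":
    entries = parse_pflog(SAMPLE_PFLOG)
    for hit in redirected_but_blocked(entries, "le1", ["192.168.11.250"]):
        print("rdr applied but no pass rule matched:", describe(hit))
```

Feed it real output from `tcpdump -n -e -ttt -i pflog0` and compare the rule numbers it reports with `pfctl -vvsr`, which prints each loaded rule with the `@N` index pflog refers to; `pfctl -ss` then shows whether a state was actually created for the connection.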