"Chris Willis" <[EMAIL PROTECTED]> writes:

> I used FWBuilder to create the policy for the FreeBSD box. When I
> install Linux 2.6 in place of the FreeBSD box, and use the exact same
> FWBuilder ruleset, then outbound PPTP works great.
To me, this sounds like FWBuilder's PF rule generator is buggier than its
iptables script generator.

You may not be aware that something or other did something seriously ugly
to your rule set before it made it out to us. Recovering the format was
not pleasant.

Reading your rule set, a few things jump out at once (that is, after
inserting sensible line breaks):

* logic: have you checked that the address ranges in the tables you
  'block quick' do not overlap with the address ranges you are actually
  using yourself? Rule evaluation order could be tripping you up.

* logic: why do you list which protocols to NAT? If you NAT, you want to
  NAT everything, but limit what to *pass*.

* logic: why is every filter rule a quick rule?

* readability: why is every 'pass in' paired with a matching 'pass out'
  rule?

* readability: why do you go for protocol numbers in your rdr rules, not
  names?

This is certainly not a comprehensive analysis, but do look into the
logic issues here. The readability issues are probably byproducts of
using a GUI tool, so I won't beat you over the head with them just yet.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
20:11:56 delilah spamd[26905]: 146.151.48.74: disconnected after 36099 seconds.
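As an added illustration, not part of the thread and not the poster's rule set (which only the list saw): a constructed pf.conf fragment in the old nat/rdr syntax that was current when this was posted, showing the shape of each logic problem listed in the reply beside a cleaned-up version of the same policy. It goes slightly beyond the thread by spelling out the two halves of outbound PPTP (the TCP 1723 control channel and the GRE data channel), since that is the traffic the poster could not get through. The interface names, the table contents, the 192.168.1.0/24 LAN and the 192.168.1.10 web server are all assumptions made up for the example; the two halves are for side-by-side comparison and are not meant to be loaded together.

```pf
# Constructed example, NOT the rule set discussed in the thread.
# Old nat/rdr syntax (pre-OpenBSD 4.7; the FreeBSD pf of the same era).
# Interface names, networks and hosts below are assumptions for illustration.

ext_if    = "xl0"
int_if    = "xl1"
localnet  = "192.168.1.0/24"     # assumed LAN behind the firewall
webserver = "192.168.1.10"       # assumed internal host for the rdr example

### Shape of the problems named in the reply ###############################

# 1. A 'block quick' table that overlaps the firewall's own network.
#    'quick' ends evaluation on the first match, so every packet from
#    192.168.1.0/24 arriving on $int_if is dropped before any 'pass'
#    rule further down is even looked at.
table <bogons_bad> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
block in quick from <bogons_bad> to any

# 2. NAT limited to listed protocols. The PPTP control channel (TCP 1723)
#    is translated, but the GRE tunnel carrying the VPN data is not, so it
#    leaves with a private source address and the replies never come back.
nat on $ext_if proto tcp from $localnet to any -> ($ext_if)

# 3./4. Every filter rule 'quick', and every 'pass in' mirrored by a
#    'pass out' on the same interface. With 'keep state' the rule on the
#    interface where the connection enters is enough; the mirrors match
#    no real traffic and only make the rule set harder to read.
pass in  quick on $int_if proto tcp from $localnet to any port 1723 keep state
pass out quick on $int_if proto tcp from $localnet to any port 1723 keep state
pass in  quick on $int_if proto 47  from $localnet to any keep state
pass out quick on $int_if proto 47  from $localnet to any keep state

# 5. Protocol numbers instead of names in rdr rules (6 is tcp).
rdr on $ext_if proto 6 from any to ($ext_if) port 80 -> $webserver port 80

### The same policy, cleaned up ############################################

# Addresses that must never appear on the outside interface. Deliberately
# excludes the RFC 1918 range the LAN itself uses, so there is no overlap.
table <martians> { 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 224.0.0.0/4 }

# NAT everything from the LAN; the filter decides what is allowed to leave.
nat on $ext_if from $localnet to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port www -> $webserver port www

# Default deny, then explicit passes. Only the martians rule needs 'quick';
# for everything else the last matching rule wins.
block in  log all
block out log all
block in quick on $ext_if from <martians> to any

# Outbound PPTP from the LAN: control channel plus the GRE data channel.
# Translation is applied before filtering, so rules on $ext_if see the
# translated source address ($ext_if), not the LAN address.
pass in  on $int_if proto tcp from $localnet to any port pptp keep state
pass in  on $int_if proto gre from $localnet to any keep state
pass out on $ext_if proto tcp from ($ext_if)  to any port pptp keep state
pass out on $ext_if proto gre from ($ext_if)  to any keep state

# Inbound web traffic, already redirected by the rdr rule above, so the
# filter sees the internal address as destination.
pass in on $ext_if proto tcp from any to $webserver port www keep state
```

Two checks are worth running against either half before loading it: `pfctl -nf pf.conf` parses the file without loading it, and once a ruleset is loaded, `pfctl -t martians -T test 192.168.1.5` reports whether a given LAN address falls inside a table, which is the quickest way to find the overlap described in the first point. `pfctl -sr` prints the rules in the order they are actually evaluated, which is what matters when 'quick' rules are involved.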
