Re: PF Citrix ICA

2005-07-04 Thread Chris Zakelj

TheSG wrote:

I have been struggling with this issue for a few days now. I have a 
Citrix server (customer site) that I cannot connect to through my 
OpenBSD 3.7 pf firewall. I am able to reach this Citrix server if I go 
direct (no firewall). I know the Citrix server is open to everyone on 
the Internet. However, something is happening when my Windows client 
passes through the OpenBSD pf firewall - I do not receive any packets 
back from the Citrix server. I have tcpdump running on the outside and 
inside of the firewall and I see the match rules that allow out from 
the Inside interface then out the outside interface but I never see 
any traffic back from the Citrix server.


My rules are simple. I have actually done 'pass in log all keep state' 
and 'pass out log all keep state' in my rules with nothing else (no block 
or pass) and it still fails. I see the traffic go through the pf box 
but never see anything from the Citrix server.


I do know this Citrix server is being firewalled by a Check Point NG 
firewall. I do not believe they are running any IDS or anything else 
that would block my connection attempts.


Has anyone got this to work? If so, what does the rule(s) look like?  
Thanks.



I'm able to connect to my company's Citrix without any trouble, though I 
don't know offhand who the firewall vendor is.  I believe my magic 
pixie dust is this line...


nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port

the ':0' suffix tells PF not to include aliases, while 'static-port' 
tells it not to translate outbound TCP/UDP ports.
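An added example of how that nat line sits inside a complete pf.conf for OpenBSD 3.7, written for this thread and not taken from either poster's configuration; the interface names fxp0/fxp1 and the macro names are assumed placeholders, and the commented-out variant shows the default (port-translating) rule for comparison.

```pf
# Added example pf.conf (OpenBSD 3.7 syntax); interface names are assumed.
ext_if = "fxp0"      # external interface (placeholder)
int_if = "fxp1"      # internal interface (placeholder)

scrub in all

# Translate outbound traffic to the primary address of $ext_if only
# (':0' excludes interface aliases) and keep the client's original
# source port ('static-port' tells pf not to rewrite TCP/UDP source ports).
nat on $ext_if from $int_if:network to any -> ($ext_if:0) static-port

# Default behaviour for comparison: without static-port, pf rewrites the
# source port to a high port of its own choosing.
# nat on $ext_if from $int_if:network to any -> ($ext_if:0)

block log all

# In 3.7 'keep state' is not implied, so it is spelled out on both rules.
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```

After loading with pfctl -f /etc/pf.conf, pfctl -s nat shows the translation rule that was loaded and pfctl -s state lists each session with its pre- and post-translation address:port pair, so it is easy to confirm whether the outbound source port survived the NAT. The trade-off of static-port is that pf no longer picks a fresh source port per session, so two internal clients that happen to use the same source port to the same destination will collide on the translation; restricting the static-port nat rule to the hosts or destinations that need it limits that exposure.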




Re: PF Citrix ICA

2005-07-04 Thread TheSG


Chris - that was it. Many thanks for your help.

Now I need to figure out why this rule works. I have never used the 
static-port before.


Thanks again.