Here are the raw logs of a call getting blocked.
Sep 5 21:52:07 fw-bsd-1.gnet pf: 20.251565 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 51208, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:08 fw-bsd-1.gnet pf: 498742 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 8503, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:09 fw-bsd-1.gnet pf: 999812 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 50193, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:11 fw-bsd-1.gnet pf: 2.000010 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 38161, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:15 fw-bsd-1.gnet pf: 4.000036 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 20736, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:23 fw-bsd-1.gnet pf: 8.000728 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 16435, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Sep 5 21:52:39 fw-bsd-1.gnet pf: 16.004281 rule 122/0(match): block in on rl1: (tos 0x0, ttl 110, id 44642, offset 0, flags [DF], proto: UDP (17), length: 854) 216.181.136.7.5065 > 75.129.xx.xx.58562: UDP, length 826
Here is the rest of the info you requested:
<nat>
<ipsecpassthru>
<enable/>
</ipsecpassthru>
<rule>
<protocol>tcp</protocol>
<external-port>22</external-port>
<target>172.16.0.99</target>
<local-port>22</local-port>
<interface>wan</interface>
<descr>Allow Backups from PPGNetServ using SSH</descr>
</rule>
<rule>
<protocol>tcp</protocol>
<external-port>5001</external-port>
<target>172.16.0.99</target>
<local-port>5001</local-port>
<interface>wan</interface>
<descr>Allow iperf connections from GoDaddy Server</descr>
</rule>
<onetoone>
<external>216.181.136.7</external>
<internal>10.0.0.1</internal>
<subnet>32</subnet>
<descr>Allow Incoming VoIP </descr>
<interface>wan</interface>
</onetoone>
</nat>
And the rules....
<filter>
<rule>
<interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>172.16.0.99</address>
<port>22</port>
</destination>
<descr>NAT Allow Backups from PPGNetServ using SSH</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<address>216.181.136.7</address>
</source>
<destination>
<address>10.0.0.0/24</address>
</destination>
<descr>Allow VoIP Inbound</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<address>72.167.141.110</address>
</source>
<destination>
<address>172.16.0.99</address>
<port>5001</port>
</destination>
<descr>Allow iperf connections from GoDaddy Server</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>172.16.0.1</address>
<port>443</port>
</destination>
<disabled/>
<descr>WAN -> Allow Remote Admin of FW</descr>
</rule>
<rule>
<type>pass</type>
<interface>wan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp/udp</protocol>
<source>
<any/>
</source>
<destination>
<any/>
<port>1194</port>
</destination>
<disabled/>
<log/>
<descr>Allow Incoming Remote VPN Road Warriors</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<address>10.0.0.2</address>
</source>
<destination>
<address>216.181.136.7</address>
</destination>
<descr>Allow VoIP Outbound</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<address>216.181.136.7</address>
</source>
<destination>
<network>opt1</network>
</destination>
<descr>Allow VoIP from Lingo</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<network>opt1</network>
</source>
<destination>
<address>216.181.136.7</address>
</destination>
<descr>Allow VoIP to Lingo</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<any/>
</source>
<destination>
<any/>
<port>10001</port>
</destination>
<descr>DMZ -> Allow IPSEC Clients</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<any/>
</source>
<destination>
<any/>
<port>500</port>
</destination>
<descr>DMZ -> Allow IPSEC Clients</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<address>10.0.0.2</address>
</source>
<destination>
<any/>
<port>53</port>
</destination>
<descr>DMZ -> Allow DNS out</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<address>10.0.0.2</address>
</source>
<destination>
<any/>
<port>444</port>
</destination>
<descr>DMZ -> VoIP ?</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<address>10.0.0.2</address>
</source>
<destination>
<any/>
<port>123</port>
</destination>
<descr>DMZ -> Allow NTP Out</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>icmp</protocol>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<descr>DMZ -> Allow ICMP</descr>
</rule>
<rule>
<type>pass</type>
<interface>opt1</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<any/>
</source>
<destination>
<address>10.0.0.2</address>
<port>59700-61000</port>
</destination>
<disabled/>
<descr>NAT Allow VoIP inbound to DMZ</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>3000</port>
</destination>
<descr>LAN -> NTOP/NetFlow</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<address>172.16.0.25</address>
</source>
<destination>
<any/>
</destination>
<disabled/>
<descr>LAN -> Allow Phill's mac ANY to ANY</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>8000-8030</port>
</destination>
<descr>LAN -> Allow FTP through Proxy</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>80</port>
</destination>
<descr>LAN -> 80</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<address>172.16.0.99</address>
</source>
<destination>
<any/>
<port>12489</port>
</destination>
<descr>LAN -> Nagios</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>10001</port>
</destination>
<descr>LAN -> 10001(vpn)</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>500</port>
</destination>
<descr>LAN -> 500(vpn)</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>443</port>
</destination>
<descr>LAN -> 443</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>5050</port>
</destination>
<descr>LAN -> Yahoo IM</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>icmp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
</destination>
<descr>LAN -> ICMP</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>22</port>
</destination>
<descr>LAN -> SSH</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp/udp</protocol>
<source>
<address>172.16.0.99</address>
</source>
<destination>
<any/>
</destination>
<disabled/>
<descr>LAN -> Allow All</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>3389</port>
</destination>
<descr>LAN -> Remote Desktop</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>26</port>
</destination>
<descr>LAN -> 26(ssh godaddy/PPGNetServ)</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp/udp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>1194</port>
</destination>
<descr>LAN -> Allow 1194 for OpenVPN</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>110</port>
</destination>
<descr>LAN -> 110</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>139</port>
</destination>
<descr>LAN -> SMB</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>137</port>
</destination>
<descr>LAN -> SMB</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>138</port>
</destination>
<descr>LAN -> SMB</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>21</port>
</destination>
<descr>LAN -> FTP</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>995</port>
</destination>
<descr>LAN -> 995</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>587</port>
</destination>
<descr>LAN -> 587(Gmail)</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>993</port>
</destination>
<descr>LAN -> 993</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>43</port>
</destination>
<descr>LAN -> whois query</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>25</port>
</destination>
<descr>LAN -> 25</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<address>192.168.1.0/24</address>
<port>5001</port>
</destination>
<descr>LAN -> 5001(iperf)</descr>
</rule>
<rule>
<type>pass</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<network>lan</network>
</source>
<destination>
<any/>
<port>441</port>
</destination>
<descr>LAN -> Firewall Admin</descr>
</rule>
<rule>
<type>block</type>
<interface>lan</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<log/>
<descr>Drop All Outbound Packets</descr>
</rule>
<rule>
<type>pass</type>
<interface>enc0</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<any/>
</source>
<destination>
<any/>
<port>10001</port>
</destination>
<descr>IPSEC -> 1001 vpn</descr>
</rule>
<rule>
<type>pass</type>
<interface>enc0</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<any/>
</source>
<destination>
<any/>
<port>500</port>
</destination>
<descr>IPSEC -> 500 vpn</descr>
</rule>
<rule>
<type>pass</type>
<interface>enc0</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<any/>
</source>
<destination>
<address>172.16.0.99</address>
<port>22</port>
</destination>
<descr>IPSEC -> ssh</descr>
</rule>
<rule>
<type>pass</type>
<interface>enc0</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>tcp</protocol>
<source>
<address>192.168.1.0/24</address>
</source>
<destination>
<address>172.16.0.99</address>
<port>5001</port>
</destination>
<descr>IPSEC -> Allow iperf to connect (network bandwidth)</descr>
</rule>
<rule>
<type>pass</type>
<interface>enc0</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>udp</protocol>
<source>
<address>192.168.1.0/24</address>
</source>
<destination>
<address>172.16.0.99</address>
<port>514</port>
</destination>
<descr>IPSEC -> Allow Syslog to Arcadia</descr>
</rule>
<rule>
<type>pass</type>
<interface>enc0</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>icmp</protocol>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<descr>IPSEC -> ICMP</descr>
</rule>
<rule>
<type>pass</type>
<interface>enc0</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<protocol>esp</protocol>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<descr>IPSEC -> vpn</descr>
</rule>
<rule>
<type>block</type>
<interface>enc0</interface>
<max-src-nodes/>
<max-src-states/>
<statetimeout/>
<statetype>keep state</statetype>
<os/>
<source>
<any/>
</source>
<destination>
<any/>
</destination>
<log/>
<descr>Drop All Packets</descr>
</rule>
</filter>
Thanks!
-phil
On Sep 5, 2008, at 9:28 PM, Chris Buechler wrote:
On Fri, Sep 5, 2008 at 10:17 PM, BSD Wiz <[EMAIL PROTECTED]> wrote:
Man, oh man.... still getting blocked. Tried calling my VoIP phone from my cell phone and the traffic was blocked again by the default drop-all rule. Below is the log entry of the blocked traffic.
WAN 216.181.136.7:5065 xx.xx.xx.xx:63792
This after allowing source 216.181.136.7 through my WAN interface destined for any port and also creating a 1:1 entry as follows:
Interface   External IP         Internal IP    Description
WAN         216.181.136.7/32    10.0.0.1/32    Allow Incoming VoIP
WTF, shouldn't that be allowed through?
What does the raw log look like that's blocking it? Also can you paste
from status.php config.xml section everything from <nat> to </nat> and
<filter> to </filter>?
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]