I had the same thing happen on the WAN side too, no one can get to the web server:
@55 pass in quick on bge1 inet proto tcp from any to 10.x.y.z port = http flags S/SA keep state label "USER_RULE: web server"
.
.
.
@87 block drop in log quick on bge1 all label "USER_RULE: catchall"

Log:
pf: 054917 rule 87/0(match): block in on bge1: (tos 0x0, ttl 245, id 11247, offset 0, flags [none], proto TCP (6), length 40) 68.58.xx.xx.36288 > 10.x.y.z.80: R, cksum 0x5544 (correct), 0:0(0) win 0

10.x.y.z is set up as a 1:1 NAT. Why is rule 55 not being matched?

On Tue, Jan 20, 2009 at 10:54 AM, Peter Pauly <[email protected]> wrote:
> I did a test of pfsense this weekend, temporarily replacing my PIX
> firewall with pfsense.
>
> I was not able to communicate from the inside to the internet. I have
> a "catch-all" rule on the LAN side that should have allowed traffic
> through, but according to the logs, the default rule is being
> triggered, even though it is farther down in the list:
>
> (bge0 is the LAN interface)
>
> From pfctl -s rules -vv :
> @108 pass in quick on bge0 all flags S/SA keep state label "USER_RULE: catchall"
> .
> .
> .
> @115 block drop in log quick all label "Default deny rule"
>
> A log entry:
> pf: 710005 rule 115/0(match): block in on bge0: (tos 0x0, ttl 63, id 14015, offset 0, flags [DF], proto TCP (6), length 64) 10.x.y.z.80 > 72.30.xxx.xxx.54707: S, cksum 0xb09a (correct), 1222312383:1222312383(0) ack 2341411941 win 49232 <nop,nop,timestamp 12784312 1491842314,mss 1460,nop,wscale 0,nop,nop,sackOK>
>
> The IPs on the inside (10.x.y.z) are not on the LAN subnet, but are
> on other internal subnets that are being routed to pfsense. There are
> static routes for the internal networks that point to the inside
> router that pfsense is connected to.
>
> So.... why is rule 115 getting matched and not 108?

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
Commercial support available - https://portal.pfsense.org
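Added example, not code from either poster or from pfSense: a small Python model of how pf evaluates the "flags S/SA" clause on the two packets logged in this thread. pf's "flags a/b" means that, of the TCP bits named in the mask b, the bits named in a must be set and the rest must be clear, so "S/SA" matches only a packet with SYN set and ACK clear. The parser reads the tcpdump-style pf log format shown above (SYN/FIN/RST/PSH as letters, ACK signalled by an "ack N" field); the rule lists are hand-built from the rule excerpts only and the elided rules between them are not modelled, which is an assumption.

```python
import re

# pf "flags a/b": of the bits named in the mask b, those named in a must be
# set and the others must be clear; bits outside the mask are ignored.
def flags_match(pkt_flags, want, mask):
    return all((bit in pkt_flags) == (bit in want) for bit in mask)

LOG_RE = re.compile(
    r"pf: \d+ rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) "
    r"on (?P<ifn>\w+): .*?proto TCP \(6\).*?\) (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<letters>[SFRPUWE.]+), (?P<rest>.*)$"
)

def parse_log(line):
    """Extract interface, endpoints and TCP flags from one pf TCP log line.

    tcpdump-style output prints SYN/FIN/RST/PSH as letters ('.' when none
    of them is set) and shows an ACK by printing an 'ack N' field.
    """
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a pf TCP log line in the expected format")
    flags = {c for c in m["letters"] if c != "."}
    if re.search(r"\back \d+", m["rest"]):
        flags.add("A")
    src_ip, _src_port = m["src"].rsplit(".", 1)
    dst_ip, dst_port = m["dst"].rsplit(".", 1)
    return {
        "ifn": m["ifn"], "src": src_ip, "dst": dst_ip,
        "dport": int(dst_port), "flags": flags, "logged_rule": int(m["rule"]),
    }

def first_match(rules, pkt):
    """Walk the (all 'quick') rules in order and return the number of the
    first one whose interface, destination, port and flags all match."""
    for r in rules:
        if r.get("ifn") not in (None, pkt["ifn"]):
            continue
        if r.get("dst") not in (None, pkt["dst"]):
            continue
        if r.get("dport") not in (None, pkt["dport"]):
            continue
        if "flags" in r:
            want, mask = r["flags"].split("/")
            if not flags_match(pkt["flags"], want, mask):
                continue
        return r["num"]
    return None

# Rule lists reconstructed from the excerpts in the thread (assumption:
# nothing in the elided rules between them would match these packets).
WAN_RULES = [
    {"num": 55, "ifn": "bge1", "dst": "10.x.y.z", "dport": 80, "flags": "S/SA"},
    {"num": 87, "ifn": "bge1"},
]
LAN_RULES = [
    {"num": 108, "ifn": "bge0", "flags": "S/SA"},
    {"num": 115},
]

# The two log lines quoted in the thread, masked addresses kept as written.
WAN_LOG = ("pf: 054917 rule 87/0(match): block in on bge1: (tos 0x0, ttl 245, "
           "id 11247, offset 0, flags [none], proto TCP (6), length 40) "
           "68.58.xx.xx.36288 > 10.x.y.z.80: R, cksum 0x5544 (correct), 0:0(0) win 0")
LAN_LOG = ("pf: 710005 rule 115/0(match): block in on bge0: (tos 0x0, ttl 63, "
           "id 14015, offset 0, flags [DF], proto TCP (6), length 64) "
           "10.x.y.z.80 > 72.30.xxx.xxx.54707: S, cksum 0xb09a (correct), "
           "1222312383:1222312383(0) ack 2341411941 win 49232 <nop,nop,timestamp "
           "12784312 1491842314,mss 1460,nop,wscale 0,nop,nop,sackOK>")

def explain(rules, line):
    """Return (tcp flags seen, rule the model matches, rule pf logged)."""
    pkt = parse_log(line)
    return pkt["flags"], first_match(rules, pkt), pkt["logged_rule"]

if __name__ == "__main__":
    for name, rules, line in (("WAN", WAN_RULES, WAN_LOG), ("LAN", LAN_RULES, LAN_LOG)):
        flags, matched, logged = explain(rules, line)
        print(f"{name}: flags={sorted(flags)} model matches rule {matched}, pf logged rule {logged}")
```

Run as a script, the model reproduces both log lines: the WAN packet is a bare RST (no SYN), and the LAN packet is a SYN/ACK (SYN with an ack field), so neither satisfies S/SA and each falls through to the later block rule; a plain SYN to 10.x.y.z port 80 on bge1 does match rule 55. When a pass rule with "flags S/SA keep state" is reported as not matching, checking the flags column of the logged packet this way is the first thing to look at before suspecting the rule order or the NAT.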
