Chris Watson wrote:

> # ipfstat -i
> pass in quick on lo0 from any to any
>
> #I added the following 3 as a catch-all just to see if I had a problem
> in my ruleset, by blocking something I shouldn't.
> #but they are not in the actual ruleset.
>
> pass in quick on rl0 proto tcp from any to any keep state
> pass in quick on rl0 proto udp from any to any keep state
> pass in quick on rl0 proto icmp from any to any keep state
>
>
> pass in quick on rl0 proto tcp from any to any port = 22 keep state
> pass in quick on rl0 proto tcp from any to any port = 25 keep state
> pass in quick on rl0 proto tcp/udp from any to any port = domain keep state
> pass in quick on rl0 proto tcp from any to any port = 80 keep state
> pass in quick on rl0 proto tcp from any to any port = 110 keep state
> pass in quick on rl0 proto tcp from any to any port = 143 keep state
> pass in quick on rl0 proto tcp from any to any port = 3128 keep state
+pass in quick on rl0 proto tcp from any to 66.178.44.105 port = 9090 keep state
+pass in quick on rl0 proto tcp from any to 200.99.90.217 port = 9877 keep state
+pass in quick on rl0 proto tcp from any to 200.99.90.209 port = 9877 keep state
> pass in quick on rl0 proto icmp from any to any icmp-type unreach
> pass in quick on rl0 proto icmp from any to any icmp-type timex
> pass in quick on dc0 proto icmp from any to any icmp-type unreach
> pass in quick on dc0 proto icmp from any to any icmp-type timex
> pass in quick on dc1 proto icmp from any to any icmp-type unreach
> pass in quick on dc1 proto icmp from any to any icmp-type timex
> pass in quick on dc0 proto tcp from any to any keep state
> pass in quick on dc0 proto udp from any to any keep state
> pass in quick on dc0 proto icmp from any to any keep state
> pass in quick on dc1 proto tcp from any to any keep state
> pass in quick on dc1 proto udp from any to any keep state
> pass in quick on dc1 proto icmp from any to any keep state
> pass in quick on dc0 proto tcp from any to any port = 22 keep state
> pass in quick on dc1 proto tcp from any to any port = 22 keep state
> [...]
> IPNat rules:
>
> map dc0 10.0.0.0/16 -> 66.178.44.108/32
> #map dc1 10.0.0.0/16 -> 200.99.90.211/32
> #rdr rl0 0.0.0.0/0 port 3128 -> 66.178.44.105 port 9090 tcp round-robin
> #rdr rl0 0.0.0.0/0 port 3128 -> 200.99.90.217 port 9877 tcp round-robin
> #rdr rl0 0.0.0.0/0 port 3128 -> 200.99.90.209 port 9877 tcp round-robin
+rdr rl0 0.0.0.0/0 port 3128 -> 66.178.44.105 port 9090 tcp round-robin
+rdr rl0 0.0.0.0/0 port 3128 -> 200.99.90.217 port 9877 tcp round-robin
+rdr rl0 0.0.0.0/0 port 3128 -> 200.99.90.209 port 9877 tcp round-robin
> The rdr's are commented since they obviously don't work.
> I just don't know why.

[...]

> Any ideas of what I have borked would be very much appreciated.

ipnat comes before ipf.

btw
Are you sure you want to 'pass in' everything from WAN interfaces?

--
hope this helps,
Slawek Piotrowski
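The ordering Slawek points at, as an added example that is not part of the thread: a toy model in which the rdr rewrite runs before the filter, so the original "port = 3128" pass rule never matches the redirected proxy traffic while the "+" rules do. Addresses, ports and rules are the ones quoted above; the client packets, the strict round-robin order and the block-by-default at the end of the ruleset are assumptions.

```python
"""Toy model of IPFilter ordering: ipnat rewrites an inbound packet before
ipf evaluates it. Constructed example, not the thread's own code."""
from itertools import cycle

# rdr rl0 0.0.0.0/0 port 3128 -> <target> tcp round-robin (three targets)
RDR_TARGETS = [("66.178.44.105", 9090), ("200.99.90.217", 9877), ("200.99.90.209", 9877)]

# Filter rules as (iface, proto, dst-or-None, dport-or-None); None means "any".
ORIGINAL_RULES = [("rl0", "tcp", None, 3128)]                                   # rule Chris had
FIXED_RULES = ORIGINAL_RULES + [("rl0", "tcp", d, p) for d, p in RDR_TARGETS]   # plus the '+' lines


def make_rdr(targets):
    """Model of the rdr rules: rewrite matching packets, cycling through targets."""
    ring = cycle(targets)  # assumption: one target per new session, strict alternation

    def rdr(pkt):
        if pkt["if"] == "rl0" and pkt["proto"] == "tcp" and pkt["dport"] == 3128:
            dst, dport = next(ring)
            return {**pkt, "dst": dst, "dport": dport}
        return pkt
    return rdr


def ipf_pass(pkt, rules):
    """True if some 'pass in quick' rule matches; assumes a trailing block-all."""
    return any(pkt["if"] == iface and pkt["proto"] == proto
               and (dst is None or pkt["dst"] == dst)
               and (dport is None or pkt["dport"] == dport)
               for iface, proto, dst, dport in rules)


def inbound(pkt, rdr, rules):
    """ipnat first, then ipf: return (packet as ipf saw it, passed?)."""
    nat = rdr(pkt)
    return nat, ipf_pass(nat, rules)


def simulate(rules, sessions=3):
    """Push `sessions` new proxy connections through rdr, then through the filter."""
    rdr = make_rdr(RDR_TARGETS)
    out = []
    for i in range(sessions):
        # constructed client; pre-NAT dst is a placeholder for rl0's own address
        pkt = {"if": "rl0", "proto": "tcp", "src": f"198.51.100.{i + 1}",
               "dst": "192.0.2.1", "dport": 3128}
        nat, passed = inbound(pkt, rdr, rules)
        out.append((nat["dst"], nat["dport"], passed))
    return out


if __name__ == "__main__":
    print("original:", simulate(ORIGINAL_RULES))   # every session blocked
    print("with '+' lines:", simulate(FIXED_RULES))  # every session passed
```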
