What the output tells you is that only your log and block rules are being hit. None of the traffic seen during your sample matches your pass rules.
Most of the pass rules aren't going to pass traffic as (I think) you intend, because you've set source port requirements that clients typically don't use. I would re-write them without the source port requirements, or with a source port requirement of >1023. For example:

  @17 pass out quick on hme0 proto tcp from 172.16.0.0/16 port = smtp to any port = smtp keep state

This rule has both source and destination ports set as 25 (smtp). Systems won't be using smtp as the source port when mailing, they'll be using an ephemeral port. The rule should (if I understand your intent) read:

  @17 pass out quick on hme0 proto tcp from 172.16.0.0/16 to any port = smtp keep state

or

  @17 pass out quick on hme0 proto tcp from 172.16.0.0/16 port >1023 to any port = smtp keep state

Likewise,

  @41 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.158/32 port = ssh keep state
  @42 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.158/32 port = 80 keep state

should be written:

  @41 pass in quick on hme0 proto tcp from any to 68.16.185.158/32 port = ssh keep state
  @42 pass in quick on hme0 proto tcp from any to 68.16.185.158/32 port = 80 keep state

Hope that helps.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of mdpeters
Sent: Monday, January 22, 2007 6:29 PM
To: [email protected]
Subject: Re: Where did I go wrong?

Here is the ipfstat output as requested. What does this really tell me?

# ipfstat -ionh
5251 @1 log level local7.debug out on qfe0 all
0 @2 log level local7.debug out on qfe2 all
1541 @3 log level local7.debug out on hme0 all
1541 @4 block out on hme0 all
>> Shows the rule hit counts for each of the rules.
0 @5 block out log quick on hme0 from any to 192.168.0.0/16
0 @6 block out log quick on hme0 from any to 172.16.0.0/12
0 @7 block out log quick on hme0 from any to 10.0.0.0/8
0 @8 block out log quick on hme0 from any to 127.0.0.0/8
0 @9 block out log quick on hme0 from any to 0.0.0.0/8
0 @10 block out log quick on hme0 from any to 169.254.0.0/16
0 @11 block out log quick on hme0 from any to 192.0.2.0/24
0 @12 block out log quick on hme0 from any to 204.152.64.0/23
>> The previous shows that ipfilter saw no traffic matching rules 5-12.
1541 @13 block out log quick on hme0 from any to 224.0.0.0/3
>> All traffic seen on hme0 was destined for 224/3 address space and was dropped.
5264 @14 pass out quick on qfe0 all
>> qfe0 parsed 5264 outbound packets
0 @15 pass out quick on qfe2 all
0 @16 pass out quick on lo0 all
0 @17 pass out quick on hme0 proto tcp from 172.16.0.0/16 port = smtp to any port = smtp keep state
>> This rule will likely never be hit, as it shouldn't have smtp as the source port.
0 @18 pass out quick on hme0 proto tcp from 172.16.0.0/16 port = domain to any port = domain keep state
0 @19 pass out quick on hme0 proto udp from 172.16.0.0/16 port = domain to any port = domain
>> The previous 2 rules will very infrequently be hit, as generally, only server to server
>> DNS communication uses both source and destination port 53.
>> Clients typically use ephemeral source ports. They weren't hit at all during your sample.
0 @20 pass out quick on hme0 proto tcp/udp from 192.168.200.0/24 port = ntp to any port = ntp
>> As with mail and DNS, ntp clients don't typically use 123 as the source port.
0 @21 pass out quick on hme0 proto tcp from 172.16.0.0/12 to any keep state
0 @22 pass out quick on hme0 proto udp from 172.16.0.0/12 to any
0 @23 pass out quick on hme0 proto icmp from 172.16.0.0/12 to any keep state
>> No traffic from the source networks listed above was seen on interface hme0
7004 @1 log level local7.debug in on qfe0 all
>> 7004 packets were seen and logged inbound on qfe0
0 @2 log level local7.debug in on qfe2 all
0 @3 log level local7.debug in on hme0 all
0 @4 block in on hme0 all
0 @5 block in log quick on hme0 from 192.168.0.0/16 to any
0 @6 block in log quick on hme0 from 172.16.0.0/12 to any
0 @7 block in log quick on hme0 from 10.0.0.0/8 to any
0 @8 block in log quick on hme0 from 127.0.0.0/8 to any
0 @9 block in log quick on hme0 from 0.0.0.0/8 to any
0 @10 block in log quick on hme0 from 169.254.0.0/16 to any
0 @11 block in log quick on hme0 from 192.0.2.0/24 to any
0 @12 block in log quick on hme0 from 204.152.64.0/23 to any
0 @13 block in log quick on hme0 from 224.0.0.0/3 to any
0 @14 block in quick on hme0 proto tcp from any port = 113 to any
0 @15 block in log quick from any to any with short
0 @16 block in log quick on hme0 from any to 68.16.185.128/27
0 @17 block in log quick on hme0 proto icmp from any to any
0 @18 block in log quick on hme0 proto tcp from any to any port = telnet
0 @19 block in log quick on hme0 proto tcp/udp from any to any port = sunrpc
0 @20 block in log quick on hme0 proto tcp from any to any port = login
0 @21 block in log quick on hme0 proto tcp/udp from any to any port = 514
0 @22 block in log quick on hme0 proto tcp from any to any port = printer
0 @23 block in log quick on hme0 proto tcp from any to any port = 1214
0 @24 block in log quick on hme0 proto tcp/udp from any to any port = nfsd
0 @25 block in log quick on hme0 proto tcp from any to any port = 4661
0 @26 block in log quick on hme0 proto tcp from any to any port = 4662
0 @27 block in log quick on hme0 proto udp from any to any port = 4665
0 @28 block in log quick on hme0 proto tcp from any to any port = 5190
0 @29 block in log quick on hme0 proto udp from any to any port = 4000
0 @30 block in log quick on hme0 proto tcp from any to any port = 6000
0 @31 block in log quick on hme0 proto udp from any to any port = 8998
>> No inbound traffic matched the previous rules on hme0.
>> Because no block rules were hit, the packet will have to work its way
>> through the rest of the rules. Until now, it's only logged, not passed.
7038 @32 pass in quick on qfe0 from any to any
>> 7038 packets were seen on qfe0
0 @33 pass in quick on qfe2 from any to any
0 @34 pass in quick on lo0 all
0 @35 pass in quick on hme0 proto tcp from any port = smtp to 68.16.185.134/32 port = smtp keep state
0 @36 pass in quick on hme0 proto udp from any port = domain to 68.16.185.134/32 port = domain keep state
0 @37 pass in quick on hme0 proto udp from any port = domain to 68.16.185.134/32 port = domain
0 @38 pass in quick on hme0 proto tcp from any port = ntp to 68.16.185.134/32 port = ntp keep state
0 @39 pass in quick on hme0 proto udp from any port = 443 to 68.16.185.135/32 port = 443 keep state
0 @40 pass in quick on hme0 proto udp from any port = 22 to 68.16.185.135/32 port = 22 keep state
0 @41 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.158/32 port = ssh keep state
0 @42 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.158/32 port = 80 keep state
0 @43 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.158/32 port = 443 keep state
0 @44 pass in quick on hme0 proto tcp from any port = 12345 to 68.16.185.158/32 port = 12345 keep state
0 @45 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.154/32 port = ssh keep state
0 @46 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.154/32 port = 80 keep state
0 @47 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.154/32 port = 443 keep state
0 @48 pass in quick on hme0 proto tcp from any port = 12345 to 68.16.185.154/32 port = 12345 keep state
0 @49 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.136/32 port = ssh keep state
0 @50 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.136/32 port = 80 keep state
0 @51 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.136/32 port = 443 keep state
0 @52 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.140/32 port = ssh keep state
0 @53 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.140/32 port = 80 keep state
0 @54 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.140/32 port = 443 keep state
0 @55 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.141/32 port = ssh keep state
0 @56 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.141/32 port = 80 keep state
0 @57 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.141/32 port = 443 keep state
0 @58 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.142/32 port = ssh keep state
0 @59 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.142/32 port = 80 keep state
0 @60 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.142/32 port = 443 keep state
0 @61 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.143/32 port = ssh keep state
0 @62 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.143/32 port = 80 keep state
0 @63 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.143/32 port = 443 keep state
0 @64 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.144/32 port = ssh keep state
0 @65 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.144/32 port = 80 keep state
0 @66 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.144/32 port = 443 keep state
0 @67 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.145/32 port = ssh keep state
0 @68 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.145/32 port = 80 keep state
0 @69 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.145/32 port = 443 keep state
0 @70 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.146/32 port = ssh keep state
0 @71 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.146/32 port = 80 keep state
0 @72 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.146/32 port = 443 keep state
0 @73 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.147/32 port = ssh keep state
0 @74 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.147/32 port = 80 keep state
0 @75 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.147/32 port = 443 keep state
0 @76 pass in quick on hme0 proto tcp from any port = ssh to 68.16.185.148/32 port = ssh keep state
0 @77 pass in quick on hme0 proto tcp from any port = 80 to 68.16.185.148/32 port = 80 keep state
0 @78 pass in quick on hme0 proto tcp from any port = 443 to 68.16.185.148/32 port = 443 keep state
>> None of the previous rules were matched. It looks like most of your rules are written
>> with improper source port requirements.
>>Snipped for brevity<<
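To make the reply's point about source ports concrete, here is an added example (not code from the thread or from ipfilter itself): a small Python matcher for the subset of ipf rule syntax used above, with ipf's last-match-wins/quick semantics, run against rule @17 as posted and as the reply rewrites it. The parser, the service table and the packet values (172.16.5.10, 198.51.100.25, source port 49152) are assumptions constructed for the demonstration.

```python
import ipaddress
import re
# Service names the thread's rules use, resolved as ipf would via /etc/services
SERVICES = {"smtp": 25, "domain": 53, "ntp": 123, "ssh": 22}
# Hypothetical parser for the subset of ipf rule syntax seen in the thread (not ipf's own code)
RULE_RE = re.compile(
    r"^@(?P<num>\d+) (?P<action>pass|block) (?P<dir>in|out)(?: log(?: level \S+)?)?"
    r"(?P<quick> quick)? on (?P<iface>\S+)(?: proto (?P<proto>\S+))? "
    r"(?:all|from (?P<src>\S+)(?: port (?P<sop>[=<>]+) ?(?P<sport>\S+))?"
    r" to (?P<dst>\S+)(?: port (?P<dop>[=<>]+) ?(?P<dport>\S+))?)(?: keep state)?$")
def _addr_ok(spec, addr):
    return spec in (None, "any") or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)
def _port_ok(op, want, port):
    if op is None:                       # no port clause: any port matches
        return True
    want = SERVICES.get(want) or int(want)
    return {"=": port == want, ">": port > want, "<": port < want}[op]

def rule_matches(r, pkt):
    if r["dir"] != pkt["dir"] or r["iface"] != pkt["iface"]:
        return False
    if r["proto"] and pkt["proto"] not in r["proto"].split("/"):  # 'tcp/udp' means either
        return False
    return (_addr_ok(r["src"], pkt["src"]) and _addr_ok(r["dst"], pkt["dst"])
            and _port_ok(r["sop"], r["sport"], pkt["sport"])
            and _port_ok(r["dop"], r["dport"], pkt["dport"]))

def evaluate(rules, pkt):
    """ipf semantics: the last match wins, unless a matching 'quick' rule ends it first."""
    result = ("pass", None)              # ipf's compiled-in default when nothing matches
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m:
            raise ValueError("unsupported rule: " + rule)
        r = m.groupdict()
        if rule_matches(r, pkt):
            result = (r["action"], int(r["num"]))
            if r["quick"]:
                break
    return result                        # (action, rule number)
# Rule @17 as posted and as the reply rewrites it, each behind the thread's catch-all @4
ORIGINAL = ["@4 block out on hme0 all",
            "@17 pass out quick on hme0 proto tcp from 172.16.0.0/16 port = smtp to any port = smtp keep state"]
REWRITTEN = ["@4 block out on hme0 all",
             "@17 pass out quick on hme0 proto tcp from 172.16.0.0/16 port >1023 to any port = smtp keep state"]

def outbound_smtp(sport):
    """Constructed outbound SMTP packet from an internal mail client, with the given source port."""
    return {"dir": "out", "iface": "hme0", "proto": "tcp", "src": "172.16.5.10",
            "sport": sport, "dst": "198.51.100.25", "dport": 25}
```

With an ephemeral source port the posted rule never matches and the packet falls through to @4 (block), while the rewrite passes it at @17; with source port 25 the posted rule passes and the >1023 rewrite blocks, so the two rewrites the reply offers differ only for server-to-server mail.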
