Here are my rules (without the macro and table definitions, which come before them; sensitive rules are hidden, but they follow the same template as the shown rules and sit in the same place):
##
## Options
##
set skip on lo0
set block-policy drop
set limit { states 50000, frags 20000, src-nodes 40000, table-entries 600000 }

##
## NAT /!\ always before filtering! /!\
##
pass out quick proto tcp from $iogspriv_addr to !$priv_addr port { $smtp_ports $mail_ports $ldap_ports 16286 16287 22745 22734 49157 } nat-to $natto_iface
pass out quick proto tcp from $priv_addr to !$priv_addr port { ssh } nat-to $natto_iface
pass out quick proto tcp from <serviceinfo> to !$priv_addr port { $tse_port } nat-to $natto_iface
pass out quick proto { tcp udp } from <icloud_allowed_clients> to <icloud> port { https $jabber_ports 16384 16385 16386 16387 } nat-to $natto_iface
pass out quick proto icmp to { !$priv_addr } nat-to $natto_iface
pass out quick proto tcp from $administration to <socgen> nat-to $natto_iface

##
## Filtering
##
#
# Default rules (incoming blocked and logged, outgoing allowed)
#
block in log all
pass out quick all
pass in quick on $internet_iface
pass in quick on $internet_carp_iface
pass in quick on $proxy_iface
pass in quick on $lan_iface
pass in quick proto carp
pass in quick on $lan_iface proto pfsync

# antispoofing, for hackers
#antispoof log for $clientlan_ifaces

block in quick from $poubelle
pass in quick proto icmp
pass in quick proto tcp to $proxy_addr
pass in quick proto tcp to { $proxy_addr1 $proxy_addr2 } port { 3128 http }
pass in quick from { $srv_gw1 $srv_gw2 }
pass in quick from <serviceinfo> to { $lan_addrs $toip_srv }
pass in quick from { $lan_addrs $toip_srv } to <serviceinfo>
pass in quick proto udp to port { bootps bootpc domain ntp }
pass in quick proto tcp from $srv_monitor
pass in quick proto tcp to $srv_monitor
pass in quick proto { tcp udp } from { $srv_logs $srv_ads } to { $srv_gw1 $srv_gw2 $priv_addr }
pass in quick proto { tcp udp } from { $srv_gw1 $srv_gw2 $priv_addr } to { $srv_logs $srv_ads }

# Servers reachable from the whole LAN over TCP
pass in quick proto tcp from { $srv_debian_repo $srv_ftp $srv_cloud } to $priv_addr
pass in quick proto tcp from $priv_addr to { $srv_debian_repo $srv_ftp $srv_cloud }

# Servers reachable from the whole LAN over UDP
pass in quick proto udp from { $srv_logs $srv_serveurmac } to $priv_addr
pass in quick proto udp from $priv_addr to { $srv_logs $srv_serveurmac }

# file servers & Windows shares (Zeus/Hera)
pass in quick from $srv_fichiers_adm to { }
pass in quick from { } to $srv_fichiers_adm
pass in quick from $srv_fichiers_ecole to { }
pass in quick from { } to $srv_fichiers_ecole

# view + physical
pass in quick from { } to { $view }
pass in quick from { $view } to { }

pass in proto { tcp udp } from <icloud_allowed_clients> to <icloud> port { https 5223 16384 16385 16386 16387 }
pass in proto { tcp udp } from <icloud> port { https 5223 16384 16385 16386 16387 } to <icloud_allowed_clients>
pass in proto tcp from $priv_addr to port { ssh $ldap_ports $smtp_ports $mail_ports $pcoip_ports $tse_port }
pass in proto tcp from port { ssh $ldap_ports $smtp_ports $mail_ports $pcoip_ports $tse_port } to $priv_addr
pass in proto tcp from $priv_addr to { $kms }
pass in proto tcp from { $kms } to $priv_addr

##
## RDR web
##
pass in quick proto tcp from !$proxy_addr to any port 80 rdr-to $proxy_addr port 3128

--
Regards,
Loïc BLOT, UNIX systems, security and network expertise
Frost Sapphire Studios

On Tuesday 27 November 2012 at 08:45 +0100, Laurent Caron (Mobile) wrote:
> "Loïc BLOT" <loic.b...@frostsapphirestudios.com> wrote:
>
> >Hello to OpenBSD users,
> >
> >I have a little problem, I think it's linked with PF, but I have no
> >proof. The system is OpenBSD 5.1 but OpenBSD 5.2 gets the same thing (with
> >a different card, 5.1 uses bnx and 5.2 uses em).
> >I have a router with squid proxy, named and isc-dhcpd. The problem is,
> >sometimes I get "no route to host" for some transmissions (often on the
> >proxy), but randomly. Our connection is perfectly stable (Renater 1Gbit
> >fiber connection), and the routes are static and right.
> >When squid says no route to host and I refresh the page, it works. I
> >think it's a packet filter problem. Nmap sometimes has the same problem
> >and says no route to host when I try to scan. Example:
> >
> >Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:56 CET
> >sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, aaa.bbb.ccc.20,
> >16) => No route to host
> >Offending packet: TCP xxx.yyy.zzz.1:42282 > aaa.bbb.ccc.20:5200 S
> >ttl=37
> >id=32702 iplen=44 seq=2453102157 win=2048 <mss 1460>
> >Sleeping 15 seconds then retrying
> >
> >This scan was realized in two different networks, but in this capture,
> >this is the same network.
> >
> >Starting Nmap 5.51 ( http://nmap.org ) at 2012-11-26 23:58 CET
> >sendto in send_ip_packet_sd: sendto(4, packet, 44, 0, xxx.yyy.zzz.50,
> >16) => No route to host
> >Offending packet: TCP xxx.yyy.zzz.1:49053 > xxx.yyy.zzz.50:161 S ttl=52
> >id=62248 iplen=44 seq=3073961720 win=1024 <mss 1460>
> >Sleeping 15 seconds then retrying
> >
> >I don't have the problem with pf disabled.
> >
> >All my outgoing packets are allowed and some are NATed.
> >
> >Where do you think the problem comes from?
> >
> >Thanks in advance.
> >
> >Loïc Blot,
> >UNIX systems engineer.
>
> Hello Loïc
>
> What does your ruleset look like?
>
> Do you have a log of rejected packets (tcpdump on pflog0)?
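To act on Laurent's pflog question, here is an added example (mine, not from the thread) that parses `tcpdump -n -e -ttt -i pflog0` output and separates blocked outbound packets sourced from the router's own address from ordinary inbound drops; on OpenBSD a locally generated packet that pf drops on output is returned to the sending socket as EHOSTUNREACH, which is the "No route to host" that nmap and squid report. The log lines, addresses (RFC 5737 ranges) and rule numbers are constructed.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (not from the
# thread); addresses are RFC 5737 placeholders and rule numbers are made up.
SAMPLE_PFLOG = """\
Nov 27 08:45:01.000001 rule 0/(match) block in on em0: 192.0.2.99.53021 > 198.51.100.1.22: S 10:10(0) win 1024
Nov 27 08:45:02.000002 rule 7/(match) block out on em0: 198.51.100.1.42282 > 203.0.113.20.5200: S 2453102157:2453102157(0) win 2048 <mss 1460>
Nov 27 08:45:02.500000 rule 7/(match) block out on em0: 198.51.100.1.49053 > 198.51.100.50.161: S 3073961720:3073961720(0) win 1024 <mss 1460>
Nov 27 08:45:03.000003 rule 0/(match) block in on em0: 192.0.2.99 > 198.51.100.1: icmp: echo request
Nov 27 08:45:04.000004 rule 2/(match) pass out on em0: 198.51.100.1.51000 > 203.0.113.20.80: S 11:11(0) win 16384
"""

# Fixed prefix of every pflog line; the protocol-specific tail is ignored.
PFLOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) (?P<action>block|pass|match) "
    r"(?P<dir>in|out) on (?P<iface>\S+): (?P<src>\S+) > (?P<dst>\S+):"
)

def split_addr(addr):
    """'198.51.100.1.42282' -> ('198.51.100.1', 42282); IPv4 with no port -> (addr, None)."""
    host, _, port = addr.rpartition(".")
    if port.isdigit() and host.count(".") == 3:
        return host, int(port)
    return addr, None

def parse_pflog(text):
    """Turn tcpdump pflog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = PFLOG_RE.search(line)
        if not m:
            continue
        src, sport = split_addr(m["src"])
        dst, dport = split_addr(m["dst"])
        records.append({"rule": int(m["rule"]), "action": m["action"], "dir": m["dir"],
                        "iface": m["iface"], "src": src, "sport": sport, "dst": dst, "dport": dport})
    return records

def block_summary(records):
    """Blocked packets per (rule number, direction, interface): shows which rule fires."""
    return Counter((r["rule"], r["dir"], r["iface"]) for r in records if r["action"] == "block")

def local_out_blocks(records, local_addrs):
    """Blocked outbound packets sourced from the router itself: on OpenBSD these drops
    reach the sending process as EHOSTUNREACH, i.e. the 'No route to host' seen above."""
    return [r for r in records
            if r["action"] == "block" and r["dir"] == "out" and r["src"] in local_addrs]
```

Feed it `tcpdump -n -e -ttt -r /var/log/pflog` output instead of the sample and pass the router's own addresses to `local_out_blocks`; a non-empty result names the rule number to look up with `pfctl -vvsr`.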