On Tue, 28 Oct 2014 13:40:52 -0400 trondd <tro...@gmail.com> wrote:

> Are you telnetting to the external IP of the server from the internal
> client?
Yes. Actually I've tried using the external IP and the internal IP. Both have the same result: telnet says 'telnet: Unable to connect to remote host: Connection refused'. Telnetting from an external machine works fine.

> Have you enabled logging in pf? Are the packets blocked or are they passed
> by a different rule that doesn't give the expected results?

Yes, I've enabled logging and I see various items such as:

ju...@server-55.my.domain:~ > sudo tcpdump -v -i pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
18:51:26.909339 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29686, len 48)
18:51:27.465183 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29765, len 48)
18:51:27.909397 142-93-134-95.pool.ukrtel.net.4758 > 82-68-48-10.dsl.in-addr.zen.co.uk.microsoft-ds: S [tcp sum ok] 3330667214:3330667214(0) win 65535 <mss 1440,nop,nop,sackOK> (DF) [tos 0xc] (ttl 117, id 29841, len 48)

But I don't see anything when the internal connection is refused.
I enabled logging with:

sudo ifconfig pflog0 up
sudo tcpdump -v -i pflog0

For completeness, here's my pf.conf:

========
int_if="sk0"
ext_if="rl0"
tcp_services="{ 22, 80, 113 }"
icmp_types="echoreq"

# options
set block-policy return
set loginterface egress
set skip on lo

# match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
    port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types

# Redirect Undo keyserver connections to pc5:
pass in on egress proto tcp from any to any port 5281 rdr-to pc5 port 5281

# Attempting to allow 5281 to forward to pc5 from internal network. But doesn't
# work...
pass in on $int_if proto tcp from $int_if:network to $ext_if port 5281 rdr-to pc5
pass out on $int_if proto tcp to pc5 port 5281 received-on $int_if nat-to $int_if
#pass out on egress proto tcp from any to any port 5281 received-on $int_if nat-to $int_if

pass in on $int_if

# for our ftp server.
pass in on egress proto tcp to port 21
pass in on egress proto tcp to port > 49151
pass in on rl0 proto tcp to port 21
pass in on rl0 proto tcp to port > 49151
========

Many thanks,

- Julian

-- 
http://op59.net
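The point the second question in the quoted reply is driving at is how pf picks the rule that applies: rules are evaluated top to bottom and the last matching rule decides, unless a matching rule carries quick, which ends evaluation immediately. The following is an added toy model of that evaluation order, written for this thread and not code from the mailing list or from OpenBSD; it only models direction, interface, destination address, destination port, quick, log, rdr-to and nat-to, and the addresses for the firewall and pc5 are constructed stand-ins, not the poster's real ones. It runs the posted inbound rules against an internal client's SYN to the external address on port 5281: in the posted order the later generic "pass in on $int_if" also matches and, having no rdr-to, is the rule that wins, and because the winning rule is a pass without log nothing reaches pflog0, which is consistent with the empty tcpdump the poster reports. Putting quick on the redirect rule changes the outcome in the model. The outbound side shows the same mechanism the other way round: "pass out quick" sits before the nat-to rule, so the nat-to rule is never reached.

```python
"""Toy model of pf rule selection: last match wins unless a rule is 'quick'.

Added example for the thread above, not code from the post or from OpenBSD.
Addresses below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" or "out"
    iface: str              # interface the packet is seen on
    dst: str                # destination address
    dport: int              # destination TCP port


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    direction: str                  # "in" or "out"
    iface: Optional[str] = None     # None = any interface
    dst: Optional[str] = None       # None = any destination
    dport: Optional[int] = None     # None = any port
    quick: bool = False             # stop evaluation when this rule matches
    log: bool = False               # a 'log' rule would show up on pflog0
    rdr_to: Optional[str] = None    # rdr-to target, if any
    nat_to: Optional[str] = None    # nat-to source, if any

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.iface in (None, pkt.iface)
                and self.dst in (None, pkt.dst)
                and self.dport in (None, pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Scan rules in order; the last matching rule wins unless a matching
    rule is 'quick', in which case evaluation stops at that rule."""
    winner = None
    for rule in rules:
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break
    return winner


def decision(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str], Optional[str], bool]:
    """Summarise the outcome as (action, rdr-to target, nat-to source, logged?)."""
    rule = evaluate(rules, pkt)
    if rule is None:
        return ("pass", None, None, False)   # pf passes when no rule matches
    return (rule.action, rule.rdr_to, rule.nat_to, rule.log)


# Constructed interface names and addresses (the real ones are not needed here).
INT_IF, EXT_IF = "sk0", "rl0"
EXT_ADDR = "203.0.113.10"   # stand-in for the firewall's external address
INT_ADDR = "192.168.1.1"    # stand-in for $int_if's address
PC5 = "192.168.1.5"         # stand-in for pc5

# Inbound rules from the posted pf.conf that can match an internal client
# connecting to the external address on 5281, in the posted order.
POSTED_IN = [
    Rule("block", "in", log=True),
    Rule("pass", "in", INT_IF, EXT_ADDR, 5281, rdr_to=PC5),
    Rule("pass", "in", INT_IF),                    # later, more general, also matches
]

# Same rules, with 'quick' on the redirect so the later generic pass cannot win.
QUICK_IN = [
    Rule("block", "in", log=True),
    Rule("pass", "in", INT_IF, EXT_ADDR, 5281, quick=True, rdr_to=PC5),
    Rule("pass", "in", INT_IF),
]

# Outbound rules in posted order: 'pass out quick' precedes the nat-to rule.
POSTED_OUT = [
    Rule("pass", "out", quick=True),
    Rule("pass", "out", INT_IF, PC5, 5281, nat_to=INT_ADDR),
]

CLIENT_SYN = Packet("in", INT_IF, EXT_ADDR, 5281)      # internal client -> external IP
REFLECTED_SYN = Packet("out", INT_IF, PC5, 5281)       # the same connection leaving to pc5
UNSOLICITED = Packet("in", EXT_IF, EXT_ADDR, 9999)     # random inbound probe on egress

if __name__ == "__main__":
    print("posted inbound order :", decision(POSTED_IN, CLIENT_SYN))
    print("quick on redirect    :", decision(QUICK_IN, CLIENT_SYN))
    print("posted outbound order:", decision(POSTED_OUT, REFLECTED_SYN))
    print("unsolicited on egress:", decision(POSTED_IN, UNSOLICITED))
```

The same ordering can be checked on the real system by reading the loaded rules in evaluation order with pfctl -sr, or by syntax-checking a candidate file without loading it using pfctl -nf /etc/pf.conf; both are existing pfctl options. The model deliberately leaves out state tracking and the expansion of egress and interface names, which the real pf does but which do not change which of these rules is evaluated last.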