Hello: I've been trying to diagnose this problem for some time and I can't even get debugging info out of this box. I'm really thinking that I'm missing something simple, but can't see it for the trees.
Here's the setup.

    inet ------ andrew ------ xander
                  |
                  ------------ users

I'm trying to set up andrew (OBSD 3.5) as the DMZ (finally getting around to it). Xander (OBSD 3.7) is going to be my webserver, etc box. Please don't say upgrade, that'll happen when 3.9 comes out.

Everything is working, NAT, RDR for the other stuff, just not the web server. I've tried some variations for rdr, used rdr pass, etc, but nothing in the logs. I use:

    tcpdump -n -e -ttt -i pflog0 port 80

Which I believe is correct. But, nothing shows in the logs even though I'm telling pf, pass in log quick ... for port 80. Plus xander is told to let port 80 through and it does so when I plug in his internal address. So, this is an andrew problem. But, this is as far as I've been able to take it. Hopefully, I'm not doing something entirely stupid.

Here is xander's pf.conf:

    incoming_if = "ne3"
    bittorrent = "{ 49150, 49151, 49152, 49153, 49154, 49155, 49156, 49157, 49158, 49159, 49160, 49161, 49162, 49163, 49164, 49165 }"

    set block-policy return
    set loginterface $incoming_if

    scrub in all max-mss 1452
    scrub out all max-mss 1452

    block log all
    pass quick on lo0 all

    pass in on $incoming_if proto tcp from any to any port $bittorrent flags S/SA keep state
    pass in on $incoming_if proto tcp from any to any port ssh flags S/SA keep state
    #****************************
    pass in log quick on $incoming_if proto tcp from any to any port 80 flags S/SA keep state

    pass out on $incoming_if from any to any flags S/SA keep state

Here is andrew's pf.conf:

    # macros
    int_if = "xl0"
    ext_if = "tun0"
    xander = 192.168.0.2
    giles = 192.168.0.1
    tcp_services = "{ 22, 25 }"
    bittorrent = "{ 49150, 49151, 49152, 49153, 49154, 49155, 49156, 49157, 49158, 49159, 49160, 49161, 49162, 49163, 49164, 49165 }"
    bittorrentstart = 49150
    msn = "{ 6891, 6892, 6893, 6894, 6895, 6896, 6897, 6898, 6899, 6900 }"
    msnStart = 6891
    icmp_types = "echoreq"
    priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

    set block-policy return
    set loginterface $ext_if

    scrub in all max-mss 1452
    scrub out all max-mss 1452

    altq on $ext_if cbq bandwidth 320Kb qlimit 100 queue { std_out, ssh_out, dns_out, tcp_ack_out, btorrent_out, tcp_serv_out }
    queue std_out bandwidth 40% cbq(default, borrow)
    queue tcp_serv_out bandwidth 10% cbq(borrow)
    queue ssh_out bandwidth 10% cbq(ecn, borrow)
    queue dns_out bandwidth 10% cbq(borrow)
    queue tcp_ack_out bandwidth 10% cbq(borrow)
    queue btorrent_out bandwidth 20% cbq(ecn, borrow)

    altq on $int_if cbq bandwidth 100Mb qlimit 100 queue { std }
    queue std cbq(default)

    # nat/rdr
    nat on $ext_if from $int_if:network to any -> ($ext_if)
    rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
        port 8021
    rdr on $ext_if proto tcp from any to any port $bittorrent -> $xander port $bittorrentstart:*
    #********************
    rdr pass on $ext_if proto tcp from any to any port 80 -> $xander port 80
    rdr on $ext_if proto tcp from any to any port $msn -> $giles port $msnStart:*
    rdr on $ext_if proto tcp from any to any port 49166 -> 192.168.0.10 port 49166
    rdr on $ext_if proto udp from any to any port 49166 -> 192.168.0.10 port 49166

    # filter rules
    block log all
    pass quick on lo0 all

    #***********************
    # I tried this with just rdr and rdr without this.
    # Neither worked
    #pass in log quick on $ext_if proto tcp from any to any port 80 \
    #    flags S/SA synproxy state queue tcp_serv_out

    pass in quick on $ext_if proto tcp from any to $xander \
        port $bittorrent flags S/SA synproxy state queue btorrent_out
    pass in quick on $ext_if proto { tcp, udp } from any to $giles \
        port $msn flags S/SA synproxy state queue btorrent_out
    pass in quick on $ext_if proto tcp from any to 192.168.0.10 \
        port 49166 flags S/SA synproxy state queue btorrent_out
    pass in quick on $ext_if proto tcp from any to $ext_if \
        port 49166 flags S/SA keep state queue btorrent_out
    pass in quick on $ext_if proto udp from any to 192.168.0.10 \
        port 49166 synproxy state queue btorrent_out
    pass in quick on $ext_if proto udp from any to $ext_if \
        port 49166 keep state queue btorrent_out

    block drop in log quick on $ext_if from $priv_nets to any
    block drop out log quick on $ext_if from any to $priv_nets
    block drop in log quick on $ext_if inet proto tcp from any to ($ext_if) port ssh

    pass in on $ext_if inet proto tcp from any to ($ext_if) \
        port $tcp_services flags S/SA keep state queue tcp_serv_out
    pass in inet proto icmp all icmp-type $icmp_types keep state queue std_out

    pass in on $int_if from $int_if:network to any keep state queue std_out
    pass out on $int_if from any to $int_if:network keep state queue std_out
    pass in on $int_if from $int_if:network to $int_if:network keep state queue std
    pass out on $int_if from $int_if:network to $int_if:network keep state queue std

    pass out on $ext_if proto tcp all modulate state flags S/SA queue std_out
    pass out on $ext_if inet proto tcp from any to any flags S/SA \
        keep state queue(std_out, tcp_ack_out)
    pass out on $ext_if inet proto { udp, icmp } all keep state queue std_out
    pass out on $ext_if inet proto { tcp, udp } from any to any port domain \
        keep state queue(dns_out)
    pass out on $ext_if inet proto tcp from any to any port ssh \
        flags S/SA keep state queue(std_out, ssh_out)

best regards,
Reid Nichol
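An added example, not Reid's configuration, showing a port-80 redirect to a DMZ web server for the same inet/andrew/xander topology: the filter rule is written against the translated destination, and the "reflection" rules from the PF FAQ cover LAN clients that connect to the public address (their packets never arrive on the external interface, so an rdr on $ext_if alone cannot match them). Macro names follow the post; the interface names, the 192.168.0.0/24 network and the addresses are assumptions.

```pf
# Added example (not the poster's pf.conf): port-80 redirect to a DMZ
# web server for the inet -- andrew -- xander topology in the post.
# Macro names follow the post; interface names and addresses are assumed.
ext_if  = "tun0"
int_if  = "xl0"
int_net = "192.168.0.0/24"
xander  = "192.168.0.2"

# --- translation ---------------------------------------------------
# Internet clients: rewrite the public address to the DMZ host.
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $xander port 80

# LAN clients that use the public address never cross $ext_if, so the
# rule above cannot see them. "Reflection" (PF FAQ): redirect on the
# internal interface too, and source-NAT so xander's replies come back
# through the firewall instead of going straight to the LAN client.
rdr on $int_if proto tcp from $int_net to ($ext_if) port 80 -> $xander port 80
no nat on $int_if proto tcp from $int_if to $int_net
nat on $int_if proto tcp from $int_net to $xander port 80 -> $int_if

# --- filtering -----------------------------------------------------
block log all
pass quick on lo0 all

# Filter rules are evaluated after translation, so match the translated
# destination ($xander), not the public address. A plain "rdr" (without
# "pass") hands the packet to these rules; that is what makes "log" here
# and "block log all" above show up on pflog0. "rdr pass" skips them.
pass in log quick on $ext_if proto tcp from any to $xander port 80 \
    flags S/SA synproxy state

# The forwarded connection still has to leave $int_if towards xander,
# and reflected LAN connections arrive on $int_if.
pass out on $int_if proto tcp from any to $xander port 80 keep state
pass in on $int_if proto tcp from $int_net to $xander port 80 keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then compare `pfctl -s nat` and `pfctl -s rules` against what you expect; if `tcpdump -n -i tun0 port 80` shows no SYNs on the external interface at all, the problem is upstream of pf and pflog0 will stay empty whatever the rules say.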