I have simplified the config file down to:

# $Id: pf.conf 202 2007-02-13 23:44:37Z mc $

nic_dmz = fxp2
nic_pri = fxp1
nic_wan = fxp0

# ip addresses for this machine and the wan router
ip_dmz = 192.168.3.1
ip_pri = 192.168.2.1
ip_wan = 192.168.1.2
ip_dtek = 192.168.1.1

# network
net_pri = "192.168.2.0/24"
net_dmz = "192.168.3.0/24"

# privileged terminals
ip_priv_term1 = 192.168.2.5

# blacklist
table <blacklist> persist file "/etc/pf.blacklist"

#----------------------------------------------------------------------
# global normalize rules
scrub in all fragment reassemble

#----------------------------------------------------------------------
# NAT
nat on $nic_wan from $nic_pri:network to any -> ($nic_wan)
nat on $nic_wan from $nic_dmz:network to any -> ($nic_wan)

#----------------------------------------------------------------------
# global filter rules
block log all
block log quick from <blacklist> to any
block log quick from any to <blacklist>
pass quick on lo0 all

#----------------------------------------------------------------------
# WAN subnet
# allow outgoing
pass out on $nic_wan proto tcp \
    from $ip_wan to any flags S/SA modulate state
pass out on $nic_wan proto udp \
    from $ip_wan to any modulate state

#----------------------------------------------------------------------
# private subnet
block in log quick on $nic_pri from ! $net_pri to any
block out log quick on $nic_pri from any to ! $net_pri

# allow the private administrative terminal to connect to the SSH port
pass in log quick on $nic_pri proto tcp \
    from $ip_priv_term1 to $ip_pri port 22 modulate state

# allow connections from admin terminal to dtek
pass in log quick on $nic_pri proto tcp \
    from $ip_priv_term1 to $ip_dtek port 8080 modulate state

# allow private lan to connect out
pass in log on $nic_pri proto tcp \
    from $net_pri to any flags S/SA modulate state
pass in log on $nic_pri proto udp \
    from $net_pri to any modulate state

#----------------------------------------------------------------------
# dmz
block in log quick on $nic_dmz from ! $net_dmz to any
block out log quick on $nic_dmz from any to ! $net_dmz

# allow into the DMZ
pass out log on $nic_dmz proto tcp \
    from any to $net_dmz flags S/SA modulate state
pass out log on $nic_dmz proto udp \
    from any to $net_dmz modulate state

...but it still just isn't working. I'm scratching my head over this one. This is the exact same system I've been using for a good year and a half. Have there been any changes to pf that I've missed (in terms of interface - obviously there have been new features and fixes etc.)?

MC
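The following is an added example, not part of MC's post and not pf's own code: a small Python model of how pf picks the rule that decides a packet (the last matching rule wins, unless a matching rule says quick, which ends evaluation at once), run over the filter rules posted above. It expands the macros, treats the file-backed <blacklist> table as empty because its contents are not on the page, and models only interface, direction, protocol, addresses and destination port; NAT, scrub, state tracking and TCP flags are deliberately left out, so a reply packet that pf would match against an existing state entry is still reported here as if it were evaluated against the ruleset. The sample packet addresses (203.0.113.5, 198.51.100.1, 10.0.0.9) are constructed.

```python
"""Added example (not from the original post): model pf's rule selection, where the
last matching rule wins unless a matching 'quick' rule stops evaluation early.
Modelled: macros, tables, interface, direction, proto, addresses, destination port."""
import ipaddress
import shlex
from collections import namedtuple
# Constructed input: the macros the filter rules use and the filter rules of the pf.conf
# posted above, continuation lines joined. <blacklist> is file-backed: modelled as empty.
RULESET = """
nic_dmz = fxp2
nic_pri = fxp1
nic_wan = fxp0
ip_pri = 192.168.2.1
ip_wan = 192.168.1.2
ip_dtek = 192.168.1.1
net_pri = "192.168.2.0/24"
net_dmz = "192.168.3.0/24"
ip_priv_term1 = 192.168.2.5
table <blacklist> persist file "/etc/pf.blacklist"
block log all
block log quick from <blacklist> to any
block log quick from any to <blacklist>
pass quick on lo0 all
pass out on $nic_wan proto tcp from $ip_wan to any flags S/SA modulate state
pass out on $nic_wan proto udp from $ip_wan to any modulate state
block in log quick on $nic_pri from ! $net_pri to any
block out log quick on $nic_pri from any to ! $net_pri
pass in log quick on $nic_pri proto tcp from $ip_priv_term1 to $ip_pri port 22 modulate state
pass in log quick on $nic_pri proto tcp from $ip_priv_term1 to $ip_dtek port 8080 modulate state
pass in log on $nic_pri proto tcp from $net_pri to any flags S/SA modulate state
pass in log on $nic_pri proto udp from $net_pri to any modulate state
block in log quick on $nic_dmz from ! $net_dmz to any
block out log quick on $nic_dmz from any to ! $net_dmz
pass out log on $nic_dmz proto tcp from any to $net_dmz flags S/SA modulate state
pass out log on $nic_dmz proto udp from any to $net_dmz modulate state
"""
Packet = namedtuple("Packet", "iface direction proto src dst dport")

def parse_rule(toks, text):
    """Turn one block/pass line (macros already expanded) into its match criteria."""
    r = {"text": text, "action": toks[0], "dir": None, "quick": False, "on": None,
         "proto": None, "from": ("any", False), "to": ("any", False), "port": None}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            r["dir"] = t
        elif t == "quick":
            r["quick"] = True
        elif t in ("on", "proto", "port", "flags"):      # keywords taking one argument
            i += 1
            if t == "port":
                r["port"] = int(toks[i])                   # destination port (after 'to')
            elif t != "flags":                             # TCP flags are not modelled
                r[t] = toks[i]
        elif t in ("from", "to"):
            i += 1
            neg = toks[i] == "!"                           # '! addr' negates the match
            i += int(neg)                                  # step over the '!'
            r[t] = (toks[i], neg)
        i += 1          # 'log', 'all', 'modulate'/'keep state' add no criteria
    return r

def parse(text):
    """Expand macros, register tables and collect filter rules in file order."""
    macros, tables, rules = {}, {}, []
    for raw in text.replace("\\\n", " ").splitlines():
        toks = shlex.split(raw.split("#", 1)[0])
        if len(toks) == 3 and toks[1] == "=":
            macros[toks[0]] = toks[2]
        elif toks and toks[0] == "table":
            tables[toks[1]] = set()
        elif toks and toks[0] in ("block", "pass"):
            expanded = [macros[t[1:]] if t[0] == "$" else t for t in toks]
            rules.append(parse_rule(expanded, raw.strip()))
    return tables, rules

def addr_matches(spec, neg, ip, tables):
    if spec.startswith("<"):                               # table reference
        hit = ip in tables.get(spec, set())
    else:
        hit = spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != neg

def evaluate(rules, tables, p):
    """Return the rule that decides packet p, or None (pf then passes by default)."""
    winner = None
    for r in rules:
        if (r["dir"] in (None, p.direction) and r["on"] in (None, p.iface)
                and r["proto"] in (None, p.proto) and r["port"] in (None, p.dport)
                and addr_matches(*r["from"], p.src, tables)
                and addr_matches(*r["to"], p.dst, tables)):
            winner = r                                     # last match wins...
            if r["quick"]:                                 # ...unless it is quick
                break
    return winner

TABLES, RULES = parse(RULESET)
if __name__ == "__main__":   # constructed sample: a new connection arriving from the WAN
    w = evaluate(RULES, TABLES, Packet("fxp0", "in", "tcp", "203.0.113.5", "192.168.3.10", 80))
    print(w["action"] + " by: " + w["text"] if w else "pass (no rule matched)")
```

Run as a script, the model reports that a new inbound connection on fxp0 is decided by "block log all": the posted filter section has no pass in rule on $nic_wan at all, so under these rules nothing from the WAN side can open a connection to the firewall or the DMZ (replies to connections the inside opened are a different case, since pf matches those against the state entries created by the modulate state rules before it consults the ruleset). Whether that is the failure MC is seeing the post does not say. On the box itself the equivalent checks are pfctl -nf /etc/pf.conf to parse the file without loading it, pfctl -sr to see the rules actually loaded, and tcpdump on pflog0 to see which logged rule is dropping the traffic.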

