On Mon, Sep 22, 2008 at 05:23:31AM -0700, Parvinder Bhasin wrote:
>
> On Sep 22, 2008, at 4:46 AM, Jason Dixon wrote:
>
>> On Mon, Sep 22, 2008 at 02:25:01AM -0700, Parvinder Bhasin wrote:
>>> On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:
>>>
>>>> On 2008-09-22, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
>>>>> I have users that can access the website fine (75.44.229.18) and
>>>>> some users that complain they can't access it.
>>>>
>>>> Include the dmesg so we can see what OS version you're running.
>>>> Set pfctl -x misc and watch /var/log/messages, include any output
>>>> from around the time of a failed connection. Include the relevant
>>>> state table entries from pfctl -vss.
>>>
>>> Here is the output from pfctl -vss - with the host (75.18.177.36)
>>> trying to access the website:
>>
>> Please do that again, but grep only the relevant bits. I'm not going
>> to sift through all the noise.
>>
>> $ sudo pfctl -ss | grep 75.18.177.36
>>
>> I'm pretty sure your outbound nat needs to be moved *after* your
>> rdr's. I think the inbound traffic is having the src_addr translated
>> to your firewall's ($ext_if)
>
> Jason,
>
> Here it is without the noise.
>
> # pfctl -ss | grep 75.18.177.36
> all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056 SYN_SENT:ESTABLISHED
> all tcp 75.18.177.36:1056 -> 172.16.10.11:80 ESTABLISHED:SYN_SENT
> # pfctl -ss | grep 75.18.177.36
> all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056 SYN__SENT:ESTABLISHED
> all tcp 75.18.177.36:1056 -> 172.16.10.11:80 ESTABLISHED:SYN_SENT
Looks ok. Let's see the output of `pfctl -sr` and `pfctl -sn`.

Also, let's correlate your states to the logged blocks. In separate terminals, do the `pfctl -ss | grep <foo>` and then find the corresponding traffic in pflog0 that's being blocked. Let's see them both.

--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
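The correlation step Jason asks for, as an added example that is not part of the thread and not anyone's script from it: constructed sample text stands in for the output of `pfctl -ss` and of `tcpdump -n -e -ttt -i pflog0` (the usual way to read pflog0), every address, rule number and timestamp in it is made up, and `host_states`, `blocked_flows` and `correlate` are names chosen here. It greps the state table for one host the way the thread does, reduces each logged block to a src/dst pair, and reports whether a blocked packet belongs to a flow that already has a state (the packet was not matched to that state, which is where a nat/rdr ordering problem or an interface/direction mismatch shows up) or to a flow with no state at all (plain policy).

```shell
#!/bin/sh
# Added example, not code from the thread. On a real OpenBSD box the two
# variables below would come from:
#   pfctl -ss                        (state table)
#   tcpdump -n -e -ttt -i pflog0     (logged packets; -e prints rule/action)
# Everything in them here is constructed sample data.

# Constructed `pfctl -ss` output: an rdr'd web connection from 75.18.177.36
# stuck in SYN_SENT:ESTABLISHED, and a healthy one from 192.0.2.77.
STATES='all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 75.18.177.36:1056 SYN_SENT:ESTABLISHED
all tcp 75.18.177.36:1056 -> 172.16.10.11:80 ESTABLISHED:SYN_SENT
all tcp 172.16.10.11:80 <- 75.44.229.18:80 <- 192.0.2.77:40000 ESTABLISHED:ESTABLISHED
all tcp 192.0.2.77:40000 -> 172.16.10.11:80 ESTABLISHED:ESTABLISHED'

# Constructed pflog0 lines in tcpdump's pf format: one blocked packet that
# belongs to the stuck flow above, one from a host that never got a state.
PFLOG='Sep 22 05:20:01.123456 rule 3/(match) block in on em0: 75.18.177.36.1056 > 75.44.229.18.80: . ack 1 win 65535
Sep 22 05:20:02.000000 rule 3/(match) block in on em0: 198.51.100.9.5555 > 75.44.229.18.22: S 10:10(0) win 65535'

# The thread's first step: only the state lines mentioning the host.
host_states() {
    printf '%s\n' "$STATES" | grep -F -- "$1"
}

# Reduce each blocked packet to "src:port dst:port dir iface ruleN".
# tcpdump writes endpoints as a.b.c.d.port; the sed splits the last dot off.
blocked_flows() {
    printf '%s\n' "$PFLOG" |
        sed -n 's/.*rule \([0-9]*\)\/([a-z]*) block \([a-z]*\) on \([^:]*\): \([0-9.]*\)\.\([0-9]*\) > \([0-9.]*\)\.\([0-9]*\):.*/\4:\5 \6:\7 \2 \3 rule\1/p' |
        grep -F -- "$1"
}

# For each blocked packet from the host, look for an existing state on its
# source endpoint: either the "<- src" tail of an rdr state or the "src ->"
# head of the reverse state. pf only evaluates rules for packets that did
# not match a state, so a block on a flow that has one means the packet and
# the state disagree (translation, interface or direction); a block with no
# state is ordinary policy.
correlate() {
    blocked_flows "$1" | while read -r src dst dir ifc rule; do
        state=$(printf '%s\n' "$STATES" |
                grep -F -e "<- $src " -e " $src ->" | head -n 1)
        if [ -n "$state" ]; then
            printf 'BLOCKED_WITH_STATE src=%s dst=%s dir=%s if=%s %s\n' \
                "$src" "$dst" "$dir" "$ifc" "$rule"
            printf '  state: %s\n' "$state"
        else
            printf 'BLOCKED_NO_STATE src=%s dst=%s dir=%s if=%s %s\n' \
                "$src" "$dst" "$dir" "$ifc" "$rule"
        fi
    done
}

# Usage: the complaining host, then a host that never got a state.
correlate 75.18.177.36
correlate 198.51.100.9
```

With live data, run `correlate` against the output captured while the user retries the connection; a `BLOCKED_WITH_STATE` line whose state is stuck in `SYN_SENT:ESTABLISHED` is the pattern to bring back to the list together with `pfctl -sr` and `pfctl -sn`.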