Thanks a lot guys, I seem to have resolved the problem. So in short, it seems like the Netopia 30xx series router was doing some funky thing with packets which PF was rightfully rejecting (as they were not normalized). This is just my theory. Once I converted my OpenBSD box to the router and the Netopia box to a dumb bridge, it all worked like a charm.

Appreciate the group's help on this.

I would like to personally thank you guys for taking the time to troubleshoot this with me.

Thanks: John Jackson, Stuart Henderson, Bryan, Mark and above all Jason Dixon.

-Parvinder Bhasin

On Sep 22, 2008, at 1:14 AM, Stuart Henderson wrote:

On 2008-09-22, Parvinder Bhasin <[EMAIL PROTECTED]> wrote:
I have users that can access the website fine (75.44.229.18) and some
users who complain they can't access it.

Include the dmesg so we can see what OS version you're running.
Set pfctl -x misc and watch /var/log/messages, include any output
from around the time of a failed connection. Include the relevant
state table entries from pfctl -vss.

Why is the user in the below pflog getting blocked, whereas most of the
users can access the website just fine?


tcpdump: listening on pflog0, link-type PFLOG
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0:
172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1:
75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)


Here is my pf.conf file:

##### MACROS ####
ext_if="fxp1"
int_if="fxp0"
pf_log="pflog0"

icmp_types="echoreq"

#### OPTIONS #####
set loginterface $ext_if
set loginterface $int_if
set block-policy return
set skip on lo

# scrub
scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"

rdr on $ext_if proto tcp from any to 75.44.229.18 port 80 -> 172.16.10.11 port 80
rdr on $ext_if proto tcp from any to 75.44.229.19 port 3128 -> 172.16.10.12 port 3128

# filter
block in log (all, to pflog0)

pass out keep state
antispoof quick for { lo $int_if }

pass in on $ext_if inet proto tcp from any to 172.16.10.11 port 80 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 75.44.229.17 port 22 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to 172.16.10.12 port 3128 flags S/SA synproxy state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in quick on $int_if

If this is a newer OS version, flags S/SA and keep state are redundant. If it's an old one, your "pass in quick on $int_if" should also use them.
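Added example (not from anyone in the thread): a small parser for the tcpdump pflog lines quoted above, which tallies the blocks per interface and direction and labels each one using the interface roles from the pf.conf macros. It assumes the tcpdump pflog output format shown above and that the inside server sits on a private address.

```python
import ipaddress
import re
from collections import Counter

IF_ROLE = {"fxp1": "ext_if", "fxp0": "int_if"}  # from the pf.conf macros above

# Constructed sample: the two lines tcpdump printed from pflog0 in the thread
SAMPLE_PFLOG = """\
Sep 21 21:53:21.903554 rule 0/(match) block in on fxp0: 172.16.10.11.80 > 75.18.177.36.1106: [|tcp] (DF)
Sep 21 21:53:34.570469 rule 0/(match) block in on fxp1: 75.18.177.36.1105 > 172.16.10.11.80: [|tcp] (DF)
"""

# tcpdump pflog header: "rule N/(reason) action dir on ifname: src.sport > dst.dport: ..."
PFLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)

def parse_pflog_line(line):
    """Fields of one pflog line as a dict, or None if the line is not a pflog record."""
    m = PFLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def classify(rec):
    """Label a blocked packet by the interface role and the direction it was travelling."""
    role = IF_ROLE.get(rec["ifname"], "unknown")
    if role == "int_if" and rec["dir"] == "in" and ipaddress.ip_address(rec["src"]).is_private:
        # PF consults the state table before the ruleset, so a reply from the inside
        # server that fell through to the block rule matched no existing state.
        return "server reply with no matching state"
    if role == "ext_if" and rec["dir"] == "in":
        return "inbound client packet blocked"
    return "other"

def summarize(text):
    """Tally blocks per (interface, direction, destination port); label each one."""
    tally, labels = Counter(), []
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        tally[(rec["ifname"], rec["dir"], rec["dport"])] += 1
        labels.append((rec["ts"], classify(rec)))
    return tally, labels
```

Feed it the output of `tcpdump -n -e -ttt -i pflog0` to see which side of the box is dropping packets and whether the drops are fresh connections or replies that found no state.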
