Why are you doing "from any to (fxp0)" ? That's your problem. Change all the rules like that to "from any to any" since you're already putting the rule on that interface and it should fix you up. As long as you're not redirecting you can turn logging on specific rules and see why they're blocking as well if that doesn't fix your issue.

Andres Salazar wrote:
Hello,

Yes it loaded properly. Yes I had missed the macro for the external
NIC it is included in the original ruleset. t_externa = "fxp0"


This is the result for pfctl -sr:

match in all scrub (no-df)
block drop all
pass out all flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
pass out inet proto icmp all icmp-type echoreq keep state
pass out inet proto icmp all icmp-type unreach keep state

As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked out and I
cannot SSH in from the outside.

Where am I blocking port SSH in? :(

Andres


On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet <dan...@presscom.net> wrote:
      ## Traffic IN
      pass in log quick on $t_externa inet proto { tcp, udp } from any
to ($t_externa) \
         port { 22  8080 } keep state
In your pf configuration it doesn't show where you actually define the
macro
for your interface $t_externa.

Are you sure the rules you run are what you think they are?

Did it load properly, and maybe you want to check the rules as active with

pfctl -sr

And check that display. I think you may find what you are looking for.

Compare your pf.conf with what you actually see in pfctl -sr and you will
work your issue out.

Best,

Daniel

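The change proposed at the top of the thread, shown as an added pf.conf excerpt that is not from any of the posters; it assumes the t_externa = "fxp0" macro from Andres's ruleset and adds the log keyword so the rule that drops a packet can be read off pflog0 instead of guessed.

```pf
# Added example, not from the thread. Assumes the external interface macro
# used in Andres's ruleset.
t_externa = "fxp0"

match in all scrub (no-df)

# Log what the default deny drops: each dropped packet becomes a pflog0
# record carrying the number of the rule that matched (pfctl -vvsr lists
# the rules with those numbers).
block log all

pass out quick on $t_externa inet proto tcp from ($t_externa) to any \
    port { www https } flags S/SA modulate state

# As posted: the rule only matches packets addressed to an address that
# is configured on fxp0 at the time the packet arrives.
# pass in log quick on $t_externa inet proto { tcp, udp } from any \
#     to ($t_externa) port { 22 8080 } keep state

# As suggested in the reply: 'on $t_externa' already restricts the rule to
# the external interface, so 'to any' matches whatever destination address
# the packet carries. Logging is kept so a hit on this rule is visible too.
pass in log quick on $t_externa inet proto { tcp, udp } from any to any \
    port { 22 8080 } keep state
```

Parse the file with `pfctl -nf /etc/pf.conf` before loading it, and when loading over SSH first run `sleep 120 && pfctl -d &` so a mistake disables pf again instead of locking you out; `tcpdump -n -e -ttt -i pflog0` then shows every logged packet together with the rule number that matched it.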