On 04/22/10 18:22, Allie Daneman wrote:
> Why are you doing "from any to (fxp0)" ? That's your problem. Change all

I fail to see why that would cause any issues. Care to elaborate?

/Alexander

> the rules like that to "from any to any" since you're already putting
> the rule on that interface and it should fix you up. As long as you're
> not redirecting you can turn logging on specific rules and see why
> they're blocking as well if that doesn't fix your issue.
>
> Andres Salazar wrote:
>> Hello,
>>
>> Yes it loaded properly. Yes I had missed the macro for the external
>> NIC; it is included in the original ruleset. t_externa = "fxp0"
>>
>> This is the result for pfctl -sr:
>>
>> match in all scrub (no-df)
>> block drop all
>> pass out all flags S/SA keep state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220 port = domain flags S/SA keep state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222 port = domain flags S/SA keep state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port = domain flags S/SA keep state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port = domain flags S/SA keep state
>> pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220 port = domain keep state
>> pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222 port = domain keep state
>> pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port = domain keep state
>> pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port = domain keep state
>> pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
>> pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080 flags S/SA keep state
>> pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
>> pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
>> pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https flags S/SA modulate state
>> pass out inet proto icmp all icmp-type echoreq keep state
>> pass out inet proto icmp all icmp-type unreach keep state
>>
>> As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked out and I
>> cannot SSH in from the outside.
>>
>> Where am I blocking port SSH in? :(
>>
>> Andres
>>
>> On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet <dan...@presscom.net> wrote:
>>
>>>> ## Traffic IN
>>>> pass in log quick on $t_externa inet proto { tcp, udp } from any to ($t_externa) \
>>>>     port { 22 8080 } keep state
>>>>
>>> In your pf configuration it doesn't show where you actually define the
>>> macro for your interface $t_externa.
>>>
>>> Are you sure the rules you run are what you think they are?
>>>
>>> Did it load properly? And maybe you want to check the rules as active with
>>>
>>> pfctl -sr
>>>
>>> And check that display. I think you may find what you are looking for.
>>>
>>> Compare your pf.conf with what you actually see in pfctl -sr and you will
>>> work your issue out.
>>>
>>> Best,
>>>
>>> Daniel
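As an added example (not from any participant in this thread), a simplified evaluator of pf's rule-matching semantics run over a trimmed copy of the quoted pfctl -sr output: the last matching rule wins unless a matching rule is "quick", match rules never decide pass/block, and "(fxp0)" expands to the interface's own addresses. The address 192.0.2.10 assigned to fxp0 and the sample inbound packet are constructed; the parser handles only the keywords present in the quoted ruleset.

```python
import re

# Constructed: a trimmed copy of the "pfctl -sr" output quoted in the thread.
RULES = """\
match in all scrub (no-df)
block drop all
pass out all flags S/SA keep state
pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh flags S/SA keep state
pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh keep state
pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www flags S/SA modulate state
""".splitlines()
IFACE_ADDR = {"fxp0": "192.0.2.10"}  # assumption: the address pf expands "(fxp0)" to
SERVICES = {"ssh": 22, "domain": 53, "www": 80, "https": 443}

def parse_rule(line):
    # Extract only the fields this simplified matcher uses; other keywords are ignored.
    def opt(pat):
        m = re.search(pat, line)
        return m.group(1) if m else None
    port = opt(r" port = (\S+)")
    return {"action": line.split()[0], "dir": opt(r"^\S+(?: drop)? (in|out)\b"),
            "quick": " quick " in line, "iface": opt(r" on (\S+)"), "proto": opt(r" proto (\S+)"),
            "src": opt(r" from (\S+)") or "any", "dst": opt(r" to (\S+)") or "any",
            "dport": (SERVICES.get(port) or int(port)) if port else None}

def addr_match(spec, addr):
    # "any" matches everything; "(ifname)" stands for that interface's own addresses.
    m = re.fullmatch(r"\((\w+)\)", spec)
    return spec == "any" or (IFACE_ADDR.get(m.group(1)) == addr if m else spec == addr)

def rule_matches(r, pkt):
    return (r["dir"] in (None, pkt["dir"]) and r["iface"] in (None, pkt["iface"])
            and r["proto"] in (None, pkt["proto"]) and r["dport"] in (None, pkt["dport"])
            and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"]))

def evaluate(rules, pkt):
    # pf semantics: the last matching rule wins unless a matching rule is "quick";
    # "match" rules never decide pass/block, and the default is pass if nothing matches.
    verdict, winner = "pass", None
    for line in rules:
        r = parse_rule(line)
        if r["action"] == "match" or not rule_matches(r, pkt):
            continue
        verdict, winner = r["action"], line
        if r["quick"]:
            break
    return verdict, winner
SSH_IN = {"dir": "in", "iface": "fxp0", "proto": "tcp",  # constructed inbound SSH packet
          "src": "198.51.100.7", "dst": "192.0.2.10", "dport": 22}
```

Changing the destination to an address that is not on fxp0, or the port to anything without a pass rule, makes the packet fall through to "block drop all", which is the comparison Daniel suggests making between pf.conf and the active ruleset.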