Hello,

That solved the issue, but I have about 20 rulesets that have the same
syntax. I don't see anything about this yet either.

Please elaborate.

Andres

On Thu, Apr 22, 2010 at 3:59 PM, Alexander Hall <alexan...@beard.se> wrote:
> On 04/22/10 18:22, Allie Daneman wrote:
>> Why are you doing "from any to (fxp0)" ? That's your problem. Change all
>
> I fail to see why that would cause any issues. Care to elaborate?
>
> /Alexander
>
>> the rules like that to "from any to any" since you're already putting
>> the rule on that interface and it should fix you up. As long as you're
>> not redirecting you can turn logging on specific rules and see why
>> they're blocking as well if that doesn't fix your issue.
>>
>> Andres Salazar wrote:
>>> Hello,
>>>
>>> Yes it loaded properly. Yes I had missed the macro for the external
>>> NIC; it is included in the original ruleset. t_externa = "fxp0"
>>>
>>>
>>> This is the result for pfctl -sr:
>>>
>>> match in all scrub (no-df)
>>> block drop all
>>> pass out all flags S/SA keep state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.220
>>> port = domain flags S/SA keep state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to 208.67.222.222
>>> port = domain flags S/SA keep state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.1 port =
>>> domain flags S/SA keep state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to 4.2.2.2 port =
>>> domain flags S/SA keep state
>>> pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.220
>>> port = domain keep state
>>> pass out quick on fxp0 inet proto udp from (fxp0) to 208.67.222.222
>>> port = domain keep state
>>> pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.1 port =
>>> domain keep state
>>> pass out quick on fxp0 inet proto udp from (fxp0) to 4.2.2.2 port =
>>> domain keep state
>>> pass in quick on fxp0 inet proto tcp from any to (fxp0) port = ssh
>>> flags S/SA keep state
>>> pass in quick on fxp0 inet proto tcp from any to (fxp0) port = 8080
>>> flags S/SA keep state
>>> pass in quick on fxp0 inet proto udp from any to (fxp0) port = ssh
>>> keep state
>>> pass in quick on fxp0 inet proto udp from any to (fxp0) port = 8080 keep
>>> state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to any port = www
>>> flags S/SA modulate state
>>> pass out quick on fxp0 inet proto tcp from (fxp0) to any port = https
>>> flags S/SA modulate state
>>> pass out inet proto icmp all icmp-type echoreq keep state
>>> pass out inet proto icmp all icmp-type unreach keep state
>>>
>>>
>>>
>>> As soon as I hit pfctl -f /etc/pf.conf and pfctl -e I am locked out and I
>>> cannot SSH in from the outside.
>>>
>>> Where am I blocking port SSH in? :(
>>>
>>> Andres
>>>
>>>
>>> On Wed, Apr 21, 2010 at 9:45 PM, Daniel Ouellet <dan...@presscom.net>
>>> wrote:
>>>
>>>>>       ## Traffic IN
>>>>>       pass in log quick on $t_externa inet proto { tcp, udp } from any
>>>>> to ($t_externa) \
>>>>>          port { 22  8080 } keep state
>>>>>
>>>> In your pf configuration it doesn't show where you actually define the
>>>> macro for your interface $t_externa.
>>>>
>>>> Are you sure the rules you run are what you think they are?
>>>>
>>>> Did it load properly? Maybe you want to check the rules as active
>>>> with
>>>>
>>>> pfctl -sr
>>>>
>>>> And check that display. I think you may find what you are looking for.
>>>>
>>>> Compare your pf.conf with what you actually see in pfctl -sr and you
>>>> will work your issue out.
>>>>
>>>> Best,
>>>>
>>>> Daniel
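
An added example, not written by anyone in this thread, for the two checks the replies above describe: Daniel's "does the pf.conf actually define the macro it uses" and the "don't lock yourself out while reloading" problem Andres ran into. The function names (undefined_macros, safe_load, write_sample), the fallback timer that disables pf, and the sample pf.conf are this example's own; the sample is modelled on the rules quoted in the thread with the t_externa definition deliberately commented out. Only the macro check runs without pf; safe_load needs pfctl and is meant to be run on the firewall itself.

```shell
#!/bin/sh
# Added example, not from the thread: find macros a pf.conf references
# but never defines, and load a ruleset with a safety net so a bad one
# cannot lock you out of SSH. Names and sample config are assumptions.

# Print every macro referenced as $name in FILE that has no "name = ..."
# definition in it, one per line. Prints nothing when the file is consistent.
undefined_macros() {
    file="$1"
    body=$(sed 's/#.*//' "$file")                      # drop comments first
    # Definitions: a bare name at the start of a line followed by '='.
    defined=$(printf '%s\n' "$body" |
        sed -n 's/^[[:space:]]*\([A-Za-z_][A-Za-z0-9_]*\)[[:space:]]*=.*/\1/p' |
        sort -u)
    # References: every $name, including ones in parentheses like ($t_externa).
    used=$(printf '%s\n' "$body" | grep -o '\$[A-Za-z_][A-Za-z0-9_]*' |
        tr -d '$' | sort -u)
    for name in $used; do
        printf '%s\n' "$defined" | grep -qx "$name" || printf '%s\n' "$name"
    done
}

# Syntax-check FILE, arm a timer that disables pf after SECS seconds
# (default 120), then load it. If the new rules cut your SSH session off,
# pf switches itself off and you can get back in; if SSH still works,
# cancel the timer with the kill command that is printed. Needs pfctl.
safe_load() {
    file="$1"; secs="${2:-120}"
    missing=$(undefined_macros "$file")
    if [ -n "$missing" ]; then
        printf 'refusing to load %s: undefined macro(s): %s\n' "$file" "$missing" >&2
        return 1
    fi
    pfctl -nf "$file" || return 1                      # parse only, no load
    ( sleep "$secs" && pfctl -d ) &                    # fallback: pf off
    timer=$!
    if ! pfctl -f "$file"; then
        kill "$timer" 2>/dev/null                      # old rules kept, no need to drop pf
        return 1
    fi
    pfctl -e 2>/dev/null || true                       # no-op if already enabled
    printf 'loaded; check "pfctl -sr" and "tcpdump -n -e -ttt -i pflog0",\n'
    printf 'then run "kill %s" within %s s to keep the new rules.\n' "$timer" "$secs"
}

# Constructed sample modelled on the thread's rules. The t_externa
# definition is commented out on purpose, as in the original report.
write_sample() {
    cat > "$1" <<'EOF'
# t_externa = "fxp0"
dns_servers = "{ 208.67.222.220 208.67.222.222 4.2.2.1 4.2.2.2 }"
match in all scrub (no-df)
block all
pass out keep state
pass out quick on $t_externa inet proto { tcp udp } from ($t_externa) to $dns_servers port domain keep state
## Traffic IN
pass in log quick on $t_externa inet proto { tcp udp } from any to ($t_externa) port { 22 8080 } keep state
EOF
}

# Demo on the sample; this part needs no pfctl.
tmp=$(mktemp) && write_sample "$tmp"
printf 'macros used but not defined: %s\n' "$(undefined_macros "$tmp" | tr '\n' ' ')"
rm -f "$tmp"
```

Two notes on using it. pflog0 only shows packets that hit a rule carrying the log keyword; in the ruleset quoted above only the pass in rule logs, so to see why SSH is being dropped the block rule has to become "block log all" (or the specific rule you suspect gets log), after which "tcpdump -n -e -ttt -i pflog0" prints the rule number and action for each logged packet and "pfctl -vvsr" maps that number back to the rule text. And the fallback timer disables pf entirely rather than restoring the previous rules, which is the safe direction for a box you can only reach over SSH but does leave it unfiltered until you reload.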