OMG, TYPO! The packet is going from 10.0.0.51 to 10.0.0.1 to 10.0.0.2 to 10.0.4.1. Maybe this clarifies it now, lol.
Machine1
  Eth0 = 77.77.77.77
  Eth1 = 10.0.0.1, network 10.0.0.0/24
  Eth2 = 10.0.0.2, network 10.0.0.0/24

Machine2
  Eth0 = 11.11.11.11
  Eth1 = 10.0.0.2, network 10.0.0.0/24
  Eth2 = 10.0.4.1, network 10.0.4.0/24

(routing table)
  Destination   Gateway
  10.0.0.0      Eth1
  10.0.0.2      Eth1
  10.0.1.0      Eth2
  10.0.4.0      10.0.0.2

BTW, thanks for working with me on this, and helping me figure out where I am going wrong!

Amir Seyavash Mesry
[EMAIL PROTECTED]
LSI Logic Corporation
http://www.lsilogic.com/
Raid Support Test Technician
6145-D Northbelt Parkway
Norcross, GA 30071
678-728-1211

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of j knight
Sent: Monday, June 02, 2003 4:50 PM
To: pf
Subject: Re: Ruleset Problem

Amir Seyavash Mesry wrote:
> Sorry, I thought I gave enough info, they come in on eth1 and leave on
> eth1. I.e. the machine that pf.conf was given for is doing NAT and some
> small routing.
>
> Machine1 (pf.conf given for this one)
> Eth0=internetip
> Eth1=10.0.0.1 network 10.0.0.0/24
> Eth1=10.0.0.2 network 10.0.0.0/24
>
> Machine2
> Eth0=internetip
> Eth1=10.0.0.2 network 10.0.0.0/24
> Eth1=10.0.4.1 network 10.0.4.0/24

Now I'm really confused :(. Perhaps you could draw a simple diagram?

> If I am reading this right, translation takes precedence over
> filtering, which means if I have the following after translation, then
> the packets will still pass, or do they get blocked after translation
> on the outbound if?

Translated packets still pass through the filter engine and are subject to your filter rules....

> block in log all
> block out log all

... so this will block translated packets. You'll need to "pass out on $ext ..." later on.

> As for the keep state rules, what I was trying to accomplish is
> passing packets between eth1 & eth2, checking state on each interface.
> Maybe one or two revised rules would be
>
> pass in on $eth1 inet proto udp from $lan1 to $lan2 keep state
> pass in on $eth2 inet proto udp from $lan1 to $lan2 keep state

Is $lan1 connected to $eth1 or $eth2? From what I can tell, $lan1 is on $eth1, so looking for packets from $lan1 on $eth2 isn't necessary.

> Do I need a corresponding one backtracking, such as?
>
> pass in on $eth2 inet proto udp from $lan2 to $lan1 keep state
> pass in on $eth1 inet proto udp from $lan2 to $lan1 keep state

Same situation here with $lan2. What you need is a set of rules to pass traffic OUT on $eth1, $eth2. Like I said, "keep state" only tracks state on one interface, not all of them.

pass in on $eth1 from $lan1 to $lan2 keep state
pass out on $eth2 from $lan1 to $lan2 keep state

.joel
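The two points Joel makes in the thread (translated packets are still filtered, so a default "block out" needs a matching "pass out on $ext"; and a forwarded packet must be passed on both the interface it enters and the interface it leaves) put together in one pf.conf for the NAT/router box. This is an added example, not the ruleset from the thread: the interface names, the external address handling and the "lan1 to Internet" rules are assumptions for illustration, and only the 10.0.0.0/24 and 10.0.4.0/24 networks and the UDP lan1-to-lan2 rules come from the discussion above.

```pf
# Added example for the NAT/router box (Machine1 in the thread).
# ASSUMED: interface names and which network sits behind each one.
ext_if  = "eth0"          # assumed: Internet-facing interface
lan1_if = "eth1"          # assumed: interface on 10.0.0.0/24
lan2_if = "eth2"          # assumed: interface towards Machine2 / 10.0.4.0/24
lan1    = "10.0.0.0/24"   # from the thread
lan2    = "10.0.4.0/24"   # from the thread

# Translation happens before filtering, but the translated packet is still
# run through the filter rules. Without the "pass out on $ext_if" rule at
# the bottom it would be caught by "block out log all".
nat on $ext_if inet from $lan1 to any -> ($ext_if)

# Default deny in both directions. pf is last-matching-rule-wins, so these
# sit first and every later "pass" overrides them for what it matches.
block in  log all
block out log all

# lan1 -> lan2 (UDP, as in the thread): the packet enters on $lan1_if and
# leaves on $lan2_if. "keep state" creates the state on the interface the
# rule matched on, so each interface the packet crosses needs its own rule.
pass in  on $lan1_if inet proto udp from $lan1 to $lan2 keep state
pass out on $lan2_if inet proto udp from $lan1 to $lan2 keep state

# Replies from lan2 are matched by the two state entries above; no separate
# lan2 -> lan1 rules are needed for them. Only connections *initiated* from
# lan2 would need their own "pass in on $lan2_if ... keep state" plus a
# matching "pass out on $lan1_if".

# lan1 -> Internet (assumed policy): in on $lan1_if, out translated on
# $ext_if. "! $lan2" keeps this from overriding the UDP-only rule above,
# since a later, broader pass rule would otherwise win.
pass in  on $lan1_if inet from $lan1 to ! $lan2 keep state
pass out on $ext_if  inet keep state
```

Two things to check after loading this with `pfctl -f`: Machine2 must itself route between its interfaces and have a route back to 10.0.0.0/24 via Machine1, or the replies never reach the state entries; and on newer pf releases `set state-policy` defaults to `floating`, under which the state created on $lan1_if also matches the packet on $lan2_if, which makes the "pass out on $lan2_if" rule redundant but harmless, so the pair above works under either policy.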