the "teach a man to fish" response here is: change your 'block all'
line to 'block log all' and then 'tcpdump -n -e -ttt -i pflog0' and see
what's getting blocked.

the "give a man a fish" response would involve something along the lines
of (possibly amongst other things):

  pass in on $sec_if from $wi_net tag WI_INET keep state

as an unrelated tip, you could also exploit the super-handy
'$if:network' syntax to avoid creating macros for your networks...

HTH...

-j

On Fri, 2004-07-02 at 22:15, RZR wrote:
> Following the directions from 
> http://openbsd.sfobug.org/faq/pf/tagging.html, plus a little tweaking to 
> include access for ipsec laptops on $wi_if (isakmpd on firewall), I came 
> up with this.
> However, ALL access becomes blocked; namely
> -access from the firewall out
> -access to the firewall from the ipsec laptops
> -access to DMZ boxes from the ipsec laptops.
> 
> I know I'm missing something (hopefully small).
> 
> Any help would be much appreciated.
> -RZR
> 
> pf.conf ->
> # macros
> int_if = "fxp0"
> wi_if = "fxp1"
> dmz_if = "sk0"
> sec_if = "enc0"
> ext_if = "tun0"
> int_net = "192.168.1.0/24"
> wi_net = "192.168.2.0/24"
> dmz_net = "172.16.1.0/24"
> www_server = "172.16.1.2"
> mail_server = "172.16.1.3"
> 
> table <spamd> persist file "/etc/spammers"
> set loginterface $ext_if
> 
> ### AltQueue
> altq on $ext_if priq bandwidth 100Kb queue { q_pri, q_def }
> queue q_pri priority 7
> queue q_def priority 1 priq(default)
> 
> ##################################################################
> # classification -- classify packets based on the defined firewall
> # policy.
> #rdr on $ext_if proto tcp from <spamd> to port smtp \
> #       tag SPAMD -> 127.0.0.1 port 8025
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr on $sec_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> #rdr on $DMZ_if proto tcp from any to any port 21 -> 127.0.0.1 port 8021
> rdr on $ext_if proto tcp from any to $ext_if port 22 \
>          -> $mail_server port 22
> rdr on $ext_if proto tcp from any to $ext_if port 25 \
>          -> $mail_server port 25
> rdr on $ext_if proto tcp from any to $ext_if port 80 \
>          -> $www_server port 80
> rdr on $ext_if proto tcp from any to $ext_if port 443 \
>          -> $www_server port 443
> nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
> 
> block all
> pass in on $int_if from $int_net tag LAN_INET keep state
> pass in on $wi_if from $wi_net tag WI_INET keep state
> pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
> pass in on $wi_if from $wi_net to $dmz_net tag WI_DMZ keep state
> pass in on $ext_if proto tcp to $www_server port {www, https} \
>          tag INET_DMZ keep state
> pass in on $ext_if proto tcp to $mail_server port {ssh, smtp} \
>          tag INET_DMZ keep state
> 
> ########################################################################
> # policy enforcement -- pass/block based on the defined firewall policy.
> pass in  quick on $ext_if tagged SPAMD keep state
> pass out quick on $ext_if tagged LAN_INET keep state queue(q_def, q_pri)
> pass out quick on $ext_if tagged WI_INET keep state queue(q_def, q_pri)
> pass out quick on $dmz_if tagged LAN_DMZ keep state
> pass out quick on $dmz_if tagged WI_DMZ keep state
> pass out quick on $dmz_if tagged INET_DMZ synproxy state \
>          label "$dstaddr:$dstport" queue(q_def, q_pri)
> ############################################################################

-- 
Jason Opperisano <[EMAIL PROTECTED]>
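As an added example (not part of the original message), here is a small shell helper for the 'block log all' plus tcpdump step suggested above: it tallies the block entries from 'tcpdump -n -e -ttt -i pflog0' by direction, interface and matching rule, so the interface that is silently dropping traffic (enc0 in the poster's setup) stands out. The sample tcpdump lines are constructed and only approximate the pflog output format of that era; the addresses are made up.

```shell
# Constructed sample of 'tcpdump -n -e -ttt -i pflog0' output (not from the
# original post). Field layout: delta-time, "rule N/M(reason):", action,
# direction, "on", interface, then the packet summary.
SAMPLE_PFLOG='000000 rule 0/0(match): block in on enc0: 192.168.2.10.49152 > 172.16.1.2.80: S 1:1(0) win 16384
000123 rule 0/0(match): block in on enc0: 192.168.2.10.49153 > 192.168.1.1.22: S 1:1(0) win 16384
000456 rule 0/0(match): block out on tun0: 203.0.113.5.49154 > 198.51.100.7.53: udp 40
000789 rule 0/0(match): block in on enc0: 192.168.2.11.49155 > 172.16.1.3.25: S 1:1(0) win 16384
001000 rule 4/0(match): pass in on fxp0: 192.168.1.20.49156 > 172.16.1.2.80: S 1:1(0) win 16384'

# Print one line per (direction, interface, rule) that blocked packets,
# formatted "COUNT DIR on IFACE by rule N/M", most frequent first.
# Only "block" entries are counted; "pass" entries (from 'pass log' rules)
# are ignored. Input is the pflog text as a single argument.
summarize_pflog() {
    printf '%s\n' "$1" | awk '
        /\(match\): block/ {
            rule = $3; sub(/\(match\):$/, "", rule)      # "0/0(match):" -> "0/0"
            for (i = 1; i <= NF; i++) {
                if ($i == "on") {
                    dir = $(i - 1)                       # "in" or "out"
                    iface = $(i + 1); sub(/:$/, "", iface)
                    break
                }
            }
            n[dir " on " iface " by rule " rule]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Rule numbers refer to the filter ruleset, so "0/0" is the first filter
# rule: in the posted pf.conf that is the "block all" line.
summarize_pflog "$SAMPLE_PFLOG"
```

In the sample the top line reads "3 in on enc0 by rule 0/0", which is exactly the symptom the poster describes: inbound traffic on the enc0 interface has no pass rule, so the catch-all block eats it.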
