Ok, I'm new to OpenBSD and pf, but I'm quickly getting the hang of it.
Here's my setup:
AMD 2300 w/ 512mb DDR ram
512mb flash drive
5 10/100 network cards
I have 4 networks right now, one of them is the internet. So let's call them, Inet,
A, B,and C.
Network C is the network with all mail/web
Shawn,
Multi-interface packet filtering can be tricky. Could you post your
rules?
Without that, all we can probably say is that you have a
misconfiguration somewhere.
IIRC, creating stateful inspection on one interface does not allow the
packets to go through other interfaces. This is my first
Yeah, I'll post them up on a webpage real quick.
and to answer someone's question earler, yes, I'm using "quick" rules. I'm wanting to
try and keep the
latency down as low as I can. And I figured that would be the best way to keep it
down.
> Shawn,
>
> Multi-interface packet filtering can be
Routing isn't an issue.
if I turn off packet filtering (pfctl -d) everything works perfect.
I turn it on... and I can get onto the firewall from my "full access" workstations
outside of the network.
I can't hit anything else in any networks while it's turnned on, unless I comment out
the "blo
Only on the dc0 interface. the 192.168.3.0/24 block is on the dc1 interface.
The dc0 interface goes to the internet... I don't want/need to send anything from
192.168/16 to the internet
since their 1918 addys...
-Shawn
>
>
>
>
>> Do you have all routing set up correctly? Is the network that
>
Your rule set is too large for me to debug without actually running it.
But you can debug it step by step yourself:
All your rules use 'quick', and you say the packets get blocked by the
last two 'block' rules. That means the packets don't match a 'pass' rule
that you expect them to match.
You'l
the
firewall has full access to it.
But it can't ping anything on that network...
-Original Message-
From: Daniel Hartmeier [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 16, 2002 5:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Very Annoying pro
[EMAIL PROTECTED] wrote:
http://www.iodamedia.net/pf.conf
Go grab it.. and tell me what I'm doing wrong!
-Shawn
Your ruleset is quite large to debug it just by looking at it.
But one error quickly sprang to my eyes: You're blocking the loopback
interface, which is certainly a bad idea.
C
On Mon, 2002-12-16 at 19:50, Shawn Mitchell wrote:
> Dosn't matter what IP address on any interface you ping. All comes back
> with the same thing.
>
> I turned on logging to see what wasn't making and such. I'm seeing DNS
> requests getting blocked...
>
> Routing is not an issue. The packets
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jason Dixon
Sent: Monday, December 16, 2002 8:42 PM
To: PF Mailing List
Subject: RE: Very Annoying problem... blocks everything...
On Mon, 2002-12-16 at 19:50, Shawn Mitchell wrote:
> Dosn't matter
On Mon, 2002-12-16 at 22:46, Shawn Mitchell wrote:
> on the "tcpdump -nettti pflog0" command, should everything match the last
> two rules, which are:
>
> pass in log quick inet from any to any
> pass out log quick inet from any to any
No. You have a gazillion other "quick" rules in front of thes
:08:16.979785 68.40.56.75.4934 > 208.23.207.24.445: S
974117744:974117744(0) win 16384 (DF)
22:08:16.979791 68.40.56.75.4934 > 208.23.207.24.445: S
974117744:974117744(0) win 16384 (DF)
22:08:16.979872 68.40.56.75.4934 > 208.23.207.24.445: S
974117744:974117744(0) win 16384 (DF)
22:08:16.97
Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of
Jason Dixon
Sent: Monday, December 16, 2002 9:52 PM
To: PF Mailing List
Subject: RE: Very Annoying problem... blocks everything...
On Mon, 2002-12-16 at 22:46, Shawn Mitchell wrote:
> on the "tcpdump -nettti pflog0
On Tue, Dec 17, 2002 at 01:33:18AM -0600, Shawn Mitchell wrote:
> 07:23:28.793476 rule 6/0(match): block in on dc1: 65.172.62.147.3086 >
> 205.188.179.233.5190: S 3584173258:3584173258(0) win 16384 1460,nop,nop,sackOK> (DF)
> 07:23:29.042444 rule 6/0(match): block in on dc1: 65.172.62.145.1145 >
Do you have all routing set up correctly? Is the network that
192.168.3.250 is on in the same subnet as one of the firewall interfaces?
Or is it a separate network? You'd need to add a route for it if it's
separate.
I had something funky happen with my routes at one point and had to
re-add.
Good
7, 2002 11:21 AM
To: [EMAIL PROTECTED]
Subject: Re: Very Annoying problem... blocks everything...
On Mon, Dec 16, 2002 at 04:20:01PM -0600, [EMAIL PROTECTED] wrote:
> http://www.iodamedia.net/pf.conf
> Go grab it.. and tell me what I'm doing wrong!
Sorry dude, but your con
> Now for another question... How do I control the bandwidth via OpenBSD
to
> any given IP Address?
If you're running -current; man pf.conf, if else; man altq
Anders Rosvoldaunet
17 matches
Mail list logo
