From owner-freebsd-pf@FreeBSD.ORG Thu Sep 7 03:17:55 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BB02916A4DA; Thu, 7 Sep 2006 03:17:55 +0000 (UTC) (envelope-from ask@develooper.com)
Received: from x8.develooper.com (x8.develooper.com [216.52.237.208]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5A0B243D45; Thu, 7 Sep 2006 03:17:55 +0000 (GMT) (envelope-from ask@develooper.com)
Received: (qmail 28130 invoked from network); 7 Sep 2006 03:17:55 -0000
Received: from gw.develooper.com (HELO ?10.0.201.111?) (ask@cleverpeople.org@64.81.84.140) by smtp.develooper.com with (RC4-SHA encrypted) SMTP; 7 Sep 2006 03:17:55 -0000
Mime-Version: 1.0 (Apple Message framework v752.2)
Content-Transfer-Encoding: 7bit
Message-Id: <596996E2-D643-4D66-ADE3-36099FF2BDD6@develooper.com>
Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
To: freebsd-pf@freebsd.org
From: Ask Bjørn Hansen
Date: Wed, 6 Sep 2006 20:17:53 -0700
X-Mailer: Apple Mail (2.752.2)
Subject: bad ruleset - pf not keeping state for some bridged connections?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter (pf)"
X-List-Received-Date: Thu, 07 Sep 2006 03:17:55 -0000

Hi everyone,

I am having a bit of trouble with my pf ruleset that I can't figure out. My ISP gives me a few static IPs, so I have a Soekris box running as a bridging firewall running 6.0-RELEASE-p4. It does NAT for my RFC1918 net and does the bridging firewall for my public IPs.
I've posted my pf.conf here: http://tmp.askask.com/2006/09/pf.conf

The bridge is set up with

  net.link.bridge.pfil_bridge=0
  net.link.bridge.pfil_member=1

Some months ago I must have changed something that makes incoming ssh connections not (always) work. If I ssh from an outside client to 64.81.84.17 the connection is established and the traffic from 64.81.84.17 to the outside IP makes it (the sshd banner), but after that the packets from the client don't make it through the BSD box. I can see with tcpdump that they come in on sis0, but there's nothing on sis1.

Any ideas?

Also, any suggestions for general cleanup and optimizations of the rulesets are welcome. The box is also doing ipsec to another 10/8 network, but I'm honestly not sure if it's even being filtered (?!)

- ask

-- 
http://www.askbjoernhansen.com/
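The point to keep in mind with the sysctl settings quoted in the post (net.link.bridge.pfil_member=1, net.link.bridge.pfil_bridge=0) is that pf evaluates every bridged packet twice: once inbound on the member interface it arrives on and once outbound on the member it leaves on, and both evaluations must pass or the packet is dropped between the two interfaces, which is exactly the "seen on sis0, nothing on sis1" symptom tcpdump would show. The ruleset below is an added example written for this reply; it is not the poster's pf.conf (which is only linked, not shown here). It follows the usual bridging pattern of doing all stateful filtering on one member and passing the other member statelessly, so that a connection never depends on two separate states lining up. The interface roles (sis0 towards the ISP, sis1 towards the public-IP hosts) and the use of 64.81.84.17 as the ssh host are assumptions taken from the description; NAT and IPsec are left out.

```pf
# Added example ruleset, not the poster's pf.conf.
# Assumed layout: sis0 = ISP side, sis1 = side with the public-IP hosts,
# 64.81.84.17 = host accepting ssh.  Adjust to the real bridge members.
ext_if   = "sis0"
int_if   = "sis1"
ssh_host = "64.81.84.17"
bridge_hosts = "{ 64.81.84.17 }"   # public hosts behind the bridge

# Floating is the default; with if-bound states a state made on sis0
# would not match on sis1 and each member would need its own states.
set state-policy floating
set skip on lo0

# Filter on ONE member only.  Everything the bridge moves across the
# other member passes statelessly, so a packet that was accepted (and
# got a state) on $ext_if is not evaluated a second time against a rule
# that could drop it on $int_if.
pass quick on $int_if all

# Default deny on the filtered member; "log" sends drops to pflog0 so a
# dropped ssh packet shows up there instead of silently disappearing.
block log on $ext_if all

# Inbound ssh to the public host: the client's SYN arrives on $ext_if and
# creates a state; the server's replies leave on $ext_if and match it,
# as do all later client packets, so no second rule is needed.
pass in quick on $ext_if proto tcp from any to $ssh_host port 22 \
    flags S/SA keep state

# Connections the public hosts themselves open to the outside.
pass out quick on $ext_if proto tcp from $bridge_hosts to any \
    flags S/SA keep state
pass out quick on $ext_if proto udp from $bridge_hosts to any keep state
pass out quick on $ext_if inet proto icmp from $bridge_hosts to any keep state
```

When checking a bridge ruleset like this, `pfctl -vvsr` prints the evaluation and packet counters next to each rule, so a drop on the second evaluation shows up as a climbing counter on the block rule of the member it happens on; `pfctl -ss` lists the states, which is the quickest way to see whether the inbound ssh SYN created one at all; and with the `block log` rule in place, `tcpdump -n -e -ttt -i pflog0` shows each dropped packet together with the interface and rule number that dropped it.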