From: "nicolas.cornu" <nicolas.cornu@ch-st-julien.fr>
Date: Fri, 03 Aug 2007 09:38:32 +0200
To: freebsd-pf@freebsd.org
Subject: PF and proxytunnel
Message-ID: <46B2DB78.7090001@ch-st-julien.fr>
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi,

I'm quite new to the PF experience. I'm trying to set a rule which can permit me to log on to my home machine from work by using ssh and proxytunnel (http://proxytunnel.sourceforge.net/). I can't make it work. Each time the firewall is up, my ssh connection is broken. I think it's a flag problem but I can't make it work.

So, this is my rule (and I'm blocking everything by default):

    pass in quick log on $ext_if proto tcp from to $ext_if port 443 flags S/SA keep state

The thing is, in a forum, a guy asked me to try with the flags S/SA but it doesn't work. I tried some other flags without any success.

I also got a log of the packets which are blocked:

    16:10:12.437424 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 0:112(112) ack 1 win 32844
    16:10:12.437433 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 1:112(111) ack 1 win 32844
    16:10:12.497175 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967056 win 32767
    16:10:12.506673 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967104 win 32767
    16:10:12.516765 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967200 win 32767
    16:10:12.524137 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 0 win 32767
    16:10:12.698154 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:12.879724 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:13.086087 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:13.174156 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:13.661987 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:13.761762 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:14.613849 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:14.937784 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:16.317606 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:17.289307 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:17.381429 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:19.309147 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:21.992459 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:22.964584 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:29.280630 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
    16:10:30.075509 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:31.399531 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:32.279624 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
    16:10:38.278752 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
    16:10:44.097373 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:10:50.211598 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
    16:10:50.277124 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
    16:10:51.796096 rule 0/0(match): block in on tun0: [work_ip_address].58951 > [home_ip_address].443: S 3848980265:3848980265(0) win 5840
    16:10:54.795329 rule 0/0(match): block in on tun0: [work_ip_address].58951 > [home_ip_address].443: S 3848980265:3848980265(0) win 5840
    16:10:58.119242 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 4294967008:112(400) ack 1 win 32844
    16:14:05.064569 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58951: P 939245923:939246035(112) ack 3848991638 win 32844

I hope someone can help me.

Regards,
Nicolas
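The blocked-packet log in the post mixes two different patterns that are worth separating mechanically before reasoning about a `keep state` rule. The script below is an added example, not code from the original post or from the proxytunnel project: it parses pflog lines in the tcpdump-style layout quoted above (the regex assumes exactly that layout), and labels each blocked TCP segment either as a bare SYN, the only packet that should ever need a rule lookup on a stateful ruleset, or as a mid-stream segment, which pf only evaluates against the rules when it holds no state entry for the connection. The sample lines are copied from the post; the category names are the example's own.

```python
import re
from collections import Counter, defaultdict

# Layout of the pflog lines quoted in the post (tcpdump-style pflog output):
# "<time> rule <n>/<sub>(match): <action> <dir> on <if>: <src>.<sport> > <dst>.<dport>: <flags> <rest>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) rule (?P<rule>\S+): "
    r"(?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\S+): "
    r"(?P<src>\S+?)\.(?P<sport>\d+) > (?P<dst>\S+?)\.(?P<dport>\d+): "
    r"(?P<flags>[SFPRU.]+) (?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back \d+\b")

# Sample input: a subset of the blocked-packet lines from the post.
SAMPLE_LOG = """\
16:10:12.437424 rule 0/0(match): block out on tun0: [home_ip_address].443 > [work_ip_address].58797: FP 0:112(112) ack 1 win 32844
16:10:12.497175 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: . ack 4294967056 win 32767
16:10:12.879724 rule 0/0(match): block in on tun0: [work_ip_address].58797 > [home_ip_address].443: P 1:49(48) ack 0 win 32767
16:10:29.280630 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
16:10:32.279624 rule 0/0(match): block in on tun0: [work_ip_address].58926 > [home_ip_address].443: S 3840383586:3840383586(0) win 5840
16:10:51.796096 rule 0/0(match): block in on tun0: [work_ip_address].58951 > [home_ip_address].443: S 3848980265:3848980265(0) win 5840
"""


def parse_line(line):
    """Parse one pflog line into a dict; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["has_ack"] = bool(ACK_RE.search(rec["rest"]))
    return rec


def classify(rec):
    """Explain why a stateful pf had to consult the ruleset for this packet."""
    flags = rec["flags"]
    if "S" in flags and not rec["has_ack"]:
        # A bare SYN is the packet that creates state. If it is blocked, the
        # pass rule itself did not match it (interface, addresses or port).
        return "syn_no_rule_match"
    if "S" in flags and rec["has_ack"]:
        # SYN/ACK seen by the rules: the originating SYN left no state behind.
        return "synack_no_state"
    if rec["has_ack"]:
        # Any other segment only reaches the rules when pf has no state entry
        # for the connection (it predates the ruleset load or the state table
        # was flushed); with 'flags S/SA' no rule will ever pass it.
        return "midstream_no_state"
    return "other"


def flow_key(rec):
    """Direction-independent key so the in and out halves of a flow collapse."""
    ends = sorted([(rec["src"], rec["sport"]), (rec["dst"], rec["dport"])])
    return tuple(ends)


def summarize(log_text):
    """Return (category counts, per-flow category counts) for blocked packets."""
    totals = Counter()
    per_flow = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "block":
            continue
        cat = classify(rec)
        totals[cat] += 1
        per_flow[flow_key(rec)][cat] += 1
    return totals, dict(per_flow)


if __name__ == "__main__":
    totals, flows = summarize(SAMPLE_LOG)
    print("totals:", dict(totals))
    for key, cats in flows.items():
        print(key, dict(cats))
```

Run over the full log from the post, the script splits the blocked packets into the established 58797 flow (every segment mid-stream, none with state) and the later 58926 and 58951 SYNs, which are a separate question: those are exactly the packets a `flags S/SA keep state` rule is meant to match, so their being blocked points at the rule's interface or address selection rather than at the flags.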