Date: Fri, 9 Jun 2006 05:52:15 -0600
From: "Pat Maddox" <pergesu@gmail.com>
To: "Erik Norgaard" <norgaard@locolomo.org>, "FreeBSD Questions" <freebsd-questions@freebsd.org>
Subject: Re: Need some help with PF rule letting two machines access each other
Message-ID: <810a540e0606090452t99aa8c5t772ccee21a12504d@mail.gmail.com>
In-Reply-To: <4489501F.7070501@locolomo.org>
References: <810a540e0606082221n488bf220q3846d9c79b47e1ad@mail.gmail.com> <4489501F.7070501@locolomo.org>
On 6/9/06, Erik Norgaard <norgaard@locolomo.org> wrote:
> Pat Maddox wrote:
> > 12.34.56.78 runs a server on port 1234
> > 87.65.43.21 should connect to this
> >
> > Both of them have PF rulesets that block off most traffic, keeping
> > open the publicly available ports I need open. In this case though,
> > any traffic over this port should only be between these two machines.
> > I've tried to set this up, but I keep getting operation not permitted,
> > connection refused, and connection reset by peer errors. Thanks for
> > any info.
>
> It's quite difficult to tell which rule catches your packets without the
> ruleset. Try this:
>
> 1) Add "log" to all block rules
> 2) Check you have keep state in pass rules
> 3) Check you have quick in your pass rules
>
> If you have a default block policy, then you should generally have quick
> in pass rules or you might have packets marked for passing being caught
> later by a block rule.
>
> I generally prefer having the default policy at top without quick, and
> then set quick on rules taking an explicit action.
>
> Cheers, Erik

Okay, I got it working. On the client, the rule is

pass out quick on $EXT_IF inet proto tcp from $EXT_IF to $SERVER port 7721 keep state

and on the server, it's just the opposite:

pass in quick on $EXT_IF inet proto tcp from $CLIENT to $EXT_IF port 7721 keep state

The only difference between that rule and the one I had earlier includes a "flags S/SA" directive on each. Of course now I just tried adding the flags and it works... I'm guessing because the state was already made. If I add "flags S/SA", is there any reason that'd cause problems? It seems to work fine right now, but didn't earlier - though perhaps I had a typo or something.

Pat
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?810a540e0606090452t99aa8c5t772ccee21a12504d>
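The two rulesets below are an added example written for this archive page, not Pat's or Erik's own pf.conf. They put Erik's three points (log on the block rule, keep state and quick on the pass rules) and Pat's final rules together in one place, with the thread's placeholder addresses and port 7721; the interface name em0 and the macro names are assumed. The two halves are two separate /etc/pf.conf files, one per host, shown in one listing for comparison.

```pf
# Added example (not from the thread). Client half: goes in /etc/pf.conf on 87.65.43.21.
ext_if   = "em0"            # assumed interface name
server   = "12.34.56.78"
svc_port = "7721"

set skip on lo0
# Default policy first, without quick, so a later matching pass rule wins.
# "log" makes every blocked packet visible on pflog0, which is how you find
# out which rule is eating a connection instead of guessing.
block log all

# flags S/SA: only a packet with SYN set and ACK clear (out of the S and A
# bits) matches this rule, i.e. only the connection's first packet. Every
# later packet, in both directions, is passed by the state entry this rule
# creates, not by re-evaluating the ruleset. A connection that was already
# in flight when the ruleset was loaded therefore never matches here and
# falls through to "block log all".
pass out quick on $ext_if inet proto tcp from $ext_if to $server port $svc_port \
    flags S/SA keep state

# Added example (not from the thread). Server half: goes in /etc/pf.conf on 12.34.56.78.
ext_if   = "em0"            # assumed interface name
client   = "87.65.43.21"
svc_port = "7721"

set skip on lo0
block log all

# Mirror image of the client rule. Because this pass rule keeps state, the
# server's replies (SYN/ACK, data, FIN) leave through the state entry; no
# separate "pass out" for port 7721 is needed, and nothing else can talk to
# the port since only $client matches.
pass in quick on $ext_if inet proto tcp from $client to $ext_if port $svc_port \
    flags S/SA keep state
```

To check a ruleset before loading it, run `pfctl -nf /etc/pf.conf` (parse only), then `pfctl -f /etc/pf.conf` to load it. With the block rule logging, `tcpdump -n -e -ttt -i pflog0` shows each dropped packet together with the rule number that dropped it, `pfctl -vs rules` shows per-rule hit counters, and `pfctl -s states` shows whether the expected state entry for port 7721 exists. Two caveats worth knowing when reading the errors Pat listed: "operation not permitted" is what the local stack returns when pf blocks a packet the host itself is sending, so that error points at the client's own out rules, while "connection refused" means a TCP RST actually arrived, which a plain `block` never sends (only `block return`, or a host with nothing listening on the port, does). In PF of this era `keep state` had to be written explicitly; later PF releases keep state by default, but writing it out keeps the intent visible either way.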