From: Jeffrey Williams <jeff@sailorfej.net>
Date: Wed, 26 Jul 2006 10:46:39 -0700
To: freebsd-pf@freebsd.org
Subject: Re: SV: nat/outbound traffic not passing in pf on FreeBSD 6.1
Message-ID: <44C7AA7F.7060904@sailorfej.net>
In-Reply-To: <013101c6b0ba$371645d0$152ea8c0@phobos>

Morgan wrote:
>> pf.conf entries:
>>
>> oif="em0"
>> onwr="o.o.33.40/29"
>> oip="o.o.33.46"
>>
>> iif="em1"
>> inwr="i.i.10.0/24"
>> iip="i.i.10.1"
>>
>> is1="i.i.10.15"
>>
>> scrub in all
>>
>> nat on $oif from $inwr to any -> $oif
>>
>> rdr on $oif proto tcp from any to $oip port 1000 -> $is1 port 22
>>
>> block in log all
>>
>> pass in on $oif proto tcp from any to $is1 port 22 keep state
>> pass in on $oif proto tcp from any to $oip port 22 keep state
>>
>> pass in on $iif inet from $inwr to any keep state
>> pass out on $oif inet from $oip to any keep state (additional rule
>> referred to above that needed to be added to enable outbound
>> connections, should not be needed?)
>>
>> antispoof for $oif
>> antispoof for $iif
>
> Where is your pass rule for your internal interface and for your loopback
> for that matter?
>
> pass on lo0 all
> pass on em1 all
>
> /PP
>

I am not running anything that is trying to use the loopback interface on
this box. The following rule passes traffic in on the internal interface,
"pass in on $iif inet from $inwr to any keep state", and there is no rule
blocking traffic out on the internal interface.

Thanks,
Jeff
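Jeff's reading of the ruleset (only inbound traffic is blocked, so outbound on the internal interface falls through to pf's default pass) can be checked mechanically rather than by eye. The Python script below is an added example, not code from the thread or from FreeBSD/pf: it expands the pf.conf macros, then for each interface and direction lists which block and pass rules could apply and whether any of the pass rules keep state. It assumes the quoted ruleset as its constructed input (the o.o./i.i. addresses are the poster's own obfuscation and are just strings here), it ignores pf's last-match ordering and the block rules that `antispoof` expands into, and it detects statefulness by keyword only.

```python
import re

# Constructed copy of the ruleset quoted in the thread (parenthetical
# comment removed). The o.o./i.i. addresses are kept verbatim.
PF_CONF = """\
oif="em0"
onwr="o.o.33.40/29"
oip="o.o.33.46"
iif="em1"
inwr="i.i.10.0/24"
iip="i.i.10.1"
is1="i.i.10.15"
scrub in all
nat on $oif from $inwr to any -> $oif
rdr on $oif proto tcp from any to $oip port 1000 -> $is1 port 22
block in log all
pass in on $oif proto tcp from any to $is1 port 22 keep state
pass in on $oif proto tcp from any to $oip port 22 keep state
pass in on $iif inet from $inwr to any keep state
pass out on $oif inet from $oip to any keep state
antispoof for $oif
antispoof for $iif
"""

# Only the double-quoted macro form used in the thread is handled.
MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')
STATE_KEYWORDS = ("keep state", "modulate state", "synproxy state")


def expand_macros(text):
    """Return (macros, rules): the macro definitions and every remaining
    non-empty line with each $macro reference substituted."""
    macros, rules = {}, []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        # Longest names first so a short macro never clobbers a longer one
        # that shares its prefix.
        for name in sorted(macros, key=len, reverse=True):
            line = line.replace('$' + name, macros[name])
        rules.append(line)
    return macros, rules


def parse_filter_rule(rule):
    """Return (action, direction, interface) for a block/pass rule, or None
    for nat/rdr/scrub/antispoof lines. direction or interface is None when
    the rule does not restrict it (applies to both / to all)."""
    tok = rule.split()
    if tok[0] not in ("block", "pass"):
        return None
    direction = tok[1] if len(tok) > 1 and tok[1] in ("in", "out") else None
    interface = tok[tok.index("on") + 1] if "on" in tok else None
    return tok[0], direction, interface


def classify(rules, interfaces):
    """Map (interface, direction) -> {"block": [...], "pass": [...]}, listing
    every filter rule whose on/in/out qualifiers admit that slot."""
    summary = {(i, d): {"block": [], "pass": []}
               for i in interfaces for d in ("in", "out")}
    for rule in rules:
        parsed = parse_filter_rule(rule)
        if parsed is None:
            continue
        action, direction, interface = parsed
        for (iface, d), entry in summary.items():
            if direction in (None, d) and interface in (None, iface):
                entry[action].append(rule)
    return summary


def effective_policy(entry):
    """Coarse verdict for one slot. pf is last-match wins, so this reports
    which kinds of rules exist, not what a particular packet would do; a
    slot no rule mentions gets pf's implicit pass, which creates no state."""
    if entry["pass"]:
        stateful = any(kw in r for r in entry["pass"] for kw in STATE_KEYWORDS)
        return "pass rule present (%s)" % ("stateful" if stateful else "stateless")
    if entry["block"]:
        return "blocked, no pass rule"
    return "no rule: implicit pass, no state"


if __name__ == "__main__":
    macros, rules = expand_macros(PF_CONF)
    summary = classify(rules, [macros["oif"], macros["iif"]])
    for (iface, d), entry in sorted(summary.items()):
        print("%-4s %-3s %s" % (iface, d, effective_policy(entry)))
```

Run as-is, the script reports that em1 out is the one slot no rule mentions at all: inbound on em1 is passed by a stateful rule, inbound on em0 is blocked except for the two SSH rules, and outbound on em0 is covered only by the rule Jeff says he had to add. It does not settle whether that added rule is required on FreeBSD 6.1; it only makes visible which slots rely on pf's implicit pass and therefore never create state of their own, which is where to start when a `pfctl -ss` listing shows no state for the outbound connections.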