Date:      Tue, 29 Nov 2005 04:26:11 -0500
From:      Forrest Aldrich <forrie@forrie.com>
To:        freebsd-pf@freebsd.org
Subject:   Re: Using / notation in tables?
Message-ID:  <438C1EB3.3040200@forrie.com>
In-Reply-To: <20051129090145.GB23781@insomnia.benzedrine.cx>
References:  <438BF404.7030009@forrie.com> <20051129084900.GA23781@insomnia.benzedrine.cx> <438C1700.7010805@forrie.com> <20051129090145.GB23781@insomnia.benzedrine.cx>

I think this might be the problem.

$ext_if:network expands to 24.62.224.0/20, which is of course not my
network. I've been following examples on the net about configuring this.

Perhaps I should put a variable in there as gw=24.62.224.xx/32.

It's not clear to me where that should be used (ext_if:network).


Thank you.




Daniel Hartmeier wrote:
> On Tue, Nov 29, 2005 at 03:53:20AM -0500, Forrest Aldrich wrote:
>
>   
>> Here is what I'm using for the tables:
>>
>> block in quick on $ext_if proto { tcp, udp } from { <table1>, <table2> } \
>>    to $ext_if:network port 25
>>
>> I wonder if this should be written differently.
>>     
>
> I don't see anything obviously wrong. If a packet is passing despite
> this rule, there are two possibilities:
>
>   a) evaluation doesn't reach this rule at all, because the packet
>      matches an earlier quick rule
>
>   b) evaluation does reach this rule, but the rule isn't matching,
>      because
>
>        1) the interface is not $ext_if
>        2) the protocol is not tcp or udp (maybe some encapsulation or
>           tunnel protocol?)
>        3) the source address is not in either table (use pfctl -vTt to
>           test)
>        4) the destination address is not in $ext_if:network (use
>           pfctl -sr to see what it expands to, might be surprising if
>           $ext_if has multiple network aliases)
>
>    c) pf is not enabled at all (pfctl -si | head -n 1)
>
>    d) the packet is reaching the server through another path, not going
>       through the pf box at all
>
> If you can't spot it, provide the entire ruleset and a tcpdump showing
> the packet passing on $ext_if.
>
> Daniel
>   




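The expansion the thread is puzzling over, shown as an added example that is not part of the original messages: pf.conf's `ifname:network` modifier translates to the network(s) attached to the interface, so an interface addressed inside a provider /20 yields the whole /20, while `ifname` alone translates to the interface's own address (a /32 host). The address 24.62.224.45/20 and the interface name ext0 are constructed samples (the thread only gives 24.62.224.xx).

```shell
# Compute the network address of an IPv4 address/prefix, i.e. what pf's
# "$ext_if:network" expands to when the interface carries that address.
# Prints e.g. "24.62.224.0/20" for "24.62.224.45/20".
network_of() {
    addr=${1%/*}
    prefix=${1#*/}
    [ "$prefix" -ge 0 ] 2>/dev/null && [ "$prefix" -le 32 ] || return 1
    # split the dotted quad into four octets (IFS restored afterwards)
    oldifs=$IFS; IFS=.
    set -- $addr
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -ge 0 ] 2>/dev/null && [ "$o" -le 255 ] || return 1
    done
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))
    printf '%d.%d.%d.%d/%d\n' $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 )) $(( net & 255 )) "$prefix"
}

# Print the rule from the thread twice, the way pfctl -sr would show it
# after expansion: first with "ifname:network" (the attached subnet, which
# covers every host in the provider block), then with "ifname" alone (the
# box's own address as a /32 host).
expand_rule() {
    ifname=$1                      # constructed sample: ext0
    ifaddr=$2                      # constructed sample: 24.62.224.45/20
    net=$(network_of "$ifaddr") || return 1
    host=${ifaddr%/*}/32
    printf 'block in quick on %s proto { tcp, udp } from { <table1>, <table2> } to %s port 25\n' \
        "$ifname" "$net"
    printf 'block in quick on %s proto { tcp, udp } from { <table1>, <table2> } to %s port 25\n' \
        "$ifname" "$host"
}

expand_rule ext0 24.62.224.45/20
```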