From: Forrest Aldrich <forrie@forrie.com>
Date: Tue, 29 Nov 2005 04:26:11 -0500
To: freebsd-pf@freebsd.org
Subject: Re: Using / notation in tables?

I think this might be the problem. $ext_if:network expands to 24.62.224.0/20, which is of course not my network. I've been following examples on the net about configuring this.

Perhaps I should put a variable in there as gw=24.62.224.xx/32. It's not clear to me where that should be used (ext_if:network).

Thank you.

Daniel Hartmeier wrote:
> On Tue, Nov 29, 2005 at 03:53:20AM -0500, Forrest Aldrich wrote:
>
>> Here is what I'm using for the tables:
>>
>> block in quick on $ext_if proto { tcp, udp } from { , } \
>> to $ext_if:network port 25
>>
>> I wonder if this should be written differently.
>
> I don't see anything obviously wrong. If a packet is passing despite
> this rule, there are two possibilities:
>
> a) evaluation doesn't reach this rule at all, because the packet
> matches an earlier quick rule
>
> b) evaluation does reach this rule, but the rule isn't matching,
> because
>
> 1) the interface is not $ext_if
> 2) the protocol is not tcp or udp (maybe some encapsulation or
> tunnel protocol?)
> 3) the source address is not in either table (use pfctl -vTt to
> test)
> 4) the destination address is not in $ext_if:network (use
> pfctl -sr to see what it expands to, might be surprising if
> $ext_if has multiple network aliases)
>
> c) pf is not enabled at all (pfctl -si | head -n 1)
>
> d) the packet is reaching the server through another path, not going
> through the pf box at all
>
> If you can't spot it, provide the entire ruleset and a tcpdump showing
> the packet passing on $ext_if.
>
> Daniel
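Editor's worked example, not part of the thread: pf derives the `interface:network` modifier from the address and netmask configured on the interface, so on a cable-modem link whose ISP hands out a /20 the rule above blocks mail to the ISP's whole /20 rather than to this one host, exactly what Forrest saw in `pfctl -sr`. The script below reproduces that expansion in plain POSIX sh (address AND mask) and checks which destinations such a rule would match. The address 24.62.224.187 is the one in the mail headers; the /20 prefix length and the probe destinations are constructed for the example. By contrast, `$ext_if` on its own expands to the interface's own address(es), and a host macro such as `gw = "24.62.224.187/32"` matches only that address.

```shell
#!/bin/sh
# Added example (not from the thread): what pf's "$if:network" expands to.
# pf takes the network from the interface's address and netmask, so a
# /20 interface address yields a /20 block.  Values below are constructed.

# Dotted quad -> 32-bit integer.
ip2int() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask for a prefix length, as a 32-bit integer (4294967295 = 0xFFFFFFFF).
plen2mask() {
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# if_network ADDR PREFIXLEN -> "net/prefixlen", i.e. what "$if:network"
# expands to for an interface configured with ADDR/PREFIXLEN.
if_network() {
    addr=$(ip2int "$1")
    mask=$(plen2mask "$2")
    echo "$(int2ip $(( addr & mask )))/$2"
}

# in_network NET/PREFIXLEN DST -> exit 0 if a rule "to NET/PREFIXLEN"
# would match destination DST, 1 otherwise.
in_network() {
    net=${1%/*}; plen=${1#*/}
    mask=$(plen2mask "$plen")
    [ $(( $(ip2int "$2") & mask )) -eq $(ip2int "$net") ]
}

EXT_ADDR=24.62.224.187   # the pf box's own external address
EXT_PLEN=20              # netmask the ISP handed out (constructed)

printf 'ext_if address              : %s/%s\n' "$EXT_ADDR" "$EXT_PLEN"
printf '$ext_if:network expands to  : %s\n' "$(if_network "$EXT_ADDR" "$EXT_PLEN")"
printf 'host macro gw (/32) expands : %s\n' "$(if_network "$EXT_ADDR" 32)"

# Which destinations does "to $ext_if:network" match on this link?
for dst in 24.62.224.187 24.62.230.1 24.62.240.1; do
    if in_network "$(if_network "$EXT_ADDR" "$EXT_PLEN")" "$dst"; then
        printf 'to $ext_if:network vs %-14s : match\n' "$dst"
    else
        printf 'to $ext_if:network vs %-14s : no match\n' "$dst"
    fi
done
```

On the pf box itself the authoritative check is `pfctl -nvf /etc/pf.conf` (or `pfctl -sr` on the loaded ruleset), which prints every rule with macros and `:network` already expanded; if the destination shows up as a /20 the rule is scoped to the ISP's block, and `to $ext_if` (or a /32 host macro) is what scopes it to this host.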