From: Tilman Linneweh <arved@arved.at>
Date: Sun, 31 Jul 2005 17:58:23 +0200
To: freebsd-pf@FreeBSD.org
Subject: PF on 6.0 and ICQ

Hi list,

I upgraded my firewall to RELENG_6. The firewall does NAT for an RFC1918 net, and the relevant part of the ruleset looks like this:

    nat on $ext_if from $internal_net to any -> ($ext_if)
    pass in on $int_if from {$internal_net, 224.0.0.0/4} to any keep state allow-opts
    pass out on $int_if from any to {$internal_net, 224.0.0.0/4} keep state allow-opts
    pass out on $ext_if proto { tcp, udp } all keep state

With RELENG_5 ICQ from the hosts on the RFC1918 network worked, but now they are not able to connect to the ICQ server.

The logged traffic on pflog0 looks like this:

    17:45:25.966685 IP (tos 0x0, ttl 62, id 63506, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
    17:45:28.871854 IP (tos 0x0, ttl 62, id 63512, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
    17:45:31.872076 IP (tos 0x0, ttl 62, id 63515, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
    17:45:34.874595 IP (tos 0x0, ttl 62, id 63518, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.1.24.49231 > 205.188.7.248.5190: S, cksum 0x7097 (correct), 920618149:920618149(0) win 65535
    17:45:37.874576 IP (tos 0x0, ttl 62, id 63520, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.1.24.49231 > 205.188.7.248.5190: S, cksum 0x7097 (correct), 920618149:920618149(0) win 65535

Anyone got an idea why this traffic doesn't match the pass rules anymore?

regards,
tilman
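The pflog excerpt above was captured without tcpdump's -e option, so it shows the packets but not the pflog header that says which rule, action, direction and interface produced each entry. What the excerpt does show can still be read systematically: the same 4-tuple, the same ISN, and a roughly 3-second spacing is the client's SYN retransmit timer, i.e. the client never saw a SYN-ACK, and the source is still the RFC1918 address, so this copy of the packet was logged before nat translated it (pf filters the translated packet on the nat interface, so a post-nat log entry would carry the external address). The following parser is an added example, not code from the post or from the pf project; it takes the five tcpdump -v lines from the post as a constructed inline sample, groups them by flow and reports the retransmission pattern. The regular expression, the field names and the diagnosis text are the example's own assumptions about the tcpdump output format shown above.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the five pflog0 lines from the post, captured with
# tcpdump in verbose mode but without -e, so no pf rule/action header is shown.
SAMPLE_LOG = """\
17:45:25.966685 IP (tos 0x0, ttl 62, id 63506, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
17:45:28.871854 IP (tos 0x0, ttl 62, id 63512, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
17:45:31.872076 IP (tos 0x0, ttl 62, id 63515, offset 0, flags [DF], proto: TCP (6), length: 60) 192.168.1.24.49231 > 205.188.7.248.5190: S 920618149:920618149(0) win 65535
17:45:34.874595 IP (tos 0x0, ttl 62, id 63518, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.1.24.49231 > 205.188.7.248.5190: S, cksum 0x7097 (correct), 920618149:920618149(0) win 65535
17:45:37.874576 IP (tos 0x0, ttl 62, id 63520, offset 0, flags [DF], proto: TCP (6), length: 44) 192.168.1.24.49231 > 205.188.7.248.5190: S, cksum 0x7097 (correct), 920618149:920618149(0) win 65535
"""

# One tcpdump -v line for a TCP segment (assumed format, matching the lines above).
# The flags token is followed by either a space ("S 9206...") or a comma
# ("S, cksum ..."), depending on whether tcpdump printed the checksum.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP \(.*?ttl (?P<ttl>\d+),.*?\) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+)[ ,].*?(?P<seq>\d+):\d+\(\d+\)"
)


def parse_pflog(text):
    """Parse tcpdump-style pflog lines into dicts; non-matching lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        packets.append({
            "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
            "flags": m["flags"], "seq": int(m["seq"]), "ttl": int(m["ttl"]),
        })
    return packets


def diagnose(pkts, syns):
    """Describe the pattern in one unidirectional flow.

    Several SYNs with the same ISN and nothing else is the client's retransmit
    timer firing: it never received a SYN-ACK, which is what you see when the
    firewall drops the SYN instead of creating state for it.
    """
    if len(syns) >= 3 and len({p["seq"] for p in syns}) == 1 and len(syns) == len(pkts):
        note = "SYN retransmitted %d times with unchanged ISN: no SYN-ACK reached the client" % len(syns)
        if ipaddress.ip_address(pkts[0]["src"]).is_private:
            # pf filters the translated packet on the nat interface, so a logged
            # RFC1918 source means this copy was seen before nat applied.
            note += "; source is still the RFC1918 address, so it was logged before nat translation"
        return note
    return "no obvious retransmission pattern"


def summarize_flows(packets):
    """Group packets by (src, sport, dst, dport) and summarize each flow."""
    by_flow = defaultdict(list)
    for p in packets:
        by_flow[(p["src"], p["sport"], p["dst"], p["dport"])].append(p)

    flows = {}
    for key, pkts in by_flow.items():
        pkts.sort(key=lambda p: p["ts"])
        syns = [p for p in pkts if p["flags"] == "S"]
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(pkts, pkts[1:])]
        flows[key] = {
            "packets": len(pkts),
            "syn_count": len(syns),
            "isns": {p["seq"] for p in syns},
            "private_source": ipaddress.ip_address(key[0]).is_private,
            "intervals": intervals,
            "diagnosis": diagnose(pkts, syns),
        }
    return flows


if __name__ == "__main__":
    for key, info in summarize_flows(parse_pflog(SAMPLE_LOG)).items():
        print("%s:%d -> %s:%d" % key)
        print("  packets=%d syn=%d isns=%s" % (info["packets"], info["syn_count"], sorted(info["isns"])))
        print("  intervals=%s" % ["%.2f" % d for d in info["intervals"]])
        print("  " + info["diagnosis"])
```

To get the missing half of the picture, the pflog header with the rule number, action, direction and interface, capture with `tcpdump -n -e -ttt -i pflog0` and map the rule number to the loaded ruleset with `pfctl -vvsr`; that shows whether the SYN was dropped by the default block or by a specific rule, and on which interface it was seen.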