Date: Mon, 15 Nov 2004 15:13:13 -0800
From: Aaron Nichols <adnichols@gmail.com>
To: Andrew Smith <andsmith@andsmith.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: ipf firewall questions
Message-ID: <ac0553840411151513628f9c1d@mail.gmail.com>
In-Reply-To: <001e01c4cb50$be9933b0$19c8a8c0@loriandsmith>
References: <001e01c4cb50$be9933b0$19c8a8c0@loriandsmith>
On Mon, 15 Nov 2004 15:21:47 -0500, Andrew Smith <andsmith@andsmith.com> wrote:
> I'm using ipf as my firewall, and I can't figure out why OWA is being blocked
> going to 172.20.0.11. Below is the current config file which works. But if I
> removed the fourth line, my users can't access OWA externally. I would have
> thought the lines:
>
>   pass out quick from 172.20.0.0/24 to any keep state
>   pass in quick from any to 172.20.0.0/24
>
> would have superseded the line
>
>   block out log proto tcp from any to any port = 80
>
> Any suggestions would be helpful.
>
> Andrew
>
> --------------------------------------------------------------------
>
> #
> # Permit Outlook Web Access
> #
> pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state

Sorry - I missed the very first rule - how thorough of me.

Given that - and my lack of familiarity with ipf vs. ipfw or pf - I'd say the problem may be the lack of any "check state" type rule which applies to the response traffic. I haven't exhaustively looked at the man page on ipf to verify this, but reviewing what rules will cause ipf to check for any existing states may help. If they are hitting that rule and nothing below is catching response traffic based on existing states, then I'm guessing that is what's needed.

Sorry for the confusion on the last post, and my apologies if this one causes any more.

Aaron
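The thread turns on how ipf decides which rule wins and what "keep state" buys you. In ipf the state table is consulted before the rule list: a packet that belongs to a connection recorded by a "keep state" pass rule is passed on that state entry and never reaches a later "block" rule, with no separate check-state rule needed. Among the rules themselves, the last match wins unless a matching rule carries "quick", which ends the scan at that rule. The toy evaluator below models exactly those three behaviours so the difference between a stateful and a stateless OWA rule can be watched packet by packet. It is an added example, not ipfilter code and not part of this thread; it parses only a small subset of ipf.conf syntax, the rulesets, addresses and ports in it are constructed for the illustration (they are not Andrew's full config, which the thread does not show), and it assumes a stock ipf default verdict of pass when no rule matches.

```python
"""Toy model of ipf rule evaluation (added example; not ipfilter code).

Models the three behaviours the thread turns on:
  * rules are scanned top to bottom and the LAST matching rule wins, unless a
    matching rule carries 'quick', which ends the scan at that rule;
  * 'keep state' on a pass rule records the connection in both directions;
  * a packet belonging to a recorded connection is passed from the state table
    BEFORE the rule list is consulted, so no later 'block' rule ever sees it.
Only a subset of ipf.conf syntax is parsed; rulesets and packets below are
constructed for illustration; default verdict with no match is assumed 'pass'.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the firewall
    proto: str      # "tcp", "udp", ...
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self) -> "Packet":
        """The packet the other end sends back, as the firewall sees it."""
        other = "out" if self.direction == "in" else "in"
        return Packet(other, self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Rule:
    text: str
    action: str            # "pass" or "block"
    direction: str
    quick: bool
    proto: Optional[str]   # None matches any protocol
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    keep_state: bool

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def _net(tok: str) -> IPv4Network:
    return ip_network("0.0.0.0/0") if tok == "any" else ip_network(tok)


def parse_rule(line: str) -> Rule:
    """Parse e.g. 'pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state'."""
    toks = line.split()
    action, direction, i = toks[0], toks[1], 2
    quick = False
    while toks[i] in ("log", "quick"):       # 'log' is accepted and ignored here
        quick = quick or toks[i] == "quick"
        i += 1
    proto = None
    if toks[i] == "proto":
        proto, i = toks[i + 1], i + 2
    if toks[i] != "from" or toks[i + 2] != "to":
        raise ValueError(f"unsupported rule syntax: {line}")
    src, dst, i = _net(toks[i + 1]), _net(toks[i + 3]), i + 4
    dport = None
    if i < len(toks) and toks[i] == "port":  # only 'port = N' is supported
        dport, i = int(toks[i + 2]), i + 3
    keep_state = toks[i:i + 2] == ["keep", "state"]
    return Rule(line, action, direction, quick, proto, src, dst, dport, keep_state)


class Firewall:
    def __init__(self, lines):
        self.rules = [parse_rule(l) for l in lines]
        self.state = set()  # (proto, src, sport, dst, dport) per tracked direction

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    def check(self, p: Packet) -> Tuple[str, str]:
        """Return (verdict, reason); reason is 'state', the winning rule, or 'default'."""
        if self._key(p) in self.state:       # state table is consulted first
            return "pass", "state"
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:                  # 'quick': stop scanning here
                    break
        if winner is None:
            return "pass", "default"         # assumed stock-ipf default
        if winner.action == "pass" and winner.keep_state:
            self.state.add(self._key(p))
            self.state.add(self._key(p.reply()))
        return winner.action, winner.text


# Constructed rulesets: an inbound OWA rule followed by a rule refusing any TCP
# the 172.20.0.0/24 hosts send out. Only STATEFUL records the OWA connection.
STATEFUL = [
    "pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state",
    "block out log quick proto tcp from 172.20.0.0/24 to any",
]
STATELESS = [
    "pass in quick proto tcp from any to 172.20.0.11 port = 80",
    "block out log quick proto tcp from 172.20.0.0/24 to any",
]


def owa_session(lines):
    """Run one client SYN (constructed addresses) and the server's reply through the rules."""
    fw = Firewall(lines)
    syn = Packet("in", "tcp", "203.0.113.5", 51000, "172.20.0.11", 80)
    return fw.check(syn), fw.check(syn.reply())


def verdict(lines, p: Packet) -> str:
    """Verdict for a single packet with no prior state (shows last-match vs quick)."""
    return Firewall(lines).check(p)[0]


if __name__ == "__main__":
    for name, rs in (("stateful", STATEFUL), ("stateless", STATELESS)):
        print(name, owa_session(rs))
```

With STATEFUL the server's reply is passed on the state entry and the block rule is never consulted; with STATELESS the same reply reaches the rule list and the quick block rule wins. Dropping "quick" from a block rule changes the outcome again, because a later matching pass rule then overrides it under last-match semantics.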
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ac0553840411151513628f9c1d>