From owner-freebsd-questions@FreeBSD.ORG Mon Nov 15 23:13:14 2004
Date: Mon, 15 Nov 2004 15:13:13 -0800
From: Aaron Nichols
To: Andrew Smith
cc: freebsd-questions@freebsd.org
Subject: Re: ipf firewall questions
In-Reply-To: <001e01c4cb50$be9933b0$19c8a8c0@loriandsmith>
References: <001e01c4cb50$be9933b0$19c8a8c0@loriandsmith>

On Mon, 15 Nov 2004 15:21:47 -0500, Andrew Smith wrote:
> I'm using ipf as my firewall, and I can't figure out why OWA is being
> blocked going to 172.20.0.11. Below is the current config file which
> works. But if I removed the fourth line, my users can't access OWA
> externally. I would have thought the lines
> "pass out quick from 172.20.0.0/24 to any keep state" and
> "pass in quick from any to 172.20.0.0/24" would have superseded the
> line "block out log proto tcp from any to any port = 80".
>
> Any suggestions would be helpful.
>
> Andrew
>
> --------------------------------------------------------------------
>
> #
> # Permit Outlook Web Access
> #
> pass in quick proto tcp from any to 172.20.0.11 port = 80 keep state

Sorry - I missed the very first rule - how thorough of me.

Given that - and my lack of familiarity with ipf vs. ipfw or pf - I'd
say the problem may be the lack of any "check state" type rule which
applies to the response traffic. I haven't exhaustively looked at the
man page on ipf to verify this, but reviewing what rules will cause ipf
to check for any existing states may help. If they are hitting that
rule and nothing below is catching response traffic based on existing
states, then I'm guessing that is what's needed.

Sorry for the confusion on the last post, and my apologies if this one
causes any more.

Aaron