Date: Thu, 31 Mar 2005 16:18:55 +1000
From: Jayel Villamin <jarthel@gmail.com>
To: freebsd-pf@freebsd.org
Subject: weird PF behavior
Message-ID: <b2d2a52705033022181ea45294@mail.gmail.com>
Here's a rough sketch of the home network:

FBSD 5.3 box
  ===>>> xl0 ===>>> ADSL modem
  ===>>> xl1 ===>>> 10/100 Mbps switch ===>>> several Windows PCs are connected to the switch
  ===>>> xl2 ===>>> Windows PC (via x-over cable). This is the FTP server.

I have an FTP server running in a Windows box with IP = 192.168.2.2. Here's a snippet of my rules:

==========
ext_if = "tun0"
elayne_ftp_service = "19985:19989"
elayne = "192.168.2.2/32"

rdr on $ext_if proto tcp from any to ($ext_if) port $elayne_ftp_service -> $elayne

block log all   # This is the very first rule after the nat/rdr rules

pass in quick on $ext_if inet proto tcp from any to $elayne port { $elayne_ftp_service } flags S/SA keep state
============

Looking at the PF FAQ on openbsd.org, this seems to be correct. But when I try to connect from work to the FTP server, I get the following tcpdump entries:

=====================
15:44:38.009604 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 > TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win 49640 <mss 1402,nop,nop,sackOK>
15:44:41.423697 IP SOURCE_IP_HIDDEN_FOR_PRIVACY.43318 > TARGET_IP_HIDDEN_FOR_PRIVACY.19989: S 1052116979:1052116979(0) win 49640 <mss 1402,nop,nop,sackOK>
===================

If I change the last rule in the snippet to:

===========
pass in quick inet proto tcp from any to $elayne port { $elayne_ftp_service } flags S/SA keep state
===========

it works. Well, I thought that having "on $ext_if" was correct as well, as the traffic from work to the home FTP server must pass through $ext_if.

Any ideas for this behavior?

Thanks
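The tcpdump trace in the post has a recognisable shape: the same SYN (same source port 43318, same initial sequence number 1052116979) is retransmitted about 3.4 seconds later, and nothing comes back from the server side, neither a SYN-ACK nor a RST. That is what a silently dropped packet looks like (a PF `block` rule without `return` drops without replying), as opposed to a connection that reached the host and was refused. The script below is an added example, not code from the poster or from the PF project; it parses old-style tcpdump TCP lines of the form quoted in the post and classifies each client connection attempt as filtered, refused, open, or still pending. The sample capture is constructed: it reuses the post's two SYN lines with documentation-range addresses standing in for the hidden IPs, and adds two further flows (a successful SYN-ACK and a RST) to show the other verdicts.

```python
import re

# Shape of the old-style tcpdump TCP line quoted in the post:
#   TIME IP SRC.SPORT > DST.DPORT: FLAGS SEQ:SEQ(LEN) [ack N] win W <opts>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"(?P<flags>[SRPFU.]+) (?:(?P<seq>\d+):\d+\(\d+\))?(?P<rest>.*)$"
)

# Constructed sample capture (documentation-range addresses stand in for the
# post's hidden IPs). Flow 1 is the post's trace; flows 2 and 3 are added.
SAMPLE_TCPDUMP = """\
15:44:38.009604 IP 203.0.113.10.43318 > 198.51.100.1.19989: S 1052116979:1052116979(0) win 49640 <mss 1402,nop,nop,sackOK>
15:44:41.423697 IP 203.0.113.10.43318 > 198.51.100.1.19989: S 1052116979:1052116979(0) win 49640 <mss 1402,nop,nop,sackOK>
15:44:50.100000 IP 203.0.113.10.43400 > 198.51.100.1.19985: S 2000000000:2000000000(0) win 49640 <mss 1402,nop,nop,sackOK>
15:44:50.100500 IP 198.51.100.1.19985 > 203.0.113.10.43400: S 3000000000:3000000000(0) ack 2000000001 win 65535 <mss 1460>
15:44:55.000000 IP 203.0.113.10.43401 > 198.51.100.1.2200: S 2100000000:2100000000(0) win 49640 <mss 1402>
15:44:55.000400 IP 198.51.100.1.2200 > 203.0.113.10.43401: R 0:0(0) ack 2100000001 win 0
"""


def parse_line(line):
    """Return a dict for one tcpdump TCP line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": d["flags"],
        "seq": int(d["seq"]) if d["seq"] else None,
        # an 'ack N' field marks SYN-ACKs and RST-ACKs coming back from the server
        "ack": re.search(r"\back \d+", d["rest"]) is not None,
    }


def classify_flows(lines):
    """Group packets by the client's 4-tuple and give each attempt a verdict.

    filtered : two or more SYNs with the same ISN and no reply at all
               (the packet is being dropped somewhere, e.g. by a block rule)
    refused  : a RST came back (the host answered; port closed or rejected)
    open     : a SYN-ACK came back
    pending  : a single SYN so far; wait for the retransmission
    """
    flows = {}
    for p in filter(None, map(parse_line, lines)):
        fwd = (p["src"], p["sport"], p["dst"], p["dport"])
        rev = (p["dst"], p["dport"], p["src"], p["sport"])
        # a reply matches an already-seen forward key with ends swapped
        key = rev if rev in flows else fwd
        rec = flows.setdefault(key, {"syns": [], "replies": []})
        if key == fwd:
            if "S" in p["flags"] and not p["ack"]:
                rec["syns"].append(p["seq"])
        else:
            rec["replies"].append(p)

    verdicts = {}
    for key, rec in flows.items():
        if any("R" in r["flags"] for r in rec["replies"]):
            verdicts[key] = "refused"
        elif any("S" in r["flags"] and r["ack"] for r in rec["replies"]):
            verdicts[key] = "open"
        elif len(rec["syns"]) >= 2 and len(set(rec["syns"])) == 1:
            verdicts[key] = "filtered"
        else:
            verdicts[key] = "pending"
    return verdicts


if __name__ == "__main__":
    for (src, sport, dst, dport), v in classify_flows(SAMPLE_TCPDUMP.splitlines()).items():
        print(f"{src}:{sport} -> {dst}:{dport}  {v}")
```

When the verdict is "filtered" on a FreeBSD box running PF, the next place to look is the firewall's own log rather than the wire: the `block log all` rule in the post sends every dropped packet to the pflog interface, so `tcpdump -n -e -ttt -i pflog0` (the command given in the PF FAQ) shows which rule number dropped it and on which interface it arrived, and `pfctl -sr` lists the loaded rules with their numbers for comparison.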