From: Peter Maxwell
To: freebsd-pf@freebsd.org, apetar@gmail.com
Date: Tue, 14 Jul 2009 01:22:06 +0100
Subject: Re: pf between two lans

Hi Aleksic,

On a cursory glance, your pf.conf looks ok.

The tcpdump you supplied is showing both incoming and outgoing packets being blocked which is weird - why would there be a return packet if the initial SYN didn't get through?

Can you post the output of:

    pfctl -s r

What happens if you try things without pf loaded, and with pf loaded but a pass all ruleset?

Have you got gateway_enable set in your rc.conf (I think it shows as net.inet.ip.forwarding being set to 1 in your sysctl)?

Can you post the results of the same tcpdump with a larger window size ( -s 1024 ) and/or a tcpdump on the network interface itself?

There's probably a simple explanation I'm not seeing, but those are the kind of things I'd try/check.

Peter

2009/7/13 Michael K. Smith - Adhost:
> Hello Aleksic:
>>
>> no nat on $extIF inet proto {tcp, udp} from $intIF:network to $intIF2:network
>> no nat on $extIF inet proto {tcp, udp} from $intIF2:network to $intIF:network
>>
> If nothing else, these rules won't match because the traffic isn't
> traversing the External Interface.
>
> no nat on $intIF2 inet proto {tcp, udp} from $intIF:network to $intIF2:network
> no nat on $intIF inet proto {tcp, udp} from $intIF2:network to $intIF:network
>
> Regards,
>
> Mike
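
An added example, not part of the original thread: one way to act on the "both directions blocked" observation is to count pflog entries per rule number, direction and interface, then match those numbers against the `@N` prefixes printed by `pfctl -vvs rules`. The interface names (em1, em2), addresses and log lines below are constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Summarise pf log lines (as printed by `tcpdump -n -e -i pflog0`) by
# rule number, action, direction and interface. Only rules carrying the
# `log` keyword produce pflog entries, so a silent block will not appear.

summarize_pflog() {
    awk '
    {
        # Expected token run: rule N/M(reason): ACTION DIR on IFACE:
        for (i = 1; i + 5 <= NF; i++) {
            if ($i == "rule" && $(i + 4) == "on") {
                split($(i + 1), r, "/")          # r[1] = rule number
                ifc = $(i + 5); sub(/:$/, "", ifc)
                key = "rule=" r[1] " action=" $(i + 2) \
                      " dir=" $(i + 3) " if=" ifc
                count[key]++
                break
            }
        }
    }
    END { for (k in count) print k " count=" count[k] }
    ' | sort
}

# Constructed sample: a SYN from LAN 1 blocked inbound on em1 (twice, the
# second being a retransmit) and one packet blocked outbound on em2.
sample_log() {
    cat <<'EOF'
00:00:00.000000 rule 0/0(match): block in on em1: 192.168.1.10.51234 > 192.168.2.20.80: Flags [S], seq 100, win 65535, length 0
00:00:03.000000 rule 0/0(match): block in on em1: 192.168.1.10.51234 > 192.168.2.20.80: Flags [S], seq 100, win 65535, length 0
00:00:05.000000 rule 0/0(match): block out on em2: 192.168.1.11.40000 > 192.168.2.20.22: Flags [S], seq 7, win 65535, length 0
EOF
}

sample_log | summarize_pflog
```

On a live system the same function can be fed from `tcpdump -n -e -ttt -i pflog0`; a single rule number showing up for both `in` and `out` usually points at a default block rule that the intended pass rules never override.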