From: Ben Shelton
To: freebsd-pf@freebsd.org
Date: Fri, 04 Mar 2005 09:42:02 -0800
Subject: pf routing issue?

Hi there,

I've been trying to convert a firewall for a site from ipfw to pf (under FreeBSD). I had all the rules translated over to pf format and then went ahead, took down ipfw, brought up pf and... nothing. Couldn't connect to any services at all behind the firewall. After thinking I must have screwed up some rule or something, I started cutting things down to simple rules.
I ended up with:

----
# begin rules
pass quick on lo0 all
# block by default
#block log   # commented out only for testing - should work instead of the
             # following two lines
block in all
block out all
pass in quick proto icmp from any to any keep state
pass out quick proto icmp from any to any keep state
pass in quick inet proto tcp from any to x.x.x.x keep state
#pass in quick inet proto tcp from any to any keep state   # works
----

So the last 2 lines are completely odd. If I enable the first of them, I cannot contact the x.x.x.x machine via tcp (http port, etc.) and a tcpdump on the firewall's internal interface confirms that the packets are not going through. ICMP works, however, according to the preceding 2 rules. If I enable the last rule, all tcp then works.

When I cannot connect, I get a "no route to host" error when attempting to, for example, telnet to port 80.

The funny thing is that if I change the x.x.x.x rule to:

pass in quick inet proto tcp from any to any port 80 keep state

it ALSO doesn't work. It seems any specifier for destination address or port screws everything up.

I am totally stumped. Can anyone offer any advice? I run a pf firewall at home and don't have any issues at all. Then again, it's slightly different at home with NAT and stuff. This one that's not working should be even simpler - no NAT, routing from real internet addresses to real internet addresses, etc.

As a note, this is a FreeBSD 5.3 on amd64 (Xeon EM64T) system. I don't know if that might have something to do with it.

Any help is greatly appreciated.

Thanks,
Ben
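As an added example (not part of Ben's post, and not a claimed fix): the same ruleset written with explicit interfaces and logging on the block rules, so that whichever rule is dropping the TCP packets shows up on pflog0 and in the per-rule counters. The interface names em0/em1 are assumptions; x.x.x.x is kept as the post's placeholder.

```pf
# Assumed interface names; substitute the firewall's real ones.
ext_if = "em0"
int_if = "em1"
server = "x.x.x.x"        # placeholder from the post

set loginterface $ext_if

pass quick on lo0 all

# Default deny, but log it: dropped packets then appear on pflog0
# with the rule number that dropped them.
block in log all
block out log all

pass in  quick proto icmp from any to any keep state
pass out quick proto icmp from any to any keep state

# Name the interface and the port explicitly, and allow the forwarded
# packet out on the inside interface as well, so forwarding does not
# depend on the inbound state alone.
pass in  quick on $ext_if inet proto tcp from any to $server port 80 keep state
pass out quick on $int_if inet proto tcp from any to $server port 80 keep state

# Checks to run on the firewall while a client retries the connection:
#   pfctl -nvf /etc/pf.conf        parse and expand the rules without loading
#   pfctl -vvsr                    per-rule evaluation and match counters
#   pfctl -ss                      state table: is a state created for the SYN?
#   tcpdump -n -e -ttt -i pflog0   which rule dropped which packet, and where
```

Comparing `pfctl -vvsr` counters before and after a failed telnet to port 80 tells you whether the SYN matched the pass rule at all or was caught by one of the block rules.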