Date:      Fri, 4 Mar 2005 19:00:24 +0100
From:      Daniel Hartmeier <daniel@benzedrine.cx>
To:        Ben Shelton <netbsd-pf@shelton.ca>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf routing issue?
Message-ID:  <20050304180024.GD6369@insomnia.benzedrine.cx>
In-Reply-To: <4228A136.30707@shelton.ca>
References:  <42289DEA.5050205@shelton.ca> <20050304174927.GC6369@insomnia.benzedrine.cx> <4228A136.30707@shelton.ca>

On Fri, Mar 04, 2005 at 09:56:06AM -0800, Ben Shelton wrote:

> I'm actually trying to connect from an outside host through the firewall 
> to a host behind the firewall.  I understood that the keep state would 
> handle the return packet, am I wrong here?
> Also, at various times during the testing I had included a second rule:
> pass out quick inet proto tcp from x.x.x.x port 80 to any keep state
> as well.  I can't guarantee that I did this in a completely orderly 
> fashion (it was the middle of the night), but this didn't work then.
> I *think* I have the basics down here, but there probably is something 
> completely braindead I've done.

When filtering on both interfaces, you have to create two state entries
per forwarded connection.

  pass in on $if_towards_browser from any to $web_server port 80 \
	keep state
  pass out on $if_towards_server from any to $web_server port 80 \
	keep state

This is just for the initial SYN packet; the state will allow further
packets in the same direction (and replies in the reverse direction).

Your rule 'pass out from x.x.x.x port 80 to any' is wrong; it would be
addressing replies, which isn't necessary.

You need to allow the initial SYN in on the first interface, then out on
the second one. A state entry does not grant passage _through_ the
firewall, it only grants passage through one interface.

Daniel
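The point Daniel makes, that a state entry only grants passage on the interface whose rule created it, is easy to verify with a small model. The following is an added example, not code from pf or from anyone in this thread: a toy filter with interface-bound states (pf's `if-bound` policy, a simplification of what pf actually does) that traces a single forwarded TCP handshake through the two interfaces. The addresses `203.0.113.10` and `10.0.0.80`, the interface names `ext0` and `int0`, and the three rule sets are constructed for illustration; the rule sets are the one-rule configuration from the question, the same plus the `from x.x.x.x port 80` reply rule, and the two-rule configuration from the reply.

```python
"""Toy model of pf's per-interface state matching (added example, not pf code).

States are bound to the interface on which they were created, so a SYN that
is forwarded in on one interface and out on another needs a state on each.
All addresses, interface names and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    iface: str        # interface the packet is seen on
    direction: str    # "in" or "out", relative to the firewall
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None: matches both directions
    iface: Optional[str] = None      # None: matches any interface
    src: Optional[str] = None
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False
    quick: bool = False

    def matches(self, p: Packet) -> bool:
        for want, have in ((self.direction, p.direction), (self.iface, p.iface),
                           (self.src, p.src), (self.sport, p.sport),
                           (self.dst, p.dst), (self.dport, p.dport)):
            if want is not None and want != have:
                return False
        return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # state key: (iface, initiator, initiator_port, responder, responder_port)
        self.states = set()

    def filter(self, p: Packet) -> str:
        fwd = (p.iface, p.src, p.sport, p.dst, p.dport)
        rev = (p.iface, p.dst, p.dport, p.src, p.sport)
        # A state on *this* interface passes the packet in either direction.
        if fwd in self.states or rev in self.states:
            return "pass (state)"
        # Otherwise evaluate the rule set: last match wins unless a rule is quick.
        verdict, keep = "pass", False  # pf passes when no rule matches
        for r in self.rules:
            if r.matches(p):
                verdict, keep = r.action, r.keep_state
                if r.quick:
                    break
        if verdict == "pass" and keep:
            self.states.add(fwd)
        return verdict


CLIENT, SERVER = "203.0.113.10", "10.0.0.80"  # constructed addresses
EXT, INT = "ext0", "int0"                     # constructed interface names


def handshake():
    """The SYN crossing both interfaces, then the SYN/ACK coming back."""
    return [
        ("SYN in on ext0", Packet(EXT, "in", CLIENT, 40000, SERVER, 80)),
        ("SYN out on int0", Packet(INT, "out", CLIENT, 40000, SERVER, 80)),
        ("SYN/ACK in on int0", Packet(INT, "in", SERVER, 80, CLIENT, 40000)),
        ("SYN/ACK out on ext0", Packet(EXT, "out", SERVER, 80, CLIENT, 40000)),
    ]


def run(rules):
    """Return (step, verdict) pairs; stop at the first dropped packet."""
    fw = Firewall(rules)
    results = []
    for label, pkt in handshake():
        verdict = fw.filter(pkt)
        results.append((label, verdict))
        if verdict == "block":
            break  # a dropped packet never reaches the next hop
    return results


BLOCK_ALL = Rule("block")
IN_ON_EXT = Rule("pass", "in", EXT, dst=SERVER, dport=80, keep_state=True)
OUT_ON_INT = Rule("pass", "out", INT, dst=SERVER, dport=80, keep_state=True)
# The 'pass out quick ... from x.x.x.x port 80 to any keep state' rule from the question.
REPLY_RULE = Rule("pass", "out", src=SERVER, sport=80, keep_state=True, quick=True)


def single_rule():
    return run([BLOCK_ALL, IN_ON_EXT])


def single_rule_plus_reply_rule():
    return run([BLOCK_ALL, IN_ON_EXT, REPLY_RULE])


def two_rules():
    return run([BLOCK_ALL, IN_ON_EXT, OUT_ON_INT])


if __name__ == "__main__":
    for name, fn in (("one rule", single_rule),
                     ("one rule + reply rule", single_rule_plus_reply_rule),
                     ("two rules", two_rules)):
        print(name, fn())
```

With one rule the SYN passes in on `ext0` and creates a state there, but the same SYN is then blocked out on `int0`, where no state and no matching pass rule exist; adding the reply rule changes nothing, because it only matches packets sourced from port 80 and the reply never gets that far. With the two rules from the reply, the SYN creates a state on each interface and both SYN/ACK hops are passed by state alone.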



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050304180024.GD6369>