From owner-freebsd-pf@FreeBSD.ORG Fri Mar 4 18:00:27 2005
Date: Fri, 4 Mar 2005 19:00:24 +0100
From: Daniel Hartmeier
To: Ben Shelton
cc: freebsd-pf@freebsd.org
Subject: Re: pf routing issue?
Message-ID: <20050304180024.GD6369@insomnia.benzedrine.cx>
References: <42289DEA.5050205@shelton.ca> <20050304174927.GC6369@insomnia.benzedrine.cx> <4228A136.30707@shelton.ca>
In-Reply-To: <4228A136.30707@shelton.ca>
List-Id: Technical discussion and general questions about packet filter (pf)

On Fri, Mar 04, 2005 at 09:56:06AM -0800, Ben Shelton wrote:

> I'm actually trying to connect from an outside host through the firewall
> to a host behind the firewall. I understood that the keep state would
> handle the return packet, am I wrong here?
> Also, at various times during the testing I had included a second rule:
>
>   pass out quick inet proto tcp from x.x.x.x port 80 to any keep state
>
> as well. I can't guarantee that I did this in a completely orderly
> fashion (it was the middle of the night), but this didn't work then.
> I *think* I have the basics down here, but there probably is something
> completely braindead I've done.

When filtering on both interfaces, you have to create two state entries
per forwarded connection.

  pass in on $if_towards_browser from any to $web_server port 80 \
      keep state
  pass out on $if_towards_server from any to $web_server port 80 \
      keep state

This is just for the initial SYN packet; the state will allow further
packets in the same direction (and replies in the reverse direction).

Your rule 'pass out from x.x.x.x port 80 to any' is wrong; it would be
addressing replies, which isn't necessary. You need to allow the initial
SYN in on the first interface, then out on the second one.

A state entry does not grant passage _through_ the firewall, it only
grants passage through one interface.

Daniel
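To make the interface-bound state behaviour Daniel describes concrete, here is an added toy model (not code from the thread or from pf itself) in which each interface keeps its own state table and a forwarded packet must be admitted at both interfaces it crosses. The interface names "ext"/"int", the addresses and the simplified rule matching are assumptions for illustration only.

```python
from dataclasses import dataclass, field

ANY = "any"  # wildcard in a rule field

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Pf:
    # rules: (iface, direction, src, sport, dst, dport); every rule is
    # 'pass ... keep state', everything else is blocked (as with 'block all')
    rules: list
    # interface-bound states, keyed (iface, src, sport, dst, dport)
    states: set = field(default_factory=set)

    def filter(self, iface, direction, p):
        fwd = (iface, p.src, p.sport, p.dst, p.dport)
        rev = (iface, p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:
            return True  # a state on *this* interface passes both directions
        for r_if, r_dir, r_src, r_sport, r_dst, r_dport in self.rules:
            if (r_if in (ANY, iface) and r_dir == direction
                    and r_src in (ANY, p.src) and r_sport in (ANY, p.sport)
                    and r_dst in (ANY, p.dst) and r_dport in (ANY, p.dport)):
                self.states.add(fwd)  # 'keep state', bound to this interface
                return True
        return False  # no state, no matching rule: dropped here

def forward(pf, p):  # packet from outside: in on ext, then out on int
    return pf.filter("ext", "in", p) and pf.filter("int", "out", p)

def reply(pf, p):    # reply from the server: in on int, then out on ext
    return pf.filter("int", "in", p) and pf.filter("ext", "out", p)

WEB, CLIENT = "192.0.2.10", "198.51.100.7"   # constructed addresses
SYN = Pkt(CLIENT, 40000, WEB, 80)
SYNACK = Pkt(WEB, 80, CLIENT, 40000)

def only_pass_in():           # one rule: SYN is admitted on ext, dropped on int
    pf = Pf([("ext", "in", ANY, ANY, WEB, 80)])
    return forward(pf, SYN)

def with_reply_rule():        # adding 'pass out from WEB port 80 to any' does not help
    pf = Pf([("ext", "in", ANY, ANY, WEB, 80), (ANY, "out", WEB, 80, ANY, ANY)])
    return forward(pf, SYN)

def with_both_rules():        # pass in on ext + pass out on int: SYN and reply pass
    pf = Pf([("ext", "in", ANY, ANY, WEB, 80), ("int", "out", ANY, ANY, WEB, 80)])
    return forward(pf, SYN), reply(pf, SYNACK)
```

The model deliberately ignores real pf details such as last-match semantics, `quick`, and TCP state tracking; it only shows why a state created on one interface does not carry the packet across the other.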