From owner-freebsd-pf@FreeBSD.ORG Fri Mar 4 21:30:44 2005
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9945616A4CE for ; Fri, 4 Mar 2005 21:30:44 +0000 (GMT)
Received: from atlas.spiretech.com (atlas.spiretech.com [207.173.200.232]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2DDA843D48 for ; Fri, 4 Mar 2005 21:30:44 +0000 (GMT) (envelope-from fbsd-pf@shelton.ca)
Received: from [192.168.0.110] (ben.shelton.ca [207.173.201.46]) (authenticated) by atlas.spiretech.com (8.11.6/8.11.6) with ESMTP id j24LUZL13472; Fri, 4 Mar 2005 13:30:35 -0800
Message-ID: <4228D370.6020802@shelton.ca>
Date: Fri, 04 Mar 2005 13:30:24 -0800
From: Ben Shelton
User-Agent: Mozilla Thunderbird 1.0 (Macintosh/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Daniel Hartmeier
References: <42289DEA.5050205@shelton.ca> <20050304174927.GC6369@insomnia.benzedrine.cx> <4228A136.30707@shelton.ca> <20050304180024.GD6369@insomnia.benzedrine.cx>
In-Reply-To: <20050304180024.GD6369@insomnia.benzedrine.cx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
cc: freebsd-pf@freebsd.org
Subject: Re: pf routing issue?
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical discussion and general questions about packet filter (pf)
X-List-Received-Date: Fri, 04 Mar 2005 21:30:44 -0000

Daniel,

Thanks for the help. Pretty silly of me - I guess I assumed that it allowed it right through the firewall, which would be pretty bad. Anyway I've tested allowing through both sides at various times, just probably not in the right combination. I'll rewrite stuff and give it a shot tonight.
Thanks,
Ben

Daniel Hartmeier wrote:
> On Fri, Mar 04, 2005 at 09:56:06AM -0800, Ben Shelton wrote:
>
>> I'm actually trying to connect from an outside host through the firewall
>> to a host behind the firewall. I understood that the keep state would
>> handle the return packet, am I wrong here?
>> Also, at various times during the testing I had included a second rule:
>> pass out quick inet proto tcp from x.x.x.x port 80 to any keep state
>> as well. I can't guarantee that I did this in a completely orderly
>> fashion (it was the middle of the night), but this didn't work then.
>> I *think* I have the basics down here, but there probably is something
>> completely braindead I've done.
>
> When filtering on both interfaces, you have to create two state entries
> per forwarded connection.
>
>   pass in on $if_towards_browser from any to $web_server port 80 \
>       keep state
>   pass out on $if_towards_server from any to $web_server port 80 \
>       keep state
>
> This is just for the initial SYN packet, the state will allow further
> packets in the same direction (and replies in the reverse direction).
>
> Your rule 'pass out from x.x.x.x port 80 to any' is wrong, it would be
> addressing replies, which isn't necessary.
>
> You need to allow the initial SYN in on the first interface, then out on
> the second one. A state entry does not grant passage _through_ the
> firewall, it only grants passage through one interface.
>
> Daniel
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
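The point Daniel makes in the quoted reply (a state entry passes traffic on the one interface it was created on, so a forwarded connection needs a state on each interface it crosses) is easy to get wrong by reasoning about "the firewall" as a single filtering point. The model below is an added example for this thread, not pf's code and not anything either poster sent. It walks a client SYN and the server's SYN/ACK through two filtering points with interface-bound states, using both rulesets from the thread. Assumptions: the interface names fxp0/fxp1 and the addresses 192.0.2.10/198.51.100.7 stand in for the macros and x.x.x.x; Ben's first (ingress) rule is not quoted on this page, so an ingress rule matching the quoted one's style is assumed; the model implements the interface-bound state behaviour the thread describes (in pf.conf the `set state-policy` option selects between if-bound and floating states), pf's last-matching-rule evaluation with `quick`, and pf's pass-by-default when no rule matches.

```python
"""Toy model of the pf behaviour Daniel describes: each interface a forwarded packet
crosses is a separate filtering point, state lookup precedes rule evaluation, and a
state is bound to the interface it was created on.  Added example for this thread,
not pf's own code; interface names and addresses are constructed."""
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

EXT_IF, INT_IF = "fxp0", "fxp1"                    # $if_towards_browser, $if_towards_server
WEB_SERVER, CLIENT = "192.0.2.10", "198.51.100.7"  # $web_server (x.x.x.x), outside host
Packet = namedtuple("Packet", "src sport dst dport")   # TCP only

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for both
    iface: Optional[str] = None       # None matches any interface
    src: Optional[str] = None         # None or "any" is a wildcard
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False
    quick: bool = False

    def matches(self, iface, direction, pkt):
        want = (self.direction, self.iface, self.src, self.sport, self.dst, self.dport)
        have = (direction, iface, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return all(w in (None, "any", h) for w, h in zip(want, have))

def parse_rule(line):
    """Parse one rule in the small pf.conf subset used here (TCP only, no macros)."""
    tokens = line.split()
    rule = Rule(action=tokens.pop(0))
    while tokens:
        tok = tokens.pop(0)
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok == "quick":
            rule.quick = True
        elif tok == "on":
            rule.iface = tokens.pop(0)
        elif tok in ("from", "to"):
            addr, port = tokens.pop(0), None
            if tokens[:1] == ["port"]:
                port, tokens = int(tokens[1]), tokens[2:]
            if tok == "from":
                rule.src, rule.sport = addr, port
            else:
                rule.dst, rule.dport = addr, port
        elif tok == "keep":
            rule.keep_state = tokens.pop(0) == "state"
        elif tok not in ("all", "inet", "proto", "tcp"):   # no-ops in this TCP-only model
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return rule

class Firewall:
    def __init__(self, ruleset):
        self.rules = [parse_rule(r) for r in ruleset]
        self.states = set()   # (iface, src, sport, dst, dport): bound to one interface

    def filter(self, iface, direction, pkt):
        """One filtering point: state lookup first, then last matching rule wins."""
        fwd = (iface, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (iface, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.states or rev in self.states:
            return "pass"                # existing state on this interface
        winner = None
        for rule in self.rules:
            if rule.matches(iface, direction, pkt):
                winner = rule            # last match wins ...
                if rule.quick:
                    break                # ... unless it is 'quick'
        if winner is None:
            return "pass"                # pf passes when no rule matches
        if winner.action == "pass" and winner.keep_state:
            self.states.add(fwd)
        return winner.action

    def forward(self, pkt, in_if, out_if):
        """A forwarded packet is filtered in on one interface and out on the other."""
        for iface, direction in ((in_if, "in"), (out_if, "out")):
            if self.filter(iface, direction, pkt) != "pass":
                return f"blocked {direction} on {iface}"
        return "forwarded"

# Ben's rules: the quoted 'pass out ... from x.x.x.x port 80' rule plus an assumed
# ingress rule (his first rule is not quoted on this page).
BROKEN_RULESET = ["block all",
    f"pass in quick on {EXT_IF} proto tcp from any to {WEB_SERVER} port 80 keep state",
    f"pass out quick inet proto tcp from {WEB_SERVER} port 80 to any keep state"]
# Daniel's rules: one state entry on each interface the SYN crosses.
FIXED_RULESET = ["block all",
    f"pass in on {EXT_IF} from any to {WEB_SERVER} port 80 keep state",
    f"pass out on {INT_IF} from any to {WEB_SERVER} port 80 keep state"]

def trace_connection(ruleset):
    """Send the client's SYN, then the server's SYN/ACK; return both verdicts and the state count."""
    fw = Firewall(ruleset)
    syn_verdict = fw.forward(Packet(CLIENT, 51234, WEB_SERVER, 80), EXT_IF, INT_IF)
    reply_verdict = ("never sent" if syn_verdict != "forwarded"
                     else fw.forward(Packet(WEB_SERVER, 80, CLIENT, 51234), INT_IF, EXT_IF))
    return syn_verdict, reply_verdict, len(fw.states)
```

With Ben's rules the SYN is passed in on fxp0 and creates a state there, but on fxp1 there is no state and the only outbound rule matches replies from the server, so trace_connection reports it blocked out on fxp1 with one state. With Daniel's rules the SYN creates a state on each interface, the SYN/ACK then matches the reverse side of both states without touching the rules, and two state entries exist, which is exactly the "two state entries per forwarded connection" in the reply.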