From owner-freebsd-pf@freebsd.org Thu Apr 20 00:24:50 2017 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AB591D453A5; Thu, 20 Apr 2017 00:24:50 +0000 (UTC) (envelope-from ultima1252@gmail.com) Received: from mail-yb0-x229.google.com (mail-yb0-x229.google.com [IPv6:2607:f8b0:4002:c09::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 63247F0E; Thu, 20 Apr 2017 00:24:50 +0000 (UTC) (envelope-from ultima1252@gmail.com) Received: by mail-yb0-x229.google.com with SMTP id 6so17216165ybq.2; Wed, 19 Apr 2017 17:24:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=d6sV7tL1USHGRelKAgoQHKdcoxlavYnJULGpq/nhKhs=; b=n/bKsGp09zvvu3C2U3j1aUiwI+oGclRs4YFH1WMVjGjyI54t2MaCf70Wi/HiXuJq5V H7Wki8i8V36hN7jpKYjArrQBfjMYcblvzW4ATAPhkmIrAf+LWiubrJjocvWTSg+DF/ZQ vpwWAnca8JDy+0PjqKjoHcxks/9cUfC3eeTiDvjCA9VPDdvhd5NYH2TguqFdQEqg92lG vgW9waKpvVY7eIMuzARmfJpaQLvXJ+2ke7TDWOhj23Kw192DSm0gkK3f84kHImT8drqX Nr1C51ceUGYUG+V5DQfmoC0fYUr0ZNETdegSqIzDKjX+EbF1lc5KodAIbmSvLzidWLJO DNhA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=d6sV7tL1USHGRelKAgoQHKdcoxlavYnJULGpq/nhKhs=; b=qzkaMWst2GDr+UuaC8nJWH4pF7O4G2uVJTN+WuFDjvzOfFcjoXLvnWdNBVvWJXxoOP FCQ8lkwOgWPMz7+Xqke4y0H1/gUtf8rShmFIM9iLkRVZFYPFkbB6xsELjkZTy6CFrgcZ FhHI2WFodDX79zCfIfdMCLt6tUqDXBp8HBA3YHysK4fKr2Th76GcWOVyciCUrGDrxq6y JDoH16XZ0wCWulryH8quuAqVBLtY9HczB2Zv1DKtmtu2hBj0+hh3nkhSSwV37MRhUvH7 Z3vZH3jMM5bxkaHPudkur42QIKZ9ERyDutIQg3MTn1HvJTN3NGgMb4sa6TfAiFVlatcG qWLA== X-Gm-Message-State: AN3rC/4+g+XkK0/SZhC2mmwF0AFwCDlTV/9FPCdDAQFe0AwLaVqGmWaA l0pVw4EInFyhwHc6P5QG2Xz2NjGYG2KKnsg= X-Received: by 10.37.17.68 with SMTP id 65mr4768827ybr.62.1492647889123; Wed, 19 Apr 2017 17:24:49 -0700 (PDT) MIME-Version: 1.0 Received: by 10.129.72.144 with HTTP; Wed, 19 Apr 2017 17:24:48 -0700 (PDT) In-Reply-To: References: From: Ultima Date: Wed, 19 Apr 2017 20:24:48 -0400 Message-ID: Subject: Re: freebsd 10.3, pf, and openvpn To: David Mehler Cc: FreeBSD Mailing List , freebsd-pf@freebsd.org Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.23 X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.23 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 20 Apr 2017 00:24:50 -0000 I keep looking at the rules and finally decided to rewrite some of them. This may not fix the issue you are having with openvpn tho. The issue with that is most likely the passing out rules. This rule is kinda written wierd and I suggest just removing it and passing everything out and verifying if that is the cause. The problem is many connections that the host will open is opened at the high end ports, I believe it was around 40000:65535. I could be wrong tho and hope someone corrects my errors if so. > # Pass out only the desired ports from host and jails > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate > pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate If ur still having issues with openvpn, with this ruleset, then first, try changing the block all rule to block on ext_if. This will determine if a pass rule internally is the cause. > block all block on $ext_if all Going to CC freebsd-pf@freebsd.org I hope this helps Ultima # # Required order: macros, options, normalization, queueing, # translation, filtering. # Note: translation rules are first match while filter rules are last match= . # Macros ext_if=3D"vtnet0" ext_gateway=3D"10.0.0.1" int_if =3D "lo1" vpn_if =3D "tun0" jailnet =3D "10.0.0.0/8" vpnnet=3D"10.8.0.0/8" icmp_types=3D"{echoreq, unreach}" #IPV6 ICMP types: # packet to big and echo request type ping # Neighbor Discovery Protocol (NDP) (types 133-137): # Router Solicitation (RS), Router Advertisement (RA) # Neighbor Solicitation (NS), Neighbor Advertisement (NA) # Route Redirection icmp6_types=3D"{ 2, 128, 133, 134, 135, 136, 137 }" #synstate=3D"flags S/SA synproxy state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global)" tcpstate=3D"flags S/SA modulate state" udpstate=3D"keep state" # allowed traffic tcp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, imap, https, submission, imaps, 2703}" udp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, bootpc, http, ntp, imap, https, submission, imaps, 1194, 3690, 6277, 24441, 4500, 500, 50, 51}" # Name and IP of jails webmail=3D"10.0.0.15" # Name and IP of jailed ssh servers jssh1=3D"10.0.0.15" jssh2=3D"10.0.0.16" jssh3=3D"10.0.0.17" jssh4=3D"10.0.0.18" jssh1_tcp=3D"2220" jssh2_tcp=3D"2221" jssh3_tcp=3D"2222" jssh4_tcp=3D"2223" # The Asterisk Server asterisk=3D"10.0.0.17" asterisk_tcp=3D"5060:5061" asterisk_udp=3D"5060, 10000:10500" # The vpn server vpn=3D"10.8.0.1" # Options # block-policy can be either drop or return set block-policy drop set optimization conservative set skip on lo0 # Normalization # normalize all incoming traffic. Set ttl 254: limits mapping of hosts behind # firewall. Set random-id to help same. # Set mss to ATM network frame size for easy splitting upstream. scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp fragment reassemble # NAT nat on $ext_if from $jailnet to any -> ($ext_if) static-port nat on $ext_if from $vpnnet to any -> ($ext_if) # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to jailed ssh servers # External redirect & reflect for internal hosts # Note, the -> $ip port $port is only required for port triggering. rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh1_tcp } tag jssh1 -> $jssh1 rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh2_tcp } tag jssh2 -> $jssh2 rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh3_tcp } tag jssh3 -> $jssh3 rdr on { $ext_if, $int_if } inet proto tcp to { ($ext_if), ($int_if) } port { $jssh4_tcp } tag jssh4 -> $jssh4 # Redirect traffic to the vpn server # External redirect rdr on { $ext_if, $int_if } inet proto { tcp, udp } to { ($ext_if), ($int_if) } port 1194 tag vpn -> $vpn # Redirect traffic to the asterisk server # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling. # RTSP ports 10000 to 10500 rdr on $ext_if inet proto udp to any port { $asterisk_udp } tag asterisk_udp -> $asterisk rdr on $ext_if inet proto tcp to any port { $asterisk_tcp } tag asterisk_tcp -> $asterisk # Tables table persist file "/etc/pf/bruteforce" table persist file "/etc/pf/pf.drop.lasso.conf" table persist file "/etc/pf/fail2ban" table persist file "/etc/pf/martians" # The ZeuS blocklist of c&c servers table persist file "/etc/pf/ZeuS" # The malwaredomain ip block list table persist file "/etc/pf/malwaredomain" # Table of selected country IP addresses table persist file "/etc/pf/blocked_countries" # Table of apache mod_evasive blocks table persist file "/etc/pf/evasive" antispoof for { $ext_if, $int_if } # Start by blocking by default block all # Block anything in the blocked_countries table first block in quick from # Block nmap scans block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP # Explicitly block unroutable addresses block drop in quick on $ext_if from to any block drop out quick on $ext_if from any to # Explicitly block anything in the bruteforce table block in quick from # Explicitly block anything in the fail2ban table block in quick from # Explicitly block anything in the droplasso table block in quick from # Explicitly block anything in the ZeuS table block in quick from # Explicitly block anything in the malwaredomain table block in quick from # Block anything in the evasive table block in quick from # allow ping and host unreach pass inet proto icmp icmp-type $icmp_types keep state # Traceroute # allow out the default range for traceroute(8): # =E2=80=9Dbase+nhops*nqueries-1=E2=80=9D (33434+64*3-1) pass inet proto udp to port 33433:33626 # For IPv4 # Pass out only the desired ports from host and jails pass inet proto tcp from {self, $jailnet, $vpnnet} to any port $tcp_services $tcpstate pass inet proto udp from {self, $jailnet, $vpnnet} to port $udp_services $udpstate # Allow ssh connections in from the internet pass in inet proto tcp from any to ($ext_if) port ssh \ flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global) # Pass in ssh traffic to the jails # pass rules for nat redirect pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto tcp tagged jssh1 jssh2 jssh3 jssh4 \ flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global) pass in on $int_if inet proto tcp tagged jssh1 jssh2 jssh3 jssh4 flags S/SA keep state # Pass traffic to the vpn pass in on $ext_if reply-to ( $ext_if $ext_gateway ) proto { tcp, udp } tagged vpn $udpstate pass in on $int_if inet proto { tcp, udp } tagged vpn $udpstate pass out on tun0 keep state #pass quick on tun0 all keep state # Pass in smtp, http, https, submission, imaps traffic from the internet pass in inet proto tcp to $ext_if port { 25, 80, 443, 587, 993 } \ flags S/SA keep state (max-src-conn 15, max-src-conn-rate 5/3, overload flush global) # pass traffic from the asterisk server pass inet proto tcp tagged asterisk_tcp keep state pass inet proto udp tagged asterisk_udp keep state On Wed, Apr 19, 2017 at 11:06 AM, David Mehler wrote: > Hi, > > Thanks. Still no go on the vpn.In answer to your questions: > > > pass inet proto tcp from {self, $jailnet, $vpnnet} to any port > > > $tcp_services $tcpstate > > > pass inet proto udp from {self, $jailnet, $vpnnet} to port > > > $udp_services $udpstate > > > > > I've got only a selected list of ports that I want in or out, > everything else should be blocked. > > I tried commenting out the pass quick on tun0 all and replaced it with > set skip on tun0 no joy. > > I took out the second nat line on the vpnnet as of now I'm wanting to > keep the jailnet and the vpnnet ranges the same, though if this issue > doesn't soon resolve I might change that idea. > > > > pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state > (max-src-conn 15, max-src-conn-rate 5/3, overload flush > > > > global) > > > pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state > > > What I wanted to achieve with this was nat reflection, external > connections to these hosts worked fine on the desired ports, but on > the host itself if I tried to do an ssh to one of my jails port 2220 > it failed, these rules corrected that. > > Right now I'll settle for working. > > Thanks. > Dave. > > On 4/19/17, Ultima wrote: > > After a full look, I suspect this being a problem entry. > > > >> # Pass out only the desired ports from host and jails > >> pass inet proto tcp from {self, $jailnet, $vpnnet} to any port > >> $tcp_services $tcpstate > >> pass inet proto udp from {self, $jailnet, $vpnnet} to port > >> $udp_services $udpstate > > > > Try commenting them and adding pass out all or pass inet proto { tcp, > udp } > > any and see if that works. > > > > > >> pass quick on tun0 all keep state > > This is another problem area, but probably not the cause. The quick is > > probably not handled as you are expecting. Pf reads the filtering rules > in > > priority from bottom to top bottom being highest priority to top being > > lowest priority. When quick is added, this is more or less reversed for > the > > rule and because its near the bottom it has a lower priority. In genera= l > > the "quick" directive can make pf very confusing and a ruleset harder t= o > > read so other than the top blocking entires with quick, I suggest never > > using it, or use it for all filters and make it simple the opposite way= . > > > > > >> jailnet =3D "10.0.0.0/8" > >> vpnnet=3D"10.8.0.0/8" > > One thing I noticed is that the subnet chosen is an /8 subnet. Because = of > > this, the entire 10.* address space applies to jailnet making all > jailnet + > > vpnnet entries redundant. This also allows all addresses to communicate= , > at > > least if pf isn't filtering them. Usually segmenting the subnet is > desired > > to limit communication between them. > > > >> pass quick on lo0 all > > Why not just skip on lo0? > > > > > >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state > > (max-src-conn 15, max-src-conn-rate 5/3, overload flush > > global) > >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state > > Why does this nearly duplicate rules exist? > > > > > > Optimizing pf is fun, but one thing that is important to remember is th= e > > more rules added, the more cycles used per packet. This is typically no= t > > noticed on a small deployments but it can become huge issue if grown. > > > > On Tue, Apr 18, 2017 at 4:20 PM, David Mehler > > wrote: > > > >> Hello Ultima, > >> > >> Thank you for your reply. Thanks for the information, I'm liking the > >> new way the rules are looking. Unfortunately, still no go on the vpn. > >> Everything else is working, just not the vpn. > >> > >> Thanks. > >> Dave. > >> PS, here's my rules as they stand now. > >> > >> pf.conf: > >> # > >> # Required order: macros, options, normalization, queueing, > >> # translation, filtering. > >> # Note: translation rules are first match while filter rules are last > >> match. > >> > >> # Macros > >> ext_if=3D"vtnet0" > >> int_if =3D "lo1" > >> vpn_if =3D "tun0" > >> jailnet =3D "10.0.0.0/8" > >> vpnnet=3D"10.8.0.0/8" > >> icmp_types=3D"{echoreq, unreach}" > >> #IPV6 ICMP types: > >> # packet to big and echo request type ping > >> # Neighbor Discovery Protocol (NDP) (types 133-137): > >> # Router Solicitation (RS), Router Advertisement (RA) > >> # Neighbor Solicitation (NS), Neighbor Advertisement (NA) > >> # Route Redirection > >> icmp6_types=3D"{ 2, 128, 133, 134, 135, 136, 137 }" > >> #synstate=3D"flags S/SA synproxy state (max-src-conn 15, > >> max-src-conn-rate 5/3, overload flush global)" > >> tcpstate =3D"flags S/SA modulate state" > >> udpstate =3D"keep state" > >> voipports =3D "{5060, 5061, 10000:10500}" > >> > >> # allowed traffic > >> tcp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, > >> bootpc, http, imap, https, submission, imaps, 2703}" > >> udp_services=3D"{7, ftp-data, ftp, ssh, smtp, 43, domain, bootps, > >> bootpc, http, ntp, imap, https, submission, imaps, 3690, 6277, 24441, > >> 4500, 500, 50, 51}" > >> > >> # Name and IP of jails > >> webmail=3D"10.0.0.15" > >> # Name and IP of jailed ssh servers > >> jssh1=3D"10.0.0.15" > >> jssh2=3D"10.0.0.16" > >> jssh3=3D"10.0.0.17" > >> jssh4=3D"10.0.0.18" > >> # The Asterisk Server > >> asterisk=3D"10.0.0.17" > >> # The vpn server > >> vpn=3D"10.8.0.1" > >> > >> # Options > >> # block-policy can be either drop or return > >> set block-policy drop > >> set optimization conservative > >> set skip on tun0 > >> > >> # Normalization > >> # normalize all incoming traffic. Set ttl 254: limits mapping of hosts > >> behind > >> # firewall. Set random-id to help same. > >> # Set mss to ATM network frame size for easy splitting upstream. > >> scrub on $ext_if all random-id min-ttl 254 max-mss 1452 reassemble tcp > >> fragment reassemble > >> > >> # NAT > >> nat on $ext_if from $jailnet to any -> ($ext_if) static-port > >> nat on $ext_if from $vpnnet to any -> ($ext_if) static-port > >> > >> # Redirect any packets requesting ports 2220, 2221, 2222, or 2223 to > >> jailed ssh servers > >> # External redirect > >> rdr on $ext_if inet proto tcp to $ext_if port 2220 -> $jssh1 port 2220 > >> # reflect for internal hosts > >> rdr on $int_if inet proto tcp to $int_if port 2220 -> $jssh1 port 2220 > >> > >> # External redirect > >> rdr on $ext_if inet proto tcp to $ext_if port 2221 -> $jssh2 port 2221 > >> # reflect for internal hosts > >> rdr on $int_if inet proto tcp to $int_if port 2221 -> $jssh2 port 2221 > >> > >> # External redirect > >> rdr on $ext_if inet proto tcp to $ext_if port 2222 -> $jssh3 port 2222 > >> # reflect for internal hosts > >> rdr on $int_if inet proto tcp to $int_if port 2222 -> $jssh3 port 2222 > >> > >> # External redirect > >> rdr on $ext_if inet proto tcp to $ext_if port 2223 -> $jssh4 port 2223 > >> # reflect for internal hosts > >> rdr on $int_if inet proto tcp to $int_if port 2223 -> $jssh4 port 2223 > >> > >> # Redirect traffic to the vpn server > >> # External redirect > >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 1194 -> $vpn po= rt > >> 1194 > >> #rdr on $ext_if inet proto tcp from any to $ext_if port 1194 -> $vpn > port > >> 1194 > >> # reflect for internal hosts > >> rdr on $int_if inet proto { tcp, udp } to $int_if port 1194 -> $vpn po= rt > >> 1194 > >> #rdr on $int_if inet proto tcp from any to $int_if port 1194 -> $vpn > port > >> 1194 > >> > >> # Redirect traffic to the asterisk server > >> # SIP on UDP and tcp port 5060, tcp 5061 for secure signaling. > >> rdr on $ext_if inet proto { tcp, udp } to $ext_if port 5060 -> > >> $asterisk port 5060 > >> #rdr on $ext_if inet proto tcp from any to any port 5060 -> $asterisk > >> port > >> 5060 > >> rdr on $ext_if inet proto tcp to $ext_if port 5061 -> $asterisk port > 5061 > >> # RTSP ports 10000 to 10500 > >> rdr on $ext_if inet proto udp to $ext_if port 10000:10500 -> $asterisk > >> port 10000:10500 > >> > >> # Tables > >> table persist file "/etc/pf/bruteforce" > >> table persist file "/etc/pf/pf.drop.lasso.conf" > >> table persist file "/etc/pf/fail2ban" > >> table persist file "/etc/pf/martians" > >> # The ZeuS blocklist of c&c servers > >> table persist file "/etc/pf/ZeuS" > >> # The malwaredomain ip block list > >> table persist file "/etc/pf/malwaredomain" > >> # Table of selected country IP addresses > >> table persist file "/etc/pf/blocked_countries" > >> # Table of apache mod_evasive blocks > >> table persist file "/etc/pf/evasive" > >> > >> # for the spamd greylist/blacklist service > >> # (not related to spamassassin's spamd daemon) > >> #table persist > >> #table persist > >> > >> antispoof for $ext_if > >> antispoof for $int_if > >> > >> # Start by blocking by default > >> block all > >> > >> # Block anything in the blocked_countries table first > >> block in quick from > >> > >> # Block nmap scans > >> block in quick on $ext_if inet proto tcp from any to any flags FUP/FUP > >> > >> # Explicitly block unroutable addresses > >> block drop in quick on $ext_if from to any > >> block drop out quick on $ext_if from any to > >> > >> # Explicitly block anything in the bruteforce table > >> block in quick from > >> > >> # Explicitly block anything in the fail2ban table > >> block in quick from > >> > >> # Explicitly block anything in the droplasso table > >> block in quick from > >> > >> # Explicitly block anything in the ZeuS table > >> block in quick from > >> > >> # Explicitly block anything in the malwaredomain table > >> block in quick from > >> > >> # Block anything in the evasive table > >> block in quick from > >> > >> # pass everything on the loopback interface > >> pass quick on lo0 all > >> > >> # allow ping and host unreach > >> pass inet proto icmp icmp-type $icmp_types keep state > >> > >> # Traceroute > >> # allow out the default range for traceroute(8): > >> # =E2=80=9Dbase+nhops*nqueries-1=E2=80=9D (33434+64*3-1) > >> pass inet proto udp to port 33433:33626 # For IPv4 > >> > >> # Pass out only the desired ports from host and jails > >> pass inet proto tcp from { self, $jailnet } to any port $tcp_services > >> $tcpstate > >> pass inet proto udp from { self, $jailnet } to port $udp_services > >> $udpstate > >> > >> # Allow ssh connections in from the internet > >> pass in inet proto tcp to $ext_if port ssh flags S/SA keep state > >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >> global) > >> # Pass in ssh traffic to the jails > >> # pass rules for nat redirect > >> pass in inet proto tcp to $jssh1 port 2220 flags S/SA keep state > >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >> global) > >> pass inet proto tcp to $jssh1 port 2220 flags S/SA keep state > >> > >> pass in inet proto tcp to $jssh2 port 2221 flags S/SA keep state > >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >> global) > >> pass inet proto tcp to $jssh2 port 2221 flags S/SA keep state > >> > >> pass in inet proto tcp to $jssh3 port 2222 flags S/SA keep state > >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >> global) > >> pass inet proto tcp to $jssh3 port 2222 flags S/SA keep state > >> > >> pass in inet proto tcp to $jssh4 port 2223 flags S/SA keep state > >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >> global) > >> pass inet proto tcp to $jssh4 port 2223 flags S/SA keep state > >> > >> # Pass traffic to the vpn > >> pass in inet proto { tcp, udp } to $vpn port 1194 $udpstate > >> #pass in inet proto tcp from any to $vpn port 1194 $udpstate > >> pass inet proto { tcp, udp } to $vpn port 1194 $udpstate > >> #pass inet proto tcp from any to $vpn port 1194 $udpstate > >> > >> # Pass in http traffic from the internet > >> pass in inet proto tcp to $ext_if port 80 flags S/SA keep state > >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >> global) > >> > >> # Pass in https traffic from the internet > >> pass in inet proto tcp to $ext_if port 443 flags S/SA keep state > >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >> global) > >> > >> # Pass in smtp traffic from the internet > >> pass in inet proto tcp to $ext_if port 25 flags S/SA keep state > >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >> global) > >> > >> # Pass in submission traffic from the internet > >> pass in inet proto tcp to $ext_if port 587 flags S/SA keep state > >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >> global) > >> > >> # Pass in imaps traffic from the internet > >> pass in inet proto tcp to $ext_if port 993 flags S/SA keep state > >> (max-src-conn 15, max-src-conn-rate 5/3, overload flush > >> global) > >> > >> # pass traffic from the asterisk server > >> pass inet proto { tcp, udp } to $asterisk port $voipports keep state > >> > >> > >> On 4/18/17, Ultima wrote: > >> > I didn't have time to read and look through this entire post, but I > >> think I > >> > know the issue you're running into and this suggestion should push y= ou > >> > in > >> > the right direction. > >> > > >> > this rule for example, > >> > > >> > rdr on $ext_if inet proto udp from any to any port 1194 -> $vpn port > >> > 1194 > >> > rdr on $ext_if inet proto tcp from any to any port 1194 -> $vpn port > >> > 1194 > >> > # reflect for internal hosts > >> > rdr on $int_if inet proto udp from any to any port 1194 -> $vpn port > >> > 1194 > >> > rdr on $int_if inet proto tcp from any to any port 1194 -> $vpn port > >> > 1194 > >> > > >> > This is probably not giving you the results you desire. Basically > >> > because > >> > no from or to ip is specified ALL and I quite literally mean ALL > >> > packets > >> > using port 1194 are being sent to $vpn port 1194. Usually you want t= o > >> make > >> > it something like, > >> > > >> > rdr on $ext_if inet proto udp from any to $ext_ip port 1194 -> $vpn > >> > port > >> > 1194 > >> > rdr on $int_if inet proto udp from any to $int_ip port 1194 -> $vpn > >> > port > >> > 1194 > >> > > >> > Now the traffic will be passed only when the packet is going to the > >> > host, > >> > not all traffic on a specific port. Another thing you may want to do > is > >> > combined many of these rules you have. > >> > > >> > rdr on $ext_if inet proto { tcp, udp } to $ext_ip port 1194 -> $vpn > >> > port > >> > 1194 > >> > > >> > Also note the above, because we are specifying any for from, we can > >> remove > >> > the form rule entirely and make it shorter. > >> > > >> > Hope this helps > >> > > >> > Ultima > >> > > >> > > >