Date:      Thu, 2 Apr 2009 23:28:32 +0300
From:      Artis Caune <artis.caune@gmail.com>
To:        Sebastiaan van Erk <sebster@sebster.com>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: state mismatch/connection issues
Message-ID:  <9e20d71e0904021328u5e871322k1523c2ce0bf9fdd1@mail.gmail.com>
In-Reply-To: <49C9F27F.3010505@sebster.com>
References:  <49C9F27F.3010505@sebster.com>

2009/3/25 Sebastiaan van Erk <sebster@sebster.com>:
> The problem I'm having is that I get intermittent connection
> refused/operation not permitted to another machine on the local network.
> When I do pfctl -s info I see *huge* numbers of state mismatches:
>
> The firewall rules are trivially simple, $ext_if has 2 ips and $int_if has
> one:
>
> interfaces = "{" $ext_if "," $int_if "}"
>
> scrub in all
> set skip on lo0
> antispoof for $interfaces inet
> block out log quick on $ext_if from !$ext_ip1 to any
> block in quick on $ext_if from any to 255.255.255.255
> block log all
>
> pass in quick inet proto icmp all icmp-type $icmp_types
>
> pass in quick on $int_if from $int_net to any
> pass out quick on $int_if from any to $int_net
>
> pass out on $ext_if proto tcp all
> pass out on $ext_if proto { udp, icmp } all
> pass in on $ext_if proto tcp from any to $ext_ip1 port $tcp_services1
> pass in on $ext_if proto tcp from any to $ext_ip2 port $tcp_services2


Try without the "block out log quick on $ext_if from !$ext_ip1 to any" rule.

BTW, is your firewall forwarding traffic or doing NAT?

Can you show pfctl -sr and ifconfig output?




-- 
regards,
Artis Caune

<----. CCNA | BSDA
<----|====================
<----' didii FreeBSD
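The thread turns on the state-mismatch counter that `pfctl -s info` reports. The script below is an added example, not part of either poster's mail: it pulls a named counter out of `pfctl -s info` text, expresses state mismatches as a percentage of state-table searches, and lists which counters are non-zero at all, so the same check can be repeated before and after a rule change such as dropping the `block out` line. The sample output embedded in the script is constructed (the numbers are invented), and it assumes the counter names and two-column "Total / Rate" layout shown there, which is the format the FreeBSD pf tool prints; the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `pfctl -s info` output (invented numbers, not taken
# from the poster's firewall). Only the lines the functions below read are kept.
SAMPLE_INFO='Status: Enabled for 0 days 02:10:05           Debug: Urgent

State Table                          Total             Rate
  current entries                      213
  searches                          488102           62.4/s
  inserts                             9120            1.2/s
  removals                            8907            1.1/s
Counters
  match                               9120            1.2/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  state-mismatch                     30417            3.9/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
'

# pf_counter NAME: read `pfctl -s info` text on stdin and print the Total
# column of the first line whose first field is NAME (e.g. state-mismatch).
pf_counter() {
    awk -v name="$1" '$1 == name { print $2; exit }'
}

# mismatch_pct INFO_TEXT: integer percentage of state-table searches that
# ended in a state mismatch. Prints 0 and returns 1 if a field is missing.
mismatch_pct() {
    _info="$1"
    _mm=$(printf '%s\n' "$_info" | pf_counter state-mismatch)
    _se=$(printf '%s\n' "$_info" | pf_counter searches)
    if [ -z "$_mm" ] || [ -z "$_se" ] || [ "$_se" -le 0 ]; then
        echo 0
        return 1
    fi
    echo $(( _mm * 100 / _se ))
}

# pf_nonzero_counters: read `pfctl -s info` text on stdin and print the names
# of counters in the "Counters" section whose Total is non-zero, one per line.
pf_nonzero_counters() {
    awk '/^Counters/ { in_c = 1; next }
         in_c && NF >= 2 && $2 ~ /^[0-9]+$/ && $2 > 0 { print $1 }'
}

# mismatch_over_threshold INFO_TEXT PCT: succeed (exit 0) when the mismatch
# share is at or above PCT, so it can drive an alert from cron or a monitor.
mismatch_over_threshold() {
    _pct=$(mismatch_pct "$1") || return 1
    [ "$_pct" -ge "$2" ]
}

# Stand-alone demonstration on the constructed sample.
printf 'state-mismatch total: %s\n' "$(printf '%s\n' "$SAMPLE_INFO" | pf_counter state-mismatch)"
printf 'mismatch share of searches: %s%%\n' "$(mismatch_pct "$SAMPLE_INFO")"
printf 'non-zero counters: %s\n' "$(printf '%s\n' "$SAMPLE_INFO" | pf_nonzero_counters | tr '\n' ' ')"
```

On the firewall itself the same functions run against live output, for example `mismatch_pct "$(pfctl -s info)"`; taking one reading, applying the suggested rule change, and taking another is the quickest way to tell whether the mismatches actually stop.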


