On Tue, 14 Jul 2009 01:22:06 +0100 Peter Maxwell <pe...@allicient.co.uk> wrote:
> Can you post the output of: pfctl -s r

# pfctl -sr
scrub in all random-id fragment reassemble
block drop log (all) all
block drop in on sk0 inet proto icmp all icmp-type echoreq
block drop out log (all) quick on sk0 from any to <perm-ban>
block drop in log (all) quick on sk0 from <ssh-bruteforce> to any
pass in on sk0 inet proto tcp from any to 192.168.2.248 port = 57277 flags S/SA keep state
pass in on sk0 inet proto udp from any to 192.168.2.248 port = 57277 keep state
pass out on sk0 inet proto udp from 192.168.2.248 port = 57277 to any keep state
pass out on sk0 inet proto tcp from 192.168.2.248 port = 57277 to any flags S/SA keep state
pass in on sk0 inet proto udp from any to any port = http keep state
pass in on sk0 inet proto tcp from any to any port = http flags S/SA keep state
pass in on sk0 proto udp from any to any port = 2706 keep state
pass in on sk0 proto tcp from any to any port = 2706 flags S/SA keep state
pass quick proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 1/3, overload <ssh-bruteforce> flush global, src.track 3)
pass quick proto udp from any to any port = ssh keep state (source-track rule, max-src-conn 10, max-src-conn-rate 1/3, overload <ssh-bruteforce> flush global, src.track 3)
pass out on sk0 proto tcp all flags S/SA modulate state
pass out on sk0 proto udp all keep state
pass out on sk0 proto icmp all keep state
pass out on sk0 proto esp all keep state
pass in on vr0 inet from 192.168.2.0/24 to any flags S/SA keep state
pass out on vr0 inet from any to 192.168.2.0/24 flags S/SA keep state
pass in on vr1 inet from 192.168.0.0/24 to any flags S/SA keep state
pass out on vr1 inet from any to 192.168.0.0/24 flags S/SA keep state

Should I replace the netmask with /16 in the last four rules?

> What happens if you try things without pf loaded
> and with pf loaded but a pass all ruleset?

With pf loaded I can open almost anything but not an ssh connection.
I can ping, browse shares and printers between LANs. Without pf loaded I can do all that and ssh. Yesterday I changed the default ssh port on the remote box and it let me in with the same pf rules loaded. Now I'm also suspicious about the remote box: it is a CentOS box with untouched config files; maybe SELinux is preventing ssh login.

> Have you got gateway_enable set in your rc.conf (I think it shows as
> net.inet.ip.forwarding being set to 1 in your sysctl)?

sysctl -a | grep net.inet.ip.forwarding
net.inet.ip.forwarding: 1

> Can you post the results of the same tcpdump with a larger window size
> ( -s 1024 ) and/or a tcpdump on the network interface itself?

see attachment

> 2009/7/13 Michael K. Smith - Adhost <mksm...@adhost.com>:
> > Hello Aleksic:
> >>
> >> no nat on $extIF inet proto {tcp, udp} from $intIF:network to
> >> $intIF2:network
> >> no nat on $extIF inet proto {tcp, udp} from $intIF2:network to
> >> $intIF:network
> >>
> > If nothing else, these rules won't match because the traffic isn't
> > traversing the External Interface.
> >
> > no nat on $intIF2 inet proto {tcp, udp} from $intIF:network to
> > $intIF2:network
> > no nat on $intIF inet proto {tcp, udp} from $intIF2:network to
> > $intIF:network
> >
> > Regards,
> >
> > Mike
> > _______________________________________________
> > freebsd-pf@freebsd.org mailing list
> > http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> > To unsubscribe, send any mail to
> > "freebsd-pf-unsubscr...@freebsd.org"
[Attachment: vr1 (binary data)]
[Attachment: pflog0 (binary data)]
_______________________________________________ freebsd-pf@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-pf To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
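An added example, not part of this thread, to make the rule ordering in the ruleset above concrete: a small Python model of pf evaluation (the last matching rule wins unless a matching rule carries `quick`) run over a constructed subset of the pfctl -sr output. It is an assumption-laden simplification: flags, state options and the source-track counters are ignored, and the packets and table contents are made up.

```python
import ipaddress
import re

# Constructed subset of the pfctl -sr output quoted above; the matcher below
# ignores flags, state options and source-track counters (an assumption).
RULES = """\
block drop log (all) all
block drop in log (all) quick on sk0 from <ssh-bruteforce> to any
pass in on sk0 inet proto tcp from any to 192.168.2.248 port = 57277 flags S/SA keep state
pass quick proto tcp from any to any port = ssh flags S/SA keep state (source-track rule, max-src-conn 10, max-src-conn-rate 1/3, overload <ssh-bruteforce> flush global, src.track 3)
pass in on vr0 inet from 192.168.2.0/24 to any flags S/SA keep state
pass in on vr1 inet from 192.168.0.0/24 to any flags S/SA keep state
""".splitlines()

# Field order as pfctl prints it: action [drop] [dir] [log] [quick] [on iface] [inet] [proto] (all | from .. to .. [port = ..])
RULE_RE = re.compile(
    r"^(?P<action>pass|block)(?: drop)?(?: (?P<dir>in|out))?(?: log(?: \(all\))?)?"
    r"(?P<quick> quick)?(?: on (?P<iface>\w+))?(?: inet)?(?: proto (?P<proto>\w+))?"
    r" (?:all|from (?P<src>\S+) to (?P<dst>\S+)(?: port = (?P<port>\S+))?)"
)
PORTS = {"ssh": "22", "http": "80"}  # service names pfctl prints for these ports

def addr_matches(spec, addr, tables):
    """Match an address against 'any', a host/CIDR, or a <table> of networks."""
    if spec is None or spec == "any":
        return True
    nets = tables.get(spec.strip("<>"), []) if spec.startswith("<") else [spec]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)

def rule_matches(r, pkt, tables):
    """Direction, interface, protocol and port only constrain when the rule names them."""
    for key in ("dir", "iface", "proto"):
        if r[key] and r[key] != pkt[key]:
            return False
    if r["port"] and PORTS.get(r["port"], r["port"]) != str(pkt["dport"]):
        return False
    return addr_matches(r["src"], pkt["src"], tables) and addr_matches(r["dst"], pkt["dst"], tables)

def winning_rule(pkt, rules=RULES, tables=None):
    """pf evaluation: the last matching rule wins, unless a matching rule is 'quick'."""
    tables = tables or {}
    winner = None
    for line in rules:
        m = RULE_RE.match(line)
        if m and rule_matches(m.groupdict(), pkt, tables):
            winner = line
            if m["quick"]:
                break  # quick: stop evaluating, this rule decides
    return winner
```

Running `winning_rule` on a LAN-to-LAN ssh packet entering vr0 returns the global `pass quick ... port = ssh` rule, while the same packet to port 80 is decided by the `pass in on vr0` rule.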