TheSG wrote:
I have been struggling with this issue for a few days now. I have a
Citrix server (customer site) that I cannot connect to through my
OpenBSD 3.7 pf firewall. I am able to reach this Citrix server if I go
direct (no firewall). I know the Citrix server is open to everyone on
the Internet. However, something is happening when my Windows client
passes through the OpenBSD pf firewall - I do not receive any packets
back from the Citrix server. I have tcpdump running on the outside and
inside of the firewall, and I see the matching rules allow the traffic
out of the inside interface and then out of the outside interface, but I
never see any traffic back from the Citrix server.
My rules are simple. I have actually done a pass in log all keep state
& pass out log all keep state in my rules with nothing else (no block
or pass) and it still fails. I see the traffic go through the pf box
but never see anything from the Citrix server.
I do know this Citrix server is being firewalled by a Check Point NG
firewall. I do not believe they are running any IDS or anything else
that would block my connection attempts.
Has anyone got this to work? If so, what does the rule(s) look like?
Thanks.
Copy of my rules (not included in my previous message):
# Macros
ext_if="xl0"                     # outside (Internet-facing) interface
int_if="fxp0"                    # inside (LAN) interface
lan_net = "192.168.11.0/24"
nattwo = "192.168.11.50"         # target of the commented-out UDP 1604 redirect
citrix = "xxx.xxxx.xxx.xxx"      # Citrix server address (defined, not referenced below)

#set block-policy return
set loginterface $ext_if
scrub in log

# NAT everything leaving on the outside interface to its primary address
nat on $ext_if from !($ext_if) -> ($ext_if:0)
# FTP from the LAN is redirected to port 8021 on the firewall (the ftp-proxy listener)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
# rdr on $ext_if proto udp from any to any port 1604 -> $nattwo

block all
block in log all

#pass in log all keep state
#pass out log all keep state

# Anything arriving on loopback or the inside interface is passed (no state kept)
pass in quick log on { lo $int_if }
# SSH to the firewall itself, with state
pass in log on $ext_if proto tcp to ($ext_if) port ssh keep state
# Inbound UDP to the firewall's own address on port 1494 (no state kept)
pass in log on $ext_if proto udp to ($ext_if) port 1494
# Anything leaving on the inside interface toward the LAN (no state kept)
pass out log on $int_if from any to $lan_net
# Outbound TCP on the outside interface: state created on the initial SYN,
# with ISN modulation
pass out log on $ext_if proto tcp all modulate state flags S/SA
# Outbound UDP and ICMP on the outside interface, with state
pass out log on $ext_if proto { udp, icmp } all keep state
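As an added example (not the poster's ruleset and not an answer from the thread), here is a stateful pf.conf in OpenBSD 3.7 syntax, where "keep state" still has to be written explicitly, that lets LAN clients behind NAT reach a Citrix server. It reuses the post's macro names, uses a placeholder Citrix address in the RFC 5737 documentation range, and assumes the Citrix ports ICA TCP 1494, session reliability (CGP) TCP 2598 and ICA browser UDP 1604.

```pf
# Added example, not the original poster's rules.
ext_if  = "xl0"
int_if  = "fxp0"
lan_net = "192.168.11.0/24"
citrix  = "203.0.113.10"         # placeholder address (assumption)

# Assumed Citrix ports: ICA session TCP 1494, session reliability TCP 2598,
# ICA browser (server/application enumeration) UDP 1604.
ica_tcp = "{ 1494, 2598 }"
ica_udp = "1604"

set loginterface $ext_if
set skip on lo
scrub in all

# Hide the LAN behind the firewall's external address.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny, logged, so unexpected drops show up on pflog0.
block log all

# LAN -> Citrix: create state on the inside interface on the way in and on
# the outside interface on the way out. The Citrix server's replies are then
# matched by the state table on both interfaces, so no stateless "pass in on
# $ext_if" or "pass out on $int_if" rule is needed for them.
pass in  quick on $int_if proto tcp from $lan_net to $citrix port $ica_tcp flags S/SA keep state
pass in  quick on $int_if proto udp from $lan_net to $citrix port $ica_udp keep state
pass out quick on $ext_if proto tcp from ($ext_if) to $citrix port $ica_tcp flags S/SA modulate state
pass out quick on $ext_if proto udp from ($ext_if) to $citrix port $ica_udp keep state

# Management access to the firewall itself.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. While a client connects, `pfctl -ss` shows whether state entries for TCP 1494 or UDP 1604 are being created on each interface, and `tcpdump -n -e -ttt -i pflog0` shows every logged (here: blocked) packet together with the number of the rule that matched it, which is the quickest way to tell a packet pf dropped from a packet that never arrived on the outside interface.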