Okay, I did that, but apparently I spoke too soon, as a tcpdump reveals packets are still being blocked. Here is an example from a tcpdump on the pflog0 interface:

Apr 11 14:57:43.943764 rule 1/(match) block in on tun0: 172.16.254.2 > 10.40.60.1: icmp: echo request (gre encap)

I guess I need to specifically allow GRE traffic?

Thanks,
Matt

> On 04/11/11 23:34, Matt S wrote:
> > Hello Everyone:
> >
> > I am using 4.8 RELEASE. Given the following pf.conf, would anyone be able to
> > tell me why gre0 is not being skipped?
> >
> > set skip on lo
> > set skip on gre0
> > set skip on enc0
>
> You need to combine them, or they override each other.
>
> set skip on { lo0, gre0, enc0 }
>
> /Alexander
>
> > anchor "ftp-proxy/*"
> >
> > block in all
> > pass out all
> >
> > antispoof for tun0
> > table <bruteforce> persist
> > table <trustednets> { 10.40.60.0/24, 10.40.65.0/24 }
> >
> > match out on tun0 from 10.40.60.0/24 to any nat-to (tun0)
> >
> > block log quick from <bruteforce>
> > pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
> > pass in quick proto tcp from localhost to any port { http, https } rdr-to 127.0.0.1 port 3128
> > pass inet proto icmp all icmp-type { echoreq, unreach }
> > pass in on tun0 inet proto tcp from any to any port ssh keep state (max-src-conn 6, max-src-conn-rate 3/1, overload <bruteforce> flush global) rdr-to 10.40.60.1
> > pass on em0 from {trustednets} to any
> >
> > In order for in-bound packets from 10.40.65.1 not to be dropped, I have to ping
> > it (10.40.64.1) from 10.40.60.1 to set a state. Any help that you can provide
> > would be appreciated.
> >
> > Thanks,
> > Matt
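Added by the editor as an illustration, not part of Matt's or Alexander's messages: the ruleset below shows the two points from the thread in one pf.conf. First, the three `set skip` statements are merged into a single list, because pf keeps only one skip list and each separate `set skip on` line replaces the previous one rather than adding to it. Second, the GRE tunnel traffic gets an explicit pass rule on tun0: a GRE packet arrives on tun0 as IP protocol 47 and is filtered there before it is ever decapsulated onto gre0, so skipping gre0 alone does not let it through, which is what the `block in on tun0 ... (gre encap)` pflog entry shows. Interface names, tables and the NAT rule follow the posted configuration; the tunnel peer address `192.0.2.1` and the `$gre_peer` macro are assumptions for the example.

```pf
# Editor's example ruleset, assembled from the thread; not the poster's file.
# Interface and table names follow the posted pf.conf. The GRE peer address
# is an assumption for illustration (documentation range, RFC 5737).
ext_if   = "tun0"
int_if   = "em0"
gre_peer = "192.0.2.1"

# One skip statement. Separate "set skip on lo0" / "set skip on gre0" /
# "set skip on enc0" lines each overwrite the previous one, leaving only
# the last interface skipped.
set skip on { lo0, gre0, enc0 }

anchor "ftp-proxy/*"

table <bruteforce> persist
table <trustednets> { 10.40.60.0/24, 10.40.65.0/24 }

block in log all
pass out all

antispoof for $ext_if

match out on $ext_if from 10.40.60.0/24 to any nat-to ($ext_if)

# GRE is filtered on the outer interface, not on gre0. Allow protocol 47
# to and from the tunnel peer only; anything else keeps hitting "block in".
pass in  on $ext_if inet proto gre from $gre_peer to ($ext_if)
pass out on $ext_if inet proto gre from ($ext_if) to $gre_peer

block log quick from <bruteforce>
pass in quick proto tcp to port ftp rdr-to 127.0.0.1 port 8021
pass in quick proto tcp from localhost to any port { http, https } rdr-to 127.0.0.1 port 3128
pass inet proto icmp all icmp-type { echoreq, unreach }
pass in on $ext_if inet proto tcp from any to any port ssh keep state \
    (max-src-conn 6, max-src-conn-rate 3/1, overload <bruteforce> flush global) \
    rdr-to 10.40.60.1
pass on $int_if from <trustednets> to any
```

To check the result without touching the running ruleset, parse it first with `pfctl -nf /etc/pf.conf`, then after `pfctl -f /etc/pf.conf` run `pfctl -vs Interfaces` and confirm that lo0, gre0 and enc0 are all marked `(skip)`; with only the last of three separate `set skip` lines in effect, only enc0 would carry that flag. `tcpdump -n -e -ttt -i pflog0` should then stop showing the `block in on tun0 ... (gre encap)` entries, and `pfctl -vvs rules` will show the GRE pass rule's packet counters increasing instead.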