I am having trouble accessing anything which uses SSL behind my NAT,
though I can access the same services from the firewall itself. There
is nothing unusual in /var/log/messages, dmesg, etc. I don't know why
this is happening. The system has been running fine for months, and
nothing I am aware of has changed.
# cat /etc/pf.conf
#Firewall ruleset for KintaroABODE router.
int_if="fxp0"
wifi_if = "athn0"
tcp_services="{ 22, 113 }"
icmp_types="echoreq"
fekete="192.168.0.3"
fekete_tcp="{ 17001, 8333 }"
fekete_udp="{ 8333 }"
mises="192.168.0.4"
mises_tcp="{ 25565 }"
#options
set block-policy drop
set loginterface egress
set skip on lo
anchor "ftp-proxy/*"
pass in on $int_if inet proto tcp to any port ftp \
divert-to 127.0.0.1 port 8021
table <sshguard> persist
#match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)
#filter rules
block in log
pass out quick
antispoof quick for { lo $int_if $wifi_if }
pass in on egress inet proto tcp from any to (egress) \
port $tcp_services
block in quick on egress proto tcp from <sshguard> \
to any port ssh label "ssh bruteforce"
pass in on egress inet proto tcp from any to (egress) port $fekete_tcp
rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $fekete_udp
rdr-to $fekete
pass in on egress inet proto tcp from any to (egress) port $mises_tcp
rdr-to $mises
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
pass in on $wifi_if
If anyone could help and tell me where to start looking that would be
good. Some SSL services appear to work fine, such as gmail which I'm
using to send this.
--
www.johntate.org
