The best way to troubleshoot PF issues is to turn on logging and read the log. This will show you exactly what rule is catching your packets. Then you can debug easily from there. And also keep in mind the magic way to troubleshoot PF:

"Think like PF.  Be PF."

That is all.

Alex Stamatis wrote:
Hello Misc!

I have a problem with the Pf.

I don't understand why, but for some reason it won't let ports 80 - 15352 pass
even though I have set it up in the configuration. It's been done according to
the faq and pfctl -nf doesn't return any errors at all!
Also NAT in the internal network and all communications from the int_if to
the OpenBSD are fine!

I am pasting the conf below so you can tell me if you see something wrong.
Thank you for your time!

Best Regards
Alex


# Macros: interfaces, internal hosts and RFC 1918 / loopback ranges
int_if = "rl0"
ext_if = "tun0"
core = "192.168.0.1"
giouli = "192.168.0.2"
lydia = "192.168.0.3"
icall = "192.168.0.4"
laptop = "192.168.0.69"
wifi = "192.168.0.227"
clients = "{" $core $giouli $lydia $icall $laptop $wifi "}"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

set skip on lo0

scrub in all

# Translation: NAT the internal hosts out of the external interface,
# and redirect SIP (5060/5061) from the outside to $core
nat on $ext_if from { 192.168.0.1 192.168.0.2 192.168.0.3 192.168.0.4 192.168.0.69 192.168.0.227 } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 5060 -> $core port 5060
rdr on $ext_if proto tcp from any to ($ext_if) port 5061 -> $core port 5061
rdr on $ext_if proto udp from any to ($ext_if) port 5060 -> $core port 5060
rdr on $ext_if proto udp from any to ($ext_if) port 5061 -> $core port 5061

# Default deny; everything below is an explicit exception
block all

antispoof quick for $ext_if inet

# Inbound services on the external interface (rules joined here where
# the mail client had wrapped them; each pf rule must be on one line)
pass in on $ext_if inet proto tcp from any to ($ext_if) port 15352 flags S/SA keep state
pass in on $ext_if inet proto tcp from any to ($ext_if) port www flags S/SA synproxy state
pass in on $ext_if proto udp from any to any port 5060 keep state
pass in on $ext_if proto udp from any to any port 5061 keep state
pass in on $ext_if proto tcp from any to any port 5060 keep state
pass in on $ext_if proto tcp from any to any port 5061 keep state

# Outbound from the firewall itself
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state

# Internal network is trusted in both directions
pass in on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network
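Following Ted's advice to turn on logging and read the log, the script below is an added example (not part of this thread) that correlates pflog entries with the rule list so you can see which rule is catching the port 80 and 15352 packets. It assumes the pflog lines come from `tcpdump -n -e -ttt -i pflog0` and the rule list from `pfctl -vvsr`, whose `@N` index is the rule number pflog reports; the sample lines embedded here are constructed, not real captures.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -ttt -i pflog0` output (not a real capture).
PFLOG_SAMPLE = """\
000000 rule 0/(match) block in on tun0: 203.0.113.5.51234 > 198.51.100.1.80: S 10:10(0) win 65535
000013 rule 0/(match) block in on tun0: 203.0.113.5.51235 > 198.51.100.1.15352: S 11:11(0) win 65535
000020 rule 3/(match) pass in on tun0: 203.0.113.7.40000 > 198.51.100.1.5060: udp 412
000031 rule 0/(match) block in on tun0: 203.0.113.5.51236 > 198.51.100.1.80: S 12:12(0) win 65535
"""
# Constructed sample of `pfctl -vvsr` output; the @N index is the "rule N" pflog reports.
RULES_SAMPLE = """\
@0 block drop all
@1 block drop in quick on ! tun0 inet from 192.168.0.0/24 to any
@2 pass in on tun0 inet proto tcp from any to (tun0) port = 15352 flags S/SA keep state
@3 pass in on tun0 proto udp from any to any port = 5060 keep state
"""
# Accepts both the "rule N/(match)" and the older "rule N/0(match):" pflog spellings.
LOG_RE = re.compile(
    r"rule (?P<rule>\d+)/\d*\(match\):? (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)
RULE_RE = re.compile(r"^@(?P<num>\d+) (?P<text>.*)$")

def parse_rules(text):
    """Map rule number -> rule text from `pfctl -vvsr` output (lines starting with @N)."""
    return {int(m.group("num")): m.group("text")
            for m in (RULE_RE.match(l) for l in text.splitlines()) if m}

def parse_pflog(text):
    """Extract rule number, action, direction, interface and endpoints from each pflog line."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            d = m.groupdict()
            d["rule"], d["dport"] = int(d["rule"]), int(d["dport"])
            entries.append(d)
    return entries

def blocked_summary(log_text, rules_text, ports):
    """Count blocked packets to the ports of interest, keyed by (rule number, rule text, dport)."""
    rules = parse_rules(rules_text)
    counts = Counter()
    for e in parse_pflog(log_text):
        if e["action"] == "block" and e["dport"] in ports:
            counts[(e["rule"], rules.get(e["rule"], "<unknown>"), e["dport"])] += 1
    return counts
```

Run `blocked_summary(PFLOG_SAMPLE, RULES_SAMPLE, {80, 15352})` on real `tcpdump` and `pfctl` output to get the blocking rule and its text per port; a hit on `block drop all` means no pass rule matched the packet at all.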

  • Pf behaviour Alex Stamatis
    • Re: Pf behaviour Ted Strzalkowski