Can you also send your routing table on both the firewall and the client on your internal network?
netstat -r -f inet specifically. Is the client's default route 10.0.0.0? If you can, it would be best to experiment with statically defined IPs at first.

On 10/5/07, a.padilla <[EMAIL PROTECTED]> wrote:
>
> ifconfig:
>
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
>         inet 127.0.0.1 netmask 0xff000000
> rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:18:4d:ea:33:0a
>         groups: egress
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::218:4dff:feea:330a%rl0 prefixlen 64 scopeid 0x1
>         inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255
> dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:14:bf:53:1e:fe
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet6 fe80::214:bfff:fe53:1efe%dc0 prefixlen 64 scopeid 0x2
>         inet 10.0.0.0 netmask 0xff000000 broadcast 255.255.255.0
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> enc0: flags=0<> mtu 1536
>
> pfctl:
>
> TRANSLATION RULES:
> nat on rl0 inet from 10.0.0.0/8 to any -> (rl0) round-robin
>
> FILTER RULES:
> pass quick all flags S/SA keep state
> No queue in use
>
> STATES:
> all udp 239.255.255.250:1900 <- 192.168.0.1:1900       NO_TRAFFIC:SINGLE
> all udp 192.168.0.111:1026 <- 24.64.244.238:33603       NO_TRAFFIC:SINGLE
> all udp 192.168.0.111:1027 <- 24.64.244.238:33603       NO_TRAFFIC:SINGLE
> all udp 192.168.0.111:1028 <- 24.64.244.238:33603       NO_TRAFFIC:SINGLE
>
> INFO:
> Status: Enabled for 0 days 00:25:29           Debug: Urgent
>
> State Table                          Total             Rate
>   current entries                        4
>   searches                           19533           12.8/s
>   inserts                              126            0.1/s
>   removals                             122            0.1/s
> Counters
>   match                              13620            8.9/s
>   bad-offset                             0            0.0/s
>   fragment                               0            0.0/s
>   short                                  0            0.0/s
>   normalize                              0            0.0/s
>   memory                                 0            0.0/s
>   bad-timestamp                          0            0.0/s
>   congestion                             0            0.0/s
>   ip-option                              0            0.0/s
>   proto-cksum                           15            0.0/s
>   state-mismatch                         0            0.0/s
>   state-insert                           0            0.0/s
>   state-limit                            0            0.0/s
>   src-limit                              0            0.0/s
>   synproxy                               0            0.0/s
>
> TIMEOUTS:
> tcp.first                   120s
> tcp.opening                  30s
> tcp.established           86400s
> tcp.closing                 900s
> tcp.finwait                  45s
> tcp.closed                   90s
> tcp.tsdiff                   30s
> udp.first                    60s
> udp.single                   30s
> udp.multiple                 60s
> icmp.first                   20s
> icmp.error                   10s
> other.first                  60s
> other.single                 30s
> other.multiple               60s
> frag                         30s
> interval                     10s
> adaptive.start             6000 states
> adaptive.end              12000 states
> src.track                     0s
>
> LIMITS:
> states        hard limit    10000
> src-nodes     hard limit    10000
> frags         hard limit     5000
> tables        hard limit     1000
> table-entries hard limit   200000
>
> TABLES:
>
> OS FINGERPRINTS:
> 696 fingerprints loaded
>
> I feel exposed.... ;)
>
> On Oct 5, 2007, at 2:30 PM, Chad M Stewart wrote:
>
> > Ok, so it is something more basic than filtering. What is the
> > output of the following
> >
> > ifconfig -A
> >
> > pfctl -s all
> >
> > sysctl -a|grep forward
> >
> >
> > How are the obsd box and the client connected, from a networking
> > perspective? Wired? Hub/Switch? Direct with a crossover cable?
> >
> >
> > -Chad
> >
> > On Oct 5, 2007, at 2:21 PM, a.padilla wrote:
> >
> >> I commented out "pass out keep state" and added, after the nat rule,
> >> pass quick all. Still nothing.
> >>
> >> I can't even ping from the server the private IP which the client
> >> has....
> >>
> >> I know the client is connected to the server, it shows up on
> >> dhcpd.leases. Do you think it's my dhcpd server that's wrong?

-- 
Joe
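Added example, not part of the thread above and not code from any of its participants: a small POSIX sh checker for the two things the thread asks the poster to verify before looking at pf rules at all. It reads the "inet A netmask M broadcast B" lines of an ifconfig(8) dump and flags an address whose host bits are all zero (the network address; with netmask 0xff000000 that is exactly what "inet 10.0.0.0" on dc0 is), all ones (the broadcast address), or whose stated broadcast is not address | ~netmask; and it reads sysctl output for net.inet.ip.forwarding=1, which the firewall needs in order to route between rl0 and dc0. The ifconfig sample inside the block is constructed from the rl0 and dc0 lines quoted above; the sysctl line is constructed in OpenBSD's output format, since the thread does not show that output. All function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the "inet A netmask M
# broadcast B" lines of an ifconfig(8) dump and the forwarding sysctl.
# POSIX sh with $(( )) arithmetic only, so it runs under dash, bash and
# OpenBSD ksh.  All function names are this example's own.

ip_to_int() {                       # 10.0.0.0 -> 167772160
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int_to_ip() {                       # 184549375 -> 10.255.255.255
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_inet ADDR HEXMASK [BCAST]: prints "ok" or a space-separated list of
# problems.  Host bits all zero is the network address, all ones is the
# broadcast address; neither is usable as a host address.
check_inet() {
    addr=$(ip_to_int "$1")
    mask=$(( $2 & 0xffffffff ))     # ifconfig prints the mask as 0xff000000
    hostbits=$(( ~mask & 0xffffffff ))
    host=$(( addr & hostbits ))
    want_bcast=$(( addr | hostbits ))
    problems=""
    if [ "$host" -eq 0 ]; then
        problems="${problems}network-address "
    elif [ "$host" -eq "$hostbits" ]; then
        problems="${problems}broadcast-address "
    fi
    if [ -n "$3" ] && [ "$(ip_to_int "$3")" -ne "$want_bcast" ]; then
        problems="${problems}bad-broadcast(expected $(int_to_ip "$want_bcast")) "
    fi
    problems=${problems% }
    echo "${problems:-ok}"
}

# check_ifconfig < ifconfig-output: one line "IFACE ADDR/MASK verdict" per
# IPv4 address.  Interface headers start in column 0 and address lines are
# indented, which is how ifconfig prints them.
check_ifconfig() {
    iface=""
    while IFS= read -r line; do
        case $line in
            [a-z]*": flags="*) iface=${line%%:*} ;;
            *"inet "*"netmask "*)
                set -- $line            # inet A netmask M [broadcast B]
                echo "$iface $2/$4 $(check_inet "$2" "$4" "${6:-}")"
                ;;
        esac
    done
}

# check_forwarding < sysctl-output: routing between rl0 and dc0 needs
# net.inet.ip.forwarding=1 on the firewall.
check_forwarding() {
    if grep -q '^net\.inet\.ip\.forwarding=1$'; then
        echo "ok"
    else
        echo "ip-forwarding-off"
    fi
}

# Constructed input: the rl0 and dc0 lines quoted in the thread.
sample_ifconfig() {
    cat <<'EOF'
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.168.0.111 netmask 0xffffff00 broadcast 192.168.0.255
dc0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 10.0.0.0 netmask 0xff000000 broadcast 255.255.255.0
EOF
}

sample_ifconfig | check_ifconfig
# Constructed sysctl line (the thread does not show the real output):
printf 'net.inet.ip.forwarding=0\n' | check_forwarding
```

On the box itself the same functions take the real output of the two commands Chad listed: source the file, then run "ifconfig -A | check_ifconfig" and "sysctl -a | check_forwarding". The verdict for dc0 on the constructed sample is "network-address bad-broadcast(expected 10.255.255.255)", which is worth settling before touching the nat rule again.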