Parvinder Bhasin wrote:
> My home network. Firewall is openbsd (4.3). DSL setup with PPPOE (in
> kernel):
>
> cat /etc/hostname.pppoe0
>
> inet 0.0.0.0 255.255.255.255 NONE \
> pppoedev dc0 authproto pap \
> authname '[EMAIL PROTECTED]' authkey 'password' up
> !/sbin/route add default
>
> #
>
>
> Here is my /etc/pf.conf for this network (HOME). Very simple blocking
> everything and allowing everything to go out from my internal network.
>
>
> # $OpenBSD: pf.conf,v 1.34 2007/02/24 19:30:59 millert Exp $
> #
> # See pf.conf(5) and /usr/share/pf for syntax and examples.
> # Remember to set net.inet.ip.forwarding=1 and/or
> net.inet6.ip6.forwarding=1
> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>
> ext_if="dc0"
> int_if="fxp0"
> loopback="lo0"
> pppoe_if="pppoe0"
>
> #table <spamd-white> persist
>
> set skip on lo
> set loginterface $ext_if
> set loginterface $int_if
> set loginterface $pppoe_if
> set loginterface $loopback
> scrub in all max-mss 1440
>
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
>
> # nat on $pppoe_if from 172.16.200.0/24 -> $pppoe_if
> nat on $pppoe_if from !($pppoe_if) to any -> ($pppoe_if)
> block in log on $pppoe_if
>
> pass out keep state
If you're able to connect to other stuff other than your webserver, then
this is probably not it. But I'd expect a rule like:
pass in $int_if
Have you tried no filtering at all to see if it works that way? What
about accessing your webserver directly from the firewall box?
> Here is my Lab network: setup on static DSL connection with 5 static
> IPs:
> I am using one for webserving: 75.44.224.2.
>
> my /etc/hostname.sk0 looks like:
>
> inet 75.44.229.1 255.255.255.248 NONE
> alias 75.44.229.2 255.255.255.248
>
> I also have a laptop behind this firewall on internal network. Used
> for browsing etc.
>
>
> ##### MACROS ####
> ext_if="sk0"
> int_if="gem0"
>
> external_ip="75.44.229.1"
> external_net="{75.44.229.17 75.44.229.18 75.44.229.19 75.44.229.20}"
>
> internal_ip="172.16.10.10"
>
>
> webserver_ip="75.44.224.2"
> webserver_int="172.16.10.11"
>
>
> #### OPTIONS #####
> set loginterface $ext_if
> set loginterface $int_if
> scrub in
>
> #### NAT/REDIRECTS ####
>
> nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
>
> rdr pass on $ext_if proto tcp from any to $webserver_ext port 80 ->
> $webserver_int port 80
>
>
> ###### FILTERS #####
>
> block in log on $ext_if
>
> pass in on $ext_if proto tcp from any to $webserver_ext port 80 keep
> state
> pass out keep state
> #
>
>
> MY PROBLEM: Whenever I am on my home network and I try to reach
> webserver on my lab network, I don't get anything. Whenever I try to
> hit the webserver from my work network or several other networks, I
> can access the webserver fine. It's only from my home network that I
> cannot access the site on my webserver. Any other sites from the home
> network work totally fine.
>
> Can you see what's wrong with my configs?
>
> For troubleshooting this issue, I captured traffic on my webserver and
> saw that requests from my home network DO ARRIVE at the webserver and
> the webserver duly sends that data back BUT that data never arrives
> on the home network.
>
> If I try to hit any website from my webserver, I can reach it fine.
>
> This is really weird, I would really appreciate any help. I have
> tried almost everything to get this going.
>
> Thanks
> /Parvinder Bhasin
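One thing worth checking before anything else in the lab ruleset above: the rdr and pass rules reference `$webserver_ext`, but the macro actually defined is `webserver_ip`. pfctl refuses to load a ruleset that references an undefined macro, so if the file was pasted as-is the running ruleset may not be what the post shows. The small linter below is an added example (not code from the thread or from OpenBSD): it joins backslash continuations, expands `$macro` references the way pf.conf does, and reports both undefined references and macros that are defined but never used, which together point straight at a rename like this one. The embedded config is a trimmed, constructed copy of the lab pf.conf from the post.

```python
import re

# Constructed sample: the lab pf.conf from the post, trimmed to the lines that matter.
LAB_PF_CONF = """\
ext_if="sk0"
int_if="gem0"
external_ip="75.44.229.1"
webserver_ip="75.44.224.2"
webserver_int="172.16.10.11"
set loginterface $ext_if
scrub in
nat on $ext_if from !($ext_if) to any -> ($ext_if:0)
rdr pass on $ext_if proto tcp from any to $webserver_ext port 80 -> \\
    $webserver_int port 80
block in log on $ext_if
pass in on $ext_if proto tcp from any to $webserver_ext port 80 keep state
pass out keep state
"""

# name="value" or name=value, on a line of its own
MACRO_DEF = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"([^"]*)"|(\S+))\s*$')
# $name references inside rules
MACRO_REF = re.compile(r'\$([A-Za-z_][A-Za-z0-9_]*)')


def join_continuations(text):
    """pf.conf lets a trailing backslash continue a statement on the next line.
    Returns a list of logical lines; each keeps the physical line number it started on."""
    logical, buf, start = [], '', None
    for no, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        body = raw.rstrip()
        if body.endswith('\\'):
            buf += body[:-1] + ' '
            continue
        logical.append((start, buf + raw))
        buf, start = '', None
    if buf:
        logical.append((start, buf))
    return logical


def lint_macros(text):
    """Expand macros like pf.conf does and collect problems.
    Returns (expanded_rules, problems, unused_macros); a problem is (line_no, message)."""
    macros, used, expanded, problems = {}, set(), [], []
    for no, line in join_continuations(text):
        stripped = line.split('#', 1)[0]          # drop trailing comments
        if not stripped.strip():
            continue
        m = MACRO_DEF.match(stripped)
        if m:
            name = m.group(1)
            value = m.group(2) if m.group(2) is not None else m.group(3)
            # a macro value may itself reference earlier macros
            for ref in MACRO_REF.findall(value):
                used.add(ref)
                if ref not in macros:
                    problems.append((no, f"macro '{ref}' not defined"))
            macros[name] = MACRO_REF.sub(lambda r: macros.get(r.group(1), r.group(0)), value)
            continue
        for ref in MACRO_REF.findall(stripped):
            used.add(ref)
            if ref not in macros:
                problems.append((no, f"macro '{ref}' not defined"))
        expanded.append(MACRO_REF.sub(lambda r: macros.get(r.group(1), r.group(0)),
                                      ' '.join(stripped.split())))
    unused = sorted(set(macros) - used)
    return expanded, problems, unused


def lint_lab_config():
    """Run the linter over the constructed copy of the lab ruleset."""
    return lint_macros(LAB_PF_CONF)


if __name__ == "__main__":
    rules, problems, unused = lint_lab_config()
    for no, msg in problems:
        print(f"line {no}: {msg}")
    if unused:
        print("defined but never referenced:", ', '.join(unused))
    print("expanded rules:")
    for r in rules:
        print("  " + r)
```

Run against the sample it reports `webserver_ext` as undefined on the rdr and pass lines and `webserver_ip` (plus `external_ip` and `int_if`) as defined but unused, which is the pairing you would expect from a macro that was renamed in one place only. The same check on a live box is simply `pfctl -nf /etc/pf.conf`; the script is only useful for reading a ruleset offline, as when it is pasted into a mail.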