[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Very Annoying problem... blocks everything...



Shawn,
Multi-interface packet filtering can be tricky.  Could you post your
rules?
Without that, all we can probably say is that you have a
misconfiguration somewhere.
IIRC, creating stateful inspection on one interface does not allow the
packets to go through other interfaces.  This is my first guess as to
your problem.
==ml
On Mon, Dec 16, 2002 at 03:03:53PM -0600, shawnm@iodamedia.net wrote:
> Ok, I'm new to OpenBSD and pf, but I'm quickly getting the hang of it.
> 
> Here's my setup:
> 
> AMD 2300 w/ 512mb DDR ram
> 512mb flash drive
> 5 10/100 network cards
> 
> I have 4 networks right now, one of them is the internet.  So let's call them, Inet, A, B,and C.
> 
> Network C is the network with all mail/web/dns/etc servers on it.
> 
> A and B are networks, I could really care less what traffic goes to them, and from them, going to/from the
> internet and each other.
> 
> I want networks A and B to be able to only access the mail servers on ports 25/110/80/443, dns servers on
> port 53, webservers on ports 80/443, and a couple of other servers via ftp.
> 
> Should be very simple, I setup some rules to allow all traffic from Inet going to A and B.  I then allowed
> all traffic from A and B going to Inet to pass through.
> I then setup some holes on C, to allow those ports to those servers that I want open.  I also allowed
> network C to access http/https/ftp/dns/mail outside of it's network.
> I have a "catch all" in the bottom of my script, to just block everything that doesn't fit into anything else.
> 
> I enable it.. what happens.. I loose connectivity to all the networks.  Nothing can see anything outside of
> their network.
> do a ping from the firewall, and you get:
> 
> ping: sendto: No route to host
> ping: wrote 192.168.3.250 64 chars, ret=-1
> 
> 
> Anyone have any ideas?
> 
> 
-- 
Michael Lucas		mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
http://www.oreillynet.com/pub/q/Big_Scary_Daemons
           Absolute BSD:   http://www.AbsoluteBSD.com/