
Re: Ruleset Problem



On Monday, Jun 2, 2003, at 09:48 US/Pacific, Amir Seyavash Mesry wrote:

> Here is my pf.conf, the keep state on the icmp doesn't seem to be working, it
> won't pass the packets out, i.e. I am on host 10.0.0.51, I ping 10.0.4.1 (a
> routing table entry is present for this net) and it won't ping it, but if I
> ping 10.0.0.1 (fxp1) then it will allow the packet and let it return. I think
> it is something really simple that I am overlooking but I can't figure it out.
> Any help is appreciated.

> # nat rules for both lan segments
> nat on $eth0 from $lan1 to any -> $eth0
> nat on $eth0 from $lan2 to any -> $eth0
>
> #block all in-out
> block in log all
> block out log all

You don't have any "pass out" rules for $eth2, so the packet is never reaching 10.0.4.1 (assuming it's on $eth2; you didn't say).

> #allow nat for both lan segments only if lan segments initiate request.
> pass out on $eth0 inet proto tcp from $lan1 to any modulate state
> pass out on $eth0 inet proto udp from $lan1 to any keep state
> pass out on $eth0 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
> pass out on $eth0 inet proto tcp from $lan2 to any modulate state
> pass out on $eth0 inet proto udp from $lan2 to any keep state
> pass out on $eth0 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

As a side note, these rules should never apply, as nat has already taken effect by the time you get to filter out on $eth0.
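A pf.conf fragment that applies both points of the reply (the missing pass out on $eth2, and filtering on the translated source on $eth0). This is an added illustration, not the poster's ruleset or anything from the reply; it assumes $eth1 is fxp1 carrying $lan1 = 10.0.0.0/24, that $eth2 carries $lan2 = 10.0.4.0/24, and placeholder names for the other interfaces.

```pf
# Added illustration, not the poster's pf.conf. Only fxp1 = 10.0.0.1 is from
# the post; $eth0 (external), $eth2 and the $lan2 network are assumptions.
eth0 = "fxp0"
eth1 = "fxp1"
eth2 = "fxp2"
lan1 = "10.0.0.0/24"
lan2 = "10.0.4.0/24"

# nat rules as posted; translation is applied before the filter rules are
# evaluated for a packet leaving on $eth0.
nat on $eth0 inet from $lan1 to any -> $eth0
nat on $eth0 inet from $lan2 to any -> $eth0

block in log all
block out log all

# Let each LAN initiate echo requests. The original source address is still
# visible here, so per-LAN policy belongs on the LAN interface.
pass in  on $eth1 inet proto icmp from $lan1 to any icmp-type 8 code 0 keep state
pass in  on $eth2 inet proto icmp from $lan2 to any icmp-type 8 code 0 keep state

# A ping from lan1 to lan2 is never translated, but "block out log all" drops
# it on $eth2 unless a pass out rule exists there (and on $eth1 for lan2 -> lan1).
pass out on $eth2 inet proto icmp from $lan1 to $lan2 icmp-type 8 code 0 keep state
pass out on $eth1 inet proto icmp from $lan2 to $lan1 icmp-type 8 code 0 keep state

# Traffic for the outside: by the time it is filtered out on $eth0 its source
# is already $eth0's address, so "from $lan1" cannot match there. Match the
# translated source instead ($eth0 expands to the interface's address).
pass out on $eth0 inet proto tcp  from $eth0 to any flags S/SA modulate state
pass out on $eth0 inet proto udp  from $eth0 to any keep state
pass out on $eth0 inet proto icmp from $eth0 to any icmp-type 8 code 0 keep state
```

Load it with pfctl -nf /etc/pf.conf first to check the syntax, then watch pflog0 with tcpdump to confirm the echo request is no longer logged as blocked on $eth2.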