
Re: Strange behaviour with PF on FreeBSD 5.3-STABLE



On Friday 26 November 2004 14:58, Jonathan Weiss wrote:
> Hi folks,
>
>
> Since yesterday my PF firewall acts strange. I have not touched the ruleset
> and tried a new one only with pass-rules, but the problem is still there.
>
> I cannot "go" through the tunnel interface tun0 of ppp (I use DSL here in
> Germany). Even a "pass on tun0" will not change anything.
>
> #pfctl -s rules
> block return log-all all
> pass on tun0 all
> pass on ed0 all
> pass on vr0 all
>
>
> vr0 is the internal interface and ed0 the external. I am connected through
> ppp with my ISP. Within the internal network over vr0 (192.168.0.0/24) I
> can connect to an ssh-server on 192.168.0.196 for example, but ssh (or
> telnet or whatever) will not work to an external ip.
>
> If I drop the block rule and reload the ruleset, it works! I can connect to
> an external ssh-server.
>
> Does anybody have an idea?
You are supposed to have a NAT rule somewhere. Please let us know the complete 
ruleset (including translation rules) and include match counters so that 
people can figure if a certain rule is matched at all (pfctl -vv -sn -sr).
Make sure that the NAT rule has dynamic address tracking (as I think you get a 
dynamic IP from your ISP). The rule should look something like:
 nat on tun0 from $internalnet to any -> (tun0)
Also note that we have a pf-related mailing list on FreeBSD, called 
[email protected] You might want to subscribe and take the discussion 
there: http://lists.freebsd.org/mailman/listinfo/freebsd-pf
-- 
/"\  Best regards,                      | [email protected]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [email protected]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
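The kind of ruleset the reply is asking for, written out as an added illustration rather than either poster's real pf.conf: the thread's interfaces and 192.168.0.0/24 network, the NAT rule with the weak hard-coded address next to the corrected interface-tracking form, and the filter rules from the question. The 203.0.113.5 address is a documentation placeholder.

```conf
# pf.conf for a FreeBSD 5.3 PPPoE gateway as described in the thread
# (added example, not the original poster's configuration)
ext_if = "tun0"                 # ppp tunnel to the ISP, dynamic address
int_if = "vr0"                  # internal LAN
internalnet = "192.168.0.0/24"

# Weak form: the address ppp was assigned at boot is written into the rule.
# After the ISP re-negotiates the link, outbound packets are rewritten to a
# stale source address and the replies never come back, so external ssh or
# telnet hangs even though "pass on tun0" matches.
# nat on $ext_if from $internalnet to any -> 203.0.113.5   # placeholder, stale after redial

# Corrected form: the parentheses make pf track the interface's current
# address, so the translation follows every re-negotiation.
nat on $ext_if from $internalnet to any -> ($ext_if)

# Filter rules from the question; LAN-to-LAN traffic (e.g. to 192.168.0.196)
# never needs translation, which is why it kept working.
block return log-all all
pass on $ext_if all
pass on ed0 all
pass on $int_if all
```

Load it with `pfctl -f /etc/pf.conf` and then, as the reply suggests, read the match counters with `pfctl -vv -sn -sr`: a nat rule whose "Evaluations" and "Packets" counters stay at zero while LAN hosts try to reach the outside is the first thing to check.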
