
Re: VPN client cannot connect through OpenBSD router/firewall



jared r r spiegel wrote:

> yup. by seeing what was dropped.
>
> i _always always always_ keep "block return log all" as the first real
> rule in my pf.conf. whether or not you want to return or drop is of
> course a matter of taste ( i do drop some things later in a more
> specific rule ), and whether or not you want to block all ifaces or
> not is a matter of taste too...

Okay. So I have the following (not the whole pf.conf file):


#=================================
# Macros
#=================================
log_flg = "log"

#=================================
# Options
#=================================
set block-policy drop
set loginterface $ext_if

#=================================
# Filter Rules
#=================================

block $log_flg all

pass $log_flg quick on lo0 all

antispoof $log_flg quick for $ext_if
antispoof $log_flg quick for $dmz_if
antispoof $log_flg quick for $int_if

block drop in $log_flg quick on $ext_if from $priv_nets to any
block drop out $log_flg quick on $ext_if from any to $priv_nets

Why would I not see the dropped packets in my log file (pflog0)? Should I be setting pflog0 as my loginterface instead of fxp0?

rvb
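The question above is about where logged packets end up. As an added example, not from the thread or from any of its posters: a shell snippet showing how pf's log output is read on OpenBSD, plus a small offline check that every pass/block rule in a pf.conf still carries "log" once macros like $log_flg are expanded; it assumes the defaults pflog0 and /var/log/pflog, and the sample config inside demo_audit is constructed, not the poster's file.

```shell
# Added example, not from the thread. On OpenBSD a rule with "log" copies the
# matching packet to the pflog interface (pflog0 here); pflogd(8) writes that
# interface to /var/log/pflog in pcap format, so the file is not plain text.
# "set loginterface" only turns on the per-interface counters that
# "pfctl -s info" prints; it does not select where logged packets go.

# Watch logged packets live (assumes pflogd is running with its defaults).
# -e prints the pf header in front of each packet: rule number, action
# (block/pass), direction and the interface the packet was seen on.
# Use "tcpdump -n -e -ttt -r /var/log/pflog" to read what is already on disk.
watch_pflog() {
    tcpdump -n -e -ttt -i "${1:-pflog0}"
}

# Offline check: list every pass/block rule in a pf.conf that lacks the "log"
# keyword. Macros written as  name = "value"  are expanded token by token
# first, so 'block $log_flg all' with log_flg = "log" counts as logging.
rules_without_log() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0;  sub(/^[^"]*"/, "", val); sub(/".*/, "", val)
            macro[name] = val; next
        }
        /^(pass|block)[ \t]/ {
            has_log = 0
            for (i = 1; i <= NF; i++) {
                tok = $i
                if (substr(tok, 1, 1) == "$" && (substr(tok, 2) in macro))
                    tok = macro[substr(tok, 2)]
                if (tok == "log") has_log = 1
            }
            if (!has_log) print NR ": " $0
        }
    ' "$1"
}

# Constructed sample config (not the poster's file): one rule forgets "log".
demo_audit() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
log_flg = "log"
block $log_flg all
pass $log_flg quick on lo0 all
pass out on fxp0 all
block drop in log quick on fxp0 from 10.0.0.0/8 to any
EOF
    rules_without_log "$tmp"
    rm -f "$tmp"
}
```

Running demo_audit prints only the fourth line of the sample, the one rule that would never reach pflog0 no matter what loginterface is set to.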