Re: VPN client cannot connect through OpenBSD router/firewall

On Tue, Jan 18, 2005 at 09:56:03AM -0600, Rick Barter wrote:
> Why would I not see the dropped packets in my log file (pflog0). 
  in this case i think you would.  i looked back at the original
  pf.conf you posted that the other fellow replied to and the
  'block all' didn't have the "$log_flg" in it (cute idea, btw)...
  is it possible that you weren't seeing them before, but added
  the $log_flg to this pf.conf after the problem?
  eg - with 'block $log_flg all', are you seeing any currently
  happening filtering problems show up in the log, or currently
  experiencing filtering problems which are not showing in the log?
  if problems w/o log evidence, there has to be another matching rule 
  (likely before one of your quicks) which doesn't log.  as long as
  pf is enabled, 'block $log_flg all' will apply to every interface that pf has
  jurisdiction over ( which is what... all of them? :P ).  as long as that
  is the first filter rule, you ensure that unless you have later
  matching rules which act upon a packet (either pass or block),
  each packet pf can see will both be logged and blocked.
> Should I be setting pflog0 as my loginterface instead of fxp0?
  nope, 'loginterface' is for the interface pf collects 
  operational statistics on ( eg pfctl -si ).  i believe
  the interface name and number, pflog0, are hardcoded.
  then pflogd(8) listens to pflog0 and redirects that
  down into /var/log/pflog ( by default ).
[ openbsd 3.6 GENERIC ( dec 11 ) // i386 ]
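To make the ordering point above concrete, here is a small pf.conf, added here as an illustration and not the poster's actual ruleset (the interface names fxp0/fxp1 and the 10.0.0.0/8 address are assumed). It shows how a 'quick' rule without 'log' can drop a packet before 'block $log_flg all' ever gets to log it, and how 'set loginterface' is separate from pflog0.

```pf
# Added example ruleset (not from the original thread).
# Interface names and addresses are placeholders.
ext_if  = "fxp0"     # assumed external interface
int_if  = "fxp1"     # assumed internal interface
log_flg = "log"

# loginterface only selects where pfctl -si gathers byte/packet
# counters; it has nothing to do with which packets reach pflog0.
set loginterface $ext_if

# Default deny with logging.  pf uses last-matching-rule semantics,
# so this rule decides (and logs) only packets that no later rule
# matches, and it is evaluated first because it comes first.
block $log_flg all

# Problem case: 'quick' stops evaluation at this rule.  Without 'log',
# packets it matches are dropped silently and never show up on
# pflog0, even though 'block log all' is present above.
#block in quick on $ext_if from 10.0.0.0/8 to any

# Corrected form: every block rule carries $log_flg, so a drop is
# recorded no matter which rule made the decision.
block in $log_flg quick on $ext_if from 10.0.0.0/8 to any

# Normal traffic out from the router and the LAN.
pass out on $ext_if keep state
pass in  on $int_if from $int_if:network to any keep state
```

To verify which rule is actually dropping a packet, 'pfctl -vvsr' prints the loaded rules with their numbers and per-rule evaluation and packet counters, so a non-logging rule whose counters climb while pflog0 stays quiet is the one to suspect; 'tcpdump -n -e -ttt -i pflog0' watches the logged drops live and shows the rule number that produced each one.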