bad ruleset - pf not keeping state for some bridged connections?
Ask Bjørn Hansen
ask at develooper.com
Wed Sep 6 20:17:55 PDT 2006
Hi everyone,
I am having a bit of trouble with my pf ruleset that I can't figure out.
My ISP gives me a few static IPs, so I have a Soekris box running as
a bridging firewall running 6.0-RELEASE-p4.
It does NAT for my RFC1918 net and does the bridging firewall for my
public IPs.
I've posted my pf.conf here:
http://tmp.askask.com/2006/09/pf.conf
The bridge is set up with
net.link.bridge.pfil_bridge=0
net.link.bridge.pfil_member=1
Some months ago I must have changed something that makes incoming ssh
connections not (always) work.
If I ssh from an outside client to 64.81.84.17 the connection is
established and the traffic from 64.81.84.17 to the outside IP makes
it (the sshd banner), but after that the packets from the client
don't make it through the BSD box. I can see with tcpdump that
they come in on sis0, but there's nothing on sis1.
Any ideas?
Also, any suggestions for general cleanup and optimizations of the
rulesets are welcome. The box is also doing ipsec to another 10/8
network, but I'm honestly not sure if it's even being filtered (?!)
- ask
--
http://www.askbjoernhansen.com/
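The ruleset the post links to is not reproduced on the page, so the following is an added example of a minimal pf.conf for the setup the post describes (bridge members filtered individually via pfil_member=1, pfil_bridge=0); it is not the poster's ruleset. The interface names sis0/sis1 and the host 64.81.84.17 are taken from the post; that sis0 is the ISP-facing member and sis1 the member towards the public hosts is inferred from the tcpdump observation, and the NAT and IPsec parts are left out. Its point is the part of bridge filtering that most often produces one-directional connections: with member filtering every packet is filtered twice, once "in" on one member and once "out" on the other, and a pf state is keyed on its direction, so the inbound and outbound pass rules each need their own `keep state`.

```pf
# Added example, not the pf.conf linked in the post.
# Assumes sysctl net.link.bridge.pfil_bridge=0 and net.link.bridge.pfil_member=1,
# so pf runs on sis0 and sis1 separately and never on the bridge itself.

ext_if   = "sis0"           # member facing the ISP (client packets arrive here)
int_if   = "sis1"           # member facing the public hosts (packets leave here)
ssh_host = "64.81.84.17"    # from the post

# Each forwarded packet is seen twice: "in" on $ext_if, then "out" on $int_if.
# The state created by the inbound rule on sis0 is keyed on the inbound
# direction and does not satisfy the outbound check on sis1, so the outbound
# rule keeps state as well. The resulting pair of states then matches the
# replies (in on sis1, out on sis0) without any further rule.
set state-policy floating   # not required for this to work; if-bound works too,
                            # since each state is only consulted on its own member
set skip on lo0
scrub in all

block log all               # logged to pflog0, so drops can be seen with tcpdump

# client -> ssh_host, first hop: inbound on the outside member
pass in  on $ext_if proto tcp from any to $ssh_host port ssh flags S/SA keep state
# client -> ssh_host, second hop: outbound on the inside member (second state)
pass out on $int_if proto tcp from any to $ssh_host port ssh flags S/SA keep state

# ssh_host -> client replies are matched by the two states above; no rule needed.
```

To check that both states exist for a connection, `pfctl -ss | grep 64.81.84.17` should show two entries per ssh session, one per member; `pfctl -vvsr` shows per-rule packet counters, and with `block log` in place, `tcpdump -n -e -ttt -i pflog0` shows on which interface and in which direction the packets that never reach sis1 are being dropped, which narrows the problem to the rule (or missing state) on that member.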