Need some help with PF rule letting two machines access each other

Pat Maddox pergesu at
Fri Jun 9 20:54:03 UTC 2006

On 6/9/06, Erik Norgaard <norgaard at> wrote:
> Pat Maddox wrote:
> > runs a server on port 1234
> > should connect to this
> >
> > Both of them have PF rulesets that block off most traffic, keeping
> > open the publically available ports I need open.  In this case though,
> > any traffic over this port should only be between these two machines.
> > I've tried to set this up, but I keep getting operation not permitted,
> > connection refused, and connection reset by peer errors.  Thanks for
> > any info.
> It's quite difficult to tell which rule catches your packets without the
> ruleset. Try this:
> 1) Add "log" to all block rules
> 2) Check you have keep state in pass rules
> 3) Check you have quick in your pass rules
> If you have a default block policy, then you should generally have quick
> in pass rules or you might have packets marked for passing being caught
> later by a block rule.
> I generally prefer having the default policy at top without quick, and
> then set quick on rules taking an explicit action.
> Cheers, Erik

Okay, I got it working.  On the client, the rule is
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to $SERVER port
7721 keep state

and on the server, it's just the opposite
pass in quick on $EXT_IF inet proto tcp from $CLIENT to $EXT_IF port
7721 keep state

The only difference between that rule and the one I had earlier
includes a "flags S/SA" directive on each.  Of course now I just tried
adding the flags and it works...I'm guessing because the state was
already made.

If I add "flags S/SA" is there any reason that'd cause problems.  It
seems to work fine right now, but didn't earlier - though perhaps I
had a typo or something.


More information about the freebsd-questions mailing list