Need some help with PF rule letting two machines access each other

Pat Maddox pergesu at gmail.com
Fri Jun 9 20:54:03 UTC 2006


On 6/9/06, Erik Norgaard <norgaard at locolomo.org> wrote:
> Pat Maddox wrote:
> > 12.34.56.78 runs a server on port 1234
> > 87.65.43.21 should connect to this
> >
> > Both of them have PF rulesets that block off most traffic, keeping
> > open the publicly available ports I need open.  In this case though,
> > any traffic over this port should only be between these two machines.
> > I've tried to set this up, but I keep getting operation not permitted,
> > connection refused, and connection reset by peer errors.  Thanks for
> > any info.
>
> It's quite difficult to tell which rule catches your packets without the
> ruleset. Try this:
>
> 1) Add "log" to all block rules
> 2) Check you have keep state in pass rules
> 3) Check you have quick in your pass rules
>
> If you have a default block policy, then you should generally have quick
> in pass rules or you might have packets marked for passing being caught
> later by a block rule.
>
> I generally prefer having the default policy at top without quick, and
> then set quick on rules taking an explicit action.
>
> Cheers, Erik
>
>

Okay, I got it working.  On the client, the rule is
pass out quick on $EXT_IF inet proto tcp from $EXT_IF to $SERVER port 7721 keep state

and on the server, it's just the opposite
pass in quick on $EXT_IF inet proto tcp from $CLIENT to $EXT_IF port 7721 keep state

The only difference between that rule and the one I had earlier
includes a "flags S/SA" directive on each.  Of course now I just tried
adding the flags and it works...I'm guessing because the state was
already made.

If I add "flags S/SA" is there any reason that'd cause problems?  It
seems to work fine right now, but didn't earlier - though perhaps I
had a typo or something.

Pat
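
Added example, not part of the original thread: a simplified Python model of the pf evaluation order discussed above (the last matching rule wins unless a matching rule has "quick", "flags S/SA" matches only a SYN without ACK, and packets that belong to an existing state skip the ruleset). The Rule class, evaluate() and the connection ids are constructs of this example, not pf code.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    port: Optional[int] = None   # None matches any destination port
    quick: bool = False          # stop evaluating on match
    flags_s_sa: bool = False     # "flags S/SA": SYN set, ACK clear
    keep_state: bool = False

def evaluate(rules, states, conn, port, flags):
    """Simplified model of pf filtering for one TCP packet.
    conn is a constructed connection id; flags is a set such as {"S"}."""
    if conn in states:           # state lookup happens before the ruleset
        return "pass"
    matched = None
    for rule in rules:
        if rule.port is not None and rule.port != port:
            continue
        if rule.flags_s_sa and not ("S" in flags and "A" not in flags):
            continue
        matched = rule           # last matching rule wins...
        if rule.quick:           # ...unless a matching rule has "quick"
            break
    if matched is None:
        return "pass"            # pf passes packets that match no rule
    if matched.action == "pass" and matched.keep_state:
        states.add(conn)
    return matched.action

BLOCK_ALL = Rule("block")
PASS_7721 = Rule("pass", port=7721, keep_state=True)
PASS_7721_QUICK = Rule("pass", port=7721, quick=True, keep_state=True)
PASS_7721_SYN = Rule("pass", port=7721, quick=True, flags_s_sa=True, keep_state=True)

def demo():
    out = {}
    out["pass_then_block"] = evaluate([PASS_7721, BLOCK_ALL], set(), "c1", 7721, {"S"})
    out["quick_pass_then_block"] = evaluate([PASS_7721_QUICK, BLOCK_ALL], set(), "c1", 7721, {"S"})
    out["block_then_pass"] = evaluate([BLOCK_ALL, PASS_7721], set(), "c1", 7721, {"S"})
    states = set()
    rules = [BLOCK_ALL, PASS_7721_SYN]
    out["syn"] = evaluate(rules, states, "c1", 7721, {"S"})
    out["ack_with_state"] = evaluate(rules, states, "c1", 7721, {"A"})
    out["ack_no_state"] = evaluate(rules, set(), "c2", 7721, {"A"})
    return out

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```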

