Re: help with pf

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: <misc@...>

Date: Friday, January 25, 2008 - 8:39 pm

Just passing through while looking for something else, but can help:

Aaron proficuous.com> writes:

> my pf.conf:

quoted text

> ...
> pass in on fxp3 inet proto tcp from $lan_net port { ssh www ntp https smtp

imap imaps domain } to any

quoted text

> ...
> pass in on fxp3 inet proto udp from $lan_net port { domain ntp } to any

These lines are the problem - they are filtering on the source port being ssh,
www, etc rather than the destination port. You need:

pass in on fxp3 inet proto tcp from $lan_net to any port { sss www (etc) }
pass in on fxp3 inet proto udp from $lan_net to any port { domain ntp }

> I am sure this is some configuration error right in front of my face,

quoted text

> but for the life of me i'm not seeing it. Any help would be appreciated.

No problem - I'm sure that even the gurus have had moments like this :-)

Kevin

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: help with pf, Kevin, (Fri Jan 25, 8:39 pm)


linux-kernel:
Sunil Naidu	Re: Linux 2.6.20-rc6
Alan Cox	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Chris Snook	Re: init's children list is long and slows reaping children.
Greg Kroah-Hartman	[PATCH 001/196] Chinese: Add the known_regression URI to the HOWTO
git:

openbsd-misc:

linux-netdev:
Jarek Poplawski	[PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
David Miller	[GIT]: Networking
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Eric W. Biederman	Re: [PATCH 10/11] avoid kobject name conflict with different namespaces