pf is dropping connections
Mark Cullen
mark.cullen at dsl.pipex.com
Sat Oct 23 11:27:43 PDT 2004
Yet more problems from me :) I just got a semi-basic ruleset for pf and
it seems to be dropping connections. For example: if I SSH into my
University and start typing, say, telnet <someplace>, PuTTY will pop up a
nice little error message saying "software caused connection abort", or
something similar. I didn't have this problem with ipfw1 and natd.
Here are my rules. Maybe I got it a bit wrong somewhere? I copied most of
it from an online example thing.
-- /etc/pf.conf --
ext_if="fxp1"
int_if="fxp0"
# my adsl modem is 192.168.0.1 ....
priv_nets = "{ 127.0.0.0/8, 172.16.0.0/12, 10.0.0.0/8 }"
icmp_types = "echoreq"
tcp_services = "{ 80, 21, 20, 50000:50010 }"
udp_services = "{ 5029 }"
# set things
set block-policy return
set loginterface $ext_if
scrub in all
# NAT
nat on $ext_if from $int_if:network to any -> ($ext_if)
# block all traffic
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
# open ports to server
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services flags S/SA keep state
pass in on $ext_if inet proto udp from any to ($ext_if) port $udp_services keep state
# allow traffic all inside network
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any
pass out on $int_if from any to $int_if:network
# allow network traffic to go out to the internet, keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp, icmp } all keep state
Is there anything there that might be causing it to drop connections?
--
Internet Explorer? Try FireFox at http://www.mozilla.org/products/firefox/
Outlook Express? Try ThunderBird at
http://www.mozilla.org/products/thunderbird/