
PF firewall was working then was not

Discussion in 'Firewalls' started by jmattax, Jul 7, 2012.

  1. jmattax

    I had a PF firewall set up which had been running fine for a few months then it started having partial failures after a storm was in the area. This was most obvious when accessing websites where most of them worked, but some didn't. I isolated a case that didn't work through the firewall (en.wikipedia.org) and did some checking. The FreeBSD computer could access it just fine using links, and computers that were at my house outside the firewall could also access it just fine, but computers could not access it reliably through the firewall. I also tested both network cards by sending about 5GB of data over them using scp and the md5 sums matched on both sides of the transfer. After all of that I'm out of ideas and was wondering if anyone had any other thoughts?

    Currently my /etc/pf.conf is

    Code:
    # physical/logical interfaces
    iif="re0"
    oif="xl0"
    
    
    ##    ACTUAL RULES START HERE ##
    # pass everything on the loopback device
    set skip on lo0
    
    
    # enable the nat translation
    #match out on xl0 from 10.11.10.0/24 to any nat-to 192.168.0.200
    nat on $oif from $iif:network -> $oif
    
    pass quick log (all to pflog1) all
    
    since I ended up choosing to strip out anything that could be interfering.

    My /etc/rc.conf contains
    Code:
     
    # -- sysinstall generated deltas -- # Sat Jan  1 17:11:07 2011
    # Created: Sat Jan  1 17:11:07 2011
    # Enable network daemons for user convenience.
    # Please make all changes to this file, not to /etc/defaults/rc.conf.
    # This file now contains just the overrides from /etc/defaults/rc.conf.
    
    #	local console settings
    blanktime="300"
    saver="green"
    
    #	basic network setup
    hostname="stilgar.users.clanspum.net"
    ifconfig_re0="inet 10.11.10.1  netmask 255.255.255.0"
    ifconfig_xl0="inet 192.168.0.200 netmask 255.255.255.0"
    defaultrouter="192.168.0.1"
    
    sshd_enable="YES"
    
    #	set up cron
    cron_flags="-j 15"
    cron_dst="YES"
    
    
    #	I use ssmtp so disable sendmail entirely
    NO_SENDMAIL="true"
    sendmail_enable="NO"
    sendmail_submit_enable="NO"
    sendmail_outbound_enable="NO"
    sendmail_msp_queue_enable="NO"
    
    #	know where ports related scripts are
    local_startup="/usr/local/etc/rc.d"
    
    #	added for zfs support
    zfs_enable="YES"
    
    #	do what we can to save power
    powerd_enable="YES"
    powerd_flags="-a adaptive -n adaptive"
    
    #	turn on the ups daemon
    apcupsd_enable="YES"
    #	this is key since the UPS isn't a smartUPS
    apcupsd_flags=""
    
    
    #	enable PF and gateway
    gateway_enable="YES"
    pf_enable="YES"
    
    #handle ftp
    #ftpproxy_enable="YES"
    #ftpproxy_flags=""
    
    #	enable logging
    pflog_enable="YES"
    pflog_logfile="/var/log/pflog"
    
    
    #	added for DHCP server support
    #dhcpd_flags="-q"                            # command option(s)
    
    dhcpd_enable="YES"                          # dhcpd enabled?
    dhcpd_conf="/usr/local/etc/dhcpd.conf"      # configuration file
    dhcpd_ifaces="re0"                          # ethernet interface(s)
    dhcpd_withumask="022"                       # file creation mask
    #	because dhcpd was installed with paranoia
    dhcpd_chuser_enable="YES"                   # runs w/o privileges?
    dhcpd_withuser="dhcpd"                      # user name to run as
    dhcpd_withgroup="dhcpd"                     # group name to run as
    dhcpd_chroot_enable="YES"                   # runs chrooted?
    dhcpd_devfs_enable="YES"                    # use devfs if available?
    dhcpd_rootdir="/var/db/dhcpd"               # directory to run in
    
    Also, just in case anyone is interested, I took # tcpdump -w file.tcpdump "tcp and port 80" of the successful connection and then on each side of my firewall. They are in the attached file.
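As an added example (not the poster's configuration), here is a stateful, default-deny version of the same NAT gateway built from the macros and NAT line in the post: the stripped-down `pass quick log ... all` rule admits unsolicited inbound traffic on xl0 as well, whereas this form only admits LAN clients, DHCP requests on re0, and ssh to the firewall itself. The logging interface pflog0 and the port numbers are assumptions (pflog0 is the interface FreeBSD's pflog rc script starts pflogd on by default).

```pf
# interfaces as in the post
iif="re0"
oif="xl0"

# pass everything on the loopback device
set skip on lo0

# reassemble fragments before filtering (assumed standard normalisation)
scrub in all

# NAT exactly as in the post; translation rules precede filter rules
nat on $oif from $iif:network to any -> $oif

# default deny inbound on every interface, logged to pflog0
# (inspect with: tcpdump -n -e -ttt -i pflog0)
block in log all

# LAN hosts may originate anything; the state entry lets replies back in
pass in on $iif from $iif:network to any keep state

# DHCP requests arrive with a 0.0.0.0 source, so they need their own rule
# (assumed port numbers: client 68 -> server 67)
pass in on $iif inet proto udp from any port 68 to any port 67

# ssh to the firewall (sshd_enable="YES" in rc.conf); ( $oif ) tracks the
# interface address if it ever changes
pass in on $oif inet proto tcp from any to ($oif) port 22 keep state

# the firewall and NAT'd LAN traffic may leave on either interface
pass out all keep state
```

Check the syntax without loading it using pfctl -nf /etc/pf.conf, and compare state tables for a working and a failing site with pfctl -ss while the request is in flight.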