Hi
cy@
Not sure if I get this right.
# this allows encrypted IPsec traffic
pass in quick on $wan proto udp from 1.2.3.4 to any port = 500 keep state
pass in quick on $wan proto udp from 1.2.3.4 to any port = 4500 keep state
pass in quick on $wan proto esp from 1.2.3.4 to any keep state
# this allows clear traffic "into" the VPN
pass in log quick proto tcp from 192.168.178.20 to 10.111.7.0/24 port = 22 flags S/SAFR keep state
But why is the decrypted answer packet then blocked, as shown in the log?
pass out log all
All egress packets should be allowed and the state should be kept. I don't get this.
What would be the benefit of putting the rules on the external interface? Where would the difference be?
Also, how would this work on the VPN, as it does not have an interface?
pass in log quick on $clients proto tcp from 10.111.9.0/24 to 192.168.178.10 port = 445 flags S/SAFR keep state
pass in log quick on $clients proto tcp from 10.111.9.0/24 to 192.168.178.2 port = 3389 flags S/SAFR keep state
What I do now is have pass in rules on the client interface allowing access to a file server and a terminal server. How would you do this?
So I want the clients to connect to the internet and the VPN, and guests to only have access to the internet.
# Guest
pass in log quick on $guest out-via $wan proto tcp from any to any flags S/SAFR keep state
pass in log quick on $guest out-via $wan proto udp from any to any keep state
pass in log quick on $guest out-via $wan proto icmp from any to any keep state
That's why I use pass in and out-via, to ensure the packet uses the correct path. Or did I get something wrong here?
Shouldn't these internal egress packets be allowed because of
pass out log all
What is also a bit strange:
I have a client with DHCP IP 10.111.9.119. The client interface on the router is 10.111.9.254. Why can the client access the router via SSH on 10.111.9.254? There is no pass rule allowing this, and a
block in log all
rule that should prohibit this.
So what is the hierarchy of the rules, and why isn't this access blocked?
Also, do you have any idea why re0/netmasked gives me the "24:25:ioctl(add/insert rule): bad interface index with dynamic dest. address"?
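An added example, not part of the post above and not taken from IPFilter's own documentation: a minimal ipf.conf in the style of the post, with the post's interface macros ($wan, $clients, $guest) replaced by literal interface names, which are assumptions. It illustrates the three points the post turns on: IPFilter uses the last matching rule unless a rule carries `quick`, which stops evaluation at that rule; `keep state` has to be stated explicitly on a rule; and a packet that matches an existing state entry, including a reply, is passed by the state table before the rules are consulted at all.

```conf
# Added example, not the poster's ruleset. Interface names are assumptions:
# re0 = WAN, re1 = clients (10.111.9.0/24), re2 = guests.
# IPFilter: the last matching rule wins, unless a rule says "quick".

# Default deny, logged. Without "quick" these are overridden by any later
# matching pass rule, which is what makes them a default.
block in log all
block out log all

# Outbound on the WAN; "keep state" lets the replies back in without a
# matching "pass in" rule, because the state table is checked first.
pass out quick on re0 proto tcp from any to any flags S/SA keep state
pass out quick on re0 proto udp from any to any keep state
pass out quick on re0 proto icmp from any to any keep state

# IPsec control and data traffic from the peer 1.2.3.4 (address from the post).
pass in quick on re0 proto udp from 1.2.3.4 to any port = 500 keep state
pass in quick on re0 proto udp from 1.2.3.4 to any port = 4500 keep state
pass in quick on re0 proto esp from 1.2.3.4 to any keep state

# Clients may reach the file server and the terminal server (hosts from the post)
# and the internet via re0; nothing else, because the default block stands.
pass in log quick on re1 proto tcp from 10.111.9.0/24 to 192.168.178.10 port = 445 flags S/SA keep state
pass in log quick on re1 proto tcp from 10.111.9.0/24 to 192.168.178.2 port = 3389 flags S/SA keep state
pass in quick on re1 out-via re0 proto tcp from 10.111.9.0/24 to any flags S/SA keep state
pass in quick on re1 out-via re0 proto udp from 10.111.9.0/24 to any keep state

# Guests: the "quick" blocks for internal destinations are matched first, so the
# later "pass ... to any" rules never apply to those packets.
block in log quick on re2 from any to 10.111.9.0/24
block in log quick on re2 from any to 192.168.178.0/24
block in log quick on re2 from any to 10.111.7.0/24
pass in log quick on re2 out-via re0 proto tcp from any to any flags S/SA keep state
pass in log quick on re2 out-via re0 proto udp from any to any keep state
pass in log quick on re2 out-via re0 proto icmp from any to any keep state
```

The ordering is the point: every pass rule here carries `quick`, so the only rules that rely on last-match-wins are the two default blocks, and a packet that reaches the end of the ruleset without a `quick` match is dropped by them. Check the effective order with `ipfstat -io` after loading, and the state table with `ipfstat -s`, when a reply packet is logged as blocked where a state entry was expected.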