25th October 2008
roundkat
Shell Scout
Join Date: May 2008
Posts: 115

Scott is really a pf wizard..
his understanding of pf is orders of magnitude over mine...

I had to back off the Example.. I am not accustomed to blocking
inbound and outbound on *both* interfaces...

Oh.. Scott, I found out why the VoIP had issues...
I forgot to let DNS out.. just an oversight as I was testing..

I got to the point of all my services working..
Mailserver receiving (not sending)
Webserver working
DNS/NTP working..

After much trial and error I could not get the rule order figured out,
so decided to shelve that ruleset for now.. will come back to it later..

I did do a re-write clean up of my current ruleset to make it easier to read..

Once I sanitize it a little I will post back..

My goal is to end up with an optimized ruleset using what I have..

I have made a few changes.. and just got off the phone with my
mate in the UK while I was downloading an ISO and running BitTorrent..
I did get some latency but not sure if it had to do with my ruleset..

Most folks will tell you not to "blindly" cut and paste pf rules.. but you have
to start somewhere..
Take a look to see what is actually happening with the ruleset ..

As Jiggimi states:
Step 0: Make sure all pass and block rules log their actions.

Step 1: Make sure net.inet.ip.forwarding=1.

Step 2: Use "# tcpdump -neti pflog0" to see what rule # is blocking.

Step 3: Use "# pfctl -vvsr" to match the number to the rule.

Lather. Rinse. Repeat.
This is what I am using to see what is going on with my current rules to
try and optimize them..

Scott, thanks for your input..

All posts sent on ReCycled Electrons...

Last edited by roundkat; 26th October 2008 at 01:28 AM. Reason: correction
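The Step 2 / Step 3 correlation in the post above, worked as an added example that is not roundkat's or Jiggimi's code: a POSIX sh script that pulls the rule numbers out of `tcpdump -neti pflog0`-style lines and looks each one up in `pfctl -vvsr`-style output. Both sample texts, including interface names, addresses and counters, are constructed for the example, so it runs offline; on a real box you would feed it the live output of those two commands instead.

```shell
#!/bin/sh
# Correlate "rule N/(match) block ..." lines from `tcpdump -neti pflog0`
# with the numbered rule list that `pfctl -vvsr` prints.
# All sample text below is constructed for this example, not captured from a real host.

PFLOG_SAMPLE='rule 2/(match) block in on em0: 203.0.113.9.44123 > 198.51.100.5.22: tcp 60 [S]
rule 4/(match) block out on em0: 192.0.2.10.51234 > 198.51.100.53.53: udp 40
rule 1/(match) pass in on em0: 203.0.113.9.44124 > 198.51.100.5.80: tcp 60 [S]
rule 4/(match) block out on em0: 192.0.2.10.51235 > 198.51.100.53.53: udp 40'

RULES_SAMPLE='@0 block drop in log all
  [ Evaluations: 120       Packets: 3         Bytes: 180         States: 0     ]
@1 pass in log on em0 inet proto tcp from any to 198.51.100.5 port = 80 flags S/SA
  [ Evaluations: 117       Packets: 12        Bytes: 960         States: 2     ]
@2 block drop in log on em0 inet proto tcp from any to 198.51.100.5 port = 22
  [ Evaluations: 10        Packets: 1         Bytes: 60          States: 0     ]
@3 pass out log on em0 inet proto tcp all flags S/SA
  [ Evaluations: 50        Packets: 30        Bytes: 3000        States: 5     ]
@4 block drop out log on em0 inet proto udp all
  [ Evaluations: 8         Packets: 2         Bytes: 80          States: 0     ]'

# Print each rule number that produced a "block" entry, once, in numeric order.
# $1: text in the pflog format above.
blocked_rule_numbers() {
    printf '%s\n' "$1" \
        | sed -n 's/^rule \([0-9]*\)\/([^)]*) block .*/\1/p' \
        | sort -n | uniq
}

# Print the "@N ..." line for one rule number from pfctl -vvsr output.
# The indented counter lines never start with "@N ", so they are skipped.
# $1: rule number, $2: text in the pfctl -vvsr format above.
rule_text() {
    printf '%s\n' "$2" | grep "^@$1 "
}

# Report "rule N (hits): <rule text>" for every rule that blocked traffic.
# $1: pflog text, $2: pfctl -vvsr text.
blocked_rule_report() {
    for n in $(blocked_rule_numbers "$1"); do
        hits=$(printf '%s\n' "$1" | grep -c "^rule $n/([^)]*) block ")
        printf 'rule %s (%s hits): %s\n' "$n" "$hits" "$(rule_text "$n" "$2")"
    done
}

blocked_rule_report "$PFLOG_SAMPLE" "$RULES_SAMPLE"
```

With the sample data this reports rule 2 (the inbound port 22 block, one hit) and rule 4 (the outbound UDP block, two hits), which is exactly the "forgot to let DNS out" situation the post describes.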