View Single Post
  #6   (View Single Post)  
Old 11th October 2013
J65nko J65nko is offline
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 3,798

As stated in pf.conf(5) pf uses a last matching rule wins strategy :

     For each packet processed by the packet filter, the filter rules are
     evaluated in sequential order, from first to last.  For block and pass,
     the last matching rule decides what action is taken; if no rule matches
     the packet, the default action is to pass the packet.  For match, rules
     are evaluated every time they match; the pass/block state of a packet
     remains unchanged.
To circumvent this strategy you have to use quick:
    quick   If a packet matches a rule which has the quick option set, this
            rule is considered the last matching rule, and evaluation of
            subsequent rules is skipped.
           The packet is matched.  This mechanism is used to provide fine
           grained filtering without altering the block/pass state of a
           packet.  match rules differ from block and pass rules in that
           parameters are set every time a packet matches the rule, not only
           on the last matching rule.  For the following parameters, this
           means that the parameter effectively becomes ``sticky'' until
           explicitly overridden:nat-to, binat-to, rdr-to, queue, rtable, and

With this in mind, and because I don't quite understand what you are trying to accomplish, the following effort to re-organize and clean up the rule set may thus not work at all :
DEBUG = log

# --- NAT
match out $DEBUG inet from ! $ext_if to any nat-to $ext_if
match out $DEBUG on $ext_if from $screen_pub_ip:0 to $localscreen nat-to $ext_if

pass   in $DEBUG on $ext_if:0 proto { tcp, udp } to $screen_pub_ip port { 81 82 3306 3312 } nat-to $localscreen
pass  out $DEBUG on $ext_if                      from $localscreen nat-to $screen_pub_ip
match out $DEBUG on $ext_if                      from $localscreen to any nat-to $screen_pub_ip
pass  in  $DEBUG  on $ext_if                     from $screen_pub_ip:0 nat-to $localscreen

# --- BINAT
pass    $DEBUG on $ext_if from $netfs             to any binat-to $sync_pub_ip
pass    $DEBUG on $ext_if from $localscreen       to any binat-to $screen_pub_ip

# --- RDR
pass  in $DEBUG on $ext_if proto { tcp, udp } from any to $sync_pub_ip     port { 873 ftp ftp-data 22 21 } rdr-to $netfs
match in $DEBUG on $ext_if proto { tcp, udp } from any to $screen_pub_ip:0 port { 81 82 3306 3312 52530 } rdr-to $localscreen

# --- Block RFC 1918 non publicly routable addresses 
block  in $DEBUG quick on $ext_if from <rfc1918> to any
block out $DEBUG quick on $ext_if from <rfc1918> to any

# ==================================================================================
########  Allow ICMP ping     ####Ping test to make sure we can get to host
pass in quick inet proto icmp from any to any icmp-type $icmp_types
### Note: it does work for $sync_pub_ip but not $screen_pub_ip ???   #  <- THIS IS A CLUE!?!
# ==================================================================================

match in $DEBUG on $ext_if to $screen_pub_ip
pass out $DEBUG on $ext_if from $int_if:network to any

# --- Default policy
block log all
# ---------------------------
You can see I defined a variable DEBUG that allows you to easily flip logging on or off.
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote