I have tested just about everything I know to do. I have highlighted the difference between a config that works and one that doesn't.
1. tcpdump does not display any output (other than the DNS blocking).
2. It works fine as long as I do not filter any ports.
This configuration works
/etc/pf.conf
Code:
# Interfaces: xl0 faces the Internet, athn0 is the wireless side.
EXT_IF = "xl0"
WIRELESS_IF = "athn0"
auth_web = "10.1.0.1"
# authpf(8) adds each authenticated user's address to this table.
table <authpf_users> persist
# Default deny, logging what is dropped.
block drop log all
# NAT the wireless network behind the external interface's address.
match out on $EXT_IF from $WIRELESS_IF:network nat-to ($EXT_IF)
pass out quick on $EXT_IF inet proto { tcp, udp } from $WIRELESS_IF:network
# Let wireless clients reach ssh on the gateway so they can log in through authpf.
pass in on $WIRELESS_IF inet proto tcp from any to 10.2.0.1 port ssh
# Per-user rules loaded by authpf(8) land in sub-anchors here.
anchor "authpf/*"
/etc/authpf/authpf.rules
Code:
WIRELESS_IF = "athn0"
# $user_ip is defined by authpf(8) at login as the connecting user's address.
pass in quick on $WIRELESS_IF proto tcp from $user_ip to any
pass in quick on $WIRELESS_IF proto udp from $user_ip to any
----------------------------------------------------------------------------------------------------
This configuration does not work
/etc/pf.conf
Code:
# Interfaces: xl0 faces the Internet, athn0 is the wireless side.
EXT_IF = "xl0"
WIRELESS_IF = "athn0"
auth_web = "10.1.0.1"
# authpf(8) adds each authenticated user's address to this table.
table <authpf_users> persist
# Default deny, logging what is dropped.
block drop log all
# NAT the wireless network behind the external interface's address.
match out on $EXT_IF from $WIRELESS_IF:network nat-to ($EXT_IF)
pass out quick on $EXT_IF inet proto { tcp, udp } from $WIRELESS_IF:network
# Let wireless clients reach ssh on the gateway so they can log in through authpf.
pass in on $WIRELESS_IF inet proto tcp from any to 10.2.0.1 port ssh
# Per-user rules loaded by authpf(8) land in sub-anchors here.
anchor "authpf/*"
/etc/authpf/authpf.rules
Code:
WIRELESS_IF = "athn0"
# Destination ports an authenticated user may reach.
TCP_PORTS = "{ 53 80 443 ssh }"
UDP_PORTS = "{ 53 }"
# $user_ip is defined by authpf(8) at login as the connecting user's address.
pass in quick on $WIRELESS_IF proto tcp from $user_ip to any port $TCP_PORTS
pass in quick on $WIRELESS_IF proto udp from $user_ip to any port $UDP_PORTS
EDIT:
Also
Code:
pfctl -f /etc/pf.conf
gives me
Code:
pfctl: warning: namespace collision with <authpf_users> global table.
I am not able to Google any resolution for this. I'm about ready to format the box and start again.
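An added check, written here as example code and not part of the post above: a quoting lint for macro definitions in an authpf rules file (pfctl rejects a macro whose closing double quote is missing), plus a dry-run parse of the rules file with the macros authpf(8) defines at login, so the port filters can be checked without touching the live ruleset. It assumes OpenBSD pfctl(8); the user address 10.2.0.50, uid 1000, the anchor name authpf/dryrun and the sample rules in the usage section are made-up values.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for a pf/authpf setup.
# Assumes OpenBSD pfctl(8). The IP, uid, anchor name and interface are made up.

# check_macro_quotes FILE
# Prints every macro definition line (NAME = ...) that contains an odd number
# of double quotes, e.g. a port list missing its closing quote, and returns 1
# if any were found, 0 otherwise. Pure awk, so it runs anywhere.
check_macro_quotes() {
    awk '
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ {
            n = gsub(/"/, "\"")          # gsub returns the number of quotes found
            if (n % 2 == 1) {
                print FILENAME ":" NR ": unbalanced quotes: " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# dryrun_authpf_rules FILE USER_IP USER_ID [IFNAME]
# Parse FILE the way authpf(8) loads it: in an authpf sub-anchor, with the
# user_ip / user_id / user_ifname macros defined via -D. -n parses only,
# -v prints the expanded rules so the port filters can be read back.
dryrun_authpf_rules() {
    pfctl -n -v -a "authpf/dryrun" \
        -D user_ip="$2" -D user_id="$3" -D user_ifname="${4:-athn0}" \
        -f "$1"
}

# show_authpf_state
# What is live right now: the rules in every authpf sub-anchor and the
# addresses currently in the <authpf_users> table.
show_authpf_state() {
    pfctl -a 'authpf/*' -s rules
    pfctl -t authpf_users -T show
}

# Usage: lint the real rules file, then (only where pfctl exists) dry-run it
# with a made-up client address and uid.
if [ -r /etc/authpf/authpf.rules ]; then
    check_macro_quotes /etc/authpf/authpf.rules || echo "fix the quoting before testing with pfctl"
    if command -v pfctl >/dev/null 2>&1; then
        dryrun_authpf_rules /etc/authpf/authpf.rules 10.2.0.50 1000
        show_authpf_state
    fi
fi
```

Run the lint first: pfctl -f /etc/pf.conf never reads authpf.rules, so a parse error there only shows up when a user logs in and authpf tries to load the per-user anchor. The dry run with -v is the quickest way to see exactly which pass rules, with $user_ip substituted, would be installed for that user.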