Thread: Pf.conf issues
Post #2, 3rd January 2011
jggimi (More noise than signal)
Join Date: May 2008
Location: USA
Posts: 6,423

I can't make sense of this configuration file, by itself. Nor, honestly, could I make any from your previous thread where you posted a confusing pf.conf and an intermediate shell script from your builder program.

What I can tell looking at this alone, due to a lack of any additional information:

  • You have two NICs configured, em0 and em1.
  • You are attempting to use both bi-directional NAT (binat-to) and standard NAT (nat-to) at the same time.
  • You have a default block design.
  • You have a series of block in rules which are defined as "quick" -- preventing any later pass rules from being evaluated. I cannot tell if that is intentional, but all traffic originating from any of those subnets will always be blocked, no matter how many subsequent pass rules are defined.

Some other things to note:
  • You are still using "lo" rather than "lo0". Please see my comments about "lo" in your previous thread.
  • You are blocking inbound X traffic -- but by default on OpenBSD, X listens on loopback only. See /usr/X11/xdm/{Xservers,Xaccess}. X is not normally used on a dedicated firewall anyway.

All I know of your environment is from your other thread:

  • You are currently testing in a virtual machine.
  • You intend to have a dual firewall configuration.

Everything else I could add is conjecture. Questions come to mind:

  • I'm confused about a commented rule mentioning 192.168/16 -- if that is a valid subnet, then I do not understand how a 192.168.7 address could be internal, and a 192.168.1 address could be external. Both addresses are on the same subnet.
  • Your only standard NAT traffic must originate on the "inner" web server at Any other traffic from your "inner" network will not be translated. Was this intentional?
  • BINAT and NAT rules for are both included, as mentioned above, but only the NAT rule will apply.
  • You set a variable for but then refer to the address anyway.
I recommend you post the following information, since when you submit questions you leave a great deal out:

  1. Your intended functionality -- what are you actually trying to do here?
  2. Your network topology -- what are the addresses of em0 and em1? The netmasks? (This is critical, especially if 192.168 addresses use a netmask of -- that would show a broken topology.)
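As an added illustration of the two points raised above (the "quick" block rules that shadow later pass rules, and the binat-to/nat-to rules for the same host), here is a pf.conf fragment in OpenBSD's nat-to/binat-to syntax. It is not the poster's file: the interface names follow the thread, but the subnets, the web server address and the public address are all assumed.

```pf
# Added example in OpenBSD pf.conf syntax; not the original poster's file.
# em0/em1 follow the thread; every address below is an assumption.
ext_if    = "em0"
int_if    = "em1"
inner_net = "192.168.7.0/24"       # assumed inner LAN
web_srv   = "192.168.7.10"         # assumed inner web server
public_ip = "203.0.113.10"         # placeholder public address

set skip on lo0                    # the loopback is "lo0"; "lo" is not an interface

# --- Problematic form (commented out, kept for comparison) --------------
# block all                                        # default-block design
#
# "quick" ends evaluation at the first match, so nothing from $inner_net
# ever reaches the pass rule further down, however many pass rules follow.
# block in quick on $int_if from $inner_net
#
# Two translations for the same source host.  pf keeps the options of the
# last matching rule, so only the nat-to below takes effect and the
# binat-to is dead.
# match out on $ext_if from $web_srv to any binat-to $public_ip
# match out on $ext_if from $web_srv to any nat-to ($ext_if)
#
# pass in on $int_if from $inner_net               # never reached for $inner_net

# --- Corrected form ------------------------------------------------------
block all

# One translation per host: the web server gets a 1:1 mapping, the rest of
# the inner LAN gets plain NAT.  No second rule competes with either.
match out on $ext_if from $web_srv   to any binat-to $public_ip
match out on $ext_if from $inner_net to any nat-to ($ext_if)

# Pass rules are now evaluated because no quick block precedes them;
# use "quick" only on the exceptions you want to short-circuit.
pass in  on $int_if from $inner_net
pass out on $ext_if

# Verify:  pfctl -nf /etc/pf.conf   parses the file without loading it;
#          pfctl -sr                 prints the loaded ruleset in pf's order.
```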