Might be an MTU issue. Try tcpdumping an interface other than pflog0.
On Tue, May 20, 2008 at 10:15 AM, Jeff Ross <[EMAIL PROTECTED]> wrote:
> I had a more complex pf rule set but now I'm using a simple rule set based
> almost entirely on the one from the PF FAQ:
>
> ext_if="em0" # External Public Interface
> int_if="bge0" # Internal LAN Interface
> tcp_services = "{ 22, 113 }"
> udp_services = "{ domain, ntp }"
> icmp_types = "{ echoreq, unreach }"
> table <zombies> persist
> set block-policy return
> set loginterface $ext_if
> set skip on { lo, tun }
> scrub in no-df fragment reassemble
> nat on $ext_if from !($ext_if) -> ($ext_if:0)
> nat-anchor "ftp-proxy/*"
> rdr-anchor "ftp-proxy/*"
> rdr on $int_if proto tcp from any to any port ftp -> 127.0.0.1 port 8021
> block in log
> pass out log keep state
> anchor "ftp-proxy/*"
> antispoof log quick for { lo $int_if }
> block in log quick on $ext_if from <zombies> to any
> pass in log quick on $ext_if proto tcp from any to ($ext_if) port ssh \
> keep state (max-src-conn-rate 3/30, overload <zombies> flush global)
> pass in log on $ext_if inet proto tcp from any to ($ext_if) port \
> $tcp_services keep state
> pass in log on $ext_if inet proto udp from any to ($ext_if) port \
> $udp_services keep state
> pass in log inet proto icmp all icmp-type $icmp_types keep state
> pass in log quick on $int_if
>
>
> I added all of the log lines so I could hopefully see what's going awry.
>
> From the firewall itself, when I use lynx to try
>
> http://www.msn.com
>
> I get asked to accept about 5 cookies, which I accept and then a "HTTP
> request sent; waiting for response." and that's it.
>
> Watching pflog0 I see this:
>
> May 20 09:59:58.339833 rule 1/(match) pass out on em0: 192.168.0.2.23294 > 205.128.93.51.53:[|domain]
> May 20 09:59:58.548598 rule 1/(match) pass out on em0: 192.168.0.2.4281 > 207.68.173.76.80: [|tcp] (DF)
>
> I don't ever see a return packet, and nothing is ever blocked as seen from
> pflog0.