I posted this in the BSD group as well, but I'm hoping someone here can help with this. If you can, many thanks!!
Running OpenBSD 3.7 and PF.
I am having trouble creating a rule to allow connections to a Citrix server through my pf firewall. I see multiple matches to my rules, but I can never establish a connection with the Citrix server. If I bypass the pf firewall, I can connect. When I sniff my external interface or my pflog0 interface, I do not see anything being blocked or reset; the connection just never gets established.
I am using the new Citrix client, which tries 3 times to connect on TCP 2598 and then tries TCP 1494. This Citrix server is using 1494.
Anyone have any ideas what I am doing wrong? Here is my config (you'll see some rules that are commented out that I have tried, without success):

ext_if="xl0"
int_if="fxp0"
lan_net = "192.168.11.0/24"
nattwo = "192.168.11.50"
citrix = "xxx.xxx.xxx.xxx"

scrub in

nat on $ext_if from !($ext_if) -> ($ext_if:0)
rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any to any port 1494 -> $nattwo
#rdr on $ext_if proto tcp from any to any port 2598 -> $nattwo
#rdr on $ext_if from $citrix -> $nattwo

block in log all
pass out log keep state

pass quick log on { lo $int_if }
#antispoof quick for { lo $int_if }

pass in log on $ext_if proto tcp to ($ext_if) port ssh keep state
#pass in log on $ext_if proto tcp to ($ext_if) port 1494 keep state
#pass in on $ext_if proto tcp to ($ext_if) port > 49151 user proxy keep state
#pass in log on $ext_if proto tcp to ($ext_if) port smtp keep state
#pass out log on $ext_if proto tcp from ($ext_if) to port smtp keep state
#pass out on $ext_if proto tcp all modulate state flags S/SA
#pass out on $ext_if proto { udp, icmp } all keep state
pass in on $int_if from $lan_net to any
pass out log on $int_if from any to $lan_net
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state
#pass in on $ext_if proto tcp to ($ext_if) port 1494 keep state
#pass in log on $ext_if from $citrix to any
#pass out log on $ext_if from $citrix to any
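Editor's added example, not the poster's ruleset: the same FAQ-style layout the post uses (stateless LAN side, NAT and state on the external interface), with one explicit, logged, labelled rule for the two ports the Citrix client uses, so that the matching rule, its counters and its state can be picked out with pfctl instead of guessing. The interface names and LAN network are taken from the post; the Citrix address is the post's placeholder, and the macro name `citrix_ports` and the label `citrix` are assumptions introduced here. Syntax is OpenBSD 3.7 pf, where `keep state` is not implied and must be written out.

```pf
# Added example (not from the original post): minimal OpenBSD 3.7 pf.conf
# for LAN clients reaching an external Citrix server.  Macro values are the
# post's; the Citrix address is a placeholder.
ext_if  = "xl0"
int_if  = "fxp0"
lan_net = "192.168.11.0/24"
citrix  = "xxx.xxx.xxx.xxx"

# ICA is TCP 1494; CGP (session reliability), which the newer client
# tries first, is TCP 2598.  Assumed macro name.
citrix_ports = "{ 1494, 2598 }"

scrub in all

# Outbound NAT for the LAN, same form as in the post
nat on $ext_if from $lan_net to any -> ($ext_if:0)

# Default deny inbound; blocked packets go to pflog0
block in log all

# LAN side trusted and stateless, as in the post.  State is created on the
# external interface instead, i.e. after NAT has been applied.
pass quick on { lo $int_if }
antispoof quick for { lo $int_if }

# Generic outbound rules, as in the post
pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state

# Explicit rule for the Citrix session.  pf takes the LAST matching rule,
# so this must come after the generic "pass out" above (or carry "quick").
# "log" sends the SYN to pflog0, "label" gives it its own counters.
pass out log on $ext_if proto tcp from ($ext_if) to $citrix \
    port $citrix_ports flags S/SA keep state label "citrix"
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Then, while the client tries to connect, `pfctl -vvsr` shows each rule with its number and packet counters, `pfctl -sl` shows the counters for the `citrix` label, `pfctl -vss` lists the states (a healthy session shows `ESTABLISHED:ESTABLISHED`), and `tcpdump -n -e -ttt -i pflog0` shows every logged packet together with the rule number that matched it. The `rdr` lines commented out in the post redirect connections arriving on the external interface to `$nattwo`; they publish a server on the LAN to the outside and play no part in a LAN client connecting outward to `$citrix`.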