# PF firewall was working then was not



## jmattax (Jul 7, 2012)

I had a PF firewall set up which had been running fine for a few months then it started having partial failures after a storm was in the area. This was most obvious when accessing websites where most of them worked, but some didn't. I isolated a case that didn't work through the firewall (en.wikipedia.org) and did some checking. The FreeBSD computer could access it just fine using links, and computers that were at my house outside the firewall could also access it just fine, but computers could not access it reliably through the firewall. I also tested both network cards by sending about 5GB of data over them using scp and the md5 sums matched on both sides of the transfer. After all of that I'm out of ideas and was wondering if anyone had any other thoughts?

Currently my /et/pf.conf is


```
# physical/logical interfaces
iif="re0"
oif="xl0"


##    ACTUAL RULES START HERE ##
# pass everything on the loopback device
set skip on lo0


# enable the nat translation
#match out on xl0 from 10.11.10.0/24 to any nat-to 192.168.0.200
nat on $oif from $iif:network -> $oif

pass quick log (all to pflog1) all
```
since I ended up choosing to strip out anything that could be interfereing.

my /etc/rc.conf contains

```
# -- sysinstall generated deltas -- # Sat Jan  1 17:11:07 2011
# Created: Sat Jan  1 17:11:07 2011
# Enable network daemons for user convenience.
# Please make all changes to this file, not to /etc/defaults/rc.conf.
# This file now contains just the overrides from /etc/defaults/rc.conf.

#	local console settings
blanktime="300"
saver="green"

#	basic network setup
hostname="stilgar.users.clanspum.net"
ifconfig_re0="inet 10.11.10.1  netmask 255.255.255.0"
ifconfig_xl0="inet 192.168.0.200 netmask 255.255.255.0"
defaultrouter="192.168.0.1"

sshd_enable="YES"

#	set up cron
cron_flags="-j 15"
cron_dst="YES"


#	I use ssmtp so disable sendmail entirely
NO_SENDMAIL="true"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

#	know where ports related scripts are
local_startup="/usr/local/etc/rc.d"

#	added for zfs support
zfs_enable="YES"

#	do what we can to save power
powerd_enable="YES"
powerd_flags="-a adaptive -n adaptive"

#	turn on the ups daemon
apcupsd_enable="YES"
#	this is key since the UPS isn't a smartUPS
apcupsd_flags=""


#	enable PF and gateway
gateway_enable="YES"
pf_enable="YES"

#handle ftp
#ftpproxy_enable="YES"
#ftpproxy_flags=""

#	enable logging
pflog_enable="YES"
pflog_logfile="/var/log/pflog"


#	added for DHCP server support
#dhcpd_flags="-q"                            # command option(s)

dhcpd_enable="YES"                          # dhcpd enabled?
dhcpd_conf="/usr/local/etc/dhcpd.conf"      # configuration file
dhcpd_ifaces="re0"                          # ethernet interface(s)
dhcpd_withumask="022"                       # file creation mask
#	because dhcpd was installed with paranoia
dhcpd_chuser_enable="YES"                   # runs w/o privileges?
dhcpd_withuser="dhcpd"                      # user name to run as
dhcpd_withgroup="dhcpd"                     # group name to run as
dhcpd_chroot_enable="YES"                   # runs chrooted?
dhcpd_devfs_enable="YES"                  # use devfs if available?
dhcpd_rootdir="/var/db/dhcpd"               # directory to run in
```

Also, just in case anyone is interested I took `# tcpdump -w file.tcpdump "tcp and port 80"` of the successful connection and then on each side of my firewall. They are in the attached file,


----------

