Den fre 12 apr. 2024 kl 19:41 skrev Karel Lucas <cahlu...@planet.nl>:
>
> Hi all,
>
> Ping only works partially. For example, this works: ping -c 10
> 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect
> this has to do with DNS servers, but I don't know where to start
> troubleshooting. Can someone help me?
If the below pf.conf it your total firewall config, then you are only
letting icmp through, and not DNS queries.
Perhaps you meant to use the "client_out" macro for a pass rule and forgot it?
> /etc/pf.conf:
>
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
> 446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
>
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> block log all # block stateless traffic
>
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
--
May the most significant bit of your life be positive.
