Re: Ping blocked by firewall

2024-04-14 Thread Karel Lucas

This makes no difference.

On 13-04-2024 at 22:06 Peter J. Philipp wrote:

On Sat, Apr 13, 2024 at 09:32:48PM +0200, Karel Lucas wrote:

What should I add then, considering my PF ruleset? To be honest, all of this
is very unclear to me at the moment, so any help is appreciated.

How about:

pass out inet  proto { tcp, udp } from any to any port { 53, 853 }  keep state
pass out inet6 proto { tcp, udp } from any to any port { 53, 853 }  keep state

see if that will do it for you.  You have a service called "domain" in your
rules but it's only a macro/alias and not active

Also if I remember it right (without looking) traceroute defaults to UDP mode
by default, with ports (32768 + 666) + (every "*" in every hop counting as 1)
so depending on how many hops outbound you want to traceroute you'll have to
open those udp ports outbound.

Of course you can be like windows and do traceroute -P1 to traceroute with
ICMP.

Remember, from your basic networking texts that each hop decrements (-1) the
time to live, or the hop count.  When a router encounters an IP[46] packet
that would decrement to 0 it will not get forwarded and will reply an ICMP
time exceeded message aka timex reply.

Please familiarize yourself with tcpdump and for learning purposes wireshark
and really analyze the packet headers with RFCs 791, 792, 8200 found at
https://rfc-editor.org.

Best of Luck!
-pjp


On 13-04-2024 at 02:39 Alexis wrote:

Karel Lucas  writes:


Ping only works partially. For example, this works: ping -c 10
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I
suspect this has to do with DNS servers, but I don't know where to
start troubleshooting.

Indeed, you appear to have no rules allowing outgoing requests to DNS
servers for name resolution.


Alexis.





Re: Ping blocked by firewall

2024-04-14 Thread Karel Lucas

What should I add to get it working?

On 13-04-2024 at 02:39 Alexis wrote:


Karel Lucas  writes:

Ping only works partially. For example, this works: ping -c 10 
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I 
suspect this has to do with DNS servers, but I don't know where to 
start troubleshooting.


Indeed, you appear to have no rules allowing outgoing requests to DNS 
servers for name resolution.



Alexis.





Re: Ping blocked by firewall

2024-04-13 Thread Peter J. Philipp
On Sat, Apr 13, 2024 at 09:32:48PM +0200, Karel Lucas wrote:
> What should I add then, considering my PF ruleset? To be honest, all of this
> is very unclear to me at the moment, so any help is appreciated.

How about:

pass out inet  proto { tcp, udp } from any to any port { 53, 853 }  keep state
pass out inet6 proto { tcp, udp } from any to any port { 53, 853 }  keep state

see if that will do it for you.  You have a service called "domain" in your
rules but it's only a macro/alias and not active

Also if I remember it right (without looking) traceroute defaults to UDP mode
by default, with ports (32768 + 666) + (every "*" in every hop counting as 1)
so depending on how many hops outbound you want to traceroute you'll have to
open those udp ports outbound.

Of course you can be like windows and do traceroute -P1 to traceroute with
ICMP.

Remember, from your basic networking texts that each hop decrements (-1) the
time to live, or the hop count.  When a router encounters an IP[46] packet
that would decrement to 0 it will not get forwarded and will reply an ICMP
time exceeded message aka timex reply.

Please familiarize yourself with tcpdump and for learning purposes wireshark
and really analyze the packet headers with RFCs 791, 792, 8200 found at
https://rfc-editor.org.

Best of Luck!
-pjp

> On 13-04-2024 at 02:39 Alexis wrote:
> > 
> > Karel Lucas  writes:
> > 
> > > Ping only works partially. For example, this works: ping -c 10
> > > 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I
> > > suspect this has to do with DNS servers, but I don't know where to
> > > start troubleshooting.
> > 
> > Indeed, you appear to have no rules allowing outgoing requests to DNS
> > servers for name resolution.
> > 
> > 
> > Alexis.
> > 
> 

-- 
my associated domains:  callpeter.tel|centroid.eu|dtschland.eu|mainrechner.de



Re: Ping blocked by firewall

2024-04-13 Thread Karel Lucas
What should I add then, considering my PF ruleset? To be honest, all of 
this is very unclear to me at the moment, so any help is appreciated.



On 13-04-2024 at 02:39 Alexis wrote:


Karel Lucas  writes:

Ping only works partially. For example, this works: ping -c 10 
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I 
suspect this has to do with DNS servers, but I don't know where to 
start troubleshooting.


Indeed, you appear to have no rules allowing outgoing requests to DNS 
servers for name resolution.



Alexis.





Re: Ping blocked by firewall

2024-04-13 Thread Peter N. M. Hansteen
On Sat, Apr 13, 2024 at 06:18:46AM +0200, Janne Johansson wrote:
> On Fri 12 Apr 2024 at 19:41 Karel Lucas wrote:
> >
> > Hi all,
> >
> > Ping only works partially. For example, this works: ping -c 10
> > 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect
> > this has to do with DNS servers, but I don't know where to start
> > troubleshooting. Can someone help me?
> 
> If the below pf.conf is your total firewall config, then you are only
> letting icmp through, and not DNS queries.
> Perhaps you meant to use the "client_out" macro for a pass rule and forgot it?

As Janne hints at here, your pass criteria are too narrow to be practical for
the needs you appear to have.

Not an uncommon problem while learning to write rulesets. And of course I
have written about that too -

https://home.nuug.no/~peter/pf/en/basicgw.html#GWPITFALLS

(That is in the piece that evolved into The Book of PF, and likely
something similar appears somewhere in the book too)


-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Ping blocked by firewall

2024-04-12 Thread Janne Johansson
On Fri 12 Apr 2024 at 19:41 Karel Lucas wrote:
>
> Hi all,
>
> Ping only works partially. For example, this works: ping -c 10
> 195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I suspect
> this has to do with DNS servers, but I don't know where to start
> troubleshooting. Can someone help me?

If the below pf.conf is your total firewall config, then you are only
letting icmp through, and not DNS queries.
Perhaps you meant to use the "client_out" macro for a pass rule and forgot it?


> /etc/pf.conf:
>
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>  446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>  10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>  0.0.0.0/8, 240.0.0.0/4 }"
>
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> block log all        # block stateless traffic
>
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types



-- 
May the most significant bit of your life be positive.



Re: Ping blocked by firewall

2024-04-12 Thread Alexis



Karel Lucas  writes:

Ping only works partially. For example, this works: ping -c 10 
195.121.1.34. But this doesn't work: ping -c 10 www.apple.com. I 
suspect this has to do with DNS servers, but I don't know where 
to start troubleshooting.


Indeed, you appear to have no rules allowing outgoing requests to 
DNS servers for name resolution.



Alexis.



Re: Ping blocked by firewall

2024-04-10 Thread Peter N. M. Hansteen
On Wed, Apr 10, 2024 at 11:01:18PM +0200, Peter N. M. Hansteen wrote:
> Another gentle introduction can be found in the latest PF tutorial,
> the slides for the AsiaBSDCon 2024 version can be found as
> https://nxdomain.no/~peter/pf_asiabsdcon2024.pdf which in turn has
> references to various useful resources.

and I should add that the labs referenced there are almost certainly
not available at the moment. They tend to be turned on specifically
for the sessions and are generally only left running for a few days.

- P

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Ping blocked by firewall

2024-04-10 Thread Peter N. M. Hansteen
On Wed, Apr 10, 2024 at 04:41:58PM -0400, Steve Litt wrote:
> I found out where to buy your book, and will buy it once I have the
> "for dummies" level of knowledge. In the meantime, what other PF
> references do you recommend? I know just enough PF to be dangerous, but
> want to make my own BSD/PF firewall/router.

The Book of PF was meant to be accessible to people with only basic
networking knowledge, but anyway -

I'd start with the official PF user guide at 
https://www.openbsd.org/faq/pf/index.html
and look up the relevant man pages.

Another gentle introduction can be found in the latest PF tutorial,
the slides for the AsiaBSDCon 2024 version can be found as
https://nxdomain.no/~peter/pf_asiabsdcon2024.pdf which in turn has
references to various useful resources.

And of course, this mailing list tends to be receptive to reasonably
formulated questions.

All the best,
Peter


-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Ping blocked by firewall

2024-04-09 Thread list
Still don't know what's happening because we don't know what those line errors
mean.

When you changed the macros to tables, did you also update the rules to
match?

On April 9, 2024 9:32:06 AM UTC, Karel Lucas  wrote:
>I moved the lines with the martians between the 'block log all' line and the 
>ping lines. Furthermore, I changed the macro 'martians' to a table: table 
> persist file "etc/martians".
>
>Messages during booting:
>/etc/pf.conf:29: syntax error
>/etc/pf.conf:29: macro 'martians' not defined
>/etc/pf.conf:30: macro 'martians' not defined
>/etc/pf.conf:38: syntax error
>/etc/pf.conf:39: syntax error
>/etc/pf.conf:46: syntax error
>
>On 09-04-2024 at 11:13 Otto Moerbeek wrote:
>> On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
>> 
>>> I defined the table as stated in your book (3rd edition, page 42). However,
>>> that gives an error message. In the lines with that table: macro 'martians'
>>> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
>>> 46, causing the pf lines not to be loaded.
>> How about showing what you did, showing the actual error messages so
>> people here can actually help you? Just saying "it does not work" does
>> not get you anywhere.
>> 
>>  -Otto
>>> On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:
>>>> On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
>>>>> Hi all,
>>>>> 
>>>>> For the first time I tested my new firewall with ping, and it is blocked. I
>>>>> don't know what the reason is, you can find the information below. I have a
>>>>> network with only regular clients, so no servers. I'm still using OpenBSD
>>>>> V7.4, and will upgrade once the firewall is up and running so I can test the
>>>>> upgrade process.
>>>> Upgrading to 7.5 will not affect this particular problem I think.
>>>> 
>>>> Still low on caffeine I spot two likely factors - your $localnet range overlaps
>>>> with one of the ranges in $martians (which I anyway would recommend converting
>>>> into a table), and your block referencing $martians comes after the pass rules
>>>> that would have let icmp through. With no previous matching quick, last match
>>>> applies.
>>>> 
>>>> - Peter
>>>> 
>


Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
The errors were caused by the word 'log' in lines where it apparently 
did not belong. Those errors have now been resolved. In Peter Hansteen's 
book, the rules are clearly stated on page 91, and there is no 'match' 
in them.


On 09-04-2024 at 17:12 l...@trungnguyen.me wrote:
> Still don't know what's happening because we don't know what those line
> errors mean.
> 
> When you changed the macros to tables, did you also update the rules
> to match?
> 
> On April 9, 2024 9:32:06 AM UTC, Karel Lucas wrote:
>> I moved the lines with the martians between the 'block log all'
>> line and the ping lines. Furthermore, I changed the macro
>> 'martians' to a table: table  persist file "etc/martians".
>> 
>> Messages during booting:
>> /etc/pf.conf:29: syntax error
>> /etc/pf.conf:29: macro 'martians' not defined
>> /etc/pf.conf:30: macro 'martians' not defined
>> /etc/pf.conf:38: syntax error
>> /etc/pf.conf:39: syntax error
>> /etc/pf.conf:46: syntax error
>> 
>> On 09-04-2024 at 11:13 Otto Moerbeek wrote:
>>> On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
>>>> I defined the table as stated in your book (3rd edition,
>>>> page 42). However, that gives an error message. In the
>>>> lines with that table: macro 'martians' not defined.
>>>> Moreover, I now also have a Syntax error in lines 38, 39
>>>> and 46, causing the pf lines not to be loaded.
>>> 
>>> How about showing what you did, showing the actual error
>>> messages so people here can actually help you? Just saying "it
>>> does not work" does not get you anywhere.
>>> 
>>> -Otto
>>> 
>>>> On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:
>>>>> On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
>>>>>> Hi all,
>>>>>> 
>>>>>> For the first time I tested my new firewall with ping, and it
>>>>>> is blocked. I don't know what the reason is, you can find the
>>>>>> information below. I have a network with only regular clients,
>>>>>> so no servers. I'm still using OpenBSD V7.4, and will upgrade
>>>>>> once the firewall is up and running so I can test the upgrade
>>>>>> process.
>>>>> 
>>>>> Upgrading to 7.5 will not affect this particular problem I think.
>>>>> 
>>>>> Still low on caffeine I spot two likely factors - your $localnet
>>>>> range overlaps with one of the ranges in $martians (which I anyway
>>>>> would recommend converting into a table), and your block
>>>>> referencing $martians comes after the pass rules that would have
>>>>> let icmp through. With no previous matching quick, last match
>>>>> applies.
>>>>> 
>>>>> - Peter



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas

In /etc/pf.conf:
table  persist file "/etc/martians"

In /etc/martians:
127.0.0.0/8
192.168.0.0/16
172.16.0.0/12
10.0.0.0/8
169.254.0.0/16
192.0.2.0/24
0.0.0.0/8
240.0.0.0/4

On 09-04-2024 at 16:06 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables.

Please actually read the advice offered by contributors to this thread.





Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
The example I'm referring to is how to define a table (page 42), and I 
applied that to the martians example (page 91).


On 09-04-2024 at 16:06 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables.

Please actually read the advice offered by contributors to this thread.





Re: Ping blocked by firewall

2024-04-09 Thread Jacqueline Jolicoeur
On Apr 09 08:39, Karel Lucas wrote:
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.

I upgraded from OpenBSD 7.4 to OpenBSD 7.5 with zero issues using this
example https://www.openbsd.org/faq/pf/example1.html

Have you considered using that as a baseline?



Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

The martians example only appears on page 91, and if you had read that book
or other PF references, you would have known full well that the syntax for
defining and referencing macros differs from how you define and reference 
tables. 

Please actually read the advice offered by contributors to this thread.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I can assure you that I did not use capital letters in the macro names, 
and used the '<' and '>'.


On 09-04-2024 at 11:58 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

macro names are case sensitive, to wit

peter@kapet:~$ cat martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
   10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
   0.0.0.0/8, 240.0.0.0/4 }"

block from $martians
peter@skapet:~$ doas pfctl -vnf martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,   10.0.0.0/8, 
169.254, 0.0/16, 192.0.2.0/24,   0.0.0.0/8, 240.0.0.0/4 }"
martians:5: macro 'martians' not defined
martians:5: syntax error

for conversion to tables, keep in mind that references need the
surrounding '<' and '>'.





Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I managed to get ping through. The error was the "log" words in the 
lines. But this is just the beginning. Now I have another problem with 
traceroute, as well as with all the normal internet traffic that has to 
go through it. In the traceroute rules I replaced "$ext_if" with 
"egress", but that makes very little difference. Creating a table for 
the martians doesn't work either. I have restored the old situation, so 
that it does not cause an error message.




Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:
> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

macro names are case sensitive, to wit

peter@kapet:~$ cat martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
  10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
  0.0.0.0/8, 240.0.0.0/4 }"

block from $martians
peter@skapet:~$ doas pfctl -vnf martians
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12,   
10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24,   0.0.0.0/8, 240.0.0.0/4 
}"
martians:5: macro 'martians' not defined
martians:5: syntax error

for conversion to tables, keep in mind that references need the
surrounding '<' and '>'.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I moved the lines with the martians between the 'block log all' line and 
the ping lines. Furthermore, I changed the macro 'martians' to a table: 
table  persist file "etc/martians".


Messages during booting:
/etc/pf.conf:29: syntax error
/etc/pf.conf:29: macro 'martians' not defined
/etc/pf.conf:30: macro 'martians' not defined
/etc/pf.conf:38: syntax error
/etc/pf.conf:39: syntax error
/etc/pf.conf:46: syntax error

On 09-04-2024 at 11:13 Otto Moerbeek wrote:

On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:


I defined the table as stated in your book (3rd edition, page 42). However,
that gives an error message. In the lines with that table: macro 'martians'
not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
46, causing the pf lines not to be loaded.

How about showing what you did, showing the actual error messages so
people here can actually help you? Just saying "it does not work" does
not get you anywhere.

-Otto

On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:

Hi all,

For the first time I tested my new firewall with ping, and it is blocked. I
don't know what the reason is, you can find the information below. I have a
network with only regular clients, so no servers. I'm still using OpenBSD
V7.4, and will upgrade once the firewall is up and running so I can test the
upgrade process.

Upgrading to 7.5 will not affect this particular problem I think.

Still low on caffeine I spot two likely factors - your $localnet range overlaps
with one of the ranges in $martians (which I anyway would recommend converting
into a table), and your block referencing $martians comes after the pass rules
that would have let icmp through. With no previous matching quick, last match
applies.

- Peter





Re: Ping blocked by firewall

2024-04-09 Thread Otto Moerbeek
On Tue, Apr 09, 2024 at 10:52:45AM +0200, Karel Lucas wrote:

> I defined the table as stated in your book (3rd edition, page 42). However,
> that gives an error message. In the lines with that table: macro 'martians'
> not defined. Moreover, I now also have a Syntax error in lines 38, 39 and
> 46, causing the pf lines not to be loaded.

How about showing what you did, showing the actual error messages so
people here can actually help you? Just saying "it does not work" does
not get you anywhere.

-Otto
> 
> On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:
> > On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> > > Hi all,
> > > 
> > > For the first time I tested my new firewall with ping, and it is blocked. I
> > > don't know what the reason is, you can find the information below. I have a
> > > network with only regular clients, so no servers. I'm still using OpenBSD
> > > V7.4, and will upgrade once the firewall is up and running so I can test the
> > > upgrade process.
> > Upgrading to 7.5 will not affect this particular problem I think.
> > 
> > Still low on caffeine I spot two likely factors - your $localnet range overlaps
> > with one of the ranges in $martians (which I anyway would recommend converting
> > into a table), and your block referencing $martians comes after the pass rules
> > that would have let icmp through. With no previous matching quick, last match
> > applies.
> > 
> > - Peter
> > 
> 



Re: Ping blocked by firewall

2024-04-09 Thread Karel Lucas
I defined the table as stated in your book (3rd edition, page 42). 
However, that gives an error message. In the lines with that table: 
macro 'martians' not defined. Moreover, I now also have a Syntax error 
in lines 38, 39 and 46, causing the pf lines not to be loaded.


On 09-04-2024 at 08:53 Peter N. M. Hansteen wrote:

On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:

Hi all,

For the first time I tested my new firewall with ping, and it is blocked. I
don't know what the reason is, you can find the information below. I have a
network with only regular clients, so no servers. I'm still using OpenBSD
V7.4, and will upgrade once the firewall is up and running so I can test the
upgrade process.

Upgrading to 7.5 will not affect this particular problem I think.

Still low on caffeine I spot two likely factors - your $localnet range overlaps
with one of the ranges in $martians (which I anyway would recommend converting
into a table), and your block referencing $martians comes after the pass rules
that would have let icmp through. With no previous matching quick, last match
applies.

- Peter





Re: Ping blocked by firewall

2024-04-09 Thread Peter J. Philipp
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> Hi all,
> 
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.
> 
> /etc/pf.conf:
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>          446, cvspserver, 2628, 5999, 8000, 8080 }"
> Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>        10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>        0.0.0.0/8, 240.0.0.0/4 }"
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
> block log all        # block stateless traffic
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> # Allow out the default range for traceroute(*):
> # "base+nhops*nqueries-1" (3434+64*3-1)
> pass log out on ext_if inet proto udp to port 33433:33626 # for IPv4
> pass log out on ext_if inet6 proto udp to port 33433:33626 # for IPv6
> pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
>     to port $udp_services
> pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> pass log on $ext_if inet proto tcp from $localnet to port $client_out
> block log in quick on $ext_if from $martians to any
> block log out quick on $ext_if from any to $martians
> pass log out proto tcp to port $tcp_services # establish keep-stat
> pass log log proto udp to port $udp_services # Establish keep-state
> 
> /var/log/pflog:
> tcpdump: WARNING: snaplen raised from 116 to 160
> Apr 09 08:16:45.009497 :: > ff02::16: HBH multicast listener report v2, 2
> group record(S) [hlim 1]
> apr 09 08:16:45.009500 :: > ff02::16: HBH multicast listener report v2, 2
> group record(S) [hlim 1]

Hi Karel,

Hope you're well!  Here is what you should add to your IPv6 icmp_types:

pass log on $ext_if inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass log on $ext_if inet6 proto ipv6-icmp all icmp6-type neighbradv

This allows the NDP protocol to converse (it's similar to the IPv4 ARP).

I didn't see you had the problem with only IPv6, but the way I tested it, the
IPv4 worked fine.  It was IPv6 that had the missing neighbour solicitation
and advertising.

Best Regards,
-pjp

-- 
my associated domains:  callpeter.tel|centroid.eu|dtschland.eu|mainrechner.de



Re: Ping blocked by firewall

2024-04-09 Thread Peter N. M. Hansteen
On Tue, Apr 09, 2024 at 08:39:08AM +0200, Karel Lucas wrote:
> Hi all,
> 
> For the first time I tested my new firewall with ping, and it is blocked. I
> don't know what the reason is, you can find the information below. I have a
> network with only regular clients, so no servers. I'm still using OpenBSD
> V7.4, and will upgrade once the firewall is up and running so I can test the
> upgrade process.

Upgrading to 7.5 will not affect this particular problem I think.

Still low on caffeine I spot two likely factors - your $localnet range overlaps 
with one of the ranges in $martians (which I anyway would recommend converting 
into a table), and your block referencing $martians comes after the pass rules
that would have let icmp through. With no previous matching quick, last match
applies. 

- Peter

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
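The pitfalls this thread walks through (a '$martians' reference that does not match the 'Martians' macro, a table that has to be referenced as '<name>' rather than '$name', and a '$localnet' that sits inside one of the martian ranges) can all be caught before pfctl -nf is ever run. The Python linter below is an added example, not code from the thread or from PF itself: BEFORE is a constructed excerpt modelled on the ruleset posted above, AFTER applies the fixes suggested in the replies, and the messages it produces are its own, only loosely patterned on pfctl's "macro 'martians' not defined".

```python
"""Added example (not from the thread): lint a pf.conf excerpt for case-sensitive $macro
references, tables referenced with $ instead of <>, bad martian prefixes, localnet overlap."""
import ipaddress
import re

MACRO_DEF = re.compile(r'^([A-Za-z_]\w*)\s*=\s*"?(.*?)"?$')
TABLE_DEF = re.compile(r'^table\s*<(\w+)>')
MACRO_REF = re.compile(r'\$([A-Za-z_]\w*)')
TABLE_REF = re.compile(r'<(\w+)>')


def logical_lines(text):
    """Yield (line_number, text): comments dropped, backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        start = n if start is None else start
        part = raw.split("#", 1)[0].strip()
        if part.endswith("\\"):
            buf.append(part[:-1])
            continue
        joined = " ".join(buf + [part]).strip()
        if joined:
            yield start, joined
        buf, start = [], None


def prefix_findings(localnet, martians):
    """Flag martian entries ipaddress rejects, and ranges that contain $localnet."""
    out = []
    lan = ipaddress.ip_network(localnet, strict=False)
    for p in filter(None, re.split(r"[\s,{}]+", martians)):
        try:
            net = ipaddress.ip_network(p, strict=False)
        except ValueError:  # e.g. the '169.254, 0.0/16' entry in the posted ruleset
            out.append(f"martian entry '{p}' is not a valid prefix")
            continue
        if lan.version == net.version and lan.subnet_of(net):
            out.append(f"localnet {lan} lies inside martian range {net}")
    return out


def lint(text):
    macros, tables, rules = {}, set(), []
    for lineno, line in logical_lines(text):
        if m := TABLE_DEF.match(line):
            tables.add(m.group(1))
        elif m := MACRO_DEF.match(line):
            macros[m.group(1)] = m.group(2)
        else:
            rules.append((lineno, line))
    by_lower = {k.lower(): k for k in macros}  # for the case-mismatch hint
    findings = []
    for lineno, line in rules:
        for name in MACRO_REF.findall(line):
            if name in tables:
                findings.append(f"{lineno}: '{name}' is a table; reference it as <{name}>")
            elif name not in macros:
                hint = by_lower.get(name.lower())
                findings.append(f"{lineno}: macro '{name}' not defined"
                                + (f" (case sensitive; you defined '{hint}')" if hint else ""))
        for name in TABLE_REF.findall(line):
            if name not in tables:
                findings.append(f"{lineno}: table <{name}> not defined")
    # A martians macro can be checked inline; a table's contents live in its file.
    martians = macros.get("martians") or macros.get("Martians")
    if martians and "localnet" in macros:
        findings += prefix_findings(macros["localnet"], martians)
    return findings


# Constructed excerpt modelled on the ruleset posted in this thread.
BEFORE = '''\
ext_if = igc0 # Extern interface
localnet = "192.168.2.0/24"
Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \\
    10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, 0.0.0.0/8 }"
block log in quick on $ext_if from $martians to any
block log out quick on $ext_if from any to $martians
'''

# Same excerpt with the thread's fixes: a <martians> table and an outbound DNS rule.
AFTER = '''\
ext_if = igc0
localnet = "192.168.2.0/24"
table <martians> persist file "/etc/martians"
block log in quick on $ext_if from <martians> to any
block log out quick on $ext_if from any to <martians>
pass out inet proto { tcp, udp } from any to any port { 53, 853 } keep state
'''
```

Once the martians are moved into a table the overlap check no longer sees them, so the file behind "persist file" has to be compared against $localnet separately.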