Hi,
On 05/12/11 13:08, Sebastien Maerker, Continum wrote:
> # SSH ssh
> pass in on $ext_if proto TCP from $management to $my_ip port 22 flags S/SA
> keep state
Since 4.1, it seems 'keep state' is enabled by default for any rule, and
'flags S/SA' is the default for packets that match 'proto tcp', so you
could probably remove those to clean up your ruleset a little bit.
> # DNS dns
> pass in on $ext_if proto { TCP, UDP } from any to $my_ip port 53 keep state
Come to think of it, you've put all the protocol names in upper case.
In all the PF example rulesets I've seen, they are written in lower
case. Does that matter?
> # LO lo0
> pass in on lo0 all
> pass out on lo0 all
You may want to use 'set skip on lo' at the top of your ruleset instead
of this. pass rules are probably less efficient, and they will
pointlessly keep state and such.
> # ICMP icmp allow useful net helper packets
> pass out on $ext_if inet proto ICMP all icmp-type { 0, 3, 11 } keep state
> pass out on $ext_if inet proto ICMP all icmp-type { 0, 3, 8, 11, 30 } keep
> state
You may have allowed more than you needed here, and some of it you have
even matched twice, but maybe all you need is:
pass in on $ext_if inet proto icmp all icmp-type echoreq code 0
pass out on $ext_if inet proto icmp all icmp-type echoreq code 0
Because of 'keep state' (on by default), the corresponding reply packet
will be passed in/out. Any ICMP packets related to passed TCP/UDP
connections match against their state too, so you shouldn't need to
allow the other ICMP types.
If your hosts only handle light network traffic right now, you could
change your 'block all' to a 'block all log' and watch what happens in
'tcpdump -nni pflog0', while you try to reproduce the problem with NSD.
Otherwise, take a look at the 'pfctl -vsr' packet and byte counters, to
see whether your 'pass out' rules are really matching.
Regards,
--
Steven Chamberlain
[email protected]
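Putting the suggestions in this reply together, here is what the cleaned-up ruleset could look like. This is an added example, not Steven's or Sebastien's actual ruleset; the macro values ($ext_if, $management, $my_ip) are placeholders, and the 'block log' line is the diagnostic variant Steven describes, to be used with 'tcpdump -nni pflog0' and 'pfctl -vsr' while reproducing the NSD problem.

```pf
# Placeholder macro values; replace with the real interface and addresses.
ext_if     = "em0"
management = "192.0.2.10"
my_ip      = "198.51.100.5"

# Loopback: skip filtering entirely instead of 'pass ... on lo0' rules,
# so no state is needlessly created for local traffic.
set skip on lo

# Default deny. While debugging, 'log' sends blocked packets to pflog0;
# watch them with: tcpdump -nni pflog0
# Drop the 'log' keyword again once the ruleset is settled.
block log all

# SSH from the management host only.
# Since 4.1 'keep state' and 'flags S/SA' are the defaults for tcp,
# so neither needs to be written out.
pass in on $ext_if proto tcp from $management to $my_ip port 22

# DNS (NSD) over both tcp and udp. Lower-case protocol names as in the
# pf.conf examples; the state entry handles the reply traffic.
pass in on $ext_if proto { tcp, udp } from any to $my_ip port 53

# ICMP: only echo requests in each direction. The echo reply, and any
# ICMP errors related to existing tcp/udp states, match the state
# entries and need no separate rule.
pass in  on $ext_if inet proto icmp all icmp-type echoreq code 0
pass out on $ext_if inet proto icmp all icmp-type echoreq code 0

# Outbound traffic from this host. Check the per-rule counters with
# 'pfctl -vsr' to confirm this rule is actually matching.
pass out on $ext_if proto { tcp, udp } from $my_ip to any
```

Load it with 'pfctl -nf /etc/pf.conf' first to check the syntax, then 'pfctl -f /etc/pf.conf'. The 'pfctl -vsr' output shows 'Evaluations', 'Packets' and 'Bytes' under each rule, which is the quickest way to see whether the 'pass out' rule is being hit or whether the packets are landing on 'block log all' instead.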