The kernel has an implicit default first rule, which is "pass
flags any no state" and this applies to any packets which are not
overridden in pf.conf.

It's probably best to start your pf.conf with an explicit "block" as the
first line (which will block packets by default unless they match an
existing state), and then work from there; either add an explicit "pass"
after that, or just pass the relevant traffic.

The rules in the default pf.conf have been changed along these lines
for -current / 5.3.


On 2013/03/05 15:08, Jason Mader wrote:
> >Synopsis:    pf.conf(5) rules: antispoof & pass in lo0
> >Category:    system
> >Environment:
>       System      : OpenBSD 5.2
>       Details     : OpenBSD 5.2 (GENERIC) #278: Wed Aug  1 10:04:16 MDT 2012 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC
> 
>       Architecture: OpenBSD.i386
>       Machine     : i386
> 
> vge0 at pci1 dev 0 function 0 "VIA VT612x" rev 0x82: apic 4 int 0,
> address 00:1f:f2:07:12:01
> ipgphy0 at vge0 phy 22: IP1001 10/100/1000 PHY, rev. 0
> >Description:
> pf.conf rule:
>       antispoof for egress inet
> produces:
>       block drop in on ! egress inet from 128.164.219.0/25 to any
>       block drop in inet from 128.164.219.9 to any set ( prio 0 )
> On the host, No route to host after the first response,
> # ping 128.164.219.9
> PING 128.164.219.9 (128.164.219.9): 56 data bytes
> 64 bytes from 128.164.219.9: icmp_seq=0 ttl=255 time=0.094 ms
> ping: sendto: No route to host
> ping: wrote 128.164.219.9 64 chars, ret=-1
> 
> Remove the rule, ping works fine.
> 
> If it matters, the egress is,
> 
> vge0: flags=28843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,NOINET6> mtu 1500
>         lladdr 00:1f:f2:07:12:01
>         description: Vlan 70
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (1000baseT full-duplex,master)
>         status: active
>         inet 128.164.219.9 netmask 0xffffff80 broadcast 128.164.219.127
> 
> The same thing happens on lo0, not with antispoof but with pass in,
> 
> pf.conf rule:
>       pass in quick on lo0 all
> produces:
>       pass in quick on lo0 all flags S/SA
> On the host,
> # ping localhost
> PING localhost.seas.gwu.edu (127.0.0.1): 56 data bytes
> 64 bytes from 127.0.0.1: icmp_seq=0 ttl=255 time=0.082 ms
> ping: sendto: No route to host
> ping: wrote localhost.seas.gwu.edu 64 chars, ret=-1
> 
> Remove the rule, ping works fine.

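As an added illustration of the advice in the reply above (this is example configuration, not the reporter's full pf.conf and not the file shipped with OpenBSD), the reported fragment is shown beside a version that makes the default policy explicit. The interface vge0 and the egress group come from the report; the loopback handling follows the pf.conf(5) note that antispoof rules interfere with packets sent over loopback to local addresses and that such traffic should be passed explicitly.

```pf
# Added example; assumes the single egress interface vge0 from the report.

# Variant 1: as reported. Only the antispoof line exists, so every packet the
# expanded antispoof rules do not match falls through to the kernel's implicit
# default, "pass flags any no state": the effective policy is stateless and
# partly invisible in the file.
#
#     antispoof for egress inet

# Variant 2: explicit default policy, as the reply recommends.

# pf.conf(5): rules created by antispoof interfere with packets sent over
# loopback interfaces to local addresses, so pass those explicitly. Skipping
# filtering on lo0 does that and removes the need for the separate
# "pass in quick on lo0 all" rule from the report.
set skip on lo0

# Explicit default: a packet that matches no later rule and no existing state
# is dropped instead of being passed statelessly by the implicit rule.
block

# Explicit pass. Pass rules keep state by default, so the reply to a passed
# packet is matched to the state created by the first packet.
pass

# Anti-spoofing for the egress interface. Placed after "pass" because the last
# matching rule wins: the expanded "block drop in" rules for the egress
# address range still override the general pass for spoofed sources.
antispoof for egress inet
```

Check the expansion before loading it with `pfctl -nvf /etc/pf.conf`; that is the form in which the report shows what the antispoof line turns into, and it makes visible which rules carry state and which do not.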