On Mon, Nov 21, 2011 at 3:45 AM, John Tate <[email protected]> wrote:
> I am having troubles with this pf configuration, it seems when loaded
> nothing can access my server on the internal interface for the LAN, I
> cannot see why, and it's pretty much based off the very standard
> example in the OpenBSD faq.

assuming your internal net is connected to int_if: none of your rules
even mention your local network and you block by default, so yeah

if int_if isn't part of the int net, please rename the macro to avoid
confusion

>
> When I unload the configuration, I can access the DNS server on the
> firewall running this configuration. It seems to forward everything
> through to the Internet, but blocks DNS which makes it pretty useless.
> I've looked at it at least five times...
>
> [john@baal ~]$ cat /etc/pf.conf
> int_if="xl0"
> ext_if="tun0"
>
> rothbard="10.0.0.10"
> baal="10.0.0.2"
> smass="10.0.0.1"
>
> tcp_services="{22}"
> icmp_types="echoreq"
>
> set block-policy return
> set loginterface $ext_if
> set skip on lo
>
> match out on egress inet from !(egress:network) to any nat-to (egress:0)

you're not passing these packets

>
> block in log
> pass out quick
>
> antispoof quick for { lo $int_if }
>
> pass in on egress inet proto tcp from any to (egress) \
>         port $tcp_services

i highly doubt you are setting up a public dns server intentionally.
if this is the case, make it clear that you are

> #After this goes forwarded ports... Probably just use ssh tunnels.
>
> pass in inet proto icmp all icmp-type $icmp_types
>
> What is wrong?

you need to read the docs on pf. your rules make no sense

>
> Also can you tell me how to do this so it only needs to load once, and
> not be loaded by a shell script after userland pppoe successfully
> connects?
>
> --
> www.johntate.org
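A ruleset with the gaps the reply points out filled in, as an added example that is not part of either mail. It assumes the LAN behind xl0 is 10.0.0.0/24 (consistent with the 10.0.0.x host macros in the original) and that the resolver the poster wants to reach listens on the firewall's xl0 address.

```pf
# Added example, not the poster's /etc/pf.conf. Assumptions: xl0 faces the
# 10.0.0.0/24 LAN; the firewall's DNS resolver listens on xl0.
int_if="xl0"
ext_if="tun0"
lan_net="10.0.0.0/24"          # assumed LAN prefix, not in the original file

tcp_services="{ 22 }"
icmp_types="echoreq"

set block-policy return
set loginterface $ext_if
set skip on lo

# Rewrite the source of LAN traffic leaving via the PPPoE link. A match
# rule only sets the translation; it does not let the packet in, so a
# pass rule on the internal side is still required (see below).
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# Default deny inbound on every interface; everything the firewall itself
# sends out is allowed.
block in log
pass out quick

antispoof quick for { lo $int_if }

# The rule the original file lacks: accept traffic from the LAN on the
# internal interface. This covers both queries to the resolver on the
# firewall (port 53 on xl0) and traffic that is forwarded and NATed out.
pass in on $int_if inet from $lan_net to any

# Only ssh is exposed on the external side; DNS stays reachable from the
# LAN only, since nothing passes port 53 in on egress.
pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services

pass in inet proto icmp all icmp-type $icmp_types
```

After loading, `pfctl -sr` shows the expanded rules and `tcpdump -n -e -ttt -i pflog0` shows what `block in log` is still dropping, which is the quickest way to confirm LAN packets now match the new pass rule rather than the default block.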
