On Fri, Nov 04, 2005 at 05:16:22PM +1100, Cameron Simpson wrote:
>       [var/[EMAIL PROTECTED]> pfctl -s rules
>       block return all
>       pass quick proto tcp from any to any port = ssh flags S/SA keep state
>       pass in quick proto icmp all keep state
             ^^
How are the packets supposed to get OUT of the firewall? You have to
think of the traffic crossing both interfaces.


> (I have also tried "pass quick proto icmp all" with no useful effect.)

With the simple ruleset above, or something more complicated?
This should work (as should the above without the direction).

> Also, I have seen elsewhere in list archives debug output showing what rules
> got applied. I have not found out how to produce such debugging myself.

Add the 'log' keyword to at least your block rule, and maybe your pass
rules as well. Then do:

# tcpdump -vvvpleni pflog0 -s 1518

> I'm loading up the rules like this:
> 
>       pfctl -F rules -v && pfctl -xm -f /etc/pf.conf -v && echo YES

Don't explicitly flush the ruleset like this; pf does that for you, and
with such a command you're running without any ruleset at all for at
least a moment, more if your new ruleset is buggy and fails to load.

> What else can I do to further debug this?

tcpdump on the pflog interface is probably the most powerful tool; you
can also look at pfctl -si to see if packets are being dropped for some
other reason than ruleset evaluation, and perhaps do tcpdump on the
physical interfaces you think the traffic should be crossing, to see if
it's maybe actually coming out on the other side but being dropped
elsewhere on your network.
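As an added illustration of the two points above (pass rules for both directions, and the 'log' keyword so blocked packets show up on pflog0), here is a small pf.conf in the style of the quoted ruleset. It is not Cameron's ruleset or anything from the list; the interface name fxp0 is an assumption, and the rules use the same 2005-era syntax as the quoted ones (explicit "keep state"):

```pf
# Added example pf.conf, not the original poster's ruleset.
# The interface name is an assumption; substitute your own.
ext_if = "fxp0"

# Log every blocked packet so it can be watched on pflog0 with tcpdump.
block return log all

# Outbound: traffic originating on, or forwarded through, this box needs a
# pass rule in the OUT direction too; "keep state" lets the replies back in.
pass out quick on $ext_if proto tcp from any to any flags S/SA keep state
pass out quick on $ext_if proto udp from any to any keep state
pass out quick on $ext_if proto icmp from any to any keep state

# Inbound: only ssh and icmp, as in the quoted ruleset; the state entry
# created here also covers the reply packets going back out.
pass in quick on $ext_if proto tcp from any to any port = ssh flags S/SA keep state
pass in quick on $ext_if proto icmp all keep state
```

Check the syntax without touching the running ruleset using `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` (no separate `-F rules` needed, as noted above). Packets hitting the logged block rule can then be watched with the tcpdump command given earlier: `tcpdump -vvvpleni pflog0 -s 1518`.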
