On 01/17/2013 11:27 AM, Vadim Zhukov wrote:

First, find where the flow gets stopped: enable debug logging on the resolver and add a "match log (matches) to port 53" rule as the first one in your firewall. Then you'll probably see the problem yourself.

Oh, and please, if you get "no packets seen" problems, print all of your firewall rules. Always. Don't pretend that you know better - if that were so, why would you be asking at all?

Incoming packets are still coming in, but I only see my own requests to the provider's DNS.
Should I see the replies from my server to the requests coming from the Internet?

Jan 17 13:31:44.480883 rule 4/(match) match in on em1: 178.45.248.150.43780 > my.IP.53: 687[|domain]
Jan 17 13:33:25.076188 rule 4/(match) match in on em1: 212.14.176.40.33699 > my.IP.53: 61511[|domain] (DF)
Jan 17 13:33:25.080570 rule 4/(match) match in on em1: 212.14.176.40.19055 > my.ip.53: 3658[|domain]
Jan 17 13:33:26.216774 rule 4/(match) match out on em1: my.ip.9342 > 194.106.219.12.53: 10130+% [1au][|domain]
Jan 17 13:33:26.721533 rule 4/(match) match out on em1: my.ip.42595 > 194.106.219.10.53: 21720+% [1au][|domain]


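###pf.conf###
#    $OpenBSD: pf.conf,v 1.50 2011/04/28 00:19:42 mikeb Exp $
# See pf.conf(5) for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.
#
# Reading notes:
#  - pf evaluates the ruleset top to bottom; for pass/block the LAST matching
#    rule wins unless the rule says "quick".  "match" rules never decide
#    pass/block, they only attach options (log, scrub, nat-to, rdr-to).
#  - every "pass" below keeps state; packets that belong to an existing state
#    are handled by the state table and never traverse these rules again.
#    That is why a "match log ... to port 53" rule cannot show DNS replies.
#  - pf.conf(5) takes exactly one macro assignment or rule per line; the
#    mailing-list copy had several joined on one line, which does not load
#    (and a joined "#" comment would have swallowed the rules after it).

# interfaces
ext_if = "em1"
wifi_if = "rum0"
int_if = "em0"

# outbound TCP ports allowed for LAN (portstuff) and wifi (portstuffwww) clients
portstuff = "{ smtps, 5190, submission, pop3, pop3s, imap, imaps, www, https, 1863, 1935, 3389, 5222, 5900, 8200 }"
portstuffwww = "{ smtps, 445, 5190, submission, pop3, pop3s, imap, imaps, www, https, 1863, 1935, 3389, 5222, 9100 }"

# address tables; "const" tables cannot be changed at runtime with pfctl -T
table <firewall> const { self }
table <tlv_lan>        { 192.168.2.0/24 }
table <tlv_wifi>    { 192.168.22.0/24 }
table <tlk_lan>        { 192.168.5.0/24 }
table <tlk_wifi>    { 192.168.55.0/24 }
table <tlv_gw>        { x.x.x.x }
table <admin>        { 192.168.5.1, 192.168.5.61 }
table <dns>        { 194.106.219.10, 194.106.219.12 }
table <tlv_vpn>        { 192.168.88.0/24 }
table <tlk_vpn>        { 192.168.99.0/24 }
table <pptp_vpn>    { 192.168.66.0/24 }
#table <adminvpn>    { 192.168.14.115, 192.168.14.113 }
table <rm>        { 192.168.5.250 }
table <tlv_rm>    { 192.168.2.250 }
table <mysql>        { 192.168.5.248 }
table <tlv_mysql>    { 192.168.2.248 }
table <tlk_scm>        { 192.168.5.251 }
table <tw>        { 192.168.2.247 }
table <lic>        { 192.168.5.246 }
table <ogo>        { 192.168.5.36 }
table <macintosh>    { 192.168.5.73 }
table <scm>        { 192.168.5.251 }
table <tlv_scm>        { 192.168.2.251 }
table <psu>        { 192.168.5.17, 192.168.5.50 }
table <tlk_qnap>    { 192.168.5.200 }
table <tlv_qnap>    { 192.168.2.200 }
table <proxmox>        { 192.168.5.201 }
table <bugzilla>    { 192.168.2.206 }
table <agcoclient>    { 192.168.5.15, 192.168.5.32, 192.168.5.34, \
192.168.5.35, 192.168.5.41, 192.168.5.42, 192.168.5.49, 192.168.5.72 }
table <agco>        {x.x.x.x }
# address ranges that must never appear as a source on the Internet side
table <private>        { 0.0.0.0/8, 10.0.0.0/8, 14.0.0.0/8, \
            127.0.0.0/8, 128.0.0.0/16, 169.254.0.0/16, \
            172.16.0.0/12, 191.255.0.0/16, 192.0.2.0/24, \
            192.168.0.0/16, 240.0.0.0/4, 255.255.255.0/24 }
# "persist" tables survive a ruleset reload even when empty; they are filled
# at runtime (pfctl -t ... -T add, spamd)
table <bruteforce> persist
#table <advertisement> file "/etc/advertisement"
table <spamd-white> persist
table <spamd> persist
#table <spamd-bypass> file "/etc/mail/spamd.bypass"
#table <spamd-black> file "/etc/mail/spamd.black"

set skip on  { lo, enc0 }
set loginterface em1
set timeout { frag 20, tcp.established 3600 }
set block-policy return

antispoof quick for { em1 }

match in all scrub (no-df)

anchor "ftp-proxy/*"
# Diagnostic rule for the DNS problem (presumably "rule 4" in the pflog
# excerpt).  It matches only packets whose DESTINATION port is 53: queries
# arriving at em1 and our own queries leaving for the provider's resolvers.
# Answers have SOURCE port 53 and never match it, and answers to a stateful
# pass are handled by the state table without consulting the ruleset, so
# "no replies logged here" proves nothing.  The "log (all)" on the DNS pass
# rule below is what shows whether the nameserver answers at all.
match log on $ext_if inet proto udp to port 53
#nat
match out on $ext_if inet proto tcp from { <tlk_lan>, <tlk_wifi>, <pptp_vpn> } to any nat-to em1
match out on $ext_if inet proto udp from { <tlk_lan>, <tlk_wifi> } to <agco> nat-to em1
match out on $ext_if inet from <admin> to any nat-to em1

#rdr
match in on $ext_if inet proto tcp from any to em1 port { www, https } rdr-to <rm>
match in on $ext_if inet proto tcp from any to em1 port 3690 rdr-to <scm> port www
match in on $ext_if inet proto tcp from any to em1 port 16881 rdr-to 192.168.5.1
match in on $ext_if inet proto udp from any to em1 port 27015 rdr-to 192.168.5.244
match in on $ext_if inet proto tcp from any to em1 port 8080 rdr-to 192.168.5.244 port www

#block in quick on $int_if from any to <advertisement>
# "flags /S" drops TCP packets with SYN clear, "flags A/A" drops those with
# ACK set: only SYN-without-ACK packets reach the pass rules below, every
# other TCP packet has to belong to an existing state.
block quick proto tcp flags /S
block quick proto tcp flags A/A
# NOTE(review): the "table <spamd-black>" line above is commented out, so the
# table referenced here is most likely created empty and blocks nothing;
# check with "pfctl -t spamd-black -T show".
block in quick on $ext_if from { <bruteforce>, <private>, <spamd-black> } to any
block out quick on $ext_if from any to <private>
#block in quick on $int_if inet proto tcp from { !<twmail>, !<twtest> } to any port smtp
block all

#in
pass in on $ext_if inet proto tcp from any to em1 port 22555
pass in on $ext_if proto esp from <tlv_gw> to em1
pass in on $ext_if proto gre from any to em1
pass in on $ext_if inet proto tcp from any to em1 port pptp modulate state
pass in on $ext_if inet proto udp from any to em1 port 1194
pass in on $ext_if inet proto tcp from any to <rm> port { www, https } synproxy state
pass in on $ext_if inet proto tcp from any to <scm> port www synproxy state
pass in on $ext_if inet proto tcp from any to 192.168.5.1 port 16881
pass in on $ext_if inet proto udp from any to 192.168.5.244 port 27015
pass in on $ext_if inet proto tcp from any to 192.168.5.244 port 80 synproxy state
# DNS served to the Internet.  "log (all)" logs every packet of the state,
# query and answer alike, so pflog shows whether em1 ever sends a reply; if
# queries come in and nothing goes out, the packet reached the host and the
# nameserver itself is not answering (check its own debug log).  Drop "(all)"
# again once the problem is found.  Because this is open to "any", make sure
# the nameserver does not recurse for arbitrary clients.
pass in log (all) on $ext_if inet proto { tcp, udp } from any to em1 port domain
#pass in on $ext_if inet proto tcp from any to em1 port ftp
# tunnel interfaces are trusted completely
pass in quick on { tun1, tun2, tun3 } all
pass in quick on $wifi_if inet proto udp from any to <firewall> port bootps
pass in quick on $int_if inet proto udp from any to <firewall> port bootps
pass in on $wifi_if inet proto icmp
pass in on $int_if inet proto icmp
pass in quick on $int_if inet from <admin> to any
pass in on $int_if inet proto tcp from <tlk_lan> to any port ssh
pass in on $int_if inet proto tcp from <tlk_lan> to $int_if port 22555
pass in on $wifi_if inet proto tcp from <tlk_wifi> to $wifi_if port 22555
pass in on $wifi_if inet proto { udp, tcp } from <tlk_wifi> to $wifi_if port { ntp, domain }
pass in on $int_if inet proto { udp, tcp } from <tlk_lan> to $int_if port { ntp, domain }
pass in quick on $int_if inet proto udp from any to any port tftp
pass in on $wifi_if inet proto tcp from <tlk_wifi> to any port $portstuffwww
pass in on $int_if inet proto tcp from <tlk_lan> to any port $portstuff
# ftp from the inside goes through ftp-proxy(8) on 127.0.0.1:8021
pass in on $wifi_if inet proto tcp from <tlk_wifi> to port ftp divert-to 127.0.0.1 port 8021
pass in on $int_if inet proto tcp from <tlk_lan> to port ftp divert-to 127.0.0.1 port 8021
pass in quick on $int_if inet proto tcp from <tlk_wifi> to { <tw>, <bugzilla>, <tlv_scm>, <tlv_rm> } port www
pass in quick on $int_if inet proto tcp from <tlk_lan> to { <tw>, <bugzilla>, <tlv_mysql>, <tlv_scm>, <tlv_rm> } port www
pass in quick on $int_if inet proto tcp from <tlk_lan> to 87.106.211.205 port www
#pass in quick on $int_if inet proto tcp from 192.168.5.1 to any port www divert-to 127.0.0.1 port 8080
#pass in quick on $wifi_if inet proto tcp from <tlk_wifi> to any port www divert-to 127.0.0.1 port 8080
#pass in quick on $int_if inet proto tcp from <tlk_lan> to any port www divert-to 127.0.0.1 port 8080
pass in on $int_if inet proto tcp from { <rm>, <tw>, 192.168.5.245 } to any port { smtp, submission, www, https }
pass in on $int_if inet proto tcp from <tlk_qnap> to <tlv_qnap>
pass in on $int_if inet proto tcp from <tlk_lan> to <tlv_qnap> port 445
pass in on $int_if inet proto tcp from <psu> to any port 1194
pass in on $int_if inet proto udp from <tlk_lan> to <agco>
pass in on $wifi_if inet proto udp from <tlk_wifi> to <agco>
pass in on $int_if inet proto tcp from { <tlk_qnap>, <proxmox> } to em0 port 3551
pass in on tun0 inet proto { tcp, udp } from <tlk_vpn> to { <tlv_lan>, <tlv_wifi>, <tlk_lan>, <tlk_wifi> }
#out
pass out on $ext_if proto esp from em1 to <tlv_gw>
pass out on $ext_if proto gre from em1 to any
#pass out on $ext_if inet proto udp from em1 to <dns> port domain
# all outbound UDP from the firewall itself (the commented rule above limited
# it to the <dns> resolvers)
pass out on $ext_if inet proto udp from em1 to any
pass out on $ext_if inet proto tcp from em1 to any port { ftp, ssh, smtp, 1194, 444, 22555, >49151 }
pass out on $ext_if inet proto tcp from em1 to any port $portstuff
pass out on $ext_if inet proto udp from any to <agco>
#pass out quick on $int_if inet proto udp from any to any port tftp
pass out quick on $wifi_if inet proto udp from <firewall> to any port bootpc
pass out quick on $int_if inet proto udp from <firewall> to any port bootpc
pass out on $int_if inet proto icmp
pass out on $wifi_if inet proto icmp
pass out on $int_if inet proto tcp from { <tlk_wifi>, <tlk_vpn>, <tlv_lan>, <tlv_wifi> } to <tlk_lan> port { 3389, 9100, www, https }
pass out on $wifi_if inet proto tcp from { <tlk_lan>, <tlk_vpn>, <tlv_lan>, <tlv_wifi> } to <tlk_wifi> port { 3389, 5900 }
pass out on $wifi_if inet proto tcp from <admin> to <tlk_wifi> port ssh
pass out on $int_if inet proto tcp from any to <rm> port { www, https }
pass out on $int_if inet proto tcp from any to <scm> port { www, 3690 }
pass out on $int_if inet proto tcp from any to <lic>
pass out on $int_if inet proto tcp from any to 192.168.5.1 port 16881
pass out on $int_if inet proto udp from any to 192.168.5.244 port 27015
pass out on $int_if inet proto tcp from any to 192.168.5.244 port www
pass out on $int_if inet proto tcp from any to <mysql> port mysql
pass out on $int_if inet proto tcp from { <tlv_lan>, <tlv_wifi>, <tlk_vpn>, <tlv_vpn>, <pptp_vpn> } to { <tlk_scm>, 192.168.5.247 } port www
pass out on $int_if inet proto tcp from <tlk_vpn> to <macintosh> port 5900
pass out on $int_if inet proto tcp from { <tlv_qnap>, 192.168.66.102 } to <tlk_qnap>
pass out on $int_if inet proto tcp from { <tlk_wifi>, <tlk_vpn>, <tlv_lan>, <tlv_wifi>, <tlv_vpn> } to <tlk_qnap> port 445
#pass out on $int_if inet proto tcp from any to <tlk_qnap> port ftp user proxy
pass out on $int_if inet proto tcp from any to <tlk_lan> port ssh
pass out on $int_if inet proto tcp from <firewall> to any port ssh
pass out on $int_if inet proto udp from <firewall> to <tlk_lan>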
