On 20 Apr 2015 at 0:11, Ton Muller wrote:

> I set up my old Asus laptop last week, model A6000, 1GB RAM, 80GB HDD.
> 
> SK0 is the internal interface.
> RE0 is the WAN interface
> 
> I kept my pf.conf as simple as possible to get it to start.
> ######## START CONFIG ##########
> #
> int_if = "sk0"
> ext_if = "re0"
> 
> tcp_services="{ 22,53,113 }"
> icmp_types="echoreq"
> 
> # options
> # increase default state limit from 10'000 states on busy systems
> #set limit states 100000
> 
> set block-policy return
> set loginterface egress
> set skip on lo
> 
> # match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> #
> # filter rules
> block in log
> pass out quick
> antispoof quick for { lo $int_if }
> 
> pass in on egress inet proto tcp from any to (egress) port $tcp_services
> #
> pass in inet proto icmp all icmp-type $icmp_types
> pass in on $int_if
> 
> ######### end config ##########
> 
> this is my resolv.conf
> # Generated by re0 dhclient
> search xs4non.nl
> nameserver 192.168.1.240
> lookup file bind
> 
> RE0 ip 192.168.1.240
> SK0 ip 192.168.0.240
> 
> mygate 192.168.1.240
> 
> Well, as far as I can remember, if I set RE0 to DHCP, it would get its IP
> from the DHCP server on the modem, which works (192.168.1.1), and mygate
> would not be used.
> 
> Here comes the issue.
> Whatever combination I do, forced or not,
> I can ping a host and get NO result back.
> If I ping its IP address, I get a result back.
> So my question is, what am I doing wrong here?
> 
> I never changed my basic configs, so I knew that it would work.
> But for some reason this time I get a massive headache from it.
> 
> Any ideas?
> 
> Tony.
> 
> 

Here are some ideas that may (or may not) resolve your issues. 
Hopefully, they will at least get you started in the right direction:

1) Since you are using the 'egress' interface group name rather than 
the explicitly defined $ext_if macro variable, make sure that it is 
defined and for the correct interface. I know it works well when 
/etc/mygate is correctly defined, but never had the need to test with 
dhclient controlled interfaces.

2) You seem to want to allow DNS (port 53) traffic inbound, but are you 
aware that most DNS communication is over UDP? TCP DNS is used mostly, 
if not only, for zone transfers.

3) Similarly, for ICMP (used by ping) you are allowing in only the 
query subtype and not the reply (icmp-type echorep).

Good luck!
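Before touching the pf rules, one check worth running on a box that resolves nothing but pings addresses fine: does the resolver in /etc/resolv.conf, or the gateway in /etc/mygate, point at one of the host's own interface addresses? Unless the host itself runs a name server, a nameserver entry like that cannot answer, and a gateway that is the host's own address cannot forward. The script below is an added example, not from the thread; its inputs are constructed from the values quoted in the post (re0 192.168.1.240, sk0 192.168.0.240, the resolv.conf and mygate shown), and on a real OpenBSD host they would be read from those files and from ifconfig instead.

```shell
#!/bin/sh
# Sanity check: flag a resolv.conf nameserver or a default gateway that is
# one of this host's own addresses. All inputs below are constructed from
# the values quoted in the post, not read from a live system.

# Constructed /etc/resolv.conf contents
RESOLV_CONF='# Generated by re0 dhclient
search xs4non.nl
nameserver 192.168.1.240
lookup file bind'

# Constructed /etc/mygate contents
MYGATE='192.168.1.240'

# Constructed list of the host's own addresses (re0 and sk0 from the post)
LOCAL_ADDRS='192.168.1.240 192.168.0.240'

# nameservers <resolv.conf text>: print each nameserver address on its own line
nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" { print $2 }'
}

# is_local <addr> <space-separated local addrs>: return 0 if addr is local
is_local() {
    for a in $2; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# check_resolver <resolv.conf text> <local addrs>:
# return 0 if every nameserver is remote, 1 if one is the host itself
check_resolver() {
    rc=0
    for ns in $(nameservers "$1"); do
        if is_local "$ns" "$2"; then
            echo "nameserver $ns is one of this host's own addresses"
            rc=1
        fi
    done
    return $rc
}

# check_gateway <gateway> <local addrs>: return 0 unless gateway is the host itself
check_gateway() {
    if is_local "$1" "$2"; then
        echo "default gateway $1 is one of this host's own addresses"
        return 1
    fi
    return 0
}

check_resolver "$RESOLV_CONF" "$LOCAL_ADDRS" || status=1
check_gateway "$MYGATE" "$LOCAL_ADDRS" || status=1
```

With the post's values both checks fire; swap in the modem's address (192.168.1.1) for nameserver and gateway and both pass.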
