Hi,
With pfctl -vf I get this, see file attached. I have made three small
changes by now due to input from Mikael, see receiver.

1. I changed the second match, nat, rule to be from 192.168.137.0/24
instead of from !(egress:network). I also added a third match
rule to cover 192.169.138.0/24, that is DMZ.

2. I added (egress) instead of any in the last rule to narrow down the
port forwarding to DMZ.

3. I added the antispoof line from the OpenBSD building
a router guide for all network adapters.

All these changes are included in the new printout from
pfctl -vf

Regards
Magnus

2017-10-21 19:15 GMT+02:00 edgar <ed...@pettijohn-web.com>:
> Try:
>
> # pfctl -vf /etc/pf.conf
>
> This will load the ruleset as well as print out what the rules translate to.
> It will also show errors if there are any.
>
> Post what the rules translate to. I think it will be easier to read.
>
>
> On Oct 21, 2017 at 8:19 AM, <Magnus Andersson> wrote:
>
> Hi,
> Thanks for answering and taking your time for my problem.
> A friend recommended that I ask the mailing list about my problem.
> I'm sorry if my question is too uninformed.
>
> After a little research I now
> know what you mean by dmesg, debug and systat. Here is my dmesg
> printout. I do not know how to debug the problem and I tried to print
> systat even if I do not know if that can help anyone to understand my
> problem. Systat looks like some sort of live printout function.
>
> The question regards just the rules in my pf.conf, are there any obvious
> misunderstandings there on my part to a more trained eye? Are for
> example the wrong addresses forbidden in the list of forbidden addresses
> in the beginning of the file, or have I lost an important line of code?
>
> I tried to follow the guide on setting up a router from the OpenBSD.org
> homepage. My OpenBSD version is 6.1.
>
> Regards
> Magnus Andersson
>
> 2017-10-21 13:05 GMT+02:00 Karel Gardas :
>> Include also dmesg and try to debug this issue more with systat(1)
>> tool at least.
>>
>>>> Hi,
>>>> I think something must be wrong in my pf.conf file but I can't see
>>>> where.
>>>> I am using OpenBSD as a router with a LAN and a DMZ zone behind it.
>>>> What is wrong is not something sad and simple, I think, like a wrong
>>>> IP address or something. The setup works in that I have internet in one
>>>> network and both internet and remote access in the DMZ zone. But the
>>>> setup is unreliable.
>
>
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 
172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 192.168.0.0/16 
198.18.0.0/15 198.51.100.0/24 203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on { lo0 }
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from 192.168.137.0/24 to any nat-to (egress:0) round-robin
match out on egress inet from 192.168.138.0/24 to any nat-to (egress:0) round-robin
block drop in quick on ! egress inet from 83.253.232.0/21 to any
block drop in quick inet from 83.253.234.195 to any
block drop in quick on ! em1 inet from 192.168.137.0/24 to any
block drop in quick inet from 192.168.137.1 to any
block drop in quick on ! em2 inet from 192.168.138.0/24 to any
block drop in quick inet from 192.168.138.1 to any
block drop in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block drop all
pass out quick inet all flags S/SA
pass in on em1 inet all flags S/SA
pass in on em2 inet all flags S/SA
block drop in on em1 inet from any to 192.168.138.1
block drop in on em2 inet from any to 192.168.137.1
pass in on egress inet proto tcp from any to (egress) port = 443 flags S/SA rdr-to 192.168.138.13 port 32400
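To see which of the printed rules actually decides a packet, here is an added example (not from the thread or from pf itself): a small Python model of pf's evaluation order, last matching rule wins unless a matching rule is quick, run over the filter rules from the printout above (the match/nat-to rules are left out). It assumes egress is em0 with the address the antispoof expansion shows; the sample packets are constructed.

```python
import ipaddress

EGRESS, EGRESS_ADDR = "em0", "83.253.234.195"  # constructed assumption: egress is em0, address from the antispoof rules
TABLES = {"martians": ["0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24",
                       "192.0.2.0/24", "224.0.0.0/3", "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24"]}
RULESET = """\
block drop in quick on ! egress inet from 83.253.232.0/21 to any
block drop in quick inet from 83.253.234.195 to any
block drop in quick on ! em1 inet from 192.168.137.0/24 to any
block drop in quick inet from 192.168.137.1 to any
block drop in quick on ! em2 inet from 192.168.138.0/24 to any
block drop in quick inet from 192.168.138.1 to any
block drop in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block drop all
pass out quick inet all flags S/SA
pass in on em1 inet all flags S/SA
pass in on em2 inet all flags S/SA
block drop in on em1 inet from any to 192.168.138.1
block drop in on em2 inet from any to 192.168.137.1
pass in on egress inet proto tcp from any to (egress) port = 443 flags S/SA rdr-to 192.168.138.13 port 32400
"""

def parse(line):  # the subset of expanded pf filter syntax that appears in the printout
    t = line.split()
    r = dict(action=t[0], dir=None, quick="quick" in t, on=None, neg=False,
             proto=None, src="any", dst="any", dport=None, rdr=None)
    for i, w in enumerate(t):
        if w in ("in", "out"): r["dir"] = w
        elif w == "on": r["neg"], r["on"] = t[i + 1] == "!", t[i + 2] if t[i + 1] == "!" else t[i + 1]
        elif w in ("proto", "from", "to"): r[{"proto": "proto", "from": "src", "to": "dst"}[w]] = t[i + 1]
        elif w == "port" and t[i + 1] == "=": r["dport"] = int(t[i + 2])
        elif w == "rdr-to": r["rdr"] = "%s:%s" % (t[i + 1], t[i + 3])  # rdr-to ADDR port N
    return r

def addr_match(spec, ip):  # 'any', '(egress)', '<table>' or an address/prefix
    if spec in ("any", "(egress)"): return spec == "any" or ip == EGRESS_ADDR
    nets = TABLES[spec[1:-1]] if spec.startswith("<") else [spec]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n, strict=False) for n in nets)

RULES = [parse(l) for l in RULESET.splitlines()]

def evaluate(pkt, rules=RULES):  # pf: the LAST matching rule wins, unless a matching rule is 'quick'
    winner = None
    for r in rules:
        iface = EGRESS if r["on"] == "egress" else r["on"]
        if (r["dir"] in (None, pkt["dir"]) and r["proto"] in (None, pkt["proto"])
                and (not iface or (pkt["iface"] == iface) != r["neg"])
                and r["dport"] in (None, pkt.get("dport"))
                and addr_match(r["src"], pkt["src"]) and addr_match(r["dst"], pkt["dst"])):
            winner = r
            if r["quick"]: break
    return (winner["action"], winner["rdr"]) if winner else ("block", None)
```

Feeding it a LAN client, a packet on em1 that claims a DMZ source address, the inbound port forward, and a packet from a <martians> source shows that the antispoof and martians rules win because they are quick, while the LAN-to-DMZ-gateway block wins only because it comes after the pass rule.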