On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
> Hi all,
>
> With the new firewall I am setting up I cannot connect to the internet. That
> starts with traceroute, so let's start there. Ping works fine. Below I have
> listed my pf.conf file.
>
> /etc/pf.conf:
>
> ext_if = igc0 # Extern interface
> int_if = "{ igc1, igc2 }" # Intern interfaces
> localnet = "192.168.2.0/24"
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
> 446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> 10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
> 0.0.0.0/8, 240.0.0.0/4 }"
>
> set skip on lo
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> block log all # block stateless traffic
>
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
>
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
> # Allow out the default range for traceroute(*):
> # "base+nhops*nqueries-1" (3434+64*3-1)
> pass log out on egress inet proto udp to port 33433:33626 # for IPv4
> pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6
>
> pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
> to port $udp_services
> pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> pass log on $ext_if inet proto tcp from $localnet to port $client_out
> pass log out proto tcp to port $tcp_services # establish keep-stat
> pass log log proto udp to port $udp_services # Establish keep-state
If I read this correctly, you are not allowing any "in" traffic, except
for the two "Letting ping through lines", which are just for ICMP, and
on the first two rules on the last part ("...$icmp_types" and
"...$client_out"). I am assuming "log log" on the last rule is a typo,
and it is actually "log out".
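To make the point about the missing "in" rules concrete, here is a stripped-down ruleset that keeps the same macros and the default-deny block, but adds the rule that lets LAN traffic enter the firewall on the inside interfaces. This is an added illustration, not the original poster's file and not an official OpenBSD example; the NAT `match` line, the interface names and the assumption that 192.168.2.0/24 sits behind igc1/igc2 are all assumptions made for the example.

```conf
# Added example ruleset (assumed interfaces and LAN; not from the original post).
ext_if = "igc0"                  # outside interface (assumed)
int_if = "{ igc1, igc2 }"        # inside interfaces (assumed)
localnet = "192.168.2.0/24"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
# Macro names are case-sensitive: define and reference with the same spelling.
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
              169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

set skip on lo

# Default deny, logged, so anything not explicitly passed shows up on pflog0.
block log all

# Drop bogon sources and destinations on the outside interface only.
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Assumed here: the LAN shares the outside address (not in the original post).
match out on $ext_if inet from $localnet to any nat-to ($ext_if)

# The rule the posted file lacks: accept LAN traffic arriving on the inside
# interfaces. Stateful filtering (the default "keep state") admits the replies,
# so no matching "pass in on $ext_if" rule is needed for return traffic.
pass in on $int_if inet from $localnet to any

# Let the firewall itself and the translated LAN traffic leave.
pass out on $ext_if inet

# ICMP for ping and for unreachable / path-MTU messages, both directions.
pass inet proto icmp icmp-type $icmp_types
pass inet6 proto icmp6 icmp6-type $icmp6_types
```

Before loading, check the file with `pfctl -nf /etc/pf.conf`: it parses without changing the running ruleset, and it rejects a file whose rules reference a macro that was never defined, which is exactly what a `Martians` definition combined with `$martians` references would trigger. With `block log all` in place, `tcpdump -n -e -ttt -i pflog0` shows which rule dropped a packet, so a traceroute that still fails can be traced to the specific direction and interface that lacks a pass rule.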