On Thu, Apr 11, 2024 at 07:45:18PM +0200, Karel Lucas wrote:
> The typos have been fixed, and PF's ruleset will be put under a magnifying
> glass.

This is a bit of a personal preference, but (assuming you trust any
traffic generated on the firewall itself), I find it helpful to 
start the ruleset with a simple:

    block log in
    pass out

and then filter what comes _in_ (either via $ext_if or $int_ifs) by
adding "pass in ... on ... " rules.

> Op 11-04-2024 om 10:34 schreef Zé Loff:
> > On Wed, Apr 10, 2024 at 11:53:47PM +0200, Karel Lucas wrote:
> > > Hi all,
> > > 
> > > With the new firewall I am setting up I cannot connect to the internet.
> > > That starts with traceroute, so let's start there. Ping works fine.
> > > Below I have listed my pf.conf file.
> > > 
> > > /etc/pf.conf:
> > > 
> > > ext_if = igc0                 # Extern interface
> > > int_if = "{ igc1, igc2 }"     # Intern interfaces
> > > localnet = "192.168.2.0/24"
> > > tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> > > udp_services = "{ domain, ntp }"
> > > email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> > > icmp_types = "{ echoreq, unreach }"
> > > icmp6_types = "{ echoreq, unreach }"
> > > nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> > > client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
> > >                        446, cvspserver, 2628, 5999, 8000, 8080 }"
> > > Martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
> > >                      10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
> > >                      0.0.0.0/8, 240.0.0.0/4 }"
> > > 
> > > set skip on lo
> > > # By default, do not permit remote connections to X11
> > > block return in on ! lo0 proto tcp to port 6000:6010
> > > 
> > > block log all                # block stateless traffic
> > > 
> > > block in quick on $ext_if from $martians to any
> > > block out quick on $ext_if from any to $martians
> > > 
> > > # Letting ping through:
> > > pass log on inet proto icmp icmp-type $icmp_types
> > > pass log on inet6 proto icmp6 icmp6-type $icmp6_types
> > > 
> > > # Allow out the default range for traceroute(*):
> > > # "base+nhops*nqueries-1" (3434+64*3-1)
> > > pass log out on egress inet proto udp to port 33433:33626 # for IPv4
> > > pass log out on egress inet6 proto udp to port 33433:33626 # for IPv6
> > > 
> > > pass log quick on $ext_if inet proto {tcp, udp} from $localnet \
> > >          to port $udp_services
> > > pass log on $ext_if inet proto icmp all icmp-type $icmp_types
> > > pass log on $ext_if inet proto tcp from $localnet to port $client_out
> > > pass log out proto tcp to port $tcp_services   # establish keep-stat
> > > pass log log proto udp to port $udp_services   # Establish keep-state
> > If I read this correctly, you are not allowing any "in" traffic, except
> > for the two "Letting ping through lines", which are just for ICMP, and
> > on the first two rules on the last part ("...$icmp_types"  and
> > "...$client_out").  I am assuming "log log" on the last rule is a typo,
> > and it is actually "log out".
> 

-- 
 

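Added example, not from any of the posters: a minimal pf.conf skeleton that follows the "block log in / pass out, then open what comes in" approach suggested above. Interface names, the LAN prefix and the ICMP types are taken from the quoted ruleset; the NAT rule and the antispoof line are assumptions about a typical two-interface home gateway and are not part of the thread.

```pf
# Added example skeleton (not the poster's pf.conf). Interface names and the
# LAN prefix are taken from the quoted config; NAT and antispoof are assumed.
ext_if = "igc0"
int_if = "{ igc1, igc2 }"
localnet = "192.168.2.0/24"
icmp_types = "{ echoreq, unreach }"

set skip on lo

# Normalise fragments and drop packets whose source address does not belong
# on the interface they arrive on.
match in all scrub (no-df)
antispoof quick for { $ext_if $int_if }

# Hide the LAN behind the external address (assumes net.inet.ip.forwarding=1).
match out on egress inet from $localnet to any nat-to ($ext_if)

# Default policy: nothing comes in unless a later rule says so. Everything
# leaving is allowed and creates state, so replies come back through that
# state; pf also matches ICMP errors (e.g. the TTL-exceeded messages that
# traceroute relies on) to the state of the packet they refer to, so no
# separate inbound ICMP rule is needed for the firewall's own traceroute.
block log in
pass out

# LAN clients may reach the firewall itself and, via the pass out rule above,
# the Internet.
pass in on $int_if from $localnet

# Let the outside ping the firewall; everything else on $ext_if stays blocked
# and logged by the default rule.
pass in on $ext_if inet proto icmp icmp-type $icmp_types
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and, because the default rule carries `log`, watch what is being dropped with `tcpdump -n -e -ttt -i pflog0` while reproducing the failing connection; each logged line names the rule number that matched, which `pfctl -sr` maps back to the ruleset.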