There is a typo on the second line of the martians definition (spurious comma and space).

Michael

> On Apr 14, 2024, at 11:09, Karel Lucas <cahlu...@planet.nl> wrote:
>
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help is
> appreciated. So let's start simple and then proceed step by step. I want to
> continue with ping so that I can test the connection to the internet. This
> works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS servers
> on the internet. The PF ruleset needs to be adjusted for this, but it is
> still not clear to me how to do that. What else do I need to get ping to work
> correctly? To get started simply, I created a new pf.conf file, see below.
>
>
> /etc/pf.conf:
>
> ext_if = igc0                   # The interface to the outside world
> int_if = "{ igc1, igc2 }"       # The interfaces to the private hosts
> localnet = "192.168.2.0/24"     # Hosts on the screened LAN
>
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
>                 446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>               10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
>               0.0.0.0/8, 240.0.0.0/4 }"
>
> # Options:
> set block-policy return
>
> set skip on lo
>
> block log all                   # block stateless traffic
>
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
>
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
>
> # Letting ping through:
> pass log on inet proto icmp icmp-type $icmp_types
> pass log on inet6 proto icmp6 icmp6-type $icmp6_types
>
> pass out all
>
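The typo Michael points out is the kind of defect a quick macro check catches before the ruleset is loaded: "169.254, 0.0/16" splits into two list entries, neither of which is a network, so the block rule silently covers less than intended. The script below is an added example, not code from either poster and not part of OpenBSD or pf. It assumes only pf.conf macro syntax (`name = "{ a, b, ... }"` with backslash continuations and `#` comments) and validates each entry of an address-list macro with Python's `ipaddress` module; the embedded config is a constructed excerpt of the ruleset quoted above, typo included. It does not parse rules, only macro definitions.

```python
import ipaddress
import re

# Constructed excerpt of the quoted /etc/pf.conf, keeping the martians typo
# ("169.254, 0.0/16" where "169.254.0.0/16" was intended).
PF_CONF = r'''
ext_if = igc0                   # The interface to the outside world
localnet = "192.168.2.0/24"     # Hosts on the screened LAN
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
'''

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*(.*)$')


def join_continuations(text):
    """Return logical lines: comments stripped, backslash-continued lines joined."""
    logical, buf = [], ''
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop trailing comment
        if line.endswith('\\'):
            buf += line[:-1] + ' '
            continue
        buf += line
        if buf.strip():
            logical.append(buf)
        buf = ''
    if buf.strip():
        logical.append(buf)
    return logical


def parse_macros(text):
    """Map macro name -> list of values; braces lists are split on commas."""
    macros = {}
    for line in join_continuations(text):
        m = MACRO_RE.match(line)
        if not m:
            continue
        name, value = m.groups()
        value = value.strip().strip('"')
        if value.startswith('{') and value.endswith('}'):
            items = [v.strip() for v in value[1:-1].split(',')]
        else:
            items = [value]
        macros[name] = [i for i in items if i]
    return macros


def check_networks(items):
    """Split entries into (valid CIDRs, invalid entries); hosts get a /32 or /128."""
    valid, invalid = [], []
    for item in items:
        try:
            valid.append(str(ipaddress.ip_network(item, strict=False)))
        except ValueError:
            invalid.append(item)
    return valid, invalid


def lint_address_macro(text, name):
    """Return the invalid entries of one macro so a caller can fail fast on them."""
    macros = parse_macros(text)
    _, invalid = check_networks(macros.get(name, []))
    return invalid


if __name__ == '__main__':
    for macro in ('localnet', 'nameservers', 'martians'):
        bad = lint_address_macro(PF_CONF, macro)
        status = 'ok' if not bad else 'invalid entries: ' + ', '.join(bad)
        print(f'{macro}: {status}')
```

Run against the excerpt it reports `martians: invalid entries: 169.254, 0.0/16`, which is exactly the spurious comma-and-space split; with the corrected `169.254.0.0/16` the list passes. A check like this belongs next to `pfctl -nf /etc/pf.conf` in whatever script deploys the ruleset, because pfctl accepts the macro as written and only the narrower block coverage reveals the mistake.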