On 14-04-2024 at 21:57, Jens Kaiser wrote:
Hello Karel,
if you want to start simply, then I would recommend removing all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loaded at all.
These have now been resolved, see below.
Also correct the syntax errors in the rules "Letting ping through". The
key word "on" without an interface name, group or the keyword any looks
incorrect. Give it a parameter or remove it.
As far as I can see there are no errors in the ping rules. The key words
"on", "group" or "any" do not appear there. Moreover, I have copied
these rules, except for the keyword "log", exactly from Peter Hansteen's
book (The Book of PF), just like the rules for the martians.
Please check your current running configuration with
> pfctl -sr
It prints out all currently active rules. If something behaves too
weird, it can help to prove that the ruleset in /etc/pf.conf is the same
as we assume to be active in the kernel. Because of the syntax errors I
would guess that this is not true in your case.
After correcting some errors, I reloaded pf.conf and found no errors.
Here I give the output of pfctl -sr:
match in all scrub (no-df max-mss 1440)
block return in all
block return in quick on igc0 inet from any to <__automatic_628bc734_1>
pass log inet proto icmp all icmp-type echoreq
pass log inet proto icmp all icmp-type echorep
pass log inet proto icmp all icmp-type unreach
pass log inet6 proto ipv6-icmp all icmp6-type echoreq
pass log inet6 proto ipv6-icmp all icmp6-type echorep
pass log inet6 proto ipv6-icmp all icmp6-type unreach
pass out all flags S/SA
/etc/pf.conf:
ext_if = igc0 # The interface to the outside world
int_if = "{ igc1, igc2 }" # The interfaces to the private hosts
# localnet = "192.168.2.0/24" # Hosts on the screened LAN
# tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
# udp_services = "{ domain, ntp }"
# email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, echorep, unreach }"
icmp6_types = "{ echoreq, echorep, unreach }"
# nameservers = "{ 195.121.1.34, 195.121.1.66 }"
# client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
0.0.0.0/8, 240.0.0.0/4 }"
# Options:
set block-policy return
set skip on lo
# Normalize packets:
match in all scrub ( no-df max-mss 1440 )
block in all # block stateless traffic
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians
# Letting ping through:
pass log inet proto icmp icmp-type $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types
pass out all
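Jens's first suggestion was to drop every macro that no rule references. The following shell function, an added example and not something from the thread or from the PF documentation, lists such macros for a given pf.conf; it assumes a POSIX sh with awk, sed and grep, and runs on a constructed sample modelled on Karel's ruleset.

```shell
#!/bin/sh
# Added example (not from the thread): print the macros a pf.conf defines
# but never references as $name. Commented-out definitions are ignored.

unreferenced_macros() {
    conf="$1"
    # Definitions: an identifier at line start followed by '='.
    awk '/^[A-Za-z_][A-Za-z0-9_]*[ \t]*=/ { sub(/[ \t]*=.*/, ""); print }' "$conf" |
    while read -r name; do
        # Referenced if $name occurs outside a comment, not followed by
        # another identifier character (so $int_if does not match $int_if2).
        if ! sed 's/#.*//' "$conf" | grep -Eq "\\\$${name}([^A-Za-z0-9_]|\$)"; then
            echo "$name"
        fi
    done
}

# Constructed sample: int_if is defined but no rule uses it.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
ext_if = igc0 # The interface to the outside world
int_if = "{ igc1, igc2 }"
# localnet = "192.168.2.0/24"
icmp_types = "{ echoreq, echorep, unreach }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16 }"
block in quick on $ext_if from $martians to any
pass log inet proto icmp icmp-type $icmp_types
EOF

unreferenced_macros "$SAMPLE"   # prints: int_if
```

A macro the check reports can be deleted or commented out before the next `pfctl -nf /etc/pf.conf` syntax test.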