Hello,
I'm currently connecting to the internet via a soekris box and kernel pppoe.
The soekris box runs:
OpenBSD 4.0-current (GENERIC) #1303: Wed Dec 20 19:13:07 MST 2006
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
I configured ntpd on the soekris box to sync the time, but the traffic is
blocked and I do not understand why.
Here is the log of the blocked ntp traffic (my external pppoe0 address is
158.64.137.18):
rule 3/(match) block out on pppoe0: 158.64.137.18.25043 > 217.20.119.125.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
rule 3/(match) block out on pppoe0: 158.64.137.18.35174 > 213.133.123.125.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
rule 3/(match) block out on pppoe0: 158.64.137.18.5537 > 212.112.228.242.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
I have the following rule (the entire pf.conf is below):
pass out quick on $ext_if inet proto udp from ($ext_if) to any \
keep state
Shouldn't this rule allow the ntp traffic to pass through?
I would really appreciate some help to understand what my problem is.
Kind regards
Didier
Here is my pf.conf:
int_if="sis0"
ext_if="pppoe0"
wifi_if="sis1"
localnet="172.16.43.0/24"
wifinet="192.168.0.0/24"
icmp_types="echoreq"
# TABLES SECTION #
table <bad_hosts_ssh> persist
table <hostile> persist
table <wifi>
# OPTIONS SECTION #
set block-policy drop
set loginterface $ext_if
set skip on { lo0 }
# SCRUBBING SECTION #
scrub out on $ext_if max-mss 1440
# NAT SECTION #
nat-anchor "ftp-proxy/*"
nat on $ext_if from {$localnet,$wifinet} to any -> ($ext_if)
# REDIRECT #
rdr on $int_if proto tcp from !$ext_if to {!$localnet,$wifinet} port ftp \
-> 127.0.0.1 port 8021
rdr on $int_if proto tcp from $localnet to $int_if port ssh \
-> $int_if port 8022
rdr on $wifi_if proto tcp from $wifi_if:network to $wifi_if port ssh \
-> $wifi_if port 8022
rdr-anchor "ftp-proxy/*"
rdr-anchor "authpf/*"
rdr-anchor emule
rdr-anchor torrent
### LOCALHOST OK ####
block quick from <bad_hosts_ssh>
block quick from <hostile>
block quick inet6 all
block log (all) all
pass on $ext_if inet proto icmp icmp-type $icmp_types keep state
pass quick on $int_if all
### WIRELESS LAN ###
pass in quick on $wifi_if inet proto tcp from $wifi_if:network\
to $wifi_if port 8022 keep state
pass in on $wifi_if inet from <wifi> to any keep state
pass out on $wifi_if inet from $int_if:network to $wifi_if:network keep state
#### EXTERNAL INTERFACE ####
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
modulate state
pass out quick on $ext_if inet proto udp from ($ext_if) to any \
keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
port > 1023 user proxy modulate state label ftpproxy
pass in quick inet proto tcp from <friends> to $ext_if \
port ssh modulate state
pass in quick inet proto tcp from any to $ext_if \
port ssh modulate state (max-src-conn-rate 4/120, \
overload <bad_hosts_ssh> flush global)
anchor emule
anchor torrent
anchor "authpf/*"
anchor "ftp-proxy/*"
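Added here as an example, not part of Didier's post: a small Python script that reads the pflog entries above against the pf.conf the way pf numbers its rules. The "rule N" in a pflog entry is the zero-based index of the matching rule in the loaded filter ruleset (the @N shown by pfctl -vvsr), counted over pass/block/anchor rules only, so in this ruleset rule 3 is the catch-all "block log (all) all"; the script joins continuation lines, numbers the filter rules, expands { } lists the way pfctl does, and maps each logged packet to the rule text. The pf.conf excerpt and log lines are constructed from the post.

```python
import re
# Constructed sample input from the post: the filter-relevant pf.conf lines
# (one with a backslash continuation) and two of the logged blocks.
PF_CONF = r"""set block-policy drop
nat on $ext_if from {$localnet,$wifinet} to any -> ($ext_if)
block quick from <bad_hosts_ssh>
block quick from <hostile>
block quick inet6 all
block log (all) all
pass on $ext_if inet proto icmp icmp-type $icmp_types keep state
pass out quick on $ext_if inet proto udp from ($ext_if) to any \
    keep state
"""
PFLOG = """\
rule 3/(match) block out on pppoe0: 158.64.137.18.25043 > 217.20.119.125.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
rule 3/(match) block out on pppoe0: 158.64.137.18.35174 > 213.133.123.125.123: v4 client strat 0 poll 0 prec 0 [tos 0x10]
"""
FILTER_RULE = re.compile(r"^(pass|block|anchor)\b")  # what pfctl -sr numbers from 0

def filter_rules(conf):
    """Filter rules in load order, indexed like pflog's 'rule N'. Continuations
    are joined, comments dropped, non-filter lines (macros, tables, options,
    scrub, nat/rdr, nat-/rdr-anchor) skipped; a {a, b} list counts once per item."""
    joined = re.sub(r"\s*\\\n\s*", " ", conf)
    rules = []
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not FILTER_RULE.match(line):
            continue
        n = 1
        for group in re.findall(r"\{([^}]*)\}", line):
            n *= len([x for x in re.split(r"[,\s]+", group.strip()) if x])
        rules.extend([line] * n)
    return rules

LOG_LINE = re.compile(
    r"rule (?P<num>\d+)/\(match\) (?P<action>\w+) (?P<dir>in|out) on (?P<ifc>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

def explain(pflog, conf):
    """Map each pflog 'rule N/(match)' entry to (N, rule text, src, dst)."""
    rules = filter_rules(conf)
    hits = []
    for line in pflog.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # state-table hits and other lines carry no rule number
        num = int(m["num"])
        text = rules[num] if num < len(rules) else "<no such rule; ruleset changed?>"
        hits.append((num, text, f"{m['src']}:{m['sport']}", f"{m['dst']}:{m['dport']}"))
    return hits
```

Run explain(PFLOG, PF_CONF) against your own tcpdump -n -e -ttt -i pflog0 output and the full pf.conf to see which rule each blocked packet actually ended on before guessing which pass rule should have matched.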