On Sat, Jun 25, 2016 at 09:28:16AM +0200, Pau Amaro-Seoane wrote:
> pf is disabled, yes...
> 
> So, then I would have to remove the last line. I need to download and
> upload things, but do not want to allow any remote connection to the
> laptop. I guess this configuration fulfills my needs?

No.  If you remove the rule that blocks all traffic, what will PF do?

1) Ignore lo0 traffic
2) Scrub all other traffic

Nothing else.

Let's look at your six-line rule set in detail:

a. Rules 1 and 2 set the macros $wifi and $wired, which are never used.
b. Rule 3 sets the option to respond to blocked TCP traffic with RST
   and respond with ICMP UNREACHABLE to other blocked traffic.
c. Rule 4 instructs PF to ignore traffic on the loopback interface.
d. Rule 5 requests packet normalization.
e. Rule 6 blocks all traffic, except on the ignored loopback interface,
   and logs them through your pflog(4) interface.

Keep in mind, I can only answer questions based upon the information
you provide.  Based solely on your laptop use-case description, here is
a very simple ruleset:

    block
    pass from self to any

a.  Rule 1 blocks all traffic.
b.  Rule 2 passes all traffic originating on the laptop, going anywhere.

How does PF manage inbound traffic with this?

    Because passed traffic keeps state by default, response packets
    will be passed.  For stateless protocols like UDP or ICMP, state is
    maintained via timers.

    In my previous reply to you, I'd reminded you that in PF, the last
    matching rule wins. When an inbound packet is part of an existing
    state (TCP session, or within a response timeout window), the rule
    set will not be tested and the packet will flow.  When an inbound
    packet is not part of any existing state, PF will test it against
    the rule set and the first rule (block) will be the last one
    which matches.

> 
> Thanks!
> 
> 2016-06-23 19:20 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
> > On 2016-06-23 10:29, Pau Amaro-Seoane wrote:
> >>
> >> Hi... with these pf rules
> >>
> >> wifi=iwn0
> >> wired=em0
> >> set block-policy return
> >> set skip on lo0
> >> match in all scrub
> >> block log all
> >>
> >>  I can ping www.google.com without loss
> >> but no browser opens any URL... do you know what's going on?
> >>
> >> Thanks!
> >>
> >> Pau
> >> _______________________________________________
> >> Openbsd-newbies mailing list
> >> Openbsd-newbies@sfobug.theapt.org
> >> http://mailman.theapt.org/listinfo/openbsd-newbies
> >
> >
> > Hi, Pau.  Last matching rule wins, and your last rule blocks all traffic.
> >
> > The only packets that will pass through PF are those that use the loopback
> > interface lo0.  So either that is not your entire rule set, or PF is
> > disabled.
> >
> > Ping requires the passing of ICMP protocol ECHO packets, while address
> > resolution of www.google.com requires the passing of DNS protocol
> > packets via UDP port 53.
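The behaviour Josh describes (last matching rule wins, a passed packet creates state, a packet that matches existing state never touches the rule set, and stateless protocols rely on timers) can be shown with a small model of the two-line ruleset. The following Python is an added illustration written for this thread, not PF's code: the address 192.0.2.10 standing in for `self`, the peer addresses, and the timeout values are all constructed, and real PF matches on far more fields than this toy does.

```python
"""
Toy model of PF evaluation for the ruleset discussed in the thread:

    block
    pass from self to any

Added illustration, not PF's implementation.  'self' is modelled as a
constructed address set; real PF expands it to every address on the host.
"""
from dataclasses import dataclass

# constructed: the laptop's own address (what PF's 'self' expands to here)
SELF = {"192.0.2.10"}

# state timers in seconds; simplified stand-ins for PF's per-protocol
# timeouts (TCP established sessions live long, UDP/ICMP "state" is a
# short window after the last packet)
TIMEOUT = {"tcp": 86400, "udp": 30, "icmp": 20}


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0  # 0 for ICMP
    dport: int = 0


@dataclass
class Rule:
    action: str             # "block" or "pass"
    src: str = "any"        # "self" or "any"
    dst: str = "any"
    keep_state: bool = True  # pass rules keep state by default in PF

    def matches(self, pkt: Packet) -> bool:
        if self.src == "self" and pkt.src not in SELF:
            return False
        if self.dst == "self" and pkt.dst not in SELF:
            return False
        return True


# the two rules from the reply, in pf.conf order
RULESET = [Rule("block"), Rule("pass", src="self", dst="any")]


class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.states = {}  # state key -> expiry time

    @staticmethod
    def _key(pkt: Packet):
        # order the endpoints so a reply (src/dst swapped) finds the
        # same state entry that the outbound packet created
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto,) + tuple(ends)

    def filter(self, pkt: Packet, now: float) -> str:
        key = self._key(pkt)
        expiry = self.states.get(key)
        if expiry is not None and now < expiry:
            # existing state: the rule set is not consulted at all
            self.states[key] = now + TIMEOUT[pkt.proto]  # refresh timer
            return "pass (state)"
        if expiry is not None:
            del self.states[key]  # timer ran out, state is gone
        # no state: walk the rules, last matching rule wins
        winner = None
        for rule in self.rules:
            if rule.matches(pkt):
                winner = rule
        if winner is None or winner.action == "block":
            return "block"
        if winner.keep_state:
            self.states[key] = now + TIMEOUT[pkt.proto]
        return "pass (rule)"


def demo():
    """Walk four packets through the ruleset and return the verdicts."""
    fw = Firewall(RULESET)
    laptop, dns, peer = "192.0.2.10", "198.51.100.53", "203.0.113.7"  # constructed
    return [
        # outbound DNS query: 'pass from self' is the last match, state created
        fw.filter(Packet("udp", laptop, dns, 40000, 53), now=0),
        # reply one second later: inside the UDP window, passed via state
        fw.filter(Packet("udp", dns, laptop, 53, 40000), now=1),
        # same reply long after the timer expired: no state, 'block' wins
        fw.filter(Packet("udp", dns, laptop, 53, 40000), now=100),
        # unsolicited inbound connection to port 22: no state, 'block' wins
        fw.filter(Packet("tcp", peer, laptop, 51515, 22), now=2),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Note that the rule set in the model is consulted only when no state matches, which is exactly why the single `block` rule is enough to stop unsolicited inbound connections while replies to the laptop's own traffic still get through.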
