Hi Josh:
Apologies for the long delay. This was about my pf.conf blocking all
traffic. You asked me to post the ifconfig and dmesg. Here you are
both. I will get into point 3 of your list in a moment (not months
this time!)
Thanks
DMESG:
=======
OpenBSD 6.0 (GENERIC.MP) #2319: Tue Jul 26 13:00:43 MDT 2016
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP
real mem = 8451125248 (8059MB)
avail mem = 8190525440 (7811MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.6 @ 0xdae9c000 (68 entries)
bios0: vendor LENOVO version "8DET56WW (1.26 )" date 12/01/2011
bios0: LENOVO 42914BG
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP SLIC SSDT SSDT SSDT HPET APIC MCFG ECDT ASF!
TCPA SSDT SSDT DMAR UEFI UEFI UEFI
acpi0: wakeup devices LID_(S3) SLPB(S3) IGBE(S4) EXP4(S4) EXP7(S4)
EHC1(S3) EHC2(S3) HDEF(S4)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpihpet0 at acpi0: 14318179 Hz
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz, 2791.35 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu0: 256KB 64b/line 8-way L2 cache
cpu0: smt 0, core 0, package 0
mtrr: Pentium Pro MTRR support, 10 var ranges, 88 fixed ranges
cpu0: apic clock running at 99MHz
cpu0: mwait min=64, max=64, C-substates=0.2.1.1.2, IBE
cpu1 at mainbus0: apid 1 (application processor)
cpu1: Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz, 2790.94 MHz
cpu1:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu1: 256KB 64b/line 8-way L2 cache
cpu1: smt 1, core 0, package 0
cpu2 at mainbus0: apid 2 (application processor)
cpu2: Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz, 2790.94 MHz
cpu2:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu2: 256KB 64b/line 8-way L2 cache
cpu2: smt 0, core 1, package 0
cpu3 at mainbus0: apid 3 (application processor)
cpu3: Intel(R) Core(TM) i7-2640M CPU @ 2.80GHz, 2790.94 MHz
cpu3:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,PBE,SSE3,PCLMUL,DTES64,MWAIT,DS-CPL,VMX,SMX,EST,TM2,SSSE3,CX16,xTPR,PDCM,PCID,SSE4.1,SSE4.2,x2APIC,POPCNT,DEADLINE,AES,XSAVE,AVX,NXE,LONG,LAHF,PERF,ITSC,SENSOR,ARAT
cpu3: 256KB 64b/line 8-way L2 cache
cpu3: smt 1, core 1, package 0
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 20, 24 pins
acpimcfg0 at acpi0 addr 0xf8000000, bus 0-63
acpiec0 at acpi0
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus -1 (PEG_)
acpiprt2 at acpi0: bus 2 (EXP1)
acpiprt3 at acpi0: bus 3 (EXP2)
acpiprt4 at acpi0: bus 5 (EXP4)
acpiprt5 at acpi0: bus 13 (EXP5)
acpiprt6 at acpi0: bus 14 (EXP7)
acpicpu0 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpicpu1 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpicpu2 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpicpu3 at acpi0: C3(350@104 io@0x415), C1(1000@1 halt), PSS
acpipwrres0 at acpi0: PUBS, resource for EHC1, EHC2
acpitz0 at acpi0: critical temperature is 99 degC
acpibtn0 at acpi0: LID_
acpibtn1 at acpi0: SLPB
"PNP0303" at acpi0 not configured
"LEN0020" at acpi0 not configured
"SMO1200" at acpi0 not configured
acpibat0 at acpi0: BAT0 model "42T4940" serial 5421 type LION oem "SANYO"
acpiac0 at acpi0: AC unit online
acpithinkpad0 at acpi0
"PNP0C14" at acpi0 not configured
"PNP0C14" at acpi0 not configured
acpidock0 at acpi0: GDCK not docked (0)
acpivideo0 at acpi0: VID_
acpivout at acpivideo0 not configured
acpivideo1 at acpi0: VID_
cpu0: Enhanced SpeedStep 2791 MHz: speeds: 2801, 2800, 2600, 2400,
2200, 2000, 1800, 1600, 1400, 1200, 1000, 800 MHz
pci0 at mainbus0 bus 0
pchb0 at pci0 dev 0 function 0 "Intel Core 2G Host" rev 0x09
inteldrm0 at pci0 dev 2 function 0 "Intel HD Graphics 3000" rev 0x09
drm0 at inteldrm0
inteldrm0: msi
inteldrm0: 1366x768
wsdisplay0 at inteldrm0 mux 1: console (std, vt100 emulation)
wsdisplay0: screen 1-5 added (std, vt100 emulation)
"Intel 6 Series MEI" rev 0x04 at pci0 dev 22 function 0 not configured
puc0 at pci0 dev 22 function 3 "Intel 6 Series KT" rev 0x04: ports: 1 com
com4 at puc0 port 0 apic 2 int 19: ns16550a, 16 byte fifo
com4: probed fifo depth: 0 bytes
em0 at pci0 dev 25 function 0 "Intel 82579LM" rev 0x04: msi, address
f0:de:f1:d0:be:97
ehci0 at pci0 dev 26 function 0 "Intel 6 Series USB" rev 0x04: apic 2 int 16
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
azalia0 at pci0 dev 27 function 0 "Intel 6 Series HD Audio" rev 0x04: msi
azalia0: codecs: Conexant CX20590, Intel/0x2805, using Conexant CX20590
audio0 at azalia0
ppb0 at pci0 dev 28 function 0 "Intel 6 Series PCIE" rev 0xb4: msi
pci1 at ppb0 bus 2
ppb1 at pci0 dev 28 function 1 "Intel 6 Series PCIE" rev 0xb4: msi
pci2 at ppb1 bus 3
iwn0 at pci2 dev 0 function 0 "Intel Centrino Advanced-N 6205" rev
0x34: msi, MIMO 2T2R, MoW, address 10:0b:a9:74:df:54
ppb2 at pci0 dev 28 function 3 "Intel 6 Series PCIE" rev 0xb4: msi
pci3 at ppb2 bus 5
ppb3 at pci0 dev 28 function 4 "Intel 6 Series PCIE" rev 0xb4: msi
pci4 at ppb3 bus 13
sdhc0 at pci4 dev 0 function 0 "Ricoh 5U822 SD/MMC" rev 0x07: apic 2 int 16
sdhc0: SDHC 3.0, 50 MHz base clock
sdmmc0 at sdhc0: 4-bit, sd high-speed, mmc high-speed, dma
ppb4 at pci0 dev 28 function 6 "Intel 6 Series PCIE" rev 0xb4: msi
pci5 at ppb4 bus 14
xhci0 at pci5 dev 0 function 0 "NEC xHCI" rev 0x04: msi
usb1 at xhci0: USB revision 3.0
uhub1 at usb1 "NEC xHCI root hub" rev 3.00/1.00 addr 1
ehci1 at pci0 dev 29 function 0 "Intel 6 Series USB" rev 0x04: apic 2 int 23
usb2 at ehci1: USB revision 2.0
uhub2 at usb2 "Intel EHCI root hub" rev 2.00/1.00 addr 1
pcib0 at pci0 dev 31 function 0 "Intel QM67 LPC" rev 0x04
ahci0 at pci0 dev 31 function 2 "Intel 6 Series AHCI" rev 0x04: msi, AHCI 1.3
ahci0: port 0: 6.0Gb/s
scsibus1 at ahci0: 32 targets
sd0 at scsibus1 targ 0 lun 0: <ATA, C400-MTFDDAK256M, 05TD> SCSI3
0/direct fixed naa.500a0751033ff239
sd0: 244198MB, 512 bytes/sector, 500118192 sectors, thin
ichiic0 at pci0 dev 31 function 3 "Intel 6 Series SMBus" rev 0x04: apic 2 int 18
iic0 at ichiic0
spdmem0 at iic0 addr 0x50: 4GB DDR3 SDRAM PC3-8500 SO-DIMM
spdmem1 at iic0 addr 0x51: 4GB DDR3 SDRAM PC3-8500 SO-DIMM
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5 irq 1 irq 12
pckbd0 at pckbc0 (kbd slot)
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pms0 at pckbc0 (aux slot)
wsmouse0 at pms0 mux 0
wsmouse1 at pms0 mux 0
pms0: Synaptics clickpad, firmware 8.0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
aps0 at isa0 port 0x1600/31
uhub3 at uhub0 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
ugen0 at uhub3 port 3 "UPEK Biometric Coprocessor" rev 1.01/0.02 addr 3
uvideo0 at uhub3 port 6 configuration 1 interface 0 "Chicony
Electronics Co., Ltd. Integrated Camera" rev 2.00/8.54 addr 4
video0 at uvideo0
uhub4 at uhub2 port 1 "Intel Rate Matching Hub" rev 2.00/0.00 addr 2
umodem0 at uhub4 port 4 configuration 1 interface 1 "Lenovo F5521gw"
rev 2.00/0.00 addr 3
umodem0: data interface 2, has CM over data, has break
umodem0: status change notification available
ucom0 at umodem0
umodem1 at uhub4 port 4 configuration 1 interface 3 "Lenovo F5521gw"
rev 2.00/0.00 addr 3
umodem1: data interface 4, has CM over data, has break
umodem1: status change notification available
ucom1 at umodem1
umodem2 at uhub4 port 4 configuration 1 interface 9 "Lenovo F5521gw"
rev 2.00/0.00 addr 3
umodem2: data interface 10, has CM over data, has break
umodem2: status change notification available
ucom2 at umodem2
ugen1 at uhub4 port 4 configuration 1 "Lenovo F5521gw" rev 2.00/0.00 addr 3
vscsi0 at root
scsibus2 at vscsi0: 256 targets
softraid0 at root
scsibus3 at softraid0: 256 targets
root on sd0a (df31d27ca420f865.a) swap on sd0b dump on sd0b
sd1 at scsibus3 targ 1 lun 0: <OPENBSD, SR CRYPTO, 006> SCSI2 0/direct fixed
sd1: 222688MB, 512 bytes/sector, 456066736 sectors
IFCONFIG:
=========
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
index 4 priority 0 llprio 3
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
em0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> mtu 1500
lladdr f0:de:f1:d0:be:97
index 1 priority 0 llprio 3
media: Ethernet autoselect (none)
status: no carrier
iwn0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 10:0b:a9:74:df:54
index 2 priority 4 llprio 3
groups: wlan egress
media: IEEE802.11 autoselect (HT-MCS7 mode 11n)
status: active
ieee80211: nwid "MY NETWORK" chan 1 bssid 34:31:c4:64:6f:09 -46dBm
wpakey <not displayed> wpaprotos wpa1,wpa2 wpaakms psk wpaciphers
tkip,ccmp wpagroupcipher tkip
inet 192.168.178.60 netmask 0xffffff00 broadcast 192.168.178.255
enc0: flags=0<>
index 3 priority 0 llprio 3
groups: enc
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
index 5 priority 0 llprio 3
groups: pflog
Pau
---
Group Leader of Theoretical Astrophysics
Max Planck Institute Gravitational Physics
Albert Einstein Institute http://astro-gr.org
2016-06-25 19:43 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
> On Sat, Jun 25, 2016 at 07:16:29PM +0200, Pau Amaro-Seoane wrote:
>> Dear Josh:
>>
>> Apologies for being vague.
>>
>> I mean that I have yours now:
>>
>> $ cat /etc/pf.conf
>> block
>> pass from self to any
>> #a. Rule 1 blocks all traffic.
>> #b. Rule 2 passes all traffic originating on the laptop, going anywhere.
>>
>> If I enable them with
>>
>> $ pfctl -e
>>
>> I can ping anything, but no browser will open anything
>>
>> If I run
>>
>> $ pfctl -d
>> pf disabled
>>
>> Then of course everything works just fine.
>>
>> Pau
>
> I am at a loss to explain your issue, then. I have just
> tested that exact 2-line ruleset here, and am able
> to connect to a nameserver for address resolution, connect
> to websites with a browser, and connect to an Email client
> with ssh in order to post this message.
>
> Please post additional information.
>
> 1. Post your dmesg(8).
>
> $ dmesg > /path/to/my.dmesg
>
> This will show us the exact version of the OS you are
> using, when it was built, and your network interfaces,
> among other information.
>
> 2. Post your ifconfig(8).
>
> $ ifconfig > /path/to/my.ifconfig
>
> This will show us how your network interfaces are
> configured. Feel free to redact any "real" Internet
> facing addresses, if your laptop is on the Internet
> rather than on a private network that routes to the
> Internet.
>
> 3. Optionally, collect information to determine if
> desired traffic is being blocked by PF.
>
> a. Add this new rule above the other two:
>
> match log
>
> This will log all pass and block rules as they
> match through your pflog(4) interface.
>
> b. Use tcpdump(8) to inspect pass/block rules as they
> are applied. The following example command will
> do this "live" while you attempt to use your network,
> output goes to the local terminal window and also to a file.
>
> # tcpdump -ni pflog0 | tee /path/to/my.tcpdump.log
>
>> 2016-06-25 18:35 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
>> > On Sat, Jun 25, 2016 at 06:18:18PM +0200, Pau Amaro-Seoane wrote:
>> >> thanks, Josh!
>> >>
>> >> Although with these rules I seem not to be able to send e-mails....
>> >
>> > Which rules? Mine or yours? Please remember I only have what you
>> > state in your Emails for a problem description.
>> >
>> > All I know is that you have a laptop running OpenBSD, and that
>> > when you use your "six rule" ruleset, all traffic would be blocked.
>> > If you use your "five rule" ruleset, no traffic would be blocked.
>> > If you use Stephen's recommended additional line, and build a
>> > "seven rule" ruleset that ends with his pass out rule, or, end
>> > with my pass from self to any rule, or you use my simple two
>> > rule exampe, with either the pass out or the pass from self to any
>> > rule, you should have a working ruleset for the use case you
>> > described.
>> >
>> >> ... For
>> >> instance, gmail complains about not being able to do so, and it also
>> >> says that I seem to have a very old browser, and should load a
>> >> simplistic html version of gmail. When I disable pf with pfctl -d, the
>> >> email is sent and gmail does not complain about anything. Maybe the
>> >> block is also blocking sites from delivering cookies?
>> >
>> > I can only guess that your normalization ("scrub") directive is the
>> > cause of this symptom.
>> >
>> >> 2016-06-25 15:39 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
>> >> > On Sat, Jun 25, 2016 at 09:28:16AM +0200, Pau Amaro-Seoane wrote:
>> >> >> pf is disabled, yes...
>> >> >>
>> >> >> So, then I would have to remove the last line. I need to download and
>> >> >> upload things, but do not want to allow any remote connection to the
>> >> >> laptop. I guess this configuration fulfills my needs?
>> >> >
>> >> > No. If you remove the rule that blocks all traffic, what will PF do?
>> >> >
>> >> > 1) Ignore lo0 traffic
>> >> > 2) Scrub all other traffic
>> >> >
>> >> > Nothing else.
>> >> >
>> >> > Let's look at your six-line rule set in detail:
>> >> >
>> >> > a. Rules 1 and 2 set the macros $wifi and $wired, which are never used.
>> >> > b. Rule 3 sets the option to respond to blocked TCP traffic with RST
>> >> > and respond with ICMP UNREACHABLE to other blocked traffic.
>> >> > c. Rule 4 instructs PF to ignore traffic on the loopback interface.
>> >> > d. Rule 5 requests packet normalization
>> >> > e. Rule 6 blocks all traffic, except on the ignored loopback interface,
>> >> > and logs them through your pflog(4) interface.
>> >> >
>> >> > Keep in mind, I can only answer questions based upon the information
>> >> > you provide. Based solely on your laptop use-case description, here is
>> >> > a very simple ruleset:
>> >> >
>> >> > block
>> >> > pass from self to any
>> >> >
>> >> > a. Rule 1 blocks all traffic.
>> >> > b. Rule 2 passes all traffic originating on the laptop, going anywhere.
>> >> >
>> >> > How does PF manage inbound traffic with this?
>> >> >
>> >> > Because passed traffic keeps state by default, response packets
>> >> > will be passed. For stateless protocols like UDP or ICMP, state is
>> >> > maintained via timers.
>> >> >
>> >> > In my previous reply to you, I'd reminded you that in PF, the last
>> >> > matching rule wins. When an inbound packet is part of an existing
>> >> > state (TCP session, or within a response timeout window), the rule
>> >> > set will not be tested and the packet will flow. When an inbound
>> >> > packet is not part of any existing state, PF will test it against
>> >> > the rule set and the first rule (block) will be the last one
>> >> > which matches.
>> >> >
>> >> >>
>> >> >> Thanks!
>> >> >>
>> >> >> 2016-06-23 19:20 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
>> >> >> > On 2016-06-23 10:29, Pau Amaro-Seoane wrote:
>> >> >> >>
>> >> >> >> Hi... with these pf rules
>> >> >> >>
>> >> >> >> wifi=iwn0
>> >> >> >> wired=em0
>> >> >> >> set block-policy return
>> >> >> >> set skip on lo0
>> >> >> >> match in all scrub
>> >> >> >> block log all
>> >> >> >>
>> >> >> >> I can ping www.google.com without loss
>> >> >> >> but no browser opens any URL... do you know what's going on?
>> >> >> >>
>> >> >> >> Thanks!
>> >> >> >>
>> >> >> >> Pau
>> >> >> >> _______________________________________________
>> >> >> >> Openbsd-newbies mailing list
>> >> >> >> Openbsd-newbies@sfobug.theapt.org
>> >> >> >> http://mailman.theapt.org/listinfo/openbsd-newbies
>> >> >> >
>> >> >> >
>> >> >> > Hi, Pau. Last matching rule wins, and your last rule blocks all
>> >> >> > traffic.
>> >> >> >
>> >> >> > The only packets that will pass through PF are those that use the
>> >> >> > loopback
>> >> >> > interface lo0. So either that is not your entire rule set, or PF is
>> >> >> > disabled.
>> >> >> >
>> >> >> > Ping requires the passing of ICMP protocol ECHO packates, while
>> >> >> > address
>> >> >> > resolution of www.google.com requires the passing of DNS protocol
>> >> >> > packets via UDP port 53.
_______________________________________________
Openbsd-newbies mailing list
Openbsd-newbies@sfobug.theapt.org
http://mailman.theapt.org/listinfo/openbsd-newbies
