Re: Firewall Problems

2023-11-18 Thread Peter N. M. Hansteen
Hi,

Please keep this on the list.

On Sat, Nov 18, 2023 at 06:35:35AM -0800, louise9...@gmail.com wrote:
> Hi, thank you, I will try to change my rules accordingly. Also some questions:
> 1. I saw you talked about the block all rule. Does this cover traffic between
> VLANs/networks, as I'm trying to isolate VLANs/networks 6, 10, 20, 30 as well as
> my admin network, which is the em2 interface in this case?

Unless you have explicitly excluded interfaces from filtering (set skip on
$interface), "block drop log all" will drop packets that do not match any of
the pass rules that follow.

> 2. You also pointed out that ICMPv4 wasn't getting through. In my case ICMPv6
> won't get out either from my internal networks. Literally nothing from the
> internal networks gets out except ICMPv4 to the gateway, ICMP from internal LAN
> to internal LAN, and ICMP from internal LAN to the firewall itself. Other than that
> there's no DNS, HTTP, etc. getting out. Would I need additional rules for
> those explicitly, or would a "pass out all" rule, done a certain way, work?
> (I have also tried this and it still doesn't work.)

Please take a look at the resources I pointed to. The tutorial slides will
clear up most, if not all, of those questions.

And please keep any followups on the list.

All the best,
Peter

PS: The PF tutorial slides: https://home.nuug.no/~peter/pftutorial/ 

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.



Re: Firewall Problems

2023-11-18 Thread louise9841
Hi John, I have enabled forwarding in my sysctl.conf.

Thank you,
Lewis Ingraham

> On Nov 17, 2023, at 8:52 AM, Lewis Ingraham  wrote:
> 
> 
> Hello, I am trying to configure OpenBSD as a firewall but I can't get it to
> ping outside the firewall and subsequently am unable to reach the internet with
> devices behind the firewall. I tried changing my pf.conf to match the FAQ (as
> best as I could) and still can't get it to work. I am currently trying to get
> both IPv4 and IPv6 addresses to my devices. Can anyone tell me what I am
> doing wrong?
> 
> For reference I can do the following:
> 1. Ping the firewall and connected devices from the inside LAN networks.
> 2. Use the firewall itself to ping outside and reach the internet (use things like
> pkg_add, etc.).
> 3. Use devices in my LAN networks to successfully ping the gateway.
> 4. For some reason my devices on the LAN only get IPv4 addresses and not
> IPv6 in addition.



Re: Firewall Problems

2023-11-17 Thread Peter N. M. Hansteen
On Fri, Nov 17, 2023 at 08:52:19AM -0800, Lewis Ingraham wrote:
> Hello, I am trying to configure OpenBSD as a firewall but I can't get it to
> ping outside the firewall and subsequently am unable to reach the internet
> with devices behind the firewall. I tried changing my pf.conf to match the
> FAQ (as best as I could) and still can't get it to work. I am currently
> trying to get both IPv4 and IPv6 addresses to my devices. Can anyone tell
> me what I am doing wrong?

You have a number of "block quick" rules that seem to be already covered by
the seeming default

block drop log all  # block stateless traffic

but the only mention of ICMP (which is what ping uses) in your pf.conf is

pass in on egress inet6 proto icmp6 all icmp6-type { routeradv neighbrsol 
neighbradv }

so IPv4 ICMP will not be let through at all.

This is covered somewhat extensively in that book I wrote
(https://nostarch.com/pf3), and you should be able to find the relevant
examples in the oft-repeated tutorial at
https://home.nuug.no/~peter/pftutorial/

- Peter

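The two replies above (the 18 Nov one on what "block drop log all" covers, and the 17 Nov one on ICMPv4 never matching a pass rule) describe a ruleset without showing one. The pf.conf below is an added example for the layout in this thread; it is not the poster's attached pf.conf and is not taken from Peter's tutorial or book. Interface names follow the attachments (em0 upstream, em2 for the admin network, vlan6/10/20/30 on em1); the address prefixes, the resolver on the firewall and the set of services let out are assumptions. It also assumes net.inet.ip.forwarding=1 and net.inet6.ip6.forwarding=1 in /etc/sysctl.conf, since each address family has its own forwarding knob.

```pf
# Added example, not from the thread, Peter's tutorial or the poster's
# attached pf.conf. Interface names follow the attachments; addresses
# and the services let out are assumptions.

ext_if   = "em0"       # upstream interface, member of the "egress" group
admin_if = "em2"       # admin network, filtered like every other internal net
internal = "{ em2 vlan6 vlan10 vlan20 vlan30 }"   # add vlan4 here the same way

# Prefixes behind the firewall (assumed; use your own, and for IPv6 the
# prefixes rad(8) actually advertises).
table <internal_v4> const { 10.6.0.0/24 10.10.0.0/24 10.20.0.0/24 10.30.0.0/24 10.99.0.0/24 }
table <internal_v6> const { fd00:6::/64 fd00:10::/64 fd00:20::/64 fd00:30::/64 fd00:99::/64 }

set skip on lo

# Default deny for both address families, every interface, both directions.
# PF is last-match, so anything no "pass" rule below matches is dropped and
# logged. Because no pass rule below allows one internal net to reach
# another, this one line is what isolates the VLANs (and em2) from each other.
block drop log all

# IPv4 from the internal nets is translated to the upstream address on the
# way out; IPv6 is routed untranslated, so the hosts need global addresses.
match out on egress inet from <internal_v4> to any nat-to (egress:0)

# ICMP. The ruleset quoted in the thread only let three ICMPv6 types in on
# egress, so nothing IPv4 ping sends could ever match a pass rule. Here echo
# requests may go from an internal net to the firewall itself or to the
# outside, but not to another internal net; the error types path MTU
# discovery relies on may go anywhere. Replies follow the state entry.
pass in on $internal inet  proto icmp  icmp-type  echoreq from <internal_v4> to ! <internal_v4>
pass in on $internal inet6 proto icmp6 icmp6-type echoreq from <internal_v6> to ! <internal_v6>
pass in on $internal inet  proto icmp  icmp-type  echoreq to self
pass in on $internal inet6 proto icmp6 icmp6-type echoreq to self
pass inet  proto icmp  icmp-type  { unreach timex paramprob }
pass inet6 proto icmp6 icmp6-type { unreach toobig timex paramprob }

# NDP and router discovery. rad(8) sends its router advertisements out on
# the VLAN interfaces, and "block all" drops those too unless passed here;
# without them the hosts never learn an IPv6 prefix.
pass on $internal inet6 proto icmp6 icmp6-type { routersol routeradv neighbrsol neighbradv }
pass in on egress inet6 proto icmp6 icmp6-type { routeradv neighbrsol neighbradv }

# Internal hosts may use the resolver on the firewall (assumes one runs there).
pass in on $internal proto { tcp udp } from <internal_v4> to self port domain
pass in on $internal proto { tcp udp } from <internal_v6> to self port domain

# Internal hosts may reach the internet for DNS, HTTP and HTTPS, but not the
# other internal nets: "to ! <table>" keeps "block all" in force between
# the VLANs. Add services here rather than reaching for a "pass out all".
pass in on $internal inet  proto { tcp udp } from <internal_v4> to ! <internal_v4> port { domain www https }
pass in on $internal inet6 proto { tcp udp } from <internal_v6> to ! <internal_v6> port { domain www https }

# The admin network may additionally ssh to the firewall.
pass in on $admin_if proto tcp from <internal_v4> to self port ssh

# Whatever the firewall sends upstream, including forwarded traffic that
# matched a pass rule above, may leave; replies match the state entries.
pass out on egress
pass out on $internal
```

Check the syntax with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. pfctl -sr shows the rules as PF expanded them, and tcpdump -n -e -ttt -i pflog0 shows every packet the block rule logged, which is the quickest way to find the flow that still has no matching pass rule.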



Re: Firewall Problems

2023-11-17 Thread John Brooks

On 11/17/2023 9:52 AM, Lewis Ingraham wrote:

> Hello, I am trying to configure OpenBSD as a firewall but I can't get it to
> ping outside the firewall and subsequently am unable to reach the internet
> with devices behind the firewall. I tried changing my pf.conf to match the
> FAQ (as best as I could) and still can't get it to work. I am currently
> trying to get both IPv4 and IPv6 addresses to my devices. Can anyone tell
> me what I am doing wrong?
> 
> For reference I can do the following:
> 1. Ping the firewall and connected devices from the inside LAN networks.
> 2. Use the firewall itself to ping outside and reach the internet (use things
> like pkg_add, etc.).
> 3. Use devices in my LAN networks to successfully ping the gateway.
> 4. For some reason my devices on the LAN only get IPv4 addresses and not
> IPv6 in addition.


did you enable forwarding?

 # sysctl -a | grep forwarding
net.inet.ip.forwarding=1
net.inet.ip.mforwarding=0



Firewall Problems

2023-11-17 Thread Lewis Ingraham
Hello, I am trying to configure OpenBSD as a firewall but I can't get it to
ping outside the firewall and subsequently am unable to reach the internet
with devices behind the firewall. I tried changing my pf.conf to match the
FAQ (as best as I could) and still can't get it to work. I am currently
trying to get both IPv4 and IPv6 addresses to my devices. Can anyone tell
me what I am doing wrong?

For reference I can do the following:
1. Ping the firewall and connected devices from the inside LAN networks.
2. Use the firewall itself to ping outside and reach the internet (use things
like pkg_add, etc.).
3. Use devices in my LAN networks to successfully ping the gateway.
4. For some reason my devices on the LAN only get IPv4 addresses and not
IPv6 in addition.


Attachments: sysctl.conf, dhcpcd.conf, pf.conf, rad.conf, dhcpd.conf,
hostname.em0, hostname.em1, hostname.em2, hostname.vlan4, hostname.vlan6,
hostname.vlan10, hostname.vlan20, hostname.vlan30