Re: PF blocking even if set to pass all

2007-12-13 Thread Erik Norgaard

RW wrote:

> On Thu, 13 Dec 2007 21:17:09 +0100
> Erik Norgaard <[EMAIL PROTECTED]> wrote:
>
>> I think it is possible to set a default rule, which for security
>> should be block, which means that any packet that falls through your
>> rule set will be blocked.
>
> I'm not aware that there is, the FAQ suggests having
>
> block in  all
> block out all
>
> at the top.
>
>> Therefore, you should have "pass quick".
>
> With PF the last rule to be hit will be used, which means the default
> is normally applied at the beginning and then overridden. You don't
> need quick to avoid dropping off the bottom of the rules, unless you
> are trying to replicate an IPFW script in PF.

You're right, I'm thinking of the feature from IP-Filter.

Cheers,
--
Erik Nørgaard
Ph: +34.666334818   http://www.locolomo.org
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: PF blocking even if set to pass all

2007-12-13 Thread RW
On Thu, 13 Dec 2007 21:17:09 +0100
Erik Norgaard <[EMAIL PROTECTED]> wrote:


> I think it is possible to set a default rule, which for security
> should be block, which means that any packet that falls through your
> rule set will be blocked. 

I'm not aware that there is, the FAQ suggests having 

block in  all
block out all

at the top.

> Therefore, you should have "pass quick".

With PF the last rule to be hit will be used, which means the default
is normally applied at the beginning  and then overridden. You don't
need quick to avoid dropping off the bottom of the rules, unless you
are trying to replicate an IPFW script in PF.


Re: PF blocking even if set to pass all

2007-12-13 Thread Erik Osterholm
On Thu, Dec 13, 2007 at 09:19:03AM -0200, Alaor Barroso de Carvalho Neto wrote:
> Hi guyz, like I've said in other topic, I'm building a BSD box that'll act
> as a gateway between three private networks and the internet. I want that
> each private network can ping to each other, and I can do that till I
> activate my pf firewall. When I do pfctl -e it stop working.
> 
> The output of pfctl -sr is:
> pass in all
> pass out all
> 
> So I guess it would pass anything, why it isn't happening?
> 
> Hugs,
> Alaor

You aren't doing any encapsulation or anything else unusual, are you?
Note that unless you specify a protocol, pass rules will only match
tcp, udp, or icmp (or the v6 equivalents, I believe.)

Erik



Re: PF blocking even if set to pass all

2007-12-13 Thread Erik Norgaard

Ghirai wrote:

> On Thu, 13 Dec 2007 09:19:03 -0200
> "Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:
>
>> Hi guyz, like I've said in other topic, I'm building a BSD box that'll act
>> as a gateway between three private networks and the internet. I want that
>> each private network can ping to each other, and I can do that till I
>> activate my pf firewall. When I do pfctl -e it stop working.
>>
>> The output of pfctl -sr is:
>> pass in all
>> pass out all
>>
>> So I guess it would pass anything, why it isn't happening?
>>
>> Hugs,
>> Alaor
>
> You need to specify from/to what interface it should pass (if you have more
> than one NIC, which I assume you do, since the box is acting as a router).


You do not need to specify interface, if no interface is specified the 
rule is applied to all interfaces. In fact you could have just

  pass all

but you may prefer

  pass quick all keep state

I think it is possible to set a default rule, which for security should 
be block, which means that any packet that falls through your rule set 
will be blocked. Therefore, you should have "pass quick".


The official guide is really good:

  http://www.openbsd.org/faq/pf/index.html

Try using snort or tcpdump on each interface to see where the packet 
goes missing. Say you ping from a host on the network attached to em0 to 
a host on the network attached to em1, sniff on each interface and see 
if the packet comes through.


Cheers, Erik
--
Erik Nørgaard
Ph: +34.666334818   http://www.locolomo.org
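To make the two points of disagreement in this thread concrete (RW's "the last rule to be hit will be used, so block at the top and override later, no quick needed" and Erik's "pass quick all keep state" suggestion), here is an added example: a small Python model of PF's rule-ordering semantics. It is constructed for this thread and is not PF code or anything a poster wrote. It assumes only a tiny subset of pf.conf syntax (action, in/out, quick, proto, all, keep state; interfaces and addresses are ignored) and models the behaviour PF documents: every rule is examined, the last matching rule decides, a matching rule marked `quick` decides immediately, and a packet matching no rule is passed, which is why the FAQ puts `block in all` / `block out all` first.

```python
"""Toy model of PF rule evaluation.

Constructed example for this thread, not PF source or any poster's code.
It models only the ordering semantics discussed in the thread: every rule is
examined, the LAST matching rule decides, a matching rule marked 'quick'
decides immediately, and a packet that matches no rule at all is passed
(which is why the FAQ puts 'block in all' / 'block out all' first).
Only a small subset of pf.conf syntax is parsed: interfaces, addresses
and ports are not modelled.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                 # "pass" or "block"
    direction: Optional[str]    # "in", "out", or None for both
    proto: Optional[str]        # e.g. "tcp"; None means any protocol
    quick: bool                 # stop evaluation on match


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out"
    proto: str                  # "tcp", "udp", "icmp", ...


def parse_rule(line: str) -> Rule:
    """Parse 'ACTION [in|out] [quick] [proto P] [all] [keep state]'."""
    toks = line.split()
    if not toks or toks[0] not in ("pass", "block"):
        raise ValueError(f"unsupported rule: {line!r}")
    direction, proto, quick = None, None, False
    i = 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            direction = tok
        elif tok == "quick":
            quick = True
        elif tok == "proto":
            i += 1
            proto = toks[i]
        elif tok in ("all", "keep", "state"):
            pass  # 'all' = any address; 'keep state' does not affect ordering
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
        i += 1
    return Rule(toks[0], direction, proto, quick)


def load_ruleset(text: str) -> List[Rule]:
    """Parse pf.conf-style text, skipping blank lines and '#' comments."""
    return [parse_rule(line) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.proto in (None, pkt.proto))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, index of deciding rule); index None = no rule matched."""
    decision: Tuple[str, Optional[int]] = ("pass", None)   # PF default: pass
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            decision = (rule.action, idx)   # later matches override earlier ones
            if rule.quick:                  # 'quick' ends the search here
                break
    return decision


def decide(ruleset_text: str, direction: str, proto: str) -> str:
    return evaluate(load_ruleset(ruleset_text), Packet(direction, proto))[0]


# Constructed rulesets used below.
OP_RULESET = "pass in all\npass out all"                  # as in the original post
FAQ_RULESET = """
# default deny first, as the PF FAQ suggests
block in all
block out all
# later rules override because the last match wins
pass in proto tcp
pass out all
"""
QUICK_RULESET = "block in quick proto udp\npass in all"   # quick short-circuits

if __name__ == "__main__":
    for name, text in (("OP", OP_RULESET), ("FAQ", FAQ_RULESET), ("QUICK", QUICK_RULESET)):
        for d, p in (("in", "tcp"), ("in", "udp"), ("out", "icmp")):
            print(f"{name:5} {d:3} {p:4} -> {decide(text, d, p)}")
```

Running it shows the OP's two-rule set passing everything in the model, the FAQ layout blocking inbound UDP while the later `pass` rules override the initial `block`s for TCP and outbound traffic, and `quick` stopping evaluation at the first matching rule. Note that with an empty ruleset (or one that happens not to match a packet) the model passes the packet, exactly the case the leading `block all` lines are there to cover.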


Re: PF blocking even if set to pass all

2007-12-13 Thread Ghirai
On Thu, 13 Dec 2007 09:19:03 -0200
"Alaor Barroso de Carvalho Neto" <[EMAIL PROTECTED]> wrote:

> Hi guyz, like I've said in other topic, I'm building a BSD box that'll act
> as a gateway between three private networks and the internet. I want that
> each private network can ping to each other, and I can do that till I
> activate my pf firewall. When I do pfctl -e it stop working.
> 
> The output of pfctl -sr is:
> pass in all
> pass out all
> 
> So I guess it would pass anything, why it isn't happening?
> 
> Hugs,
> Alaor

You need to specify from/to what interface it should pass (if you have more
than one NIC, which I assume you do, since the box is acting as a router).

I suggest you read this tutorial/book: http://www.bsdly.net/~peter/pf.html

It explains what you want to do in detail.

-- 
Regards,
Ghirai.