Hello Karel,

if you want to start simply, then I would recommend removing all macros
from your pf.conf which are not referenced. You can add them later if
needed. As already stated by others, there is a syntax error in macro
martians. If there are syntax errors in pf.conf, the rules are not
loaded at all.

Also correct the syntax errors in the rules "Letting ping through". The
keyword "on" without an interface name, interface group or the keyword
any looks incorrect. Give it a parameter or remove it.

After changing pf.conf, first check it with
> pfctl -nf /etc/pf.conf
before loading it. If no errors occur, simply update the ruleset in the
kernel with
> pfctl -f /etc/pf.conf
and test your changes. Keep in mind that reloading the ruleset does not
affect the states of already established connections.

Please check your current running configuration with
> pfctl -sr
It prints out all currently active rules. If something behaves too
weird, it can help to prove that the ruleset in /etc/pf.conf is the same
as we assume to be active in the kernel. Because of the syntax errors I
would guess that this is not true in your case.

Try to get IPv4 running first. If that goal is reached you have more
experience and can go further adding IPv6, which is different in the
case of ICMP. If you don't have a static IPv6 address configuration,
then the rules in your pf.conf are far too restrictive to get an
autoconfigured IPv6 address, managed (DHCP6) or not (SLAAC).

Jens

On 14.04.2024 at 17:09, Karel Lucas wrote:
Hi all,

Everything about PF is all very confusing to me at the moment, so any
help is appreciated. So let's start simple and then proceed step by
step. I want to continue with ping so that I can test the connection to
the internet. This works: ping -c 10 195.121.1.34. But this doesn't
work: ping -c 10 www.apple.com. As others have stated, I have a problem
with using DNS servers on the internet. The PF ruleset needs to be
adjusted for this, but it is still not clear to me how to do that. What
else do I need to get ping to work correctly? To get started simply, I
created a new pf.conf file, see below.


/etc/pf.conf:

ext_if = igc0                    # The interface to the outside world
int_if = "{ igc1, igc2 }"        # The interfaces to the private hosts
localnet = "192.168.2.0/24"      # Hosts on the screened LAN

tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \
                       446, cvspserver, 2628, 5999, 8000, 8080 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                     10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \
                     0.0.0.0/8, 240.0.0.0/4 }"

# Options:
set block-policy return

set skip on lo

block log all                # block stateless traffic

# Normalize packets:
match in all scrub ( no-df max-mss 1440 )

block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types

pass out all
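The three concrete problems raised in Jens's reply (macros that nothing references, the malformed entry in the martians macro, and "on" followed by an address family instead of an interface) can be spotted before pfctl is even run. The following is an added example, not code from either poster: a small Python pre-check that joins backslash continuations, collects macro definitions and $references, validates every address-looking token inside a macro with the ipaddress module, and flags an "on" clause whose next token is a pf keyword rather than an interface. The embedded SAMPLE_PF_CONF is Karel's ruleset from this thread, copied with its errors intact so the checks have something to find; the keyword set after "on" is an assumption (a conservative list of words that can never be an interface name), and this check is a convenience only, pfctl -nf remains the authoritative parser.

```python
import ipaddress
import re

# Constructed sample: Karel's pf.conf from the thread, errors left in place.
SAMPLE_PF_CONF = """\
ext_if = igc0                     # The interface to the outside world
int_if = "{ igc1, igc2 }"         # The interfaces to the private hosts
localnet = "192.168.2.0/24"       # Hosts on the screened LAN

tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
client_out = "{ ssh, domain, pop3, auth, nportntp, http, https, \\
               446, cvspserver, 2628, 5999, 8000, 8080 }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \\
             10.0.0.0/8, 169.254, 0.0/16, 192.0.2.0/24, \\
             0.0.0.0/8, 240.0.0.0/4 }"

set block-policy return
set skip on lo
block log all                     # block stateless traffic
match in all scrub ( no-df max-mss 1440 )
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians
# Letting ping through:
pass log on inet proto icmp icmp-type $icmp_types
pass log on inet6 proto icmp6 icmp6-type $icmp6_types
pass out all
"""

MACRO_DEF = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$')
MACRO_REF = re.compile(r'\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?')

# Assumption: words that can follow "on" in a rule but are never an interface.
NOT_AN_IFACE = {'inet', 'inet6', 'proto', 'from', 'to', 'all', 'quick', 'log',
                'keep', 'modulate', 'synproxy', 'flags', 'icmp-type', 'icmp6-type'}


def logical_lines(text):
    """Yield (first_line_number, text) with trailing-backslash continuations joined."""
    start, buf = None, []
    for no, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = no
        stripped = line.rstrip()
        if stripped.endswith('\\'):
            buf.append(stripped[:-1])
            continue
        buf.append(line)
        yield start, ' '.join(buf)
        start, buf = None, []
    if buf:
        yield start, ' '.join(buf)


def tokens(text):
    """Split a value or rule into bare words; braces and commas are separators."""
    return text.replace('{', ' ').replace('}', ' ').replace(',', ' ').split()


def parse(text):
    """Return ({macro: value}, [(lineno, rule)]) with comments and blanks removed."""
    macros, rules = {}, []
    for no, raw in logical_lines(text):
        line = raw.split('#', 1)[0].strip()   # pf.conf comments run to end of line
        if not line:
            continue
        m = MACRO_DEF.match(line)
        if m:
            macros[m.group(1)] = m.group(2).strip().strip('"')
        else:
            rules.append((no, line))
    return macros, rules


def check_macros(macros, rules):
    """Macros defined but never used, and references with no definition."""
    referenced = set()
    for text in list(macros.values()) + [line for _, line in rules]:
        referenced.update(MACRO_REF.findall(text))
    return sorted(set(macros) - referenced), sorted(referenced - set(macros))


def check_addresses(macros):
    """Tokens that look like IPv4 addresses/networks but do not parse (e.g. '169.254')."""
    bad = {}
    for name, value in macros.items():
        for tok in tokens(value):
            if tok[0].isdigit() and '.' in tok:
                try:
                    ipaddress.ip_network(tok, strict=False)
                except ValueError:
                    bad.setdefault(name, []).append(tok)
    return bad


def check_on_clause(rules):
    """Rules where 'on' is last, or is followed by a keyword instead of an interface."""
    findings = []
    for no, line in rules:
        toks = tokens(line)
        for i, tok in enumerate(toks):
            if tok == 'on' and (i + 1 >= len(toks) or toks[i + 1] in NOT_AN_IFACE):
                findings.append((no, line))
    return findings


def lint(text):
    macros, rules = parse(text)
    unreferenced, undefined = check_macros(macros, rules)
    return {'unreferenced_macros': unreferenced, 'undefined_macros': undefined,
            'bad_addresses': check_addresses(macros),
            'on_without_interface': check_on_clause(rules)}


if __name__ == '__main__':
    for key, value in lint(SAMPLE_PF_CONF).items():
        print(f'{key}: {value}')
```

Run against the sample it lists the seven unused macros Jens suggests dropping, reports '169.254' and '0.0/16' in martians (the stray comma split one network into two unparsable tokens), and points at the two "Letting ping through" rules where "on" is followed by inet/inet6. Once those are fixed, pfctl -nf /etc/pf.conf is still the step that decides whether the file loads.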