Re: a pf question maybe asked a 1000 times

2017-10-20 Thread michael
Shame on me ;-) Now I saw: "if neither are specified, the rule will match packets in both directions."   Original message   From: Markus Rosjat Sent: Friday, 20 October 2017 15:32 To: misc@openbsd.org Subject: Re: a pf question maybe asked a 1000 times Hi, as far as I

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi, as far as I understood the whole thing On 20.10.2017 at 15:09 Michael Hekeler wrote: pass on hvn0 inet proto icmp all icmp-type echoreq just to be curious: what is the effect of "on" in your rules "pass on ..."? As to pf.conf(5) there are only "in" or "out" this should allow traffic

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread sven falempin
On Fri, Oct 20, 2017 at 9:09 AM, Michael Hekeler wrote: > > Glad to hear that you have solved the problem. > > > > as you may notice I added the ping and the dns to the ruleset since > > this was blocked in the original set of rules. > > You can allow outgoing dns with one

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
Glad to hear that you have solved the problem. > as you may notice I added the ping and the dns to the ruleset since > this was blocked in the original set of rules. You can allow outgoing dns with one single rule: pass out on $ext_if inet proto { tcp, udp } from $ext_if \ to any port

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi Michael, as far as pfctl -sr goes a block return expands to block return all but since I got it working now here is the ruleset that does what it is supposed to do :) ext_if="hvn0" set skip on lo block return # block stateless traffic block inet6 pass on $ext_if inet proto {tcp udp} to

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote: > ... > block return # block stateless traffic Hi Markus, here's another hint: no matter if you want to drop silently or send a return for the dropped packet, you have to tell **on which packet the block action should react**

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi again, okay big time PEBKAC ... if you do the -d you should at some point do the -e ... haha anyway always fun to brainstorm with you guys, this list rocks !!! On 20.10.2017 at 14:11 Markus Rosjat wrote: Hi, yeah well the rules are loaded, I could flush before doing pfctl -f to make

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi, yeah well the rules are loaded, I could flush before doing pfctl -f to make it all clean. I tried ssh m...@domain.tld from the machine with the ruleset. This works with the given rules but it shouldn't in my opinion. And yes there is no dns traffic allowed in the rules. Maybe it's really

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote: > ... > what I notice is I can initiate a ssh connection from this machine. Just a question: how do you initiate the ssh connection? ssh host.example.com Then you realise that there is also dns out (53/tcp,udp)

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Niels Kobschaetzki
On 17/10/20 12:59, Markus Rosjat wrote: Hi there, I was wondering, after reading Mr Hansteen's excellent book about pf and the man pages, if I got it all wrong :) so here is my example pf.conf ext_if="hvn0" set skip on lo block return # block stateless traffic block inet6 pass in on

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Michael Hekeler
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote: > ... > what I notice is I can initiate a ssh connection from this machine. > So there are three possible answers to this: > - 1st with allowing ssh traffic in the first place ssh port will be >considered passable from both sides

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi, On 20.10.2017 at 13:11 Bryan Harris wrote: I don't know the answer but I'm curious. What does the "pfctl -sr" command show? Can you do dns lookups? PS - my rules have the "pass out all" rule at the bottom. V/r, Bryan sure I can give the output: $ doas pfctl -sr doas (m...@my.own)

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Solène Rapenne
On 2017-10-20 12:59, Markus Rosjat wrote: Hi there, I was wondering, after reading Mr Hansteen's excellent book about pf and the man pages, if I got it all wrong :) so here is my example pf.conf ext_if="hvn0" set skip on lo block return # block stateless traffic block inet6 pass in on

Re: a pf question maybe asked a 1000 times

2017-10-20 Thread Bryan Harris
I don't know the answer but I'm curious. What does the "pfctl -sr" command show? Can you do dns lookups? PS - my rules have the "pass out all" rule at the bottom. V/r, Bryan On Fri, Oct 20, 2017 at 6:59 AM, Markus Rosjat wrote: > Hi there, > > I was wondering, after reading Mr

a pf question maybe asked a 1000 times

2017-10-20 Thread Markus Rosjat
Hi there, I was wondering, after reading Mr Hansteen's excellent book about pf and the man pages, if I got it all wrong :) so here is my example pf.conf ext_if="hvn0" set skip on lo block return # block stateless traffic block inet6 pass in on $ext_if inet proto tcp from any to ($ext_if)