OpenBSD5.3/PF Settings help request
Dear Sir/Madam,

I am a student pursuing a Master's degree in Network and Security at the University of Valenciennes (France). I am currently encountering problems while setting up a firewall with Packet Filter on OpenBSD 5.3. I have a PC with 3 network interfaces (xl0: connected to WAN, xl1: connected to WLAN, xl2: connected to LAN). I need this PC to work as a firewall. I have installed OpenBSD and set up rules in /etc/pf.conf (please find my pf.conf file attached to this mail; it is commented in French, if you have any questions just let me know).

The problem is: the firewall has Internet access, but hosts on the WLAN and LAN can't connect to the Internet. I don't know if my NAT and filtering rules are not matching. My /etc/resolv.conf has the ADSL Internet box address and DNS is working correctly. My xl0 interface got its IP from the DHCP server of the ADSL Internet box, so there is no need to create a file /etc/mygate to specify the ADSL Internet box as default gateway. The command route show shows me my default gateway.

I have contacted http://www.evolix.fr/, one of the OpenBSD support links from http://www.openbsd.org/support.html, in Marseille (France); they have read the file but they can't find the problem.

I would be grateful if you could help me. Please find attached my pf.conf file.

I am looking forward to hearing from you as soon as possible.

Kind regards,

--
Adelin Balou
2nd-year student, Master's in Security and Networks.
Institut des Sciences et Techniques de Valenciennes
Université de Valenciennes et du Hainaut-Cambrésis
Telephone: +33 3 27 27 07 22
Mobile: +33 6 17 46 10 72

[demime 1.01d removed an attachment of type application/octet-stream which had a name of pf.conf]
Re: OpenBSD5.3/PF Settings help request
On Wed, Sep 25 2013 at 16:40, Adelin Balou wrote:

> Dear Sir/Madam,
>
> I am a student pursuing a Master's degree in Network and Security at the University of Valenciennes (France). I am currently encountering problems while setting up a firewall with Packet Filter on OpenBSD 5.3. I have a PC with 3 network interfaces (xl0: connected to WAN, xl1: connected to WLAN, xl2: connected to LAN). I need this PC to work as a firewall. I have installed OpenBSD and set up rules in /etc/pf.conf (please find my pf.conf file attached to this mail; it is commented in French, if you have any questions just let me know).
>
> The problem is: the firewall has Internet access, but hosts on the WLAN and LAN can't connect to the Internet. I don't know if my NAT and filtering rules are not matching. My /etc/resolv.conf has the ADSL Internet box address and DNS is working correctly. My xl0 interface got its IP from the DHCP server of the ADSL Internet box, so there is no need to create a file /etc/mygate to specify the ADSL Internet box as default gateway. The command route show shows me my default gateway.

Hi,

Did you enable IP forwarding in sysctl.conf?

DNS has nothing to do with packets going through a firewall.

> I have contacted http://www.evolix.fr/, one of the OpenBSD support links from http://www.openbsd.org/support.html, in Marseille (France); they have read the file but they can't find the problem.
>
> I would be grateful if you could help me. Please find attached my pf.conf file.

Attachments are blocked on this list ;-)

You can read the PF book http://home.nuug.no/~peter/pf/ to find good information on PF.

Regards,
Claer
Re: OpenBSD5.3/PF Settings help request
On Wed, Sep 25, 2013 at 04:40:37PM +0200, Adelin Balou wrote:

> The problem is: the firewall has Internet access, but hosts on the WLAN and LAN can't connect to the Internet. I don't know if my NAT and filtering rules are not matching. My /etc/resolv.conf has the ADSL Internet box address and DNS is working correctly. My xl0 interface got its IP from the DHCP server of the ADSL Internet box, so there is no need to create a file /etc/mygate to specify the ADSL Internet box as default gateway. The command route show shows me my default gateway.

Have you enabled IP forwarding?

$ grep net.inet.ip.forwarding /etc/sysctl.conf
net.inet.ip.forwarding=1

Regards
Erling

> I have contacted http://www.evolix.fr/, one of the OpenBSD support links from http://www.openbsd.org/support.html, in Marseille (France); they have read the file but they can't find the problem.
>
> I would be grateful if you could help me. Please find attached my pf.conf file.
>
> I am looking forward to hearing from you as soon as possible.
>
> Kind regards,
>
> --
> Adelin Balou
> 2nd-year student, Master's in Security and Networks.
> Institut des Sciences et Techniques de Valenciennes
> Université de Valenciennes et du Hainaut-Cambrésis
> Telephone: +33 3 27 27 07 22
> Mobile: +33 6 17 46 10 72
>
> [demime 1.01d removed an attachment of type application/octet-stream which had a name of pf.conf]
Re: OpenBSD5.3/PF Settings help request
On 25 September 2013 16:40, Adelin Balou <adelin.ba...@etu.univ-valenciennes.fr> wrote:

> Dear Sir/Madam,
>
> I am a student pursuing a Master's degree in Network and Security at the University of Valenciennes (France). I am currently encountering problems while setting up a firewall with Packet Filter on OpenBSD 5.3. I have a PC with 3 network interfaces (xl0: connected to WAN, xl1: connected to WLAN, xl2: connected to LAN). I need this PC to work as a firewall. I have installed OpenBSD and set up rules in /etc/pf.conf (please find my pf.conf file attached to this mail; it is commented in French, if you have any questions just let me know).
>
> The problem is: the firewall has Internet access, but hosts on the WLAN and LAN can't connect to the Internet. I don't know if my NAT and filtering rules are not matching.

Add the 'log' keyword to the rules you want to verify and run tcpdump on the pflog0 interface. When you're done, don't forget to remove the log keyword, or you might end up filling your disk with logs.

Another way to see if it matches is to look at the counters for each rule when running pfctl -vvsr

> My /etc/resolv.conf has the ADSL Internet box address and DNS is working correctly. My xl0 interface got its IP from the DHCP server of the ADSL Internet box, so there is no need to create a file /etc/mygate to specify the ADSL Internet box as default gateway. The command route show shows me my default gateway.
>
> I have contacted http://www.evolix.fr/, one of the OpenBSD support links from http://www.openbsd.org/support.html, in Marseille (France); they have read the file but they can't find the problem.
>
> I would be grateful if you could help me. Please find attached my pf.conf file.
>
> I am looking forward to hearing from you as soon as possible.
>
> Kind regards,
>
> --
> Adelin Balou
> 2nd-year student, Master's in Security and Networks.
> Institut des Sciences et Techniques de Valenciennes
> Université de Valenciennes et du Hainaut-Cambrésis
> Telephone: +33 3 27 27 07 22
> Mobile: +33 6 17 46 10 72
>
> [demime 1.01d removed an attachment of type application/octet-stream which had a name of pf.conf]
Re: OpenBSD5.3/PF Settings help request
Hi,

Adelin Balou <adelin.ba...@etu.univ-valenciennes.fr> writes:

[...]
> Please find attached my pf.conf file.
[...]
> [demime 1.01d removed an attachment of type application/octet-stream which had a name of pf.conf]

No attachment allowed here.

--
jca | PGP: 0x06A11494 / 61DB D9A0 00A4 67CF 2A90 8961 6191 8FBF 06A1 1494
Re: OpenBSD5.3/PF Settings help request
2013/9/25 Erling Westenvik <erling.westen...@gmail.com>

> On Wed, Sep 25, 2013 at 04:40:37PM +0200, Adelin Balou wrote:
>
>> The problem is: the firewall has Internet access, but hosts on the WLAN and LAN can't connect to the Internet. I don't know if my NAT and filtering rules are not matching. My /etc/resolv.conf has the ADSL Internet box address and DNS is working correctly. My xl0 interface got its IP from the DHCP server of the ADSL Internet box, so there is no need to create a file /etc/mygate to specify the ADSL Internet box as default gateway. The command route show shows me my default gateway.
>
> Have you enabled IP forwarding?
>
> $ grep net.inet.ip.forwarding /etc/sysctl.conf
> net.inet.ip.forwarding=1

The output from:

sysctl net.inet.ip.forwarding

would almost be more interesting, since the above file is only valid if you have rebooted the box since last changing that line. I assume you already knew that of course, but for the archives...

--
May the most significant bit of your life be positive.
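The three checks the replies suggest (is forwarding on in the running kernel, is it persisted in /etc/sysctl.conf, and which PF rules never matched a packet per pfctl -vvsr) as one added script. This is example code written for this page, not anything posted in the thread. Each function reads command output on stdin so it can be exercised offline; the sysctl, sysctl.conf and pfctl outputs embedded below are constructed samples, and the interface names and addresses in them (xl2, 192.168.2.0/24, the NAT rule on xl0) are assumptions modelled on the poster's setup. The sample shows the pattern worth looking for on a box that is not forwarding: the inbound rule on the LAN interface counts packets while the outbound rules on xl0 stay at zero.

```shell
#!/bin/sh
# Added example (not from the thread): offline-testable versions of the
# diagnostics suggested in the replies. On the gateway itself, pipe the real
# commands into the functions (see the usage comments at the bottom).

# 1. Is forwarding on in the running kernel?
#    Input: the output of `sysctl net.inet.ip.forwarding`
#    (OpenBSD prints "net.inet.ip.forwarding=1").
forwarding_running() {
    val=$(sed -n 's/^net\.inet\.ip\.forwarding=\([01]\).*$/\1/p')
    [ "$val" = "1" ]
}

# 2. Will it survive a reboot?
#    Input: the contents of /etc/sysctl.conf. A commented-out
#    "#net.inet.ip.forwarding=1" must not count, so the match is
#    anchored at the start of the line; the last live setting wins.
forwarding_persisted() {
    val=$(sed -n 's/^[[:space:]]*net\.inet\.ip\.forwarding=\([01]\).*$/\1/p' | tail -n 1)
    [ "$val" = "1" ]
}

# 3. Which rules never matched a packet?
#    Input: the output of `pfctl -vvsr`, where each rule is printed as
#    "@N <rule>" followed by a counter line
#    "  [ Evaluations: .. Packets: .. Bytes: .. States: .. ]".
#    Prints the "@N <rule>" line of every rule whose Packets counter is 0.
zero_packet_rules() {
    awk '
        /^@[0-9]+ / { rule = $0; next }
        /Evaluations:/ {
            for (i = 1; i <= NF; i++)
                if ($i == "Packets:" && $(i + 1) == "0") print rule
        }
    '
}

# --- constructed samples (assumptions, not captured from the poster's box) ---
SAMPLE_SYSCTL='net.inet.ip.forwarding=0'

SAMPLE_SYSCTL_CONF='#net.inet.ip.forwarding=1   # edited but left commented out
net.inet.ip6.forwarding=0'

SAMPLE_PFCTL='@0 block drop all
  [ Evaluations: 31        Packets: 2         Bytes: 120         States: 0     ]
  [ Inserted: uid 0 pid 4242 State Creations: 0     ]
@1 pass in on xl2 inet from 192.168.2.0/24 to any flags S/SA
  [ Evaluations: 29        Packets: 9         Bytes: 540         States: 3     ]
  [ Inserted: uid 0 pid 4242 State Creations: 3     ]
@2 match out on xl0 inet from 192.168.2.0/24 to any nat-to (xl0)
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4242 State Creations: 0     ]
@3 pass out on xl0 inet all flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 4242 State Creations: 0     ]'

# Run the checks against the samples.
printf '%s\n' "$SAMPLE_SYSCTL" | forwarding_running \
    || echo "forwarding is OFF in the kernel: sysctl net.inet.ip.forwarding=1"
printf '%s\n' "$SAMPLE_SYSCTL_CONF" | forwarding_persisted \
    || echo "forwarding is not persisted: set net.inet.ip.forwarding=1 in /etc/sysctl.conf"
echo "rules that never matched a packet:"
printf '%s\n' "$SAMPLE_PFCTL" | zero_packet_rules

# Usage on the OpenBSD gateway:
#   sysctl net.inet.ip.forwarding | forwarding_running   || echo "not forwarding"
#   forwarding_persisted < /etc/sysctl.conf              || echo "not persisted"
#   pfctl -vvsr | zero_packet_rules
# To watch a specific rule, add 'log' to it, reload, and run
#   tcpdump -n -e -ttt -i pflog0
# then remove 'log' again once done.
```

The two forwarding checks are deliberately separate: the sysctl.conf grep in the thread only tells you what the next boot will do, while `sysctl net.inet.ip.forwarding` tells you what the kernel is doing now, and the two disagree whenever the file was edited without a reboot or `sysctl -w`.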