OpenBSD pf problems
Post 302575170 by John Tate on Sunday 20th of November 2011 08:45:17 PM

I am having trouble with this pf configuration. It seems that when it is loaded, nothing can access my server on the internal interface for the LAN. I cannot see why, and it's pretty much based on the very standard example in the OpenBSD FAQ.

When I unload the configuration, I can access the DNS server on the firewall running this configuration. It seems to forward everything through to the Internet, but blocks DNS, which makes it pretty useless. I've looked at it at least five times...

Code:
john@baal ~$ cat /etc/pf.conf
# interfaces: xl0 faces the LAN, tun0 is the userland pppoe tunnel
int_if="xl0"
ext_if="tun0"

# LAN hosts (not referenced by any rule below)
rothbard="10.0.0.10"
baal="10.0.0.2"
smass="10.0.0.1"

tcp_services="{22}"
icmp_types="echoreq"

set block-policy return
set loginterface $ext_if
set skip on lo

# NAT LAN traffic leaving on the default-route interface (egress group)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

# defaults: block and log everything inbound, pass everything outbound
block in log
pass out quick

# $int_if is referenced only here; no pass rule names it
antispoof quick for { lo $int_if }

# inbound ssh on the external interface: the only inbound tcp pass rule
pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services
#After this goes forwarded ports... Probably just use ssh tunnels.

# inbound echo requests on any interface
pass in inet proto icmp all icmp-type $icmp_types

What is wrong?

Bonus points if you can tell me how to do this so that it only needs to be loaded once, rather than being loaded by a shell script after userland pppoe successfully connects.
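The behaviour described above can be traced with a small model of how pf evaluates a ruleset: rules are walked in order, the last matching rule decides, a matching `quick` rule ends evaluation, and a packet that matches nothing is passed. This is an added example, not code from the original post or from OpenBSD. It assumes the `egress` interface group contains `tun0`, handles only direction, interface, protocol and destination port, and skips `set`, `match` and `antispoof` lines as well as addresses and state tracking, which is enough to follow a DNS query from the LAN through the posted rules.

```python
"""Toy model of pf(4) rule evaluation, used to trace the posted ruleset.
Modelled: rules evaluated in order, LAST match wins unless a matching rule
says 'quick'; a packet matching no rule is passed (pf's default).
Not modelled: set, match, antispoof, addresses, state tracking.
Added example; not code from the original post or from OpenBSD."""
import re
from dataclasses import dataclass
from typing import Optional

# Assumption: group 'egress' holds the default-route interface, tun0 here.
GROUPS = {"egress": {"tun0"}}


@dataclass
class Packet:
    direction: str              # "in" or "out", relative to the firewall
    iface: str                  # interface the packet is seen on
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: Optional[str]     # None matches both directions
    iface: Optional[str]         # interface or group name; None = any
    proto: Optional[str]         # None = any protocol
    dports: Optional[frozenset]  # None = any destination port
    quick: bool
    text: str


def parse_ruleset(conf: str):
    """Return (macros, rules); only pass/block lines become Rule objects."""
    macros, rules = {}, []
    for raw in conf.replace("\\\n", " ").splitlines():  # join continued lines
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r'(\w+)\s*=\s*"([^"]*)"', line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        toks = [macros[t[1:]] if t.startswith("$") else t for t in line.split()]
        if not toks or toks[0] not in ("pass", "block"):
            continue                    # set/match/antispoof: out of scope
        rule, i = Rule(toks[0], None, None, None, None, False, line), 1
        while i < len(toks):
            t = toks[i]
            if t in ("in", "out"):
                rule.direction = t
            elif t == "quick":
                rule.quick = True
            elif t == "on":
                i += 1
                rule.iface = toks[i].strip("()")   # "(egress)" -> "egress"
            elif t == "proto":
                i += 1
                rule.proto = toks[i]
            elif t == "port":                      # "{22}" or "{ 22, 53 }"
                i += 1
                spec = toks[i]
                while "{" in spec and "}" not in spec:
                    i += 1
                    spec += toks[i]
                rule.dports = frozenset(int(p) for p in re.findall(r"\d+", spec))
            i += 1
        rules.append(rule)
    return macros, rules


def evaluate(rules, pkt: Packet):
    """Return (decision, rule_text) for pkt under last-match semantics."""
    decision, why = "pass", "no rule matched (pf default)"
    for r in rules:
        on_iface = r.iface is None or pkt.iface == r.iface \
            or pkt.iface in GROUPS.get(r.iface, set())
        if (r.direction not in (None, pkt.direction) or not on_iface
                or r.proto not in (None, pkt.proto)
                or (r.dports is not None and pkt.dport not in r.dports)):
            continue
        decision, why = r.action, r.text
        if r.quick:
            break
    return decision, why


def trace(conf: str, pkt: Packet):
    return evaluate(parse_ruleset(conf)[1], pkt)


# Filter-relevant lines of the ruleset from the post.
POSTED = r"""
int_if="xl0"
tcp_services="{22}"
icmp_types="echoreq"
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on egress inet proto tcp from any to (egress) \
        port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
"""
# Same ruleset plus the LAN-side rule the OpenBSD FAQ example carries.
FIXED = POSTED + "pass in on $int_if\n"
```

Running `trace(POSTED, Packet("in", "xl0", "udp", 53))` ends at `block in log`: the only inbound pass rules are the ssh rule on `egress` (tun0) and the ICMP rule, so nothing later matches a UDP packet arriving on xl0 and the default block stands; ssh on tun0 and ICMP on xl0 pass. With `pass in on $int_if` appended, the same query passes. On the firewall itself the equivalent checks are `pfctl -nf /etc/pf.conf` to parse the file, `pfctl -sr` to see the loaded rules with macros expanded, and `tcpdump -n -e -ttt -i pflog0` to watch which rule the logged blocks are attributed to.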