pf not working properly even with only "pass in all" and "pass out all" rules


 
# 1  
Old 12-24-2003

I have two rules in my pf.conf file, "pass in all" and "pass out all".

I was having issues with getting pf working to begin with, so I went with
starting from nothing and working on up.

I have an UltraSPARC Ultra 1 200E, with an added 4-port Fast Ethernet SBus
card, running "3.4 GENERIC#85 sparc64".

I have my access server and my workstation on two separate ports, which
are on different networks.

I can ping the access server from my workstation and my OBSD box; however, I
can't telnet to the access server from my workstation. I can telnet to the
access server through the OBSD box.

My pf.conf is as follows:

Code:
###################################
# $OpenBSD: pf.conf 11/9/2003
###################################

#####################################
### macros
#####################################

### IP addresses
ext_ip = "10.10.110.2"                          # external interface ip address
int_ip = "192.168.110.253"                      # internal interface ip address
pub_ip = "172.16.210.1"                         # public servers interface ip address
pvt_ip = "192.168.210.1"                        # private servers interface ip address
pod_ip = "172.16.110.1"                         # cisco router pod interface ip address

### physical interfaces
int_if = "hme0"                                 # internal interface
pvt_srv_if = "hme1"                             # private server interface
pub_svr_if = "hme2"                             # public server interface
cisco_pod_if = "hme3"                           # router lab interface
ext_if = "hme4"                                 # external interface
all_if = "{ hme0, hme1, hme2, hme3, hme4}"      # all interfaces

### networks
int_net = "192.168.110.240/28"                  # internal LAN
ext_net = "10.10.110.0/30"                      # external LAN
pvt_net = "192.168.210.0/30"                    # private server network
pub_net = "172.16.210.0/30"                     # public server network
pod_net = "172.16.110.0/30"                     # cisco router pod network

### servers
web_server = "172.16.210.2"                     # webserver
PDC = "192.168.210.2"                           # primary domain server
router = "10.10.110.1"                          # router
access_server = "172.16.110.2"                  # cisco pod access server
print_server = "192.168.100.251"                # print server
proxy_server = "192.168.100.248"                # proxy server

### internal network hosts
venus = "192.168.110.242"                       # ami's system
saturn = "192.168.110.243"                      # my system
mercury = "192.168.110.249"                     # laptop
uranus = "192.168.110.248"                      # backup server
neptune = "192.168.110.253"                     # OpenBSD
hosts = "{" $venus $saturn $mercury $uranus "}"

### Private addresses
spoof_ips = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"   # private addresses

### Services
www = "{ 80, 443}"                              # http/https

##################################################################
### Options: tune the behavior of pf
##################################################################

# default options
#set require-order yes
#set optimization normal        # optimize PF for one of the predefined network environments
#set block-policy drop          # a blocked packet is silently dropped
#set fingerprints "/etc/pf.os"
set loginterface hme4           # interface for which PF gathers statistics such as bytes in/out and packets passed/blocked

##########################
###Packet Filtering Table
##########################

### Clean up fragmented packets and abnormal packets
scrub in all fragment reassemble

### redirect/nat rules
nat on $ext_if from any to any -> $ext_ip

###
### traffic rules ###
###

pass in all
pass out all

I'd appreciate any and all help.

added code tags for readability --oombera

Last edited by oombera; 02-21-2004 at 02:37 AM..
# 2  
Old 12-25-2003
Hi,

Are you sure that it's the packet filter's fault? If you disable PF, are you able to telnet to the box?
The machines are on different networks, so the problem might be a gateway issue too... check the default gateway...
# 3  
Old 12-30-2003
Actually... the gateway was the issue.

I didn't have a default gateway set on the access server... you were only the second person to catch this... no one else had a clue.
# 4  
Old 12-30-2003
Here's another question about pf...

Simple diagram:

WAN-----(hme4)-----*OBSD*-----(hme0)-----LAN

Now, if you're going from the LAN to the WAN, do you need to have a separate pass in rule on hme0 and then a corresponding pass out rule on hme4? Or does "keep state" allow you to have only a pass in statement involving hme0, where the OBSD box will have the intelligence to know that the outbound traffic will be sent out of hme4, return on hme4, and then be sent to hme0, which will then take it to a workstation?

Example of what I mean... do you have to have:

pass in on $int_if proto tcp from $hosts to $ext_ip modulate state
pass out on $ext_if proto tcp from $hosts to $ext_ip modulate state

Or can you work with only:

pass in on $int_if proto tcp from $hosts to $ext_ip modulate state
# 5  
Old 12-30-2003
Hi,

I don't know if I understood your question...
If your default rule is to block everything, then you have to specify exactly what you want to access (or what you want to access you!)... so, if your default rule is to block all, then you have to specify that you want to allow traffic in and out... otherwise, you don't need any of them; all traffic will be allowed...

Let me try to explain "keep state" and see if it fits your situation...
You have SSHd (for example) running on server A and you want all clients to be able to use it... you only need to specify one rule, the "in" rule, and the filter will be able to detect that the connection that goes out belongs to the same connection that was started before... you have to specify on the server that you want to allow port 22 in, keeping state... instead of specifying that you want to allow connections in and out on that port...
If it doesn't look simple, it's because English is not my first language, because it is simple... :-)

Good luck !

Last edited by jsilva; 12-30-2003 at 05:47 AM..
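The ruleset below is an added example, not the original poster's pf.conf and not code from any of the replies. It turns the "pass in all" / "pass out all" configuration from post #1 into a default-deny one, written for the WAN-(hme4)-OBSD-(hme0)-LAN diagram in post #4 in the pf 3.4 syntax the thread uses. The macro names and addresses are reused from the thread; the `block log all`, `flags S/SA` and the ICMP/UDP housekeeping rules are choices of this example. A stateful rule creates a state entry from the first packet it passes, and every later packet of that connection, including the replies flowing the other way, is matched against the state table before the rules are consulted. A packet going from LAN to WAN is filtered twice, once entering hme0 and once leaving hme4; whether the state created by the hme0 rule also covers the hme4 crossing depends on the pf version and on how states are bound to interfaces, so the portable way to write it is one stateful rule per crossing, after which the replies need no rule of their own. For LAN-to-WAN traffic the destination is `any`, since `$ext_ip` is the firewall's own address rather than anything beyond it.

```pf
# Added example: default-deny pf.conf for WAN-(hme4)-OBSD-(hme0)-LAN.
# Macro names and addresses reuse the thread's; the rest is assumed.
ext_if  = "hme4"
int_if  = "hme0"
ext_ip  = "10.10.110.2"
int_ip  = "192.168.110.253"
int_net = "192.168.110.240/28"
hosts   = "{ 192.168.110.242, 192.168.110.243, 192.168.110.249, 192.168.110.248 }"

set loginterface hme4
set block-policy drop

# reassemble fragments before any rule sees them
scrub in all fragment reassemble

# translate LAN clients to the external address as they leave hme4
nat on $ext_if from $int_net to any -> $ext_ip

# default deny on every interface, logged to pflog0 so tcpdump can show what was dropped
block log all

# loopback is never filtered
pass quick on lo0 all

# LAN -> WAN, first crossing: the packet enters on hme0.
# The SYN creates a state entry; later packets of the connection match the state.
pass in  on $int_if proto tcp from $hosts to any flags S/SA modulate state

# LAN -> WAN, second crossing: the same packet leaves on hme4 after NAT
# (source is now $ext_ip), so it is filtered again and gets its own stateful rule.
pass out on $ext_if proto tcp from $ext_ip to any flags S/SA modulate state

# The replies (in on hme4, then out on hme0) match the two state entries
# created above, so no "pass in on $ext_if" rule is written for them.

# let the LAN ping the firewall, and let the firewall itself do DNS and NTP
pass in  on $int_if inet proto icmp from $hosts to $int_ip icmp-type echoreq keep state
pass out on $ext_if proto udp from $ext_ip to any port { 53, 123 } keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, then open a connection from a LAN host while running `tcpdump -n -e -ttt -i pflog0`: anything the `block log all` rule drops shows up there with the interface and direction, which is the quickest way to see which crossing still lacks a rule.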