Re: pass in quick on $int_if all necessary if $ext_if is down
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: pass in quick on $int_if all necessary if $ext_if is down
- From: Han Boetes <han_(_at_)_mijncomputer_(_dot_)_nl>
- Date: Fri, 19 Nov 2004 13:13:37 +0100
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
Moritz Grimm wrote:
> If I am guessing wrong, we need to see your pf.conf, or the
> output of pfctl -sr.
I suspect the pfctl -sr rules are a bit easier to parse quickly.
I weeded out a few irrelevant rules and replaced the real ifnames
with the vars int_if and ext_if:
scrub in on $ext_if all fragment reassemble
scrub in on $int_if all no-df fragment reassemble
block return out log on $ext_if all queue std_out
block return in log on $ext_if all
pass in quick on $int_if all
block return in quick on $ext_if from <reserved> to any
block return out quick on $ext_if from <reserved> to any
pass in quick on lo0 all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in on ! lo1 inet from 10.0.0.0/8 to any
block drop in on ! $int_if inet from 172.16.11.0/24 to any
block drop in inet from 172.16.11.1 to any
block drop in on $int_if inet6 from fe80::208:a1ff:fe3c:3479 to any
block drop in on ! $ext_if inet all
block drop in on $ext_if inet6 from fe80::2c0:26ff:fe18:2 to any
block drop in inet from 16.2.0.0 to any
block drop in quick on $ext_if from any os "SCO" to any
block drop in quick on $ext_if from any os "NMAP" to any
pass out on $ext_if inet proto icmp all icmp-type echoreq code 0 keep state queue std_out
pass in on $ext_if inet proto icmp all icmp-type echoreq code 0 keep state
pass out quick on $ext_if proto udp all keep state queue(std_out, ack_out)
pass in quick on $ext_if inet proto udp from <dhcp_servers> port = bootps to 255.255.255.255 port = bootpc
pass in quick on $ext_if inet proto tcp from <dhcp_servers> port = bootps to 255.255.255.255 port = bootpc
block return in log quick on $ext_if inet proto udp from ! <dhcp_servers> port = bootps to 255.255.255.255 port = bootpc
block return in log quick on $ext_if inet proto tcp from ! <dhcp_servers> port = bootps to 255.255.255.255 port = bootpc
pass out quick on $int_if proto udp all
block drop in quick on $ext_if inet from any to ! ($ext_if)
pass in quick on $ext_if inet proto tcp from <friends> to ($ext_if) port = ssh flags S/SA keep state
pass out quick on $ext_if proto tcp from any to any port = ssh keep state queue(ssh_out, ssh_ack_out)
pass out quick on $ext_if proto tcp all keep state queue(std_out, ack_out)
The nat rule may be relevant as well:
nat on ne3 inet from 172.16.11.0/24 to any -> (ne3) round-robin
# Han
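The evaluation order behind the ruleset above, as an added example that is not part of Han's post: a toy evaluator with pf's last-match-wins-unless-quick semantics, run over a constructed subset of the posted rules (with "$int_inf" read as $int_if, interface names used as plain labels, and scrub, protocol and state options ignored).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None: no "on" clause, matches any interface
    iface_negated: bool = False  # "on ! lo0"
    src: Optional[str] = None    # source CIDR; None means "all"/"any"
    quick: bool = False

    def matches(self, direction: str, iface: str, src_ip: str) -> bool:
        if self.direction != direction:
            return False
        # Skip when interface equality disagrees with the negation flag.
        if self.iface is not None and (iface == self.iface) == self.iface_negated:
            return False
        if self.src is not None and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src):
            return False
        return True

def evaluate(rules, direction: str, iface: str, src_ip: str) -> Tuple[str, Optional[int]]:
    """pf semantics: the last matching rule wins, except that a matching
    'quick' rule ends evaluation at once. With no match the default is pass.
    Returns (action, index of the deciding rule or None)."""
    verdict: Tuple[str, Optional[int]] = ("pass", None)
    for idx, rule in enumerate(rules):
        if rule.matches(direction, iface, src_ip):
            verdict = (rule.action, idx)
            if rule.quick:
                break
    return verdict

# Constructed subset of the posted pfctl -sr output, in the same relative order.
ANTISPOOF = [
    Rule("block", "in", "lo0", iface_negated=True, src="127.0.0.0/8"),
    Rule("block", "in", "int_if", iface_negated=True, src="172.16.11.0/24"),
    Rule("block", "in", src="172.16.11.1/32"),
    Rule("block", "in", "ext_if", iface_negated=True),  # "block drop in on ! $ext_if inet all"
]
AS_POSTED = [Rule("pass", "in", "int_if", quick=True)] + ANTISPOOF
WITHOUT_QUICK = [Rule("pass", "in", "int_if")] + ANTISPOOF  # hypothetical variant, quick dropped

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("without quick", WITHOUT_QUICK)):
        for src in ("172.16.11.5", "127.0.0.1", "172.16.11.1"):
            print(label, "in on int_if from", src, "->", evaluate(rules, "in", "int_if", src))
```

As posted, every inbound packet on $int_if is decided by rule 0, so the antispoof blocks below it never see $int_if traffic, including sources such as 127.0.0.1 or the gateway's own 172.16.11.1. Without quick the last match is the "! $ext_if inet all" block, which drops even legitimate 172.16.11.0/24 traffic, which is why the quick pass is needed and why the antispoof rules would have to precede it to still take effect.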