
Re: PF rules loaded but not active



It seems PF reads the rules sequentially, not like a tree, so if I put
the block rule up, it works.

I still can't ping this box from outside, though.

On 4/20/05, Kim Onnel <karim_(_dot_)_adel_(_at_)_gmail_(_dot_)_com> wrote:
> I am running an OpenBSD server whose sole purpose is that people
> will ssh to it and telnet/ping from there to a specific subnet.
> 
> So I made the following rules; however, I have a problem:
> 
> if I load the rules using -f /etc/pf.conf, they load just fine, but if
> I enable pfctl, I am disconnected.
> 
> #Allow all loopback traffic
> pass quick on lo0 all
> 
> #Allow all ping, I can specify echo and echo reply
> pass out on xl0 proto icmp all
> 
> #Although I passed DNS below, I still allowed UDP; should I enable
> #both, or will just enabling DNS do?
> pass in on xl0 proto udp all
> 
> #Allow ssh from anywhere to the xl0 interface with the IP 10.2.0.196
> pass in on xl0 inet proto tcp from any to 10.2.0.196 port = ssh keep state
> 
> #Allow telnet out only to this specific subnet
> pass out on xl0 inet proto tcp from 10.2.0.196 to 172.31.0.0/16 port = telnet keep state
> 
> #Allow DNS queries udp and tcp to the dns server.
> pass out on xl0 inet proto {tcp, udp} from 10.2.0.196 port = domain to 10.2.0.30
> 
> #Deny explicitly the rest and log
> block return in log all
> 
> Where did I go wrong?
> 
> -bash-3.00# ifconfig -a
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33224
>         inet 127.0.0.1 netmask 0xff000000
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x5
> xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         address: 00:b0:d0:e1:6c:63
>         media: Ethernet autoselect (100baseTX full-duplex)
>         status: active
>         inet 10.2.0.196 netmask 0xffffff00 broadcast 10.2.0.255
>         inet6 fe80::2b0:d0ff:fee1:6c63%xl0 prefixlen 64 scopeid 0x1
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33224
> pfsync0: flags=0<> mtu 2020
> enc0: flags=0<> mtu 1536
> 
> -bash-3.00# pfctl -F all
> rules cleared
> nat cleared
> 0 tables deleted.
> altq cleared
> 0 states cleared
> source tracking entries cleared
> pf: statistics cleared
> 
> -bash-3.00# pfctl -f /etc/pf.conf
> -bash-3.00#
> -bash-3.00#
> 
> -bash-3.00# pfctl -e
> pf enabled
> (And I am disconnected from my ssh session)
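The reply's point, as an added example that is not part of the thread: a small Python model of PF's evaluation order (the last matching rule decides, unless a matching rule says `quick`), run against a reduced version of the posted ruleset. The `Rule`/`Packet` fields and the rule simplifications (no addresses, no `keep state`, no source-port match on the DNS rule) are my own assumptions; real pf.conf syntax is much richer.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in", "out" or "any"
    iface: str                   # "lo0", "xl0" or "any"
    proto: str                   # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None  # destination port, None = any port
    quick: bool = False          # "quick": stop evaluating once matched

@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    dport: Optional[int] = None

def matches(r: Rule, p: Packet) -> bool:
    return (r.direction in ("any", p.direction)
            and r.iface in ("any", p.iface)
            and r.proto in ("any", p.proto)
            and (r.dport is None or r.dport == p.dport))

def evaluate(rules: List[Rule], p: Packet) -> str:
    # PF semantics: the LAST matching rule decides, unless a matching rule
    # is "quick", which ends evaluation at once. With no match, PF passes.
    verdict = "pass"
    for r in rules:
        if matches(r, p):
            verdict = r.action
            if r.quick:
                break
    return verdict
# The posted ruleset reduced to the fields this model knows (ssh = port 22).
# Addresses, "keep state" and the DNS rule's source-port match are omitted.
BLOCK_ALL_IN = Rule("block", "in", "any", "any")          # block return in log all
POSTED = [
    Rule("pass", "any", "lo0", "any", quick=True),        # pass quick on lo0 all
    Rule("pass", "out", "xl0", "icmp"),                   # pass out ... proto icmp all
    Rule("pass", "in", "xl0", "udp"),                     # pass in ... proto udp all
    Rule("pass", "in", "xl0", "tcp", dport=22),           # pass in ... port = ssh
    BLOCK_ALL_IN,                                         # last, so it wins over "pass in"
]
# Same rules with the block moved to the top, as the reply describes.
REORDERED = [BLOCK_ALL_IN] + POSTED[:-1]

SSH_IN = Packet("in", "xl0", "tcp", 22)   # the poster's own ssh session arriving
PING_IN = Packet("in", "xl0", "icmp")     # an echo request from outside
```

It also shows why ping from outside fails in either order: the ruleset has a `pass out` for ICMP but no `pass in`, so an inbound echo request only ever matches the block rule.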