View Single Post
  #1   (View Single Post)  
Old 27th April 2014
bsdsource bsdsource is offline
Port Guard
 
Join Date: Apr 2014
Posts: 34
Default packet filtering problem

I'm having problems setting up openbsd as a firewall. I believe my pf.conf is the problem. I've read everything I could on pf. From my lan computers I can ping using an ip address but can't ping using a host address. I can't surf the internet. Below is my network setup:

Code:
             internet
                |
                |
           cable modem
                |
                |
  ----  dynamic wan ip (em0) ----
 |                               |
 |          openbsd              |
 |                               |
  ----- 10.255.255.1 (em1) -----
                |
                |
       wireless access point
           10.255.255.2
                |
                |
       --------------------
      |                    |
      |                    |
 10.255.255.100     10.255.255.101
   desktop              netbook

Code:
# cat /etc/pf.conf

# macros
wan = "em0"
lan = "em1"

set block-policy return
set skip on lo0

match out on $wan from $lan:network nat-to ($wan)

pass in inet proto icmp all icmp-type { echoreq, unreach }
pass in on { $wan }
pass in on { $lan }

===============================================================================

# cat /etc/dhcpd.conf
#       $OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $

option  domain-name "openbsd.ph.comcast.net";
option  domain-name-servers 10.255.255.1;

subnet 10.255.255.0 netmask 255.255.255.0 {
        option routers 10.255.255.1;
        range 10.255.255.100 10.255.255.120;
}

===============================================================================

# cat /etc/dhclient.conf
# $OpenBSD: dhclient.conf,v 1.2 2011/04/04 11:14:52 krw Exp $
#
# DHCP Client Configuration

initial-interval 1;
send host-name "openbsd";
request subnet-mask, broadcast-address, routers, domain-name,
        domain-name-servers, host-name;

===============================================================================


# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

# cat /etc/hostname.em0
dhcp

# cat /etc/hostname.em1
inet 10.255.255.1 255.255.255.0

===============================================================================

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:aa
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::4e72:b9ff:fe20:a5aa%em0 prefixlen 64 scopeid 0x1
        inet 128.223.65.98 netmask 0xffffff00 broadcast 128.223.65.255
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:cc
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::4e72:b9ff:fe20:a5aa%em0 prefixlen 64 scopeid 0x1
        inet 72.223.65.98 netmask 0xffffff00 broadcast 72.223.65.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:dd
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 10.255.255.1 netmask 0xffffff00 broadcast 10.255.255.255
        inet6 fe80::4e72:b9ff:fe20:a5ab%em1 prefixlen 64 scopeid 0x2
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
        priority: 0
        groups: pflog

===============================================================================


# netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            72.223.65.1        UGS        0       61     -     8 em0
10.255.255/24      link#2             UC         3        0     -     4 em1
10.255.255.100     bc:5f:f4:65:c5:69  UHLc       0      207     -     4 em1
10.255.255.111     18:af:61:01:63:2d  UHLc       0       25     -     4 em1
10.255.255.112     28:6a:ba:6d:16:3b  UHLc       0       71     -     4 em1
72.223.65/24       link#1             UC         1        0     -     4 em0
72.223.65.1        00:1e:be:ff:0a:d0  UHLc       1        0     -     4 em0
72.223.65.98       127.0.0.1          UGS        0        0 33192     8 lo0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         2       77 33192     4 lo0
224/4              127.0.0.1          URS        0        0 33192     8 lo0

===============================================================================

# pfctl -vvsr
@0 match out on em0 inet from 10.255.255.0/24 to any nat-to (em0:1) round-robin
  [ Evaluations: 211       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@1 pass in inet proto icmp all icmp-type echoreq
  [ Evaluations: 211       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@2 pass in inet proto icmp all icmp-type unreach
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@3 pass in on em0 all flags S/SA
  [ Evaluations: 150       Packets: 47        Bytes: 5104        States: 1     ]
  [ Inserted: uid 0 pid 2191 State Creations: 43    ]
@4 pass in on em1 all flags S/SA
  [ Evaluations: 150       Packets: 879       Bytes: 60717       States: 30    ]
  [ Inserted: uid 0 pid 2191 State Creations: 105   ]

===============================================================================

# pfctl -s info
Status: Enabled for 0 days 00:02:43              Debug: err

State Table                          Total             Rate
  current entries                       34
  searches                            1130            6.9/s
  inserts                              161            1.0/s
  removals                             127            0.8/s
Counters
  match                                224            1.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              2            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s

=================================================================================
Reply With Quote