Need help getting started with PF

[Prevet]

I just have a desktop computer, but can't get PF to do anything other than block everything.

I tried this from the FAQ and it blocks all traffic:

http://www.openbsd.org/faq/pf/filter.html

doas pfctl -ef /etc/pf.conf.X2

Code:

    block all

    # Pass TCP traffic in to the web server running on the OpenBSD machine.
    pass in on egress proto tcp from any to egress port www

These are the original rules and they work fine when I load them:
doas pfctl -ef /etc/pf.conf

Code:

set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

This is my ifconfig

Code:

lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 3 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr f0:79:59:dd:c4:a3
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (10baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.11.5 netmask 0xffffff00 broadcast 192.168.11.255
enc0: flags=0<>
        index 2 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
        index 4 priority 0 llprio 3
        groups: pflog

[jggimi]

Hello, and welcome!

Let's diagnose your problem by looking at the rule set you copied and pasted from the FAQ:

Code:

block all
pass in on egress proto tcp from any to egress port www

• The first rule blocks all traffic.
• The second rule passes traffic to a web server listening for incoming traffic on this computer.
• No other traffic is permitted to pass.

You aren't running a web server.

PF is a wonderful tool. It really is. But in order to successfully use it, you need to have an understanding of how communications over computer networks is conducted, and how the applications you want to use -- such as browsing the web -- actually communicate. If you don't have this knowledge, then PF won't be a useful too. Blindly copying and pasting, then hoping for success, will be a frustrating experience.

Peter Hansteen, the author of The Book of PF, always starts his tutorial sessions by having his audience stand and recite the following Pledge of the Network Admin.

Code:

This is my network.

It is mine
or technically my employer’s,
it is my responsibility
and I care for it with all my heart

There are many other networks a lot like mine,

 but none are just like it. 

I solemnly swear

that I will not mindlessly paste from HOWTOs.

Along with his terrific book -- and his tutorial sessions he offers at BSD user group meetings -- Peter offers a free, online tutorial located here: https://home.nuug.no/~peter/pf/

If you'd like to learn more about networking than you may know today, I recommend Networking for Systems Administrators by Michael W. Lucas.

(I own both books.)

[Prevet]

Thanks jggimi, I thought that www was passing to a web browser. I will take a look at those books.

BTW first rule I got to match something.

Quote:

block all
pass in on egress from any to egress

[jggimi]

That will only pass traffic that is inbound. It won't pass any traffic generated on your workstation.

Generally, be careful with direction (in out) and interface selection (on). They have uses, but it is easy to make mistakes. For example, you are using "on egress." The egress group is defined as the NIC/NICs currently operating a default route. Which is fine, but until that route is established, there won't be any NIC in the egress group, and the rule will never match any traffic.