#1 - 9th October 2017
Prevet (New User; Join Date: Oct 2017; Posts: 9)

Need help getting started with PF

I just have a desktop computer, but can't get PF to do anything other than block everything.

I tried this from the FAQ and it blocks all traffic:

http://www.openbsd.org/faq/pf/filter.html

doas pfctl -ef /etc/pf.conf.X2

Code:
block all

# Pass TCP traffic in to the web server running on the OpenBSD machine.
pass in on egress proto tcp from any to egress port www

These are the original rules and they work fine when I load them:

doas pfctl -ef /etc/pf.conf

Code:
set skip on lo

block return    # block stateless traffic
pass            # establish keep-state

# By default, do not permit remote connections to X11
block return in on ! lo0 proto tcp to port 6000:6010

This is my ifconfig:

Code:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
        index 3 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x3
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr f0:79:59:dd:c4:a3
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (10baseT full-duplex,rxpause,txpause)
        status: active
        inet 192.168.11.5 netmask 0xffffff00 broadcast 192.168.11.255
enc0: flags=0<>
        index 2 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33144
        index 4 priority 0 llprio 3
        groups: pflog

#2 - 9th October 2017
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 5,937)

Hello, and welcome!

Let's diagnose your problem by looking at the rule set you copied and pasted from the FAQ:
Code:
block all
pass in on egress proto tcp from any to egress port www

  • The first rule blocks all traffic.
  • The second rule passes traffic to a web server listening for incoming traffic on this computer.
  • No other traffic is permitted to pass.

You aren't running a web server.

PF is a wonderful tool. It really is. But in order to successfully use it, you need to have an understanding of how communications over computer networks are conducted, and how the applications you want to use -- such as browsing the web -- actually communicate. If you don't have this knowledge, then PF won't be a useful tool. Blindly copying and pasting, then hoping for success, will be a frustrating experience.

Peter Hansteen, the author of The Book of PF, always starts his tutorial sessions by having his audience stand and recite the following Pledge of the Network Admin.
Code:
This is my network.

It is mine
or technically my employer’s,
it is my responsibility
and I care for it with all my heart

There are many other networks a lot like mine,
but none are just like it.

I solemnly swear
that I will not mindlessly paste from HOWTOs.

Along with his terrific book -- and his tutorial sessions he offers at BSD user group meetings -- Peter offers a free, online tutorial located here: https://home.nuug.no/~peter/pf/

If you'd like to learn more about networking than you may know today, I recommend Networking for Systems Administrators by Michael W. Lucas.

(I own both books.)

#3 - 9th October 2017
Prevet (New User; Join Date: Oct 2017; Posts: 9)

Thanks jggimi, I thought that www was passing to a web browser. I will take a look at those books.

BTW, the first rule I got to match something:

Quote:
block all
pass in on egress from any to egress

#4 - 9th October 2017
jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 5,937)

That will only pass traffic that is inbound. It won't pass any traffic generated on your workstation.

Generally, be careful with direction (in/out) and interface selection (on). They have uses, but it is easy to make mistakes. For example, you are using "on egress." The egress group is defined as the NIC/NICs currently operating a default route. Which is fine, but until that route is established, there won't be any NIC in the egress group, and the rule will never match any traffic.
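Added example, not from this thread, the OpenBSD FAQ, or either poster: a rule set for a desktop like the one described above that runs no public services. The interface name em0 and the 192.168.11.0/24 LAN are taken from the ifconfig output in post #1; everything else (the macro names, the commented-out SSH rule) is assumed for illustration. It applies the points made in posts #2 and #4: the state created by an outbound pass rule admits the matching replies, so ordinary client use needs no "pass in" at all, and naming the NIC avoids the empty-egress-group pitfall.

```pf
# Added example rule set for a single desktop with no public services.
# Not the poster's /etc/pf.conf and not the FAQ's. em0 and 192.168.11.0/24
# come from the ifconfig output in the thread; the rest is assumed.

ext_if = "em0"                 # NIC name used instead of the "egress" group,
                               # which is empty until a default route exists
lan    = "192.168.11.0/24"

set skip on lo                 # never filter loopback

# Default deny in both directions. "return" answers with TCP RST / ICMP
# unreachable instead of silently dropping, which makes local debugging
# easier; "log" sends the blocked packets to pflog0 for inspection.
block return log

# Let this workstation initiate connections. The state entry created here
# also admits the matching replies coming back in, so no "pass in" rule is
# needed for web browsing, DNS, NTP and similar client traffic.
pass out on $ext_if from ($ext_if) to any

# Inbound stays blocked by the default rule. To expose a service, add a
# narrow "pass in"; this one (commented out) would admit SSH from the LAN only.
#pass in on $ext_if proto tcp from $lan to ($ext_if) port ssh

# Keep the default pf.conf's X11 guard: no remote X connections on any
# non-loopback NIC.
block return in on ! lo0 proto tcp to port 6000:6010
```

Check the syntax without loading it with `doas pfctl -nf /etc/pf.conf`, load it with `doas pfctl -f /etc/pf.conf`, and confirm what is in effect with `doas pfctl -sr` (rules) and `doas pfctl -ss` (state table). Anything the `block return log` rule drops can be watched live with `doas tcpdump -n -e -ttt -i pflog0`, which is the quickest way to see why a given application is not getting through.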