Old 27th April 2014
bsdsource bsdsource is offline
Default packet filtering problem

I'm having problems setting up OpenBSD as a firewall. I believe my pf.conf is the problem; I've read everything I could find on pf. From my LAN computers I can ping by IP address but not by hostname, and I can't browse the internet. Below is my network setup:

Code:
             internet
                |
                |
           cable modem
                |
                |
  ----  dynamic wan ip (em0) ----
 |                               |
 |          openbsd              |
 |                               |
  ----- 10.255.255.1 (em1) -----
                |
                |
       wireless access point
           10.255.255.2
                |
                |
       --------------------
      |                    |
      |                    |
 10.255.255.100     10.255.255.101
   desktop              netbook

Code:
# cat /etc/pf.conf

# macros
# The two sides of the gateway: em0 carries the DHCP-assigned WAN address,
# em1 carries 10.255.255.1/24 (see hostname.em0/em1 and ifconfig below).
wan = "em0"
lan = "em1"

# How blocked packets are answered. No "block" rule appears anywhere in this
# file, so as written this setting never has a packet to act on.
set block-policy return
# Loopback traffic is not filtered at all.
set skip on lo0

# Source-NAT LAN-originated traffic leaving the WAN interface to em0's own
# address. $lan:network expands to 10.255.255.0/24 (pfctl -vvsr below shows
# the rule as "from 10.255.255.0/24 ... nat-to (em0:1)"). A "match" rule only
# attaches the translation; whether the packet passes is decided by the pass
# rules. NOTE(review): pfctl reports Packets: 0 / States: 0 for this rule
# despite 211 evaluations — worth confirming LAN traffic is actually being
# translated.
match out on $wan from $lan:network nat-to ($wan)

# ICMP echo requests and unreachables are allowed in on every interface.
pass in inet proto icmp all icmp-type { echoreq, unreach }
# Both rules pass ALL inbound traffic on their interface (pfctl shows them as
# "pass in on em0 all" / "pass in on em1 all"). With no block rule in this
# file, nothing arriving from the internet on em0 is filtered, including
# connections to the gateway itself. Neither rule affects name resolution,
# which is what the reported symptom (ping by IP works, by name fails)
# points at.
pass in on { $wan }
pass in on { $lan }

===============================================================================

# cat /etc/dhcpd.conf
#       $OpenBSD: dhcpd.conf,v 1.2 2008/10/03 11:41:21 sthen Exp $

# Options handed to every LAN client. The DNS server advertised is the
# gateway's own LAN address (10.255.255.1); nothing else in this post shows a
# resolver listening on that address. NOTE(review): if no resolver is running
# there, clients can reach hosts by IP but not by name — which matches the
# symptom described above. Confirm with the service list / a query against
# 10.255.255.1 from a LAN host.
option  domain-name "openbsd.ph.comcast.net";
option  domain-name-servers 10.255.255.1;

# Lease pool for the em1 side; clients are given the gateway as their default
# route. The .111/.112 neighbours in the netstat output fall inside this range.
subnet 10.255.255.0 netmask 255.255.255.0 {
        option routers 10.255.255.1;
        range 10.255.255.100 10.255.255.120;
}

===============================================================================

# cat /etc/dhclient.conf
# $OpenBSD: dhclient.conf,v 1.2 2011/04/04 11:14:52 krw Exp $
#
# DHCP Client Configuration
# Used for em0 (hostname.em0 contains "dhcp"); the WAN address and the
# default route seen in ifconfig/netstat below come from this lease.

initial-interval 1;
send host-name "openbsd";
# NOTE(review): the domain-name-servers requested here presumably only
# populate the gateway's own resolver settings; they are not propagated to
# LAN clients, which are told to use 10.255.255.1 by dhcpd.conf above.
request subnet-mask, broadcast-address, routers, domain-name,
        domain-name-servers, host-name;

===============================================================================


# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1

# cat /etc/hostname.em0
dhcp

# cat /etc/hostname.em1
inet 10.255.255.1 255.255.255.0

===============================================================================

# ifconfig
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:aa
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::4e72:b9ff:fe20:a5aa%em0 prefixlen 64 scopeid 0x1
        inet 128.223.65.98 netmask 0xffffff00 broadcast 128.223.65.255
# ifconfig
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33192
        priority: 0
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:cc
        priority: 0
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet6 fe80::4e72:b9ff:fe20:a5aa%em0 prefixlen 64 scopeid 0x1
        inet 72.223.65.98 netmask 0xffffff00 broadcast 72.223.65.255
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 4c:72:b9:20:a5:dd
        priority: 0
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 10.255.255.1 netmask 0xffffff00 broadcast 10.255.255.255
        inet6 fe80::4e72:b9ff:fe20:a5ab%em1 prefixlen 64 scopeid 0x2
enc0: flags=0<>
        priority: 0
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33192
        priority: 0
        groups: pflog

===============================================================================


# netstat -rn -f inet
Routing tables

Internet:
Destination        Gateway            Flags   Refs      Use   Mtu  Prio Iface
default            72.223.65.1        UGS        0       61     -     8 em0
10.255.255/24      link#2             UC         3        0     -     4 em1
10.255.255.100     bc:5f:f4:65:c5:69  UHLc       0      207     -     4 em1
10.255.255.111     18:af:61:01:63:2d  UHLc       0       25     -     4 em1
10.255.255.112     28:6a:ba:6d:16:3b  UHLc       0       71     -     4 em1
72.223.65/24       link#1             UC         1        0     -     4 em0
72.223.65.1        00:1e:be:ff:0a:d0  UHLc       1        0     -     4 em0
72.223.65.98       127.0.0.1          UGS        0        0 33192     8 lo0
127/8              127.0.0.1          UGRS       0        0 33192     8 lo0
127.0.0.1          127.0.0.1          UH         2       77 33192     4 lo0
224/4              127.0.0.1          URS        0        0 33192     8 lo0

===============================================================================

# pfctl -vvsr
@0 match out on em0 inet from 10.255.255.0/24 to any nat-to (em0:1) round-robin
  [ Evaluations: 211       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@1 pass in inet proto icmp all icmp-type echoreq
  [ Evaluations: 211       Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@2 pass in inet proto icmp all icmp-type unreach
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 2191 State Creations: 0     ]
@3 pass in on em0 all flags S/SA
  [ Evaluations: 150       Packets: 47        Bytes: 5104        States: 1     ]
  [ Inserted: uid 0 pid 2191 State Creations: 43    ]
@4 pass in on em1 all flags S/SA
  [ Evaluations: 150       Packets: 879       Bytes: 60717       States: 30    ]
  [ Inserted: uid 0 pid 2191 State Creations: 105   ]

===============================================================================

# pfctl -s info
Status: Enabled for 0 days 00:02:43              Debug: err

State Table                          Total             Rate
  current entries                       34
  searches                            1130            6.9/s
  inserts                              161            1.0/s
  removals                             127            0.8/s
Counters
  match                                224            1.4/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              2            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  translate                              0            0.0/s

=================================================================================