DaemonForums > OpenBSD > OpenBSD General

#1  bsdnewbie999, 12th March 2009: PF firewall
Currently, I cannot surf the web from my firewall. I don't know why, because I thought I had already passed in port www. Please help.
Here is a sample of my rules:
Code:
# Macros
int_if="vic0"

#scrub
scrub in all

# Filtering rules
pass in on $int_if proto tcp from any to $int_if port www
pass out on $int_if proto tcp from $int_if to any port www
block in log quick on $int_if proto tcp from any to any port ssh flags S/SA

 
#Antispoof
antispoof log for $int_if inet

#Unicast reverse path forwarding
block in log quick from urpf-failed label uRPF

#Passive operating system fingerprinting
pass in log on $int_if from any os OpenBSD keep state
block in log on $int_if from any os "Windows 2000"
block in log on $int_if from any os "Windows XP"
block in log on $int_if from any os "Windows XP SP1"
block in log on $int_if from any os "Windows XP SP2"
block in log on $int_if from any os "Windows xP SP3"
block in log on $int_if from any os "Windows 98"
block in log on $int_if from any os "Windows NT"
block in log on $int_if from any os "Linux 2.4 ts"
block in log on $int_if from any os unknown

# return
block return

#Block ICMP redirect packets
block in log quick on $int_if inet proto icmp from any to $int_if 
block in log quick on $int_if inet proto icmp from any to $int_if icmp-type redir

#Block SMTP(simple mail transfer protocol)
block in log quick on $int_if inet proto tcp from any to $int_if port smtp

#pass out UDP and ICMP
pass out on $int_if inet proto udp all keep state
pass out on $int_if inet proto icmp from $int_if to any keep state

#Block everything
block return-rst in log quick on $int_if inet proto tcp from any to $int_if 
block return-icmp in log quick on $int_if inet proto udp from any to $int_if
block in quick on $int_if all

#2  jggimi, 12th March 2009
As I stated in http://www.daemonforums.org/showthre...2948#post21892, unless quick is used, the last matching rule applies.

I notice you have "block return" in the middle of your ruleset. This will match all packets. Your prior "pass" rule does not apply.

#3  alekid, 27th April 2009
In /etc/sysctl.conf: net.inet.ip.forwarding=1
- check your /etc/resolv.conf
Code:
#resolv.conf
lookup file bind
nameserver 127.0.0.1

more: http://www.openbsd.org/faq/pf/
Last edited by alekid; 28th April 2009 at 12:06 AM.

#4  geekswordsman, 28th April 2009
Quote:
Originally Posted by jggimi
As I stated in http://www.daemonforums.org/showthre...2948#post21892, unless quick is used, the last matching rule applies.

I notice you have "block return" in the middle of your ruleset. This will match all packets. Your prior "pass" rule does not apply.

jggimi's right on the money. When PF receives a packet, it goes line by line looking for a rule to apply it to, but it doesn't stop just because it finds one. It keeps going and looks for any other rules that might apply, and finally makes a decision on what to do at the end of pf.conf. The only way to keep this from happening is the quick keyword, i.e.
Code:
pass in quick on $int_if proto tcp from any to $int_if port www
Personally, I always build my pf.conf file with the block rule at the top, and usually with a nice simple
Code:
block in log all
I can build my exceptions (say, my Vonage VoIP line) after the fact, and if something isn't getting through that's supposed to be, I know it must be because I haven't set up a pass rule correctly.
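The fix the thread arrives at, written out as one ruleset. This is an added example, not any poster's configuration: the default-deny block rules come first, every later pass rule is an explicit exception, and nothing after a pass rule can silently override it the way the original "block return" in the middle of the file did. The interface name vic0 is taken from the first post; the set of ports opened outbound and the decision to accept ssh on the firewall are assumptions for illustration.

```pf
# Added example ruleset, not the original poster's pf.conf.
# vic0 comes from the first post; the services listed are assumptions.
int_if="vic0"

set skip on lo
scrub in all

# Default deny first. Without quick the last match wins, so these two
# rules lose to any pass rule below them and nothing else is needed to
# make "everything not listed is dropped" true.
block in log all
block out log all

# Sanity checks that should win no matter what follows: spoofed source
# addresses on the interface and packets that fail reverse-path lookup.
antispoof log quick for $int_if inet
block in log quick from urpf-failed label uRPF

# Drop ICMP redirects (they rewrite the firewall's routing decisions);
# let the firewall itself ping out.
block in log quick on $int_if inet proto icmp from any to any icmp-type redir
pass out on $int_if inet proto icmp from $int_if to any

# Outbound from the firewall host: web, DNS over udp and tcp, NTP.
# This is the rule the original ruleset lost to "block return".
pass out on $int_if proto tcp from $int_if to any port { www, https }
pass out on $int_if proto udp from $int_if to any port { domain, ntp }
pass out on $int_if proto tcp from $int_if to any port domain

# Inbound to the firewall host: only ssh, only on a fresh SYN.
# (Assumed for the example; drop this rule if ssh is not wanted.)
pass in on $int_if proto tcp from any to $int_if port ssh flags S/SA
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf; pfctl -vsr then prints the loaded rules with per-rule match counters, and tcpdump -n -e -ttt -i pflog0 shows what the log rules are dropping, which is the quickest way to find the rule that is eating a connection. On OpenBSD 4.1 and later pass rules keep state by default, so the explicit keep state in the original ruleset is optional. One caveat on the original's os-fingerprint rules: the fingerprint is read from fields of the SYN that the sender controls, so blocking by os is easily bypassed and should be treated as a logging aid rather than an access control.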