DaemonForums  

#1
Old 14th September 2022
dennisN86
Port Guard
 
Join Date: Jan 2021
Posts: 24
pf.conf - port 53 unreachable

I'm having a config issue in pf.conf, but I'm not sure what it is. The connection from my laptop to my OpenBSD router is established, but the traffic is not routed through port 53, which is unreachable.

Code:
tcpdump -ni bwfm0

192.168.0.13.34322 > 192.168.0.1.53: 31656+ A? ping.manjaro.org.(34) (DF)
192.168.0.1 > 192.168.0.13: icmp: 192.168.0.1 udp port 53 unreachable
192.168.0.13.34322 > 192.168.0.1.53: 26282+ AAAA? ping.manjaro.org.(34) (DF)
192.168.0.1 > 192.168.0.13: icmp: 192.168.0.1 udp port 53 unreachable
192.168.0.13.48079 > 192.168.0.1.53: 48877+ A? ping.manjaro.org.<dns.name>.(51) )
192.168.0.13.48079 > 192.168.0.1.53: 33521+ AAAA? ping.manjaro.org.<dns.name> (5)
192.168.0.13: icmp: 192.168.0.1 udp port 53 unreachable
Code:
cat /etc/hostname.bwfm0
media autoselect mode 11ac mediaopt hostap
nwid "wifi-name" wpakey "wifi-key"
inet 192.168.0.1 255.255.255.0 NONE group internal
#inet6 fe80::1/64
inet6 autoconf -soii -temporary
description "WIFI"
Code:
router# cat /etc/pf.conf                                                       
### Interfaces
if_wan      = "pppoe0"
#ip_wan      = "169.254.2.2" # em0 static-ip
if_lo       = "lo0"
if_lan      = "em1"
if_wifi     = "bwfm0"
if_dmz      = "em2"
if_internal = "{" $if_lan $if_wifi "}"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 \
                   ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 2001:10::/28 \
                   2001:2::/48 2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }

set block-policy drop
set loginterface $if_wan
set skip on $if_lo

match in all scrub (no-df random-id max-mss 1440)
match out on $if_wan inet from !($if_wan:network) to any nat-to ($if_wan)

block in from no-route
block in quick from urpf-failed
block in quick on $if_wan from <martians> to any
block return out quick on $if_wan from any to <martians>

block all
pass in on $if_wan inet proto icmp all icmp-type { echoreq }
pass in on $if_wan inet6 proto icmp6 all icmp6-type { echoreq \
        routeradv neighbrsol neighbradv }
pass in on { $if_wan $if_lan $if_wifi } proto tcp to port { 22 } \
        keep state (max-src-conn 15, max-src-conn-rate 3/1, \
        overload <bruteforce> flush global)
pass out proto { tcp udp } to port { 22 53 80 123 443 993 5222:5223 5228 3389 }
#pass out quick proto { tcp udp } from any to port 53
pass in on $if_internal
pass in quick from { $if_lan:network $if_wifi:network } to any
pass out on $if_wan inet from $if_internal to any nat-to ($if_wan)
pass quick proto { tcp udp } from $if_internal to $if_wan port 53
The commented pass out quick proto rule breaks the config when applied. Traffic is routed via the pppoe0 connection on em0. From the router, I can ping, curl and wget through the modem, but I cannot access the web from wifi-connected devices - ssh into the router from wifi is possible, though. Anyone here to my rescue? Thanks in advance, Dennis
#2
Old 14th September 2022
frcc
Don't Worry Be Happy!
 
Join Date: Jul 2011
Location: hot,dry,dusty,rainy,windy,straight winds, tornado,puts the fear of God in you-Texas
Posts: 335

I have no idea, so I just googled around and didn't find much except this and a couple on FreeBSD; it is interesting:

https://kb.isc.org/docs/aa-00621

https://forums.freebsd.org/threads/h...port-53.11509/

Last edited by frcc; 14th September 2022 at 11:59 AM. Reason: spelling
#3
Old 14th September 2022
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,131

Replace
Code:
block all
with
Code:
block log all
This will make any blocked packets be logged on the pflog0 interface.
To watch and read these blocked packets, run on the OpenBSD router:
Code:
 # tcpdump -eni pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
Generate some DNS traffic and see what it shows ......

BTW, to make it easier to debug and understand, I try to organize my rules by direction, interface and protocol, using section headers like this:
Code:
# ------------------- OUTGOING

# ---------- egress
# 
# --- tcp
pf rules           

# --- udp
pf rules           

# --- icmp
pf rules           

# ---------- vio1

# --- tcp
pf rules           

# --- udp
pf rules           

# --- icmp
pf rules           

# ------------------- INCOMING 

# ---------- egress
(repeat pf rules per protocol as under OUTGOING)

# ---------- vio1
(repeat pf rules per protocol as under OUTGOING)
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
#4
Old 14th September 2022
J65nko
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,131

Keep in mind that DNS / domain traffic can use UDP as well as TCP on port 53 and also port 853:
Code:
$ grep domain /etc/services
domain          53/tcp                          # Domain Name Server
domain          53/udp
domain-s        853/tcp                         # DNS query-response protocol run over TLS/DTLS
domain-s        853/udp                         # DNS query-response protocol run over TLS/DTLS
#5
Old 14th September 2022
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,983

Quote:
Originally Posted by dennisN86
Code:
#pass out quick proto { tcp udp } from any to port 53
The commented pass out quick proto rule breaks the config when applied.
That is because it has an incorrect syntax. UDP and TCP packets each use **two** port numbers: an originating port number (often random and a high number), and a destination port number, used by the listening service.

To correct the syntax error, define port 53 as the destination port number:
Code:
pass out quick proto { tcp udp } from any to any port 53
or more succinctly:
Code:
pass out quick proto { tcp udp } to any port 53
#6
Old 14th September 2022
dennisN86
Port Guard
 
Join Date: Jan 2021
Posts: 24

Changing the block statement to
Code:
block log all
brought this output

Code:
tcpdump: listening on pflog0, link-type PFLOG

20:10:32.922871 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
20:10:33.185951 rule 6/(match) block out on pppoe0: 93.132.142.208 > 1.1.1.1: icmp: echo request
20:10:34.186137 rule 6/(match) block out on pppoe0: 93.132.142.208 > 1.1.1.1: icmp: echo request
20:10:35.186268 rule 6/(match) block out on pppoe0: 93.132.142.208 > 1.1.1.1: icmp: echo request
20:10:36.186389 rule 6/(match) block out on pppoe0: 93.132.142.208 > 1.1.1.1: icmp: echo request
Changing the pass out rule to

Code:
pass out quick proto { tcp udp } to any port { 53 }
left me with the same error of http/https services not being able to connect to port 53, as posted earlier.

@jggimi: How do I find out about this randomized destination port you were talking about?
#7
Old 14th September 2022
dennisN86
Port Guard
 
Join Date: Jan 2021
Posts: 24

The following rule set translates to the rules below when applied with pfctl -vf /etc/pf.conf

Code:
router# cat /etc/pf.conf                                                       
### Interfaces
if_wan      = "pppoe0"
ip_wan      = "169.254.2.2" # em0 static-ip
if_lo       = "lo0"
if_lan      = "em1"
if_wifi     = "bwfm0"
if_dmz      = "em2"
if_internal = "{" $if_lan $if_wifi "}"

### Cidr-Ranges
prv_nets = "10.10.10.0/24, 192.168.0.0/24"
dmz_net  = "172.16.0.0/24"

#tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s }"
#udp_services = "{ domain ntp }"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 \
                   ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 2001:10::/28 \
                   2001:2::/48 2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }

set block-policy drop
set loginterface $if_wan
set skip on $if_lo

match in all scrub (no-df random-id max-mss 1440)
match out on $if_wan inet from !($if_wan:network) to any nat-to ($if_wan)

#antispoof quick for { $if_wan $if_lan $if_wifi $if_dmz }

block in from no-route
block in quick from urpf-failed
block in quick on $if_wan from <martians> to any
block return out quick on $if_wan from any to <martians>

block log all
#block all
pass in on $if_wan inet proto icmp all icmp-type { echoreq }
pass in on $if_wan inet6 proto icmp6 all icmp6-type { echoreq \
        routeradv neighbrsol neighbradv }
pass in on { $if_wan $if_lan $if_wifi } proto tcp to port { 22 } \
        keep state (max-src-conn 15, max-src-conn-rate 3/1, \
        overload <bruteforce> flush global)
pass out proto { tcp udp } to port { 22 53 80 123 443 853 993 5222:5223 5228 3389 }
pass out quick proto { tcp udp } to any port { 53 853 }
#pass out quick inet
pass in on $if_internal
pass in quick from { $if_lan:network $if_wifi:network } to any
pass out on $if_wan inet from $if_internal to any nat-to ($if_wan)
#pass in quick proto { tcp udp } from $if_internal to ($if_wan) port 53
pass in quick proto { tcp udp } from $if_internal to ($if_wan) port 53
#pass in quick proto { tcp udp } from $if_internal to $ip_wan port 53
#pass in quick proto { tcp udp } from $if_internal to egress port 53
Code:
"/etc/pf.conf" 55L, 2160B written                   
router# pfctl -vf /etc/pf.conf 
if_wan = "pppoe0"
ip_wan = "169.254.2.2"
if_lo = "lo0"
if_lan = "em1"
if_wifi = "bwfm0"
if_dmz = "em2"
if_internal = "{ em1 bwfm0 }"
prv_nets = "10.10.10.0/24, 192.168.0.0/24"
dmz_net = "172.16.0.0/24"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.}
set block-policy drop
set loginterface pppoe0
set skip on { lo0 }
match in all scrub (no-df random-id max-mss 1440)
match out on pppoe0 inet from ! (pppoe0:network) to any nat-to (pppoe0) round-robin
block drop in from no-route to any
block drop in quick from urpf-failed to any
block drop in quick on pppoe0 from <martians> to any
block return out quick on pppoe0 from any to <martians>
block drop log all
pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type echoreq
pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type routeradv
pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in on pppoe0 inet proto icmp all icmp-type echoreq
pass in on pppoe0 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max-sr)
pass in on em1 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max-src-c)
pass in on bwfm0 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max-src)
pass out proto tcp from any to any port = 22 flags S/SA
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto tcp from any to any port = 80 flags S/SA
pass out proto tcp from any to any port = 123 flags S/SA
pass out proto tcp from any to any port = 443 flags S/SA
pass out proto tcp from any to any port = 853 flags S/SA
pass out proto tcp from any to any port = 993 flags S/SA
pass out proto tcp from any to any port 5222:5223 flags S/SA
pass out proto tcp from any to any port = 5228 flags S/SA
pass out proto tcp from any to any port = 3389 flags S/SA
pass out proto udp from any to any port = 22
pass out proto udp from any to any port = 53
pass out proto udp from any to any port = 80
pass out proto udp from any to any port = 123
pass out proto udp from any to any port = 443
pass out proto udp from any to any port = 853

match in all scrub (no-df random-id max-mss 1440)
match out on $if_wan inet from !($if_wan:network) to any nat-to ($if_wan)

#antispoof quick for { $if_wan $if_lan $if_wifi $if_dmz }

block in from no-route
block in quick from urpf-failed
block in quick on $if_wan from <martians> to any
block return out quick on $if_wan from any to <martians>

block log all
#block all
pass in on $if_wan inet proto icmp all icmp-type { echoreq }
pass in on $if_wan inet6 proto icmp6 all icmp6-type { echoreq \
        routeradv neighbrsol neighbradv }
pass in on { $if_wan $if_lan $if_wifi } proto tcp to port { 22 } \
        keep state (max-src-conn 15, max-src-conn-rate 3/1, \
        overload <bruteforce> flush global)
pass out proto { tcp udp } to port { 22 53 80 123 443 853 993 5222:5223 5228 3388
9 }
pass out quick proto { tcp udp } to any port { 53 853 }
#pass out quick inet
pass in on $if_internal
pass in quick from { $if_lan:network $if_wifi:network } to any
pass out on $if_wan inet from $if_internal to any nat-to ($if_wan)
#pass in quick proto { tcp udp } from $if_internal to ($if_wan) port 53
pass in quick proto { tcp udp } from $if_internal to ($if_wan) port 53
#pass in quick proto { tcp udp } from $if_internal to $ip_wan port 53
#pass in quick proto { tcp udp } from $if_internal to egress port 53
#8
Old 14th September 2022
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,983

Quote:
Originally Posted by dennisN86
@jggimi: How do I find out about this randomized destination port you were talking about?
  • Every IP packet contains two IP addresses within it: a source IP address, where it came from, and a destination IP address, where it is going to.
  • UDP and TCP packets are two types of IP packets. These packets also have, in addition, two port numbers: a source port number, and a destination port number.
The port number everyone thinks of when they think of a TCP or UDP service is the port number being "listened to" by a destination service, such as ports 80 and 443 for HTTP and HTTPS, or port 22 for SSH, and port 53 for DNS. But the source port number is part of the conversation, and it is the port number used by that service for any and all replies to the client of the service.

Wikipedia has a relatively short explanation within its Transmission Control Program (TCP) page:
Quote:
TCP and UDP use port numbers to identify sending and receiving application end-points on a host, often called Internet sockets. Each side of a TCP connection has an associated 16-bit unsigned port number (0-65535) reserved by the sending or receiving application. Arriving TCP packets are identified as belonging to a specific TCP connection by its sockets, that is, the combination of source host address, source port, destination host address, and destination port. This means that a server computer can provide several clients with several services simultaneously, as long as a client takes care of initiating any simultaneous connections to one destination port from different source ports.

Port numbers are categorized into three basic categories: well-known, registered, and dynamic/private. The well-known ports are assigned by the Internet Assigned Numbers Authority (IANA) and are typically used by system-level or root processes. Well-known applications running as servers and passively listening for connections typically use these ports. Some examples include: FTP (20 and 21), SSH (22), TELNET (23), SMTP (25), HTTP over SSL/TLS (443), and HTTP (80). Note, as of the latest standard, HTTP/3, QUIC is used as a transport instead of TCP. Registered ports are typically used by end user applications as ephemeral source ports when contacting servers, but they can also identify named services that have been registered by a third party. Dynamic/private ports can also be used by end user applications, but are less commonly so. Dynamic/private ports do not contain any meaning outside of any particular TCP connection.
#9
Old 14th September 2022
dennisN86
Port Guard
 
Join Date: Jan 2021
Posts: 24

Evaluating the rule 6 error from tcpdump -eni pflog0 points to rule

Code:
block drop log all
Code:
router# pfctl -s rules -vv                                                     
@0 match in all scrub (no-df random-id max-mss 1440)
  [ Evaluations: 32        Packets: 96        Bytes: 5992        States: 24    ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@1 match out on pppoe0 inet from ! (pppoe0:network:1) to any nat-to (pppoe0:1) round-robin
  [ Evaluations: 32        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@2 block drop in from no-route to any
  [ Evaluations: 32        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@3 block drop in quick from urpf-failed to any
  [ Evaluations: 26        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@4 block drop in quick on pppoe0 from <martians:22> to any
  [ Evaluations: 26        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@5 block return out quick on pppoe0 from any to <martians:22>
  [ Evaluations: 8         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@6 block drop log all
  [ Evaluations: 32        Packets: 8         Bytes: 717         States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@7 pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type echoreq
  [ Evaluations: 32        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@8 pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type routeradv
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@9 pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type neighbrsol
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@10 pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type neighbradv
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@11 pass in on pppoe0 inet proto icmp all icmp-type echoreq
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@12 pass in on pppoe0 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, ma)
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@13 pass in on em1 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max-s)
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@14 pass in on bwfm0 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max)
  [ Evaluations: 24        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@15 pass out proto tcp from any to any port = 22 flags S/SA
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@16 pass out proto tcp from any to any port = 53 flags S/SA
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@17 pass out proto tcp from any to any port = 80 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@18 pass out proto tcp from any to any port = 123 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@19 pass out proto tcp from any to any port = 443 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@20 pass out proto tcp from any to any port = 853 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@21 pass out proto tcp from any to any port = 993 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@22 pass out proto tcp from any to any port 5222:5223 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@23 pass out proto tcp from any to any port = 5228 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@24 pass out proto tcp from any to any port = 3389 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@25 pass out proto udp from any to any port = 22
  [ Evaluations: 31        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@26 pass out proto udp from any to any port = 53
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@27 pass out proto udp from any to any port = 80
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@28 pass out proto udp from any to any port = 123
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@29 pass out proto udp from any to any port = 443
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@30 pass out proto udp from any to any port = 853
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@31 pass out proto udp from any to any port = 993
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@32 pass out proto udp from any to any port 5222:5223
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@33 pass out proto udp from any to any port = 5228
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@34 pass out proto udp from any to any port = 3389
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@35 pass out quick proto tcp from any to any port = 53 flags S/SA
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@36 pass out quick proto tcp from any to any port = 853 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@37 pass out quick proto udp from any to any port = 53
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@38 pass out quick proto udp from any to any port = 853
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@39 pass in on em1 all flags S/SA
  [ Evaluations: 32        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@40 pass in on bwfm0 all flags S/SA
  [ Evaluations: 32        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@41 pass in quick inet from 10.10.10.0/24 to any flags S/SA
  [ Evaluations: 32        Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@42 pass in quick inet from 192.168.0.0/24 to any flags S/SA
  [ Evaluations: 26        Packets: 96        Bytes: 5992        States: 24    ]
  [ Inserted: uid 0 pid 17444 State Creations: 24    ]
@43 pass out on pppoe0 inet from 10.10.10.1 to any flags S/SA nat-to (pppoe0:1) round-robin
  [ Evaluations: 8         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@44 pass out on pppoe0 inet from 192.168.0.1 to any flags S/SA nat-to (pppoe0:1) round-robin
  [ Evaluations: 6         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@45 pass in quick inet proto tcp from 10.10.10.1 to (pppoe0:1) port = 53 flags S/SA
  [ Evaluations: 8         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@46 pass in quick inet proto tcp from 192.168.0.1 to (pppoe0:1) port = 53 flags S/SA
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@47 pass in quick inet proto udp from 10.10.10.1 to (pppoe0:1) port = 53
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@48 pass in quick inet proto udp from 192.168.0.1 to (pppoe0:1) port = 53
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@49 pass in quick on em1 inet6 proto tcp from fe80::20d:b9ff:fe44:ec5d to (pppoe0:2) port = 53 flags SA
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@50 pass in quick on em1 inet6 proto udp from fe80::20d:b9ff:fe44:ec5d to (pppoe0:2) port = 53
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@51 pass in quick on bwfm0 inet6 proto tcp from fe80::461c:a8ff:fec2:5755 to (pppoe0:2) port = 53 flagA
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@52 pass in quick on bwfm0 inet6 proto udp from fe80::461c:a8ff:fec2:5755 to (pppoe0:2) port = 53
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@53 pass in on pppoe0 inet6 proto tcp from any to fe80::20d:b9ff:fe44:ec5c port = 53 flags S/SA
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@54 pass in on pppoe0 inet6 proto tcp from any to fe80::20d:b9ff:fe44:ec5c port = 80 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@55 pass in on pppoe0 inet6 proto tcp from any to fe80::20d:b9ff:fe44:ec5c port = 443 flags S/SA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@56 pass in on pppoe0 inet6 proto tcp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 53 flagsA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@57 pass in on pppoe0 inet6 proto tcp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 80 flagsA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@58 pass in on pppoe0 inet6 proto tcp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 443 flagA
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@59 pass in on pppoe0 inet6 proto udp from any to fe80::20d:b9ff:fe44:ec5c port = 53
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@60 pass in on pppoe0 inet6 proto udp from any to fe80::20d:b9ff:fe44:ec5c port = 80
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@61 pass in on pppoe0 inet6 proto udp from any to fe80::20d:b9ff:fe44:ec5c port = 443
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@62 pass in on pppoe0 inet6 proto udp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 53
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@63 pass in on pppoe0 inet6 proto udp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 80
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@64 pass in on pppoe0 inet6 proto udp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 443
  [ Evaluations: 0         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@65 pass in on pppoe0 inet proto tcp from any to 78.48.11.152 port = 53 flags S/SA
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@66 pass in on pppoe0 inet proto tcp from any to 78.48.11.152 port = 80 flags S/SA
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@67 pass in on pppoe0 inet proto tcp from any to 78.48.11.152 port = 443 flags S/SA
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@68 pass in on pppoe0 inet proto udp from any to 78.48.11.152 port = 53
  [ Evaluations: 2         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@69 pass in on pppoe0 inet proto udp from any to 78.48.11.152 port = 80
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
@70 pass in on pppoe0 inet proto udp from any to 78.48.11.152 port = 443
  [ Evaluations: 1         Packets: 0         Bytes: 0           States: 0     ]
  [ Inserted: uid 0 pid 17444 State Creations: 0     ]
Which pass in/out rule do I have to implement to overwrite the block statement?
Old 14th September 2022
jggimi
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,983

Rule 6 is the only rule with a "log" option, so only traffic that does not match any other rule will be logged by it. By itself, not necessarily very helpful -- it only shows the traffic that does not match any other rule -- either quick rules that came before, or any non-quick rules that follow after.


For more insight, add the "log" option to the rules for which you are interested in seeing what traffic will or will not match.
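To turn a pflog capture into the per-rule view described above, here is an added shell example; it is not code from this thread or from OpenBSD's own tools. Two awk-based functions read "tcpdump -eni pflog0" output on stdin: one counts packets per rule, action, direction and interface, the other lists the destination ports hit by a single rule number. The sample lines are constructed in the line format shown in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarise "tcpdump -eni pflog0" output
# per PF rule so that "which rule matched this traffic" is visible at a glance.
# Live use:  tcpdump -eni pflog0 | pflog_summary
#            tcpdump -eni pflog0 | pflog_dst_ports 42

# Constructed sample in the pflog line format seen in the thread.
SAMPLE_PFLOG='22:35:57.575921 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:01.815419 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:02.059790 rule 6/(match) block in on pppoe0: 54.162.222.133.443 > 93.131.122.147.41227: FP 55920
22:36:02.251407 rule 75/(match) pass in on pppoe0: 193.107.20.100.43934 > 93.131.122.147.53: 17767+ [1
22:36:06.055025 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:11.693417 rule 11/(match) pass in on pppoe0: 54.93.216.155 > 93.131.122.147: icmp: echo request
21:11:07.881607 rule 42/(match) pass in on bwfm0: 192.168.0.13.59685 > 192.168.0.1.53: 51244+[|domain]
21:11:07.882364 rule 42/(match) pass in on bwfm0: 192.168.0.13.45317 > 192.168.0.1.53: 8540+[|domain]'

# Reads pflog lines on stdin; prints "<count> rule <n> <action> <dir> on <iface>",
# most frequent first.  Fields: $2="rule" $3="6/(match)" $4=action $5=dir $7="iface:"
pflog_summary() {
    awk '
        $2 == "rule" {
            split($3, r, "/")                  # r[1] is the rule number
            iface = $7; sub(/:$/, "", iface)   # drop the trailing colon
            key = "rule " r[1] " " $4 " " $5 " on " iface
            n[key]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' | sort -rn -k1,1
}

# Reads pflog lines on stdin; prints "<dst-port> <count>" for the rule given as $1.
# Only IPv4 "a.b.c.d.port" destinations carry a port; ICMP and bare hosts show "-".
pflog_dst_ports() {
    awk -v want="$1" '
        $2 == "rule" && index($3, want "/") == 1 {
            dst = $10; sub(/:$/, "", dst)
            # four dots means address plus port; keep only the last component
            if (gsub(/\./, ".", dst) == 4) { sub(/^.*\./, "", dst); port = dst }
            else { port = "-" }
            n[port]++
        }
        END { for (p in n) printf "%s %d\n", p, n[p] }
    ' | sort -k2,2rn -k1,1
}
```

Run against the sample, pflog_summary shows the three "rule 6 block out" packets at the top and pflog_dst_ports 42 shows that everything rule 42 passed on bwfm0 went to port 53, which is the observation the thread turns on.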

dennisN86 (Port Guard; Join Date: Jan 2021; Posts: 24), 14th September 2022:

Adding the log statement to all rules gives me more output. When connecting my laptop via wifi, pflog0 points to rule 42

Code:
21:11:07.881607 rule 42/(match) pass in on bwfm0: 192.168.0.13.59685 > 192.168.0.1.53: 51244+[|domain])
21:11:07.882364 rule 42/(match) pass in on bwfm0: 192.168.0.13.45317 > 192.168.0.1.53: 8540+[|domain] )
21:11:07.886068 rule 42/(match) pass in on bwfm0: 192.168.0.13.45656 > 192.168.0.1.53: 48813+[|domain])
21:11:07.886204 rule 42/(match) pass in on bwfm0: 192.168.0.13.37106 > 192.168.0.1.53: 4047+[|domain] )
21:11:07.886592 rule 42/(match) pass in on bwfm0: 192.168.0.13.43425 > 192.168.0.1.53: 25317+[|domain])
21:11:07.890673 rule 42/(match) pass in on bwfm0: 192.168.0.13.57198 > 192.168.0.1.53: 31134+[|domain])
21:11:07.890932 rule 42/(match) pass in on bwfm0: 192.168.0.13.53853 > 192.168.0.1.53: 18144+[|domain])
21:11:07.891830 rule 42/(match) pass in on bwfm0: 192.168.0.13.40254 > 192.168.0.1.53: 399+[|domain] ()
21:11:07.892000 rule 42/(match) pass in on bwfm0: 192.168.0.13.53515 > 192.168.0.1.53: 11195+[|domain])
21:11:07.892755 rule 42/(match) pass in on bwfm0: 192.168.0.13.33806 > 192.168.0.1.53: 8540+[|domain] )
21:11:07.893983 rule 42/(match) pass in on bwfm0: 192.168.0.13.42802 > 192.168.0.1.53: 48084+[|domain])
21:11:07.894273 rule 42/(match) pass in on bwfm0: 192.168.0.13.37008 > 192.168.0.1.53: 4047+[|domain] )
21:11:07.895229 rule 42/(match) pass in on bwfm0: 192.168.0.13.40482 > 192.168.0.1.53: 25317+[|domain]
It points to a number of high ports and domain.

jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,983), 14th September 2022:

The rule being matched (42) is showing traffic from source IP 192.168.0.13, destination IP 192.168.0.1. The source port numbers are high and ephemeral, the destination port number is consistently 53, for domain services.

This tells me that -- in this latest PF configuration you are using -- PF is passing domain traffic from the client system at 192.168.0.13 to a DNS server residing at 192.168.0.1.

dennisN86 (Port Guard; Join Date: Jan 2021; Posts: 24), 14th September 2022:

Quote (Originally Posted by jggimi):
The rule being matched (42) is showing traffic from source IP 192.168.0.13, destination IP 192.168.0.1. The source port numbers are high and ephemeral, the destination port number is consistently 53, for domain services.

This tells me that -- in this latest PF configuration you are using -- PF is passing domain traffic from the client system at 192.168.0.13 to a DNS server residing at 192.168.0.1.
Code:
router# cat /etc/resolv.conf                                                   
nameserver 62.109.121.1 # resolvd: pppoe0
nameserver 62.109.121.2 # resolvd: pppoe0
# Generated by dhcpcd
# /etc/resolv.conf.head can replace this line
# /etc/resolv.conf.tail can replace this line
Thanks for interpreting the output. Since I do not run a DNS server myself on the router, the DNS nameservers listed in /etc/resolv.conf are generated by the pppoe0 interface. How do I implement a rule pointing to those servers, or am I mistaken thinking this way?

dennisN86 (Port Guard; Join Date: Jan 2021; Posts: 24), 14th September 2022:

I turned off the option domain-name-server in /etc/dhcpd.conf, which might have caused the error.

Code:
tcpdump -ni bwfm0

22:34:38.479481 fe80::21c8:b7b0:947d:e31c > ff02::16: HBH multicast listener report v2, 2 group record]
22:34:38.873759 fe80::21c8:b7b0:947d:e31c.5353 > ff02::fb.5353: 0 [7q] PTR? _nfs._tcp.local. PTR? _ftp]
22:34:38.909427 192.168.0.13.5353 > 224.0.0.251.5353: 0 [7q] PTR? _nfs._tcp.local. PTR? _ftp._tcp.loca)
22:34:39.830812 arp who-has 192.168.0.13 tell 192.168.0.13
22:34:40.155618 192.168.0.13.5353 > 224.0.0.251.5353: 0*- [0q] 4/0/0[|domain] (DF)
22:34:40.155626 fe80::21c8:b7b0:947d:e31c.5353 > ff02::fb.5353: 0*- [0q] 2/0/0[|domain] [flowlabel 0x6]
22:34:41.598489 fe80::21c8:b7b0:947d:e31c > ff02::2: icmp6: router solicitation  [flowlabel 0x35d12]
22:34:42.896167 fe80::21c8:b7b0:947d:e31c.5353 > ff02::fb.5353: 0 [7q] PTR? _nfs._tcp.local. PTR? _ftp]
22:34:42.933212 192.168.0.13.5353 > 224.0.0.251.5353: 0 [7q] PTR? _nfs._tcp.local. PTR? _ftp._tcp.loca)
Code:
router# tcpdump -eni pflog0                                                    
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
22:35:57.575921 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:01.815419 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:02.059790 rule 6/(match) block in on pppoe0: 54.162.222.133.443 > 93.131.122.147.41227: FP 55920)
22:36:02.251407 rule 75/(match) pass in on pppoe0: 193.107.20.100.43934 > 93.131.122.147.53: 17767+ [1)
22:36:06.055025 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:10.294749 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:11.693417 rule 11/(match) pass in on pppoe0: 54.93.216.155 > 93.131.122.147: icmp: echo request )
Code:
router# cat /etc/pf.conf                                                       
### Interfaces
if_wan      = "pppoe0"
ip_wan      = "169.254.2.2" # em0 static-ip
if_lo       = "lo0"
if_lan      = "em1"
if_wifi     = "bwfm0"
if_dmz      = "em2"
if_internal = "{" $if_lan $if_wifi "}"

dns_nameserver = "1.1.1.1"

tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s }"
udp_services = "{ domain ntp }"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 \
                   ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 2001:10::/28 \
                   2001:2::/48 2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }

set block-policy drop
set loginterface $if_wan
set skip on $if_lo

match in all scrub (no-df random-id max-mss 1440)
match out on $if_wan inet from !($if_wan:network) to any nat-to ($if_wan)

block in from no-route
block in quick from urpf-failed
block in quick on $if_wan from <martians> to any
block return out quick on $if_wan from any to <martians>

block log all
pass in log on $if_wan inet proto icmp all icmp-type { echoreq }
pass in log on $if_wan inet6 proto icmp6 all icmp6-type { echoreq \
        routeradv neighbrsol neighbradv }
pass in log on { $if_wan $if_lan $if_wifi } proto tcp to port { 22 } \
        keep state (max-src-conn 15, max-src-conn-rate 3/1, \
        overload <bruteforce> flush global)
pass out log proto { tcp udp } to port { 22 53 80 123 443 853 993 5222:5223 5228 3389 }
pass out log quick proto { tcp udp } to any port { 53 853 }
pass proto tcp from $if_internal to port $tcp_services
pass quick log proto { tcp udp } to port $udp_services
pass in log quick from { $if_lan:network $if_wifi:network } to any
pass out log on $if_wan inet from $if_internal to any nat-to ($if_wan)
pass in log quick proto { tcp udp } from $if_internal to ($if_wan) port 53
pass in log on $if_wan proto { tcp udp } from any to $if_wan port { 53 80 443 }
pass in quick log on $if_wan inet proto { tcp udp } from any to ($if_wan) port 53
Sadly, outbound HTTP/HTTPS connections from wifi still cannot be established...

jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,983), 14th September 2022:

From what I can tell by reading this thread, your WiFi network is connected via your Broadcom NIC at 192.168.0.1/24. We don't have your PPPoE configuration well described, but that should be provisioned to use a completely separate subnet, and you should have provisioned IP packet forwarding in your sysctl.conf(5) configuration file.

Provisioning of nameservers for the system at 192.168.0.13 would either be statically provisioned on that system, or be dynamically provided by a DHCP server supporting that subnet. If your OpenBSD system happens to be providing DHCP services -- from, for example, a dhcpd(8) daemon -- then configuration of one or more nameservers would be provisioned via the daemon's dhcpd.conf(5) configuration file, by provisioning "option domain-name-servers ip-address [, ip address ... ]" as described in the dhcp-options(5) man page.
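The provisioning chain described above (a global "option domain-name-servers" as the default, a subnet-scoped one as the override) can be audited mechanically. The following is an added shell example, not code from this thread or from OpenBSD's dhcpd(8): it parses a dhcpd.conf(5) file, prints the effective nameserver list per subnet, and flags subnets that advertise their own router as resolver, which is exactly the case where a resolver must actually be listening on that address. The sample config is constructed after the one posted in this thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which nameservers each subnet in
# a dhcpd.conf(5) hands out.  A global "option domain-name-servers" is the
# default, a subnet-scoped one overrides it; a subnet whose nameserver is its
# own "option routers" address is flagged, because something must listen on
# port 53 there or clients see "udp port 53 unreachable".
# Live use:  dhcpd_nameservers < /etc/dhcpd.conf

# Constructed dhcpd.conf in the shape of the one posted in this thread.
SAMPLE_DHCPD='authoritative;
option domain-name "somedomain";
#option domain-name-servers 1.1.1.1, 62.109.121.1, 62.109.121.2;

subnet 10.10.10.0 netmask 255.255.255.0 {
        option routers 10.10.10.1;
        option domain-name-servers 10.10.10.1;
        range 10.10.10.10 10.10.10.254;
}

subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        #option domain-name-servers 192.168.0.1;
        range 192.168.0.12 192.168.0.254;
}'

# Reads dhcpd.conf on stdin; prints one line per subnet:
#   <subnet> <ns1,ns2,...|none> [router-is-ns]
dhcpd_nameservers() {
    awk '
        { sub(/#.*/, "") }                                  # strip comments first
        /^[ \t]*subnet[ \t]/ { cur = $2; order[++k] = cur; next }
        /^[ \t]*}/           { cur = ""; next }
        /option[ \t]+domain-name-servers[ \t]/ {
            v = $0
            sub(/^.*domain-name-servers[ \t]+/, "", v); sub(/[ \t]*;.*$/, "", v)
            gsub(/[ \t]/, "", v)                            # "a, b" -> "a,b"
            if (cur == "") global = v; else ns[cur] = v
        }
        /option[ \t]+routers[ \t]/ && cur != "" {
            v = $0
            sub(/^.*routers[ \t]+/, "", v); sub(/[ \t]*;.*$/, "", v)
            gsub(/[ \t]/, "", v)
            rt[cur] = v
        }
        END {
            for (i = 1; i <= k; i++) {
                s = order[i]
                v = (s in ns) ? ns[s] : global                  # override or default
                flag = ""
                m = split(v, nsl, ","); r = split(rt[s], rtl, ",")
                for (a = 1; a <= m; a++)
                    for (b = 1; b <= r; b++)
                        if (nsl[a] != "" && nsl[a] == rtl[b]) flag = " router-is-ns"
                printf "%s %s%s\n", s, (v != "" ? v : "none"), flag
            }
        }
    '
}
```

On the constructed sample the 10.10.10.0 subnet is flagged (it advertises its router as resolver) and 192.168.0.0 reports "none", since its only nameserver line is commented out and there is no global default; with a global option present, subnets without their own line inherit it.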

dennisN86 (Port Guard; Join Date: Jan 2021; Posts: 24), 14th September 2022:

Quote (Originally Posted by jggimi):
From what I can tell by reading this thread, your WiFi network is connected via your Broadcom NIC at 192.168.0.1/24. We don't have your PPPoE configuration well described, but that should be provisioned to use a completely separate subnet, and you should have provisioned IP packet forwarding in your sysctl.conf(5) configuration file.

Provisioning of nameservers for the system at 192.168.0.13 would either be statically provisioned on that system, or be dynamically provided by a DHCP server supporting that subnet. If your OpenBSD system happens to be providing DHCP services -- from, for example, a dhcpd(8) daemon -- then configuration of one or more nameservers would be provisioned via the daemon's dhcpd.conf(5) configuration file, by provisioning "option domain-name-servers ip-address [, ip address ... ]" as described in the dhcp-options(5) man page.
Sorry for not providing the pppoe0 configuration. I didn't think it mattered here.

Code:
router# cat /etc/hostname.pppoe0                                               
inet 0.0.0.0 255.255.255.255 NONE mtu 1500 \
    pppoedev vlan7 authproto pap \
    authname 'XXXX' authkey 'XXXX' up 
dest 0.0.0.1
#inet6 eui64
inet6 autoconf -soii -temporary
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8
Code:
router# cat /etc/hostname.vlan7                                                
vlan 7 vlandev em0 up
Code:
router# cat /etc/dhcpd.conf                                                    
allow booting;
allow bootp;

authoritative;

server-name "router";
option domain-name "somedomain";
#option domain-name-servers 1.1.1.1, 62.109.121.1, 62.109.121.2; 

subnet 10.10.10.0 netmask 255.255.255.0 {
        option routers 10.10.10.1;
        option domain-name-servers 10.10.10.1;
        option broadcast-address 10.10.10.255;
        next-server 10.10.10.1;
        server-identifier 10.10.10.1;
        option ntp-servers 10.10.10.1;
        range 10.10.10.10 10.10.10.254;

[...]

}

subnet 192.168.0.0 netmask 255.255.255.0 {
                option routers 192.168.0.1;
                #option domain-name-servers 192.168.0.1;
                option broadcast-address 192.168.0.255;
                next-server 192.168.0.1;
                server-identifier 192.168.0.1;
                option ntp-servers 192.168.0.1;
                range 192.168.0.12 192.168.0.254;

[...]

}

subnet 172.16.0.0 netmask 255.255.255.0 {
                option routers 172.16.0.1;
                option domain-name-servers 172.16.0.1;
                option broadcast-address 172.16.0.255;
                next-server 172.16.0.1;
                server-identifier 172.16.0.1;
                range 172.16.0.10 172.16.0.254;
[...]

}
Is there a recommended/best-practice of where to define the dns-nameserver?

jggimi (More noise than signal; Join Date: May 2008; Location: USA; Posts: 7,983), 14th September 2022:

Your dhcpd.conf configuration for the 192.168.0.0/24 subnet has -- as you've just posted -- a commented out domain-name-server provision, pointing to the address that was logged in packets by PF.

Domain names are provisioned multiple ways. They can be provisioned statically, as I mentioned above, and dynamically, through a variety of services (DHCP, SLAAC, and others).

dennisN86 (Port Guard; Join Date: Jan 2021; Posts: 24), 14th September 2022:

Organizing my pf.conf according to @J65nko's advice helped me understand the individual rules for out-/inbound traffic. The config is working now.

@jggimi: Thanks for pointing my nose to the output of tcpdump regarding the DNS server. Commenting out the option domain-name-servers made the difference.

For the sake of completeness, here is the now working pf.conf, which probably has plenty of room for improvement.

Code:
### Interfaces
if_wan      = "pppoe0"
ip_wan      = "169.254.2.2" # em0 static-ip
if_lo       = "lo0"
if_lan      = "em1"
if_wifi     = "bwfm0"
if_dmz      = "em2"
if_internal = "{" $if_lan $if_wifi "}"

### Nameservers
dns_nameserver = "1.1.1.1"

### Cidr-Ranges
prv_nets = "10.10.10.0/24, 192.168.0.0/24"
dmz_net  = "172.16.0.0/24"

### Tables
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
                   203.0.113.0/24 \
                   ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 2001:10::/28 \
                   2001:2::/48 2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }

### Security Rules
set block-policy drop
set loginterface $if_wan
set skip on $if_lo

match in all scrub (no-df random-id max-mss 1440)
 
block in from no-route
block in quick from urpf-failed

block in quick on $if_wan from <martians> to any
block return out quick on $if_wan from any to <martians>

##### Outgoing - Egress Rules

### $if_wan - pppoe0
block log all
match out on $if_wan inet from !($if_wan:network) to any nat-to ($if_wan)
pass out quick on $if_wan

# TCP
pass out log proto tcp to port { 22 53 80 123 443 853 993 5222:5223 5228 3389 }

# UDP
pass out log quick proto { tcp udp } to any port { 53 853 }

# ICMP


### Interfaces
pass out quick inet6 from { (self) (bwfm0:network) }
pass out quick inet6 from { (self) (em0:network) }
pass out quick inet6 from { (self) (em1:network) }
pass out quick inet6 from { (self) (em2:network) }

### $if_lan - em1 / $if_wifi - bwfm0 = $if_internal
#pass proto tcp from $if_internal to port $tcp_services
#pass quick log proto { tcp udp } to port $udp_services

### $if_dmz - em2


##### Incoming - Ingress Rules
pass in log quick from { $if_lan:network $if_wifi:network } to any


# TCP
pass in log on $if_wan proto { tcp udp } from any to $if_wan port { 53 80 443 }
pass in quick log on $if_wan inet proto { tcp udp } from any to ($if_wan) port 53

# UDP

# ICMP
pass in log on $if_wan inet proto icmp all icmp-type { echoreq }
pass in log on $if_wan inet6 proto icmp6 all icmp6-type { echoreq \
        routeradv neighbrsol neighbradv }
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick