pf.conf - port 53 unreachable
I'm having a config issue in pf.conf, but I'm not sure what it is. The connection from my laptop to my OpenBSD router is established, but the traffic is not routed through port 53, which is unreachable.
Code:
tcpdump -ni bwfm0
192.168.0.13.34322 > 192.168.0.1.53: 31656+ A? ping.manjaro.org. (34) (DF)
192.168.0.1 > 192.168.0.13: icmp: 192.168.0.1 udp port 53 unreachable
192.168.0.13.34322 > 192.168.0.1.53: 26282+ AAAA? ping.manjaro.org. (34) (DF)
192.168.0.1 > 192.168.0.13: icmp: 192.168.0.1 udp port 53 unreachable
192.168.0.13.48079 > 192.168.0.1.53: 48877+ A? ping.manjaro.org.<dns.name>.(51) )
192.168.0.13.48079 > 192.168.0.1.53: 33521+ AAAA? ping.manjaro.org.<dns.name> (5)
192.168.0.13: icmp: 192.168.0.1 udp port 53 unreachable

Code:
cat /etc/hostname.bwfm0
media autoselect mode 11ac mediaopt hostap
nwid "wifi-name" wpakey "wifi-key"
inet 192.168.0.1 255.255.255.0 NONE
group internal
#inet6 fe80::1/64
inet6 autoconf -soii -temporary
description "WIFI"

Code:
router# cat /etc/pf.conf
### Interfaces
if_wan = "pppoe0"
#ip_wan = "169.254.2.2" # em0 static-ip
if_lo = "lo0"
if_lan = "em1"
if_wifi = "bwfm0"
if_dmz = "em2"
if_internal = "{" $if_lan $if_wifi "}"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 \
    ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 2001:10::/28 \
    2001:2::/48 2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }

set block-policy drop
set loginterface $if_wan
set skip on $if_lo

match in all scrub (no-df random-id max-mss 1440)
match out on $if_wan inet from !($if_wan:network) to any nat-to ($if_wan)

block in from no-route
block in quick from urpf-failed
block in quick on $if_wan from <martians> to any
block return out quick on $if_wan from any to <martians>

block all

pass in on $if_wan inet proto icmp all icmp-type { echoreq }
pass in on $if_wan inet6 proto icmp6 all icmp6-type { echoreq \
    routeradv neighbrsol neighbradv }

pass in on { $if_wan $if_lan $if_wifi } proto tcp to port { 22 } \
    keep state (max-src-conn 15, max-src-conn-rate 3/1, \
    overload <bruteforce> flush global)

pass out proto { tcp udp } to port { 22 53 80 123 443 993 5222:5223 5228 3389 }
#pass out quick proto { tcp udp } from any to port 53

pass in on $if_internal
pass in quick from { $if_lan:network $if_wifi:network } to any
pass out on $if_wan inet from $if_internal to any nat-to ($if_wan)
pass quick proto { tcp udp } from $if_internal to $if_wan port 53

I have no idea, so I just googled around and didn't find much except this and a couple on FreeBSD; it is interesting:
https://kb.isc.org/docs/aa-00621
https://forums.freebsd.org/threads/h...port-53.11509/

Last edited by frcc; 14th September 2022 at 11:59 AM. Reason: spelling

Replace
Code:
block all
with
Code:
block log all

To watch and read these blocked packets, run on the OpenBSD router:
Code:
# tcpdump -eni pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG

BTW, to make it easier to debug and understand, I try to organize my rules by direction, interface, and protocol by using section headers like this:
Code:
# ------------------- OUTGOING
# ---------- egress
#
# --- tcp pf rules
# --- udp pf rules
# --- icmp pf rules

# ---------- vio1
# --- tcp pf rules
# --- udp pf rules
# --- icmp pf rules

# ------------------- INCOMING
# ---------- egress
(repeat pf rules per protocol as under OUTGOING)
# ---------- vio1
(repeat pf rules per protocol as under OUTGOING)

__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump

Keep in mind that DNS / domain traffic can use UDP as well as TCP on port 53, and also port 853:
Code:
$ grep domain /etc/services
domain          53/tcp    # Domain Name Server
domain          53/udp
domain-s        853/tcp   # DNS query-response protocol run over TLS/DTLS
domain-s        853/udp   # DNS query-response protocol run over TLS/DTLS

Changing the block statement to
Code:
block log all
gives
Code:
tcpdump: listening on pflog0, link-type PFLOG
20:10:32.922871 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
20:10:33.185951 rule 6/(match) block out on pppoe0: 93.132.142.208 > 1.1.1.1: icmp: echo request
20:10:34.186137 rule 6/(match) block out on pppoe0: 93.132.142.208 > 1.1.1.1: icmp: echo request
20:10:35.186268 rule 6/(match) block out on pppoe0: 93.132.142.208 > 1.1.1.1: icmp: echo request
20:10:36.186389 rule 6/(match) block out on pppoe0: 93.132.142.208 > 1.1.1.1: icmp: echo request

Code:
pass out quick proto { tcp udp } to any port { 53 }

@jggimi: How do I find out about this randomized destination port you were talking about?

The following rule set translates to the rules beneath it when applied with pfctl -vf /etc/pf.conf
Code:
router# cat /etc/pf.conf
### Interfaces
if_wan = "pppoe0"
ip_wan = "169.254.2.2" # em0 static-ip
if_lo = "lo0"
if_lan = "em1"
if_wifi = "bwfm0"
if_dmz = "em2"
if_internal = "{" $if_lan $if_wifi "}"

### Cidr-Ranges
prv_nets = "10.10.10.0/24, 192.168.0.0/24"
dmz_net = "172.16.0.0/24"

#tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s }"
#udp_services = "{ domain ntp }"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 \
    ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 2001:10::/28 \
    2001:2::/48 2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }

set block-policy drop
set loginterface $if_wan
set skip on $if_lo

match in all scrub (no-df random-id max-mss 1440)
match out on $if_wan inet from !($if_wan:network) to any nat-to ($if_wan)

#antispoof quick for { $if_wan $if_lan $if_wifi $if_dmz }
block in from no-route
block in quick from urpf-failed
block in quick on $if_wan from <martians> to any
block return out quick on $if_wan from any to <martians>

block log all
#block all

pass in on $if_wan inet proto icmp all icmp-type { echoreq }
pass in on $if_wan inet6 proto icmp6 all icmp6-type { echoreq \
    routeradv neighbrsol neighbradv }

pass in on { $if_wan $if_lan $if_wifi } proto tcp to port { 22 } \
    keep state (max-src-conn 15, max-src-conn-rate 3/1, \
    overload <bruteforce> flush global)

pass out proto { tcp udp } to port { 22 53 80 123 443 853 993 5222:5223 5228 3389 }
pass out quick proto { tcp udp } to any port { 53 853 }
#pass out quick inet

pass in on $if_internal
pass in quick from { $if_lan:network $if_wifi:network } to any
pass out on $if_wan inet from $if_internal to any nat-to ($if_wan)
#pass in quick proto { tcp udp } from $if_internal to ($if_wan) port 53
pass in quick proto { tcp udp } from $if_internal to ($if_wan) port 53
#pass in quick proto { tcp udp } from $if_internal to $ip_wan port 53
#pass in quick proto { tcp udp } from $if_internal to egress port 53

Code:
"/etc/pf.conf" 55L, 2160B written
router# pfctl -vf /etc/pf.conf
if_wan = "pppoe0"
ip_wan = "169.254.2.2"
if_lo = "lo0"
if_lan = "em1"
if_wifi = "bwfm0"
if_dmz = "em2"
if_internal = "{ em1 bwfm0 }"
prv_nets = "10.10.10.0/24, 192.168.0.0/24"
dmz_net = "172.16.0.0/24"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.0.0/24 192.0.2.}
set block-policy drop
set loginterface pppoe0
set skip on { lo0 }
match in all scrub (no-df random-id max-mss 1440)
match out on pppoe0 inet from ! (pppoe0:network) to any nat-to (pppoe0) round-robin
block drop in from no-route to any
block drop in quick from urpf-failed to any
block drop in quick on pppoe0 from <martians> to any
block return out quick on pppoe0 from any to <martians>
block drop log all
pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type echoreq
pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type routeradv
pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type neighbradv
pass in on pppoe0 inet proto icmp all icmp-type echoreq
pass in on pppoe0 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max-sr)
pass in on em1 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max-src-c)
pass in on bwfm0 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max-src)
pass out proto tcp from any to any port = 22 flags S/SA
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto tcp from any to any port = 80 flags S/SA
pass out proto tcp from any to any port = 123 flags S/SA
pass out proto tcp from any to any port = 443 flags S/SA
pass out proto tcp from any to any port = 853 flags S/SA
pass out proto tcp from any to any port = 993 flags S/SA
pass out proto tcp from any to any port 5222:5223 flags S/SA
pass out proto tcp from any to any port = 5228 flags S/SA
pass out proto tcp from any to any port = 3389 flags S/SA
pass out proto udp from any to any port = 22
pass out proto udp from any to any port = 53
pass out proto udp from any to any port = 80
pass out proto udp from any to any port = 123
pass out proto udp from any to any port = 443
pass out proto udp from any to any port = 853

Wikipedia has a relatively short explanation within its Transmission Control Program (TCP) page.

Evaluating the rule 6 error from tcpdump -eni pflog0 points to rule
Code:
block drop log all

Code:
router# pfctl -s rules -vv
@0 match in all scrub (no-df random-id max-mss 1440)
  [ Evaluations: 32 Packets: 96 Bytes: 5992 States: 24 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@1 match out on pppoe0 inet from ! (pppoe0:network:1) to any nat-to (pppoe0:1) round-robin
  [ Evaluations: 32 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@2 block drop in from no-route to any
  [ Evaluations: 32 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@3 block drop in quick from urpf-failed to any
  [ Evaluations: 26 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@4 block drop in quick on pppoe0 from <martians:22> to any
  [ Evaluations: 26 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@5 block return out quick on pppoe0 from any to <martians:22>
  [ Evaluations: 8 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@6 block drop log all
  [ Evaluations: 32 Packets: 8 Bytes: 717 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@7 pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type echoreq
  [ Evaluations: 32 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@8 pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type routeradv
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@9 pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type neighbrsol
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@10 pass in on pppoe0 inet6 proto ipv6-icmp all icmp6-type neighbradv
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@11 pass in on pppoe0 inet proto icmp all icmp-type echoreq
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@12 pass in on pppoe0 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, ma)
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@13 pass in on em1 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max-s)
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@14 pass in on bwfm0 proto tcp from any to any port = 22 flags S/SA keep state (source-track rule, max)
  [ Evaluations: 24 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@15 pass out proto tcp from any to any port = 22 flags S/SA
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@16 pass out proto tcp from any to any port = 53 flags S/SA
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@17 pass out proto tcp from any to any port = 80 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@18 pass out proto tcp from any to any port = 123 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@19 pass out proto tcp from any to any port = 443 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@20 pass out proto tcp from any to any port = 853 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@21 pass out proto tcp from any to any port = 993 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@22 pass out proto tcp from any to any port 5222:5223 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@23 pass out proto tcp from any to any port = 5228 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@24 pass out proto tcp from any to any port = 3389 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@25 pass out proto udp from any to any port = 22
  [ Evaluations: 31 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@26 pass out proto udp from any to any port = 53
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@27 pass out proto udp from any to any port = 80
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@28 pass out proto udp from any to any port = 123
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@29 pass out proto udp from any to any port = 443
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@30 pass out proto udp from any to any port = 853
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@31 pass out proto udp from any to any port = 993
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@32 pass out proto udp from any to any port 5222:5223
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@33 pass out proto udp from any to any port = 5228
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@34 pass out proto udp from any to any port = 3389
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@35 pass out quick proto tcp from any to any port = 53 flags S/SA
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@36 pass out quick proto tcp from any to any port = 853 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@37 pass out quick proto udp from any to any port = 53
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@38 pass out quick proto udp from any to any port = 853
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@39 pass in on em1 all flags S/SA
  [ Evaluations: 32 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@40 pass in on bwfm0 all flags S/SA
  [ Evaluations: 32 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@41 pass in quick inet from 10.10.10.0/24 to any flags S/SA
  [ Evaluations: 32 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@42 pass in quick inet from 192.168.0.0/24 to any flags S/SA
  [ Evaluations: 26 Packets: 96 Bytes: 5992 States: 24 ]
  [ Inserted: uid 0 pid 17444 State Creations: 24 ]
@43 pass out on pppoe0 inet from 10.10.10.1 to any flags S/SA nat-to (pppoe0:1) round-robin
  [ Evaluations: 8 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@44 pass out on pppoe0 inet from 192.168.0.1 to any flags S/SA nat-to (pppoe0:1) round-robin
  [ Evaluations: 6 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@45 pass in quick inet proto tcp from 10.10.10.1 to (pppoe0:1) port = 53 flags S/SA
  [ Evaluations: 8 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@46 pass in quick inet proto tcp from 192.168.0.1 to (pppoe0:1) port = 53 flags S/SA
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@47 pass in quick inet proto udp from 10.10.10.1 to (pppoe0:1) port = 53
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@48 pass in quick inet proto udp from 192.168.0.1 to (pppoe0:1) port = 53
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@49 pass in quick on em1 inet6 proto tcp from fe80::20d:b9ff:fe44:ec5d to (pppoe0:2) port = 53 flags SA
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@50 pass in quick on em1 inet6 proto udp from fe80::20d:b9ff:fe44:ec5d to (pppoe0:2) port = 53
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@51 pass in quick on bwfm0 inet6 proto tcp from fe80::461c:a8ff:fec2:5755 to (pppoe0:2) port = 53 flagA
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@52 pass in quick on bwfm0 inet6 proto udp from fe80::461c:a8ff:fec2:5755 to (pppoe0:2) port = 53
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@53 pass in on pppoe0 inet6 proto tcp from any to fe80::20d:b9ff:fe44:ec5c port = 53 flags S/SA
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@54 pass in on pppoe0 inet6 proto tcp from any to fe80::20d:b9ff:fe44:ec5c port = 80 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@55 pass in on pppoe0 inet6 proto tcp from any to fe80::20d:b9ff:fe44:ec5c port = 443 flags S/SA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@56 pass in on pppoe0 inet6 proto tcp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 53 flagsA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@57 pass in on pppoe0 inet6 proto tcp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 80 flagsA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@58 pass in on pppoe0 inet6 proto tcp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 443 flagA
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@59 pass in on pppoe0 inet6 proto udp from any to fe80::20d:b9ff:fe44:ec5c port = 53
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@60 pass in on pppoe0 inet6 proto udp from any to fe80::20d:b9ff:fe44:ec5c port = 80
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@61 pass in on pppoe0 inet6 proto udp from any to fe80::20d:b9ff:fe44:ec5c port = 443
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@62 pass in on pppoe0 inet6 proto udp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 53
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@63 pass in on pppoe0 inet6 proto udp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 80
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@64 pass in on pppoe0 inet6 proto udp from any to 2a01:c23:7200:cce:20d:b9ff:fe44:ec5c port = 443
  [ Evaluations: 0 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@65 pass in on pppoe0 inet proto tcp from any to 78.48.11.152 port = 53 flags S/SA
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@66 pass in on pppoe0 inet proto tcp from any to 78.48.11.152 port = 80 flags S/SA
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@67 pass in on pppoe0 inet proto tcp from any to 78.48.11.152 port = 443 flags S/SA
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@68 pass in on pppoe0 inet proto udp from any to 78.48.11.152 port = 53
  [ Evaluations: 2 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@69 pass in on pppoe0 inet proto udp from any to 78.48.11.152 port = 80
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]
@70 pass in on pppoe0 inet proto udp from any to 78.48.11.152 port = 443
  [ Evaluations: 1 Packets: 0 Bytes: 0 States: 0 ]
  [ Inserted: uid 0 pid 17444 State Creations: 0 ]

Rule 6 is the only rule with a "log" option, so only traffic that does not match any other rule will be logged by it. By itself, not necessarily very helpful -- it only shows the traffic that does not match any other rule -- either quick rules that came before, or any non-quick rules that follow after.
For more insight, add the "log" option to the rules for which you are interested in seeing what traffic will or will not match them.

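As an added illustration (my own code, not from anyone in this thread), here is a small Python parser for `tcpdump -eni pflog0` lines of the kind posted above. It tallies hits per rule number, action, direction and interface and flags the DNS packets (destination port 53/853, or an ICMP "port 53 unreachable"), which is what you want to see once "log" has been added to the rules of interest. The sample lines are constructed after the ones in this thread, and all function names are mine.

```python
"""Tally `tcpdump -eni pflog0` output by pf rule, action, direction and interface.

pflog lines name the rule number that matched, which is what lets you tell
a `block log all` catch-all (rule 6 in this thread) apart from the
`pass in quick from { $if_lan:network ... }` rule that really handled the
packet (rule 42).  DNS packets (dst port 53/853, or an ICMP "port 53
unreachable") are flagged separately.
"""
import re
from collections import Counter

DNS_PORTS = {53, 853}

# Everything up to the interface colon, then the flow "src > dst: payload".
HEAD_RE = re.compile(
    r"^(?P<time>\S+)\s+rule\s+(?P<rule>\d+)/\((?P<reason>[^)]*)\)\s+"
    r"(?P<action>pass|block|match)\s+(?P<dir>in|out)\s+on\s+"
    r"(?P<iface>[^:\s]+):\s+(?P<flow>.+)$"
)


def split_endpoint(token):
    """Split tcpdump's 'host.port' into (host, port); port is None if absent.

    An IPv4 host with a port has four dots; an IPv6 host contains ':' so
    any trailing numeric dotted field is the port.
    """
    host, sep, tail = token.rpartition(".")
    if sep and tail.isdigit() and (":" in host or host.count(".") == 3):
        return host, int(tail)
    return token, None


def parse_pflog_line(line):
    """Return a dict for one pflog line, or None for banners/unparsable lines."""
    m = HEAD_RE.match(line.strip())
    if m is None or " > " not in m.group("flow"):
        return None
    src_tok, rest = m.group("flow").split(" > ", 1)
    # The destination ends at the first ": " (an IPv6 "::" is never followed by a space).
    dst_tok, _, payload = rest.partition(": ")
    src, sport = split_endpoint(src_tok)
    dst, dport = split_endpoint(dst_tok)
    return {
        "time": m.group("time"),
        "rule": int(m.group("rule")),
        "action": m.group("action"),
        "dir": m.group("dir"),
        "iface": m.group("iface"),
        "src": src, "sport": sport,
        "dst": dst, "dport": dport,
        "payload": payload.strip(),
        "dns": dport in DNS_PORTS or "port 53 unreachable" in payload,
    }


def summarize(lines):
    """Count packets per (rule, action, dir, iface) and collect DNS packets."""
    per_rule = Counter()
    dns = []
    skipped = 0
    for line in lines:
        rec = parse_pflog_line(line)
        if rec is None:
            skipped += 1          # e.g. "tcpdump: listening on pflog0, ..."
            continue
        per_rule[(rec["rule"], rec["action"], rec["dir"], rec["iface"])] += 1
        if rec["dns"]:
            dns.append(rec)
    return {"per_rule": per_rule, "dns": dns, "skipped": skipped}


def report(summary):
    """Render the summary as text lines, busiest rule first."""
    out = []
    for (rule, action, direction, iface), n in summary["per_rule"].most_common():
        out.append(f"rule {rule:>3} {action:5} {direction:3} on {iface:8} {n:5} pkt")
    for rec in summary["dns"]:
        out.append(f"  DNS  rule {rec['rule']} {rec['action']} {rec['dir']} on "
                   f"{rec['iface']}: {rec['src']} -> {rec['dst']}:{rec['dport']}")
    return out


# Constructed sample, modelled on the pflog lines posted in this thread.
SAMPLE_LOG = """\
tcpdump: listening on pflog0, link-type PFLOG
20:10:32.922871 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
20:10:33.185951 rule 6/(match) block out on pppoe0: 93.132.142.208 > 1.1.1.1: icmp: echo request
21:11:07.881607 rule 42/(match) pass in on bwfm0: 192.168.0.13.59685 > 192.168.0.1.53: 51244+[|domain]
21:11:07.882364 rule 42/(match) pass in on bwfm0: 192.168.0.13.45317 > 192.168.0.1.53: 8540+[|domain]
22:36:11.693417 rule 11/(match) pass in on pppoe0: 54.93.216.155 > 93.131.122.147: icmp: echo request
"""

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE_LOG.splitlines()))))
```

Feed it a live capture with `tcpdump -eni pflog0 -l | python3 pflog_summary.py` style piping (reading stdin instead of SAMPLE_LOG) to see which rule is catching the DNS packets.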
Adding the log statement to all rules gives me more output. When connecting my laptop via wifi, pflog0 points to rule 42
Code:
21:11:07.881607 rule 42/(match) pass in on bwfm0: 192.168.0.13.59685 > 192.168.0.1.53: 51244+[|domain])
21:11:07.882364 rule 42/(match) pass in on bwfm0: 192.168.0.13.45317 > 192.168.0.1.53: 8540+[|domain] )
21:11:07.886068 rule 42/(match) pass in on bwfm0: 192.168.0.13.45656 > 192.168.0.1.53: 48813+[|domain])
21:11:07.886204 rule 42/(match) pass in on bwfm0: 192.168.0.13.37106 > 192.168.0.1.53: 4047+[|domain] )
21:11:07.886592 rule 42/(match) pass in on bwfm0: 192.168.0.13.43425 > 192.168.0.1.53: 25317+[|domain])
21:11:07.890673 rule 42/(match) pass in on bwfm0: 192.168.0.13.57198 > 192.168.0.1.53: 31134+[|domain])
21:11:07.890932 rule 42/(match) pass in on bwfm0: 192.168.0.13.53853 > 192.168.0.1.53: 18144+[|domain])
21:11:07.891830 rule 42/(match) pass in on bwfm0: 192.168.0.13.40254 > 192.168.0.1.53: 399+[|domain] ()
21:11:07.892000 rule 42/(match) pass in on bwfm0: 192.168.0.13.53515 > 192.168.0.1.53: 11195+[|domain])
21:11:07.892755 rule 42/(match) pass in on bwfm0: 192.168.0.13.33806 > 192.168.0.1.53: 8540+[|domain] )
21:11:07.893983 rule 42/(match) pass in on bwfm0: 192.168.0.13.42802 > 192.168.0.1.53: 48084+[|domain])
21:11:07.894273 rule 42/(match) pass in on bwfm0: 192.168.0.13.37008 > 192.168.0.1.53: 4047+[|domain] )
21:11:07.895229 rule 42/(match) pass in on bwfm0: 192.168.0.13.40482 > 192.168.0.1.53: 25317+[|domain]

The rule being matched (42) is showing traffic from source IP 192.168.0.13, destination IP 192.168.0.1. The source port numbers are high and ephemeral, the destination port number is consistently 53, for domain services.
This tells me that -- in this latest PF configuration you are using -- PF is passing domain traffic from the client system at 192.168.0.13 to a DNS server residing at 192.168.0.1.

Code:
router# cat /etc/resolv.conf
nameserver 62.109.121.1 # resolvd: pppoe0
nameserver 62.109.121.2 # resolvd: pppoe0
# Generated by dhcpcd
# /etc/resolv.conf.head can replace this line
# /etc/resolv.conf.tail can replace this line

I turned off the option domain-name-server in /etc/dhcpd.conf, which might have caused the error.
Code:
tcpdump -ni bwfm0
22:34:38.479481 fe80::21c8:b7b0:947d:e31c > ff02::16: HBH multicast listener report v2, 2 group record]
22:34:38.873759 fe80::21c8:b7b0:947d:e31c.5353 > ff02::fb.5353: 0 [7q] PTR? _nfs._tcp.local. PTR? _ftp]
22:34:38.909427 192.168.0.13.5353 > 224.0.0.251.5353: 0 [7q] PTR? _nfs._tcp.local. PTR? _ftp._tcp.loca)
22:34:39.830812 arp who-has 192.168.0.13 tell 192.168.0.13
22:34:40.155618 192.168.0.13.5353 > 224.0.0.251.5353: 0*- [0q] 4/0/0[|domain] (DF)
22:34:40.155626 fe80::21c8:b7b0:947d:e31c.5353 > ff02::fb.5353: 0*- [0q] 2/0/0[|domain] [flowlabel 0x6]
22:34:41.598489 fe80::21c8:b7b0:947d:e31c > ff02::2: icmp6: router solicitation [flowlabel 0x35d12]
22:34:42.896167 fe80::21c8:b7b0:947d:e31c.5353 > ff02::fb.5353: 0 [7q] PTR? _nfs._tcp.local. PTR? _ftp]
22:34:42.933212 192.168.0.13.5353 > 224.0.0.251.5353: 0 [7q] PTR? _nfs._tcp.local. PTR? _ftp._tcp.loca)

Code:
router# tcpdump -eni pflog0
tcpdump: WARNING: snaplen raised from 116 to 160
tcpdump: listening on pflog0, link-type PFLOG
22:35:57.575921 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:01.815419 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:02.059790 rule 6/(match) block in on pppoe0: 54.162.222.133.443 > 93.131.122.147.41227: FP 55920)
22:36:02.251407 rule 75/(match) pass in on pppoe0: 193.107.20.100.43934 > 93.131.122.147.53: 17767+ [1)
22:36:06.055025 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:10.294749 rule 6/(match) block out on pppoe0: 10.10.10.2.1026 > 9.0.252.0.1025: udp 11
22:36:11.693417 rule 11/(match) pass in on pppoe0: 54.93.216.155 > 93.131.122.147: icmp: echo request )

Code:
router# cat /etc/pf.conf
### Interfaces
if_wan = "pppoe0"
ip_wan = "169.254.2.2" # em0 static-ip
if_lo = "lo0"
if_lan = "em1"
if_wifi = "bwfm0"
if_dmz = "em2"
if_internal = "{" $if_lan $if_wifi "}"

dns_nameserver = "1.1.1.1"

tcp_services = "{ ssh, smtp, domain, www, pop3, auth, https, pop3s }"
udp_services = "{ domain ntp }"

table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 \
    ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 2001:10::/28 \
    2001:2::/48 2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }

set block-policy drop
set loginterface $if_wan
set skip on $if_lo

match in all scrub (no-df random-id max-mss 1440)
match out on $if_wan inet from !($if_wan:network) to any nat-to ($if_wan)

block in from no-route
block in quick from urpf-failed
block in quick on $if_wan from <martians> to any
block return out quick on $if_wan from any to <martians>

block log all

pass in log on $if_wan inet proto icmp all icmp-type { echoreq }
pass in log on $if_wan inet6 proto icmp6 all icmp6-type { echoreq \
    routeradv neighbrsol neighbradv }

pass in log on { $if_wan $if_lan $if_wifi } proto tcp to port { 22 } \
    keep state (max-src-conn 15, max-src-conn-rate 3/1, \
    overload <bruteforce> flush global)

pass out log proto { tcp udp } to port { 22 53 80 123 443 853 993 5222:5223 5228 3389 }
pass out log quick proto { tcp udp } to any port { 53 853 }

pass proto tcp from $if_internal to port $tcp_services
pass quick log proto { tcp udp } to port $udp_services

pass in log quick from { $if_lan:network $if_wifi:network } to any
pass out log on $if_wan inet from $if_internal to any nat-to ($if_wan)
pass in log quick proto { tcp udp } from $if_internal to ($if_wan) port 53
pass in log on $if_wan proto { tcp udp } from any to $if_wan port { 53 80 443 }
pass in quick log on $if_wan inet proto { tcp udp } from any to ($if_wan) port 53

From what I can tell by reading this thread, your WiFi network is connected via your Broadcom NIC at 192.168.0.1/24. We don't have your PPPoE configuration well described, but that should be provisioned to use a completely separate subnet, and you should have provisioned IP packet forwarding in your sysctl.conf(5) configuration file.
Provisioning of nameservers for the system at 192.168.0.13 would either be statically provisioned on that system, or be dynamically provided by a DHCP server supporting that subnet. If your OpenBSD system happens to be providing DHCP services -- from, for example, a dhcpd(8) daemon -- then configuration of one or more nameservers would be provisioned via the daemon's dhcpd.conf(5) configuration file, by provisioning "option domain-name-servers ip-address [, ip address ... ]" as described in the dhcp-options(5) man page.

Code:
router# cat /etc/hostname.pppoe0
inet 0.0.0.0 255.255.255.255 NONE mtu 1500 \
    pppoedev vlan7 authproto pap \
    authname 'XXXX' authkey 'XXXX' up
dest 0.0.0.1
#inet6 eui64
inet6 autoconf -soii -temporary
!/sbin/route add default -ifp pppoe0 0.0.0.1
!/sbin/route add -inet6 default -ifp pppoe0 fe80::%pppoe0 -priority 8

Code:
router# cat /etc/hostname.vlan7
vlan 7 vlandev em0 up

Code:
router# cat /etc/dhcpd.conf
allow booting;
allow bootp;
authoritative;

server-name "router";
option domain-name "somedomain";
#option domain-name-servers 1.1.1.1, 62.109.121.1, 62.109.121.2;

subnet 10.10.10.0 netmask 255.255.255.0 {
    option routers 10.10.10.1;
    option domain-name-servers 10.10.10.1;
    option broadcast-address 10.10.10.255;
    next-server 10.10.10.1;
    server-identifier 10.10.10.1;
    option ntp-servers 10.10.10.1;
    range 10.10.10.10 10.10.10.254;
    [...]
}

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    #option domain-name-servers 192.168.0.1;
    option broadcast-address 192.168.0.255;
    next-server 192.168.0.1;
    server-identifier 192.168.0.1;
    option ntp-servers 192.168.0.1;
    range 192.168.0.12 192.168.0.254;
    [...]
}

subnet 172.16.0.0 netmask 255.255.255.0 {
    option routers 172.16.0.1;
    option domain-name-servers 172.16.0.1;
    option broadcast-address 172.16.0.255;
    next-server 172.16.0.1;
    server-identifier 172.16.0.1;
    range 172.16.0.10 172.16.0.254;
    [...]
}

Your dhcpd.conf configuration for the 192.168.0.0/24 subnet has -- as you've just posted -- a commented out domain-name-server provision, pointing to the address that was logged in packets by PF.
Domain names are provisioned multiple ways. They can be provisioned statically, as I mentioned above, and dynamically, through a variety of services (DHCP, SLAAC, and others).

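As an added check (my own code, not from anyone in this thread or from dhcpd itself), here is a small Python audit of a dhcpd.conf(5) that reports subnets whose clients would receive no "option domain-name-servers", distinguishing an option that is merely commented out from one that is absent, and falling back to a global option when a subnet block has none. The sample configuration is constructed after the one posted above, and the function names are mine.

```python
"""Audit a dhcpd.conf(5) for subnets whose clients are handed no nameserver.

If a subnet block has no active `option domain-name-servers` and there is
no global one either, clients on that subnet get no resolver from DHCP.
That is the state this thread ended up in: the 192.168.0.0/24 line was
commented out, so the laptop kept asking 192.168.0.1 on port 53, where
nothing was listening.
"""
import re

SUBNET_RE = re.compile(r"^\s*subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{")
# Matches the option whether or not it is commented out; the comment group tells which.
DNS_RE = re.compile(
    r"^\s*(?P<comment>#\s*)?option\s+domain-name-servers\s+(?P<servers>[^;]+);"
)


def _empty():
    return {"servers": None, "commented": None}


def audit_dhcpd(text):
    """Parse the global scope and each subnet block.

    Returns {"global": {...}, "subnets": {"net/mask": {...}}} where each
    entry records the active nameserver list and any commented-out one.
    """
    audit = {"global": _empty(), "subnets": {}}
    current = None      # name of the subnet block we are inside, if any
    depth = 0           # brace nesting, counted on the non-comment part of the line
    for raw in text.splitlines():
        if depth == 0:
            m = SUBNET_RE.match(raw)
            if m:
                current = f"{m.group(1)}/{m.group(2)}"
                audit["subnets"][current] = _empty()
        d = DNS_RE.match(raw)
        if d:
            servers = [s.strip() for s in d.group("servers").split(",")]
            target = audit["subnets"][current] if current else audit["global"]
            target["commented" if d.group("comment") else "servers"] = servers
        code = raw.split("#", 1)[0]
        depth += code.count("{") - code.count("}")
        if depth == 0:
            current = None
    return audit


def effective_nameservers(audit, subnet):
    """Nameservers a client on `subnet` actually receives, and where they come from."""
    info = audit["subnets"][subnet]
    if info["servers"]:
        return info["servers"], "subnet"
    if audit["global"]["servers"]:
        return audit["global"]["servers"], "global"
    return [], "none"


def findings(audit):
    """One line per subnet whose clients would get no nameserver."""
    out = []
    for subnet, info in audit["subnets"].items():
        servers, _scope = effective_nameservers(audit, subnet)
        if servers:
            continue
        note = f"{subnet}: clients receive no nameserver"
        if info["commented"]:
            note += f" (subnet option commented out: {', '.join(info['commented'])})"
        elif audit["global"]["commented"]:
            note += f" (global option commented out: {', '.join(audit['global']['commented'])})"
        out.append(note)
    return out


# Constructed sample, modelled on the dhcpd.conf posted in this thread.
SAMPLE_DHCPD_CONF = """\
authoritative;
option domain-name "somedomain";
#option domain-name-servers 1.1.1.1, 62.109.121.1, 62.109.121.2;

subnet 10.10.10.0 netmask 255.255.255.0 {
    option routers 10.10.10.1;
    option domain-name-servers 10.10.10.1;
    range 10.10.10.10 10.10.10.254;
}

subnet 192.168.0.0 netmask 255.255.255.0 {
    option routers 192.168.0.1;
    #option domain-name-servers 192.168.0.1;
    range 192.168.0.12 192.168.0.254;
}

subnet 172.16.0.0 netmask 255.255.255.0 {
    option routers 172.16.0.1;
    option domain-name-servers 172.16.0.1;
    range 172.16.0.10 172.16.0.254;
}
"""

if __name__ == "__main__":
    for line in findings(audit_dhcpd(SAMPLE_DHCPD_CONF)) or ["all subnets provision a nameserver"]:
        print(line)
```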
Organizing my pf.conf according to @J65nko's advice helped me understand the individual rules for out-/inbound traffic. The config is working now.
@jggimi: Thanks for pointing my nose to the output of the tcpdump regarding the dns server. Commenting out the option domain-name-servers made the difference. For the sake of completeness, the now working pf.conf, which probably has plenty of room for improvement.
Code:
### Interfaces
if_wan = "pppoe0"
ip_wan = "169.254.2.2" # em0 static-ip
if_lo = "lo0"
if_lan = "em1"
if_wifi = "bwfm0"
if_dmz = "em2"
if_internal = "{" $if_lan $if_wifi "}"

### Nameservers
dns_nameserver = "1.1.1.1"

### Cidr-Ranges
prv_nets = "10.10.10.0/24, 192.168.0.0/24"
dmz_net = "172.16.0.0/24"

### Tables
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
    172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 \
    ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 2001:10::/28 \
    2001:2::/48 2001:db8::/32 3ffe::/16 fec0::/10 fc00::/7 }

### Security Rules
set block-policy drop
set loginterface $if_wan
set skip on $if_lo

match in all scrub (no-df random-id max-mss 1440)

block in from no-route
block in quick from urpf-failed
block in quick on $if_wan from <martians> to any
block return out quick on $if_wan from any to <martians>

##### Outgoing - Egress Rules
### $if_wan - pppoe0
block log all
match out on $if_wan inet from !($if_wan:network) to any nat-to ($if_wan)
pass out quick on $if_wan
# TCP
pass out log proto tcp to port { 22 53 80 123 443 853 993 5222:5223 5228 3389 }
# UDP
pass out log quick proto { tcp udp } to any port { 53 853 }
# ICMP

### Interfaces
pass out quick inet6 from { (self) (bwfm0:network) }
pass out quick inet6 from { (self) (em0:network) }
pass out quick inet6 from { (self) (em1:network) }
pass out quick inet6 from { (self) (em2:network) }

### $if_lan - em1 / $if_wifi - bwfm0 = $if_internal
#pass proto tcp from $if_internal to port $tcp_services
#pass quick log proto { tcp udp } to port $udp_services

### $if_dmz - em2

##### Incoming - Outbound Rules
pass in log quick from { $if_lan:network $if_wifi:network } to any
# TCP
pass in log on $if_wan proto { tcp udp } from any to $if_wan port { 53 80 443 }
pass in quick log on $if_wan inet proto { tcp udp } from any to ($if_wan) port 53
# UDP
# ICMP
pass in log on $if_wan inet proto icmp all icmp-type { echoreq }
pass in log on $if_wan inet6 proto icmp6 all icmp6-type { echoreq \
    routeradv neighbrsol neighbradv }
