PF firewall
Currently, I cannot surf the web from my firewall. I don't know why, because I thought I had already passed in the port www. Please help.
Here is a sample of my rules:
Code:
# Macros
int_if="vic0"

#scrub
scrub in all

# Filtering rules
pass in on $int_if proto tcp from any to $int_if port www
pass out on $int_if proto tcp from $int_if to any port www
block in log quick on $int_if proto tcp from any to any port ssh flags S/SA

#Antispoof
antispoof log for $int_if inet

#Unicast reverse path forwarding
block in log quick from urpf-failed label uRPF

#Passive operating system fingerprinting
pass in log on $int_if from any os OpenBSD keep state
block in log on $int_if from any os "Windows 2000"
block in log on $int_if from any os "Windows XP"
block in log on $int_if from any os "Windows XP SP1"
block in log on $int_if from any os "Windows XP SP2"
block in log on $int_if from any os "Windows XP SP3"
block in log on $int_if from any os "Windows 98"
block in log on $int_if from any os "Windows NT"
block in log on $int_if from any os "Linux 2.4 ts"
block in log on $int_if from any os unknown

# return
block return

#Block ICMP redirect packets
block in log quick on $int_if inet proto icmp from any to $int_if
block in log quick on $int_if inet proto icmp from any to $int_if icmp-type redir

#Block SMTP(simple mail transfer protocol)
block in log quick on $int_if inet proto tcp from any to $int_if port smtp

#pass out UDP and ICMP
pass out on $int_if inet proto udp all keep state
pass out on $int_if inet proto icmp from $int_if to any keep state

#Block everything
block return-rst in log quick on $int_if inet proto tcp from any to $int_if
block return-icmp in log quick on $int_if inet proto udp from any to $int_if
block in quick on $int_if all
As I stated in http://www.daemonforums.org/showthre...2948#post21892, unless quick is used, the last matching rule applies.
I notice you have "block return" in the middle of your ruleset. This will match all packets. Your prior "pass" rule does not apply.
In /etc/sysctl.conf:
Code:
net.inet.ip.forwarding=1
Check your /etc/resolv.conf:
Code:
#resolv.conf
lookup file bind
nameserver 127.0.0.1
More: http://www.openbsd.org/faq/pf/
Last edited by alekid; 28th April 2009 at 12:06 AM.
Code:
pass in quick on $int_if from any to $int_if port www
Code:
block in log all
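Added example, not code from the thread: a small Python model of the evaluation order the first reply describes (last matching rule wins unless a matching rule carries quick), run over a constructed reduction of the posted ruleset. It shows the bare `block return` overriding the earlier `pass out ... port www`, and the verdict flipping once the www rules get `quick` as the last reply suggests; the evaluator is a toy, not pfctl, and the rule list is an assumed simplification.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    direction: str        # "in" or "out"
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port, None for icmp

@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # None matches both directions
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    quick: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.direction in (None, pkt.direction)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport))

def evaluate(rules, pkt: Packet) -> str:
    """PF order: the LAST matching rule decides, unless a matching rule
    carries 'quick', which ends evaluation there. No match at all passes."""
    verdict = "pass"
    for rule in rules:
        if rule.matches(pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict

# Constructed reduction of the posted ruleset (macros, antispoof, uRPF and
# OS-fingerprint rules omitted; they are all "in" rules and do not touch
# an outbound HTTP packet, so the verdict below is unchanged by them).
POSTED = [
    Rule("pass", "in", "tcp", 80),               # pass in ... port www
    Rule("pass", "out", "tcp", 80),              # pass out ... port www
    Rule("block", "in", "tcp", 22, quick=True),  # block in log quick ... port ssh
    Rule("block"),                               # block return  <- matches everything
    Rule("pass", "out", "udp"),                  # pass out ... proto udp all
    Rule("pass", "out", "icmp"),                 # pass out ... proto icmp
    Rule("block", "in", quick=True),             # block in quick on $int_if all
]
# Same ruleset with 'quick' on the www pass rules, as the last reply suggests.
FIXED = [Rule(r.action, r.direction, r.proto, r.dport, quick=True)
         if r.action == "pass" and r.dport == 80 else r for r in POSTED]
HTTP_OUT = Packet("out", "tcp", 80)   # the firewall host itself browsing
print("posted ruleset:", evaluate(POSTED, HTTP_OUT))  # block
print("with quick:    ", evaluate(FIXED, HTTP_OUT))   # pass
```

Moving the www pass rules below `block return` would give the same result without `quick`, since the later rule is then the last match.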