PF blocking even if set to pass all
    Erik Norgaard 
    norgaard at locolomo.org
       
    Thu Dec 13 12:17:11 PST 2007
Ghirai wrote:
> On Thu, 13 Dec 2007 09:19:03 -0200
> "Alaor Barroso de Carvalho Neto" <alaorneto at gmail.com> wrote:
> 
>> Hi guyz, like I've said in another topic, I'm building a BSD box that'll act
>> as a gateway between three private networks and the internet. I want each
>> private network to be able to ping the others, and I can do that until I
>> activate my pf firewall. When I do pfctl -e it stops working.
>>
>> The output of pfctl -sr is:
>> pass in all
>> pass out all
>>
>> So I guess it would pass anything, so why isn't it happening?
>>
>> Hugs,
>> Alaor
> 
> You need to specify from/to what interface it should pass (if you have more
> than one NIC, which i assume you do, since the box is acting as a router).
You do not need to specify an interface; if no interface is specified the 
rule is applied to all interfaces. In fact you could have just
   pass all
but you may prefer
   pass quick all keep state
I think it is possible to set a default rule, which for security should 
be block, which means that any packet that falls through your rule set 
will be blocked. Therefore, you should have "pass quick".
The official guide is really good:
   http://www.openbsd.org/faq/pf/index.html
Try using snort or tcpdump on each interface to see where the packet 
goes missing. Say you ping from a host on the network attached to em0 to 
a host on the network attached to em1, sniff on each interface and see 
if the packet comes through.
Cheers, Erik
--
Erik Nørgaard
Ph: +34.666334818                           http://www.locolomo.org
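The pattern Erik describes (a default block rule that catches anything not
explicitly passed, with "quick" pass rules so that a later rule cannot
override them) written out as a complete pf.conf. This is an added example,
not a ruleset posted in the thread. The interface names em0/em1/em2 for the
three private networks and em3 for the uplink, and the 192.168.x.0/24
addressing, are assumed placeholders; NAT for the uplink is left out.

```pf
# Added example pf.conf; interface names and addresses are assumptions,
# not taken from the thread.
ext_if   = "em3"
int_ifs  = "{ em0 em1 em2 }"
priv_nets = "{ 192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 }"   # constructed sample ranges

# Never filter loopback.
set skip on lo0

# Default deny. pf evaluates rules top to bottom and the LAST match wins
# unless a rule says "quick", so this block rule only catches packets that
# no later pass rule matched. "log" sends the drops to pflog0 so they can be
# seen with: tcpdump -n -e -ttt -i pflog0
block log all

# Traffic arriving on any internal interface from one of the private networks.
# "quick" ends evaluation on a match; "keep state" creates a state entry so
# the reply is passed without needing a separate rule.
pass in  quick on $int_ifs from $priv_nets to any        keep state

# Traffic leaving an internal interface must be destined for a private network
# (this is what lets the three networks ping each other through the gateway).
pass out quick on $int_ifs from any        to $priv_nets keep state

# Private networks out to the internet via the uplink, stateful.
pass out quick on $ext_if  from $priv_nets to any        keep state
```

Check the syntax without loading it with "pfctl -nf /etc/pf.conf", load it
with "pfctl -f /etc/pf.conf", and confirm with "pfctl -sr" that the rules
appear in this order with the block rule first. If a ping between two
private networks still fails, the pflog0 capture above shows which packet
hit the block rule and on which interface, which complements sniffing the
individual em* interfaces as suggested in the reply.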