pf filter settings
James B. Byrne
byrnejb at harte-lyne.ca
Wed Feb 6 14:48:40 UTC 2019
I have these rules in a pf.conf in this order:
### Define interfaces
### External
ext_if="em1"
### Internal
int_if="em0"
. . .
### Allow our networks to operate
# Pass packets sent to me on local interface
pass log quick on $int_if \
from { self $int_if:network } \
to { self $int_if:network }
. . .
### set default action to block everything
block return out log all
block drop in log all
. . .
ifconfig em0 shows this:
. . .
inet 216.185.71.1 netmask 0xffffff80 broadcast 216.185.71.127
inet 192.168.216.1 netmask 0xffffff00 broadcast 192.168.216.255
. . .
When I connect to 192.168.216.31 from 216.185.71.44 I see this in pflog:
00:00:00.061438 rule 241/0(match): pass in on em0:
216.185.71.44.17457 > 192.168.216.31.22: Flags [S], seq 3972256681,
win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 670920488
ecr 0], length 0
00:00:00.000028 rule 241/0(match): pass out on em0:
216.185.71.44.17457 > 192.168.216.31.22: Flags [S], seq 3972256681,
win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 670920488
ecr 0], length 0
00:00:00.023502 rule 499/0(match): block in on em0:
216.185.71.44.17457 > 192.168.216.31.22: Flags [P.], seq 108:144,
ack 1, win 1030, options [nop,nop,TS val 670996382 ecr 2400903835],
length 36
00:00:00.099675 rule 499/0(match): block in on em0:
216.185.71.44.17457 > 192.168.216.31.22: Flags [P.], seq 0:144, ack 1,
win 1030, options [nop,nop,TS val 671001431 ecr 2400903835],
length 144
What is going on? Why does the rule 'block drop in log all' have
effect and the rule
pass log quick on $int_if \
from { self $int_if:network } \
to { self $int_if:network }
does not, despite the quick option and the fact that it occurs first.
I then tried these rules:
pass log quick on $int_if \
from $net_internal \
to any
pass log quick on $int_if \
from any \
to $net_internal
where $net_internal resolves to all of the networks used on the lan.
This does not work either. SSH connections hang after a brief period
because the 'block in all' rule gets triggered.
What I want to accomplish is to simply pass all internal traffic along
int_if without filtering it but still filter lan traffic passing
through the gateway. What rule accomplishes this in PF?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
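Added here as a diagnostic aid, not part of the original post or of pf itself: a small Python script that groups pflog lines of the form quoted above by connection 4-tuple and flags flows where a packet was blocked after an earlier packet of the same flow had been passed, which is exactly the pattern in the log above (rule 241 passes the SYN, rule 499 then blocks the data segments). The sample is constructed from the post's own lines, rejoined one packet per line as pflog prints them, with the options field shortened.

```python
import re
from collections import defaultdict

# Constructed sample: the post's pflog lines, one packet per line, options trimmed.
PFLOG_SAMPLE = """\
00:00:00.061438 rule 241/0(match): pass in on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [S], seq 3972256681, win 65535, length 0
00:00:00.000028 rule 241/0(match): pass out on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [S], seq 3972256681, win 65535, length 0
00:00:00.023502 rule 499/0(match): block in on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [P.], seq 108:144, ack 1, win 1030, length 36
00:00:00.099675 rule 499/0(match): block in on em0: 216.185.71.44.17457 > 192.168.216.31.22: Flags [P.], seq 0:144, ack 1, win 1030, length 144
"""

# Matches the fields we care about in a tcpdump-rendered pflog record (IPv4/TCP only).
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)


def parse_pflog(text):
    """Parse pflog text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["rule"] = int(d["rule"])
        events.append(d)
    return events


def flows_blocked_after_pass(events):
    """Return {4-tuple: history} for flows where a block followed an earlier pass.

    A pass followed by a block on the same flow means the later packets no
    longer matched the state entry the pass rule created, so the packet fell
    through to the default block rule. history is [(action, rule, dir, flags), ...].
    """
    by_flow = defaultdict(list)
    for e in events:
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        by_flow[key].append((e["action"], e["rule"], e["dir"], e["flags"]))
    suspicious = {}
    for key, history in by_flow.items():
        passed = False
        for action, *_ in history:
            passed = passed or action == "pass"
            if action == "block" and passed:
                suspicious[key] = history
                break
    return suspicious


if __name__ == "__main__":
    for flow, history in flows_blocked_after_pass(parse_pflog(PFLOG_SAMPLE)).items():
        print(flow, [f"{a} rule {r} {d} [{f}]" for a, r, d, f in history])
```

For a live box, feed it `tcpdump -n -e -ttt -r /var/log/pflog` output and compare flagged flows against `pfctl -ss` to see whether a state entry for the flow exists at all.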