This is a discussion on "can't resolve domain name with this PF rules" within the comp.unix.bsd.openbsd.misc forums, part of the OpenBSD category.
HI,

Upon setting up a new OBSD server, I found that the following PF rules do not allow me to resolve Internet domain names:

    ext_if="tun0"
    int_if="fxp0"
    int_net="192.168.4.0/24"
    set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
    nat on $ext_if from $int_net to any -> ($ext_if)
    block in log all
    pass quick on lo0 all
    pass quick on {$ext_if,$int_if} all keep state
    block in log quick on {$ext_if} proto udp from any to 255.255.255.255
    pass out on {$ext_if,$int_if} proto tcp all flags S/SA keep state
    pass out on {$ext_if,$int_if} proto udp all keep state

Can anyone tell me what is wrong with these rules?

Thanks
Sam.
sam <sam.wun@authtec.com> writes:

> Upon setup a new OBSD server, I found that following PF rules does not
> allow me to resolve internet Domain name:
>
> ext_if="tun0"
> int_if="fxp0"

sounds reasonable so far if you're on dialup or PPPoE.

> int_net="192.168.4.0/24"
> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }

Any particular reason why you've set the timeouts? I've never needed
those myself. Try commenting this out and see if it makes a difference.

> nat on $ext_if from $int_net to any -> ($ext_if)
> block in log all

If you're actually receiving traffic, this could generate extreme
amounts of data. But you probably knew that already.

> pass quick on lo0 all

Reasonable enough.

> pass quick on {$ext_if,$int_if} all keep state

Here you're letting everything through. Why?

> block in log quick on {$ext_if} proto udp from any to 255.255.255.255

But you're blocking udp broadcasts from entering your network from the
outside. That is, if this rule gets evaluated at all, since any udp
packet would match the previous quick rule.

> pass out on {$ext_if,$int_if} proto tcp all flags S/SA keep state
> pass out on {$ext_if,$int_if} proto udp all keep state

It's doubtful these will ever come into play given the quick rules.

I get the impression these rules are the result of quite a bit of trial
and error, and it's possible you're seeing the effects of rules which
are no longer in your pf.conf but haven't been flushed either.

Try reducing your rule set to the bare essentials, i.e.

    ext_if="tun0"
    int_if="fxp0"
    int_net="192.168.4.0/24"
    nat on $ext_if from $int_net to any -> ($ext_if)
    block all
    pass quick on lo0 all
    pass from $int_net to any keep state

followed by pfctl -F rules (or for that matter pfctl -F all) before
loading the new rule set.

I would suggest trying something like the block all plus let a list of
ports through, something like the examples in the pf user guide.

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
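Added example, not code from the thread or from OpenBSD: a small Python model of the PF evaluation order Peter describes (last matching rule wins unless a rule is quick, which ends evaluation), run over the rule set Sam posted and the minimal set Peter suggests. It deliberately ignores state tables and NAT, so addresses are the pre-translation ones, and the sample packets and their addresses are constructed.

```python
# Added illustration, not code from the thread: a simplified PF rule evaluator.
# Assumed semantics: last matching rule wins unless the rule is "quick";
# state and NAT are ignored; a field left None or () means "any".
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

@dataclass
class Rule:
    action: str            # "pass" or "block"
    text: str              # the pf.conf line being modelled
    quick: bool = False
    direction: str = None  # "in", "out" or None for both
    ifaces: tuple = ()     # {a,b} interface list expanded; () means any
    proto: str = None      # "tcp", "udp" or None for any
    src: str = None        # source network in CIDR notation
    dst: str = None        # destination address

Packet = namedtuple("Packet", "direction iface proto src dst")

def matches(r, p):
    return (r.direction in (None, p.direction)
            and (not r.ifaces or p.iface in r.ifaces)
            and r.proto in (None, p.proto)
            and (r.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src))
            and r.dst in (None, p.dst))

def evaluate(rules, p):
    """Return (action, rule text) of the rule that decides packet p."""
    decision = ("pass", "default pass: no rule matched")
    for r in rules:
        if matches(r, p):
            decision = (r.action, r.text)  # last match wins ...
            if r.quick:
                break                      # ... unless it is quick
    return decision

WAN, LAN = "tun0", "fxp0"
SAM = [  # the rules Sam posted; "log" and "flags S/SA" do not change matching here
    Rule("block", "block in log all", direction="in"),
    Rule("pass", "pass quick on lo0 all", quick=True, ifaces=("lo0",)),
    Rule("pass", "pass quick on {tun0,fxp0} all keep state", quick=True, ifaces=(WAN, LAN)),
    Rule("block", "block in log quick on tun0 proto udp from any to 255.255.255.255",
         quick=True, direction="in", ifaces=(WAN,), proto="udp", dst="255.255.255.255"),
    Rule("pass", "pass out on {tun0,fxp0} proto tcp all flags S/SA keep state", direction="out", ifaces=(WAN, LAN), proto="tcp"),
    Rule("pass", "pass out on {tun0,fxp0} proto udp all keep state", direction="out", ifaces=(WAN, LAN), proto="udp"),
]
PETER = [  # the minimal set Peter suggested
    Rule("block", "block all"),
    Rule("pass", "pass quick on lo0 all", quick=True, ifaces=("lo0",)),
    Rule("pass", "pass from 192.168.4.0/24 to any keep state", src="192.168.4.0/24"),
]
# Constructed sample packets (documentation address ranges): a LAN host's DNS
# query entering on fxp0, and a UDP broadcast arriving from the Internet on tun0.
DNS_QUERY = Packet("in", LAN, "udp", "192.168.4.10", "198.51.100.53")
BROADCAST = Packet("in", WAN, "udp", "203.0.113.7", "255.255.255.255")
```

In the posted set the pass quick on {tun0,fxp0} line decides every packet on those interfaces, so the broadcast block and both pass out rules are never reached; in the minimal set the LAN's DNS query is passed while the outside broadcast falls through to block all.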
Peter N. M. Hansteen wrote:
> sam <sam.wun@authtec.com> writes:
>
>> Upon setup a new OBSD server, I found that following PF rules does not
>> allow me to resolve internet Domain name:
>>
>> ext_if="tun0"
>> int_if="fxp0"
>
> sounds reasonable so far if you're on dialup or PPPoE.
>
>> int_net="192.168.4.0/24"
>> set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
>
> Any particular reason why you've set the timeouts? I've never needed
> those myself. Try commenting out this and see if it makes a difference.
>
>> nat on $ext_if from $int_net to any -> ($ext_if)
>> block in log all
>
> If you're actually receiving traffic, this could generate extreme
> amounts of data. But you probably knew that already.
>
>> pass quick on lo0 all
>
> Reasonable enough
>
>> pass quick on {$ext_if,$int_if} all keep state

Sorry, this is the new rule I have changed. It was written as:

    pass quick on {$int_if} all keep state

Since I keep getting block on ... [+domain]... messages in the pf log,
I inserted tun0 as $ext_if in the rule.

> here you're letting everything through. Why?
>
>> block in log quick on {$ext_if} proto udp from any to 255.255.255.255
>
> but you're blocking udp broadcasts from entering your network from the
> outside. That is, if this rule gets evaluated at all, since any udp
> packet would match the previous quick rule.
>
>> pass out on {$ext_if,$int_if} proto tcp all flags S/SA keep state
>> pass out on {$ext_if,$int_if} proto udp all keep state
>
> it's doubtful these will ever come into play given the quick rules.
>
> I get the impression these rules are the result of quite a bit of trial
> and error, and it's possible you're seeing the effects of rules which
> are no longer in your pf.conf but haven't been flushed either.
>
> Try reducing your rule set to the bare essentials, ie
>
> ext_if="tun0"
> int_if="fxp0"
> int_net="192.168.4.0/24"
> nat on $ext_if from $int_net to any -> ($ext_if)
> block all
> pass quick on lo0 all
> pass from $int_net to any keep state
>
> followed by pfctl -F rules (or for that matter pfctl -F all) before
> loading the new rule set.
>
> I would suggest trying something like the block all plus let a list of
> ports through, something like the examples in the pf user guide.