Re: struggling with pf
This is a discussion on Re: struggling with pf within the lucky.openbsd.misc forums, part of the OpenBSD category; --> On Sat, Aug 26, 2006 at 11:29:54PM -0400, NetNeanderthal wrote: > On 8/26/06, matthew.garman@gmail.com <matthew.garman@gmail.com> wrote: > >For some ...
| |||||||
| FAQ | Members List | Calendar | Search | Today's Posts | Mark Forums Read |
02-18-2008, 06:26 AM
| ||||
| ||||
 Re: struggling with pf On Sat, Aug 26, 2006 at 11:29:54PM -0400, NetNeanderthal wrote: > On 8/26/06, matthew.garman@gmail.com <matthew.garman@gmail.com> wrote: > >For some reason, I'm not "getting it" when it comes to pf... Two > >things I can't figure out: (1) filtered vs blocked for some TCP > >ports and (2) rules for tun0, my vpn interface. > > > >First, my /etc/pf.conf: > > > > int_if = "vr1" > > ext_if = "vr0" > > vpn_if = "tun0" > > tcp_services = "{ 22 }" > > udp_services = "{ 1194 }" > > priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 > > }" > > set block-policy return > set block-policy drop > > This will cause the default behaviour of your block statements to > 'drop' the packet silently (aside from internal logging) rather than > 'return' which quite literally returns an ICMP unreachable, which NMAP > interprets as a 'filtered' port. Actually, you got it the wrong way round - nmap assumes a port is filtered when it gets no response. > >Now, regarding (2), I'm trying to set up OpenVPN. I've got a mostly > >default setup (i.e. followed the openvpn HOWTO almost verbatim). I > >can establish the VPN tunnel, but cannot ping the obsd box. > > > >So, if I do a "tcpdump -n -e -ttt -i pflog0" while trying to ping > >the obsd box from the vpn client, I see this: > > > > Aug 26 21:08:49.371324 rule 4/(match) block in on tun0: \ > > 192.168.2.6 > 192.168.2.1: icmp: echo request (DF) > > > >How can I tell which rule is "rule 4"? > Try using the 'label' keyword, re: > block log all label "$nr - default deny" Or pfctl -s. Joachim      |
Linear Mode
