On Sun, 19 Apr 2015 21:07:31 -0400 "System Administrator" <ad...@bitwise.net> 
wrote:
> On 20 Apr 2015 at 0:11, Ton Muller wrote:
> 
> > I have set up my old Asus laptop last week, model A6000, 1GB RAM, 80GB HDD.
> > 
> > SK0 is the internal interface.
> > RE0 is the WAN interface
> > 
> > I kept my pf.conf as simple as possible to get it started
> > ######## START CONFIG ##########
> > #
> > int_if = "sk0"
> > ext_if = "re0"
> > 
> > tcp_services="{ 22,53,113 }"
> > icmp_types="echoreq"
> > 
> > # options
> > # increase default state limit from 10'000 states on busy systems
> > #set limit states 100000
> > 
> > set block-policy return
> > set loginterface egress
> > set skip on lo
> > 
> > # match rules
> > match out on egress inet from !(egress:network) to any nat-to (egress:0)
> > #
> > # filter rules
> > block in log
> > pass out quick
> > antispoof quick for { lo $int_if }
> > 
> > pass in on egress inet proto tcp from any to (egress) port $tcp_services
> > #
> > pass in inet proto icmp all icmp-type $icmp_types
> > pass in on $int_if
> > 
> > ######### end config ##########
> > 
> > this is my resolv.conf
> > # Generated by re0 dhclient
> > search xs4non.nl
> > nameserver 192.168.1.240
> > lookup file bind
> > 
> > RE0 ip 192.168.1.240
> > SK0 ip 192.168.0.240
> > 
> > mygate 192.168.1.240
> > 
> > Well, as far as I can remember, if I set RE0 to DHCP, it would get its IP
> > from the DHCP server on the modem, which works (192.168.1.1), and mygate
> > would not be used.
> > 
> > Here comes the issue.
> > Whatever combination I try, forced or not,
> > I can ping a host and get NO result back.
> > If I ping its IP address, I get a result back.
> > So my question is, what am I doing wrong here?
> > 
> > I never changed my basic configs, so I knew that it would work,
> > but for some reason this time I get a massive headache from it.
> > 
> > Any ideas?
> > 
> > Tony.
> > 
> > 
> 
> Here are some ideas that may (or may not) resolve your issues. 
> Hopefully, they will at least get you started in the right direction:
> 
> 1) Since you are using the 'egress' interface group name rather than 
> the explicitly defined $ext_if macro variable, make sure that it is 
> defined and for the correct interface. I know it works well when 
> /etc/mygate is correctly defined, but never had the need to test with 
> dhclient controlled interfaces.

I use the explicit interface myself, rather than egress, which works fine
for DHCP. For a simple setup like this it's probably best to go with the
interface.

Some relevant pf.conf lines from my gateway (which uses DHCP):

block in log on $intif
#allow connections to my internal dns
pass in log quick on $intif proto udp from $intif:network to ($intif) port 53
#allow packets in destined for other places
pass in log quick on $intif inet from $intif:network to !$intif:network

pass out log quick on $extif inet from $intif:network to any nat-to ($extif)

> 
> 2) You seem to want to allow DNS (port 53) traffic inbound, but are you 
> aware that most DNS communication is over UDP? TCP DNS is used mostly, 
> if not only, for zone transfers.

I think his 'pass out' rule should handle that. pf does treat UDP protocols
as having state, so it should recognize the return packet.

> 
> 3) Similarly, for ICMP (used by ping) you are allowing in only the 
> query subtype and not the reply (icmp-type echorep).
> 
> Good luck!
> 

A few more points to help. First, you want to see if traffic is passing, so
in one window do:

# tcpdump -np -i re0

(You especially need the -n option above if your DNS is not working.)

Then try a DNS lookup:

$ host www.openbsd.org
www.openbsd.org has address 129.128.5.194

You should see something like the following in tcpdump:

tcpdump: listening on lo0, link-type LOOP
01:29:29.147252 127.0.0.1.10553 > 127.0.0.1.53: 48987+ A? www.openbsd.org. (33)
01:29:29.147557 127.0.0.1.53 > 127.0.0.1.10553: 48987 1/9/2 A 129.128.5.194 (275)
01:29:29.149874 127.0.0.1.29232 > 127.0.0.1.53: 59987+ AAAA? www.openbsd.org. (33)
01:29:29.150050 127.0.0.1.53 > 127.0.0.1.29232: 59987 0/1/0 (79)
01:29:29.150495 127.0.0.1.29234 > 127.0.0.1.53: 57835+ MX? www.openbsd.org. (33)
01:29:29.150609 127.0.0.1.53 > 127.0.0.1.29234: 57835 0/1/0 (79)

Except you should see your nameserver (192.168.1.240) and host (192.168.0.240)
instead of 127.0.0.1.

If that works, try ping again, first with the IP, then with the hostname, and
watch the tcpdump output.

Hopefully that will get you some useful information.
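
As an added example (not part of the original thread), a small Python script that pairs the DNS queries and replies in `tcpdump -n` output of the format shown above by transaction id, so lookups that never get a reply, and queries sent to a nameserver other than the expected one, stand out at a glance. The sample lines are constructed, reusing the host (192.168.0.240) and nameserver (192.168.1.240) addresses from the thread; the third query is deliberately left without a reply.

```python
import re

# Constructed sample of `tcpdump -n` DNS output in the format quoted above,
# using the thread's host (192.168.0.240) and nameserver (192.168.1.240):
# two answered queries and one (MX) that never gets a reply.
SAMPLE = """\
01:29:29.147252 192.168.0.240.10553 > 192.168.1.240.53: 48987+ A? www.openbsd.org. (33)
01:29:29.147557 192.168.1.240.53 > 192.168.0.240.10553: 48987 1/9/2 A 129.128.5.194 (275)
01:29:29.149874 192.168.0.240.29232 > 192.168.1.240.53: 59987+ AAAA? www.openbsd.org. (33)
01:29:29.150050 192.168.1.240.53 > 192.168.0.240.29232: 59987 0/1/0 (79)
01:29:31.001000 192.168.0.240.29234 > 192.168.1.240.53: 57835+ MX? www.openbsd.org. (33)
"""

# One tcpdump DNS line: "<time> <src>.<sport> > <dst>.<dport>: <txid>[flags] <rest>"
LINE_RE = re.compile(
    r"^\S+ (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+%$]*) (?P<rest>.*)$"
)

def pair_queries(dump: str, resolver: str) -> dict:
    """Match DNS replies to queries by transaction id.
    Returns {txid: {"qtype", "name", "resolver_ok", "answer"}}; "answer" stays
    None when no reply was seen (e.g. pf dropped the UDP reply)."""
    queries = {}
    for line in dump.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        txid = m["txid"]
        if m["dport"] == "53":                           # client -> nameserver
            qtype, name = m["rest"].split()[:2]
            queries[txid] = {
                "qtype": qtype.rstrip("?"),
                "name": name.rstrip("."),
                "resolver_ok": m["dst"] == resolver,     # sent to the expected server?
                "answer": None,
            }
        elif m["sport"] == "53" and txid in queries:     # nameserver -> client
            queries[txid]["answer"] = m["rest"]
    return queries

def unanswered(dump: str, resolver: str) -> list:
    """Transaction ids that got no reply, the symptom described in the thread."""
    return [t for t, q in pair_queries(dump, resolver).items() if q["answer"] is None]

if __name__ == "__main__":
    for txid, q in pair_queries(SAMPLE, "192.168.1.240").items():
        print(txid, q["qtype"], q["name"], "->", q["answer"] or "NO REPLY")
```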
