On 20-4-2015 7:43, dan mclaughlin wrote:
> On Sun, 19 Apr 2015 21:07:31 -0400 "System Administrator" <ad...@bitwise.net>
> wrote:
>> On 20 Apr 2015 at 0:11, Ton Muller wrote:
>>
>>> i have last week set up my old asus laptop, model A6000, 1GB ram, 80GB HDD.
>>>
>>> SK0 is the internal interface.
>>> RE0 is the WAN interface
>>>
>>> i kept my pf.conf as simple as possible to get it started
>>> ######## START CONFIG ##########
>>> #
>>> int_if = "sk0"
>>> ext_if = "re0"
>>>
>>> tcp_services="{ 22,53,113 }"
>>> icmp_types="echoreq"
>>>
>>> # options
>>> # increase default state limit from 10'000 states on busy systems
>>> #set limit states 100000
>>>
>>> set block-policy return
>>> set loginterface egress
>>> set skip on lo
>>>
>>> # match rules
>>> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>>> #
>>> # filter rules
>>> block in log
>>> pass out quick
>>> antispoof quick for { lo $int_if }
>>>
>>> pass in on egress inet proto tcp from any to (egress) port $tcp_services
>>> #
>>> pass in inet proto icmp all icmp-type $icmp_types
>>> pass in on $int_if
>>>
>>> ######### end config ##########
>>>
>>> this is my resolv.conf
>>> # Generated by re0 dhclient
>>> search xs4non.nl
>>> nameserver 192.168.1.240
>>> lookup file bind
>>>
>>> RE0 ip 192.168.1.240
>>> SK0 ip 192.168.0.240
>>>
>>> mygate 192.168.1.240
>>>
>>> Well, as far as i can remember, if i set RE0 to dhcp, it would get its ip
>>> from the DHCP server in the modem, that works (192.168.1.1) and mygate
>>> would not be used.
>>>
>>> here comes the issue.
>>> whatever combination i do, forced or not,
>>> i can ping a host, and i get NO result back.
>>> ping its IP address, and i get a result back.
>>> so my question is, what am i doing wrong here.
>>>
>>> i never changed my basic configs so i knew that it would work.
>>> but for some reason this time i get a massive headache from it.
>>>
>>> anyone ideas?
>>>
>>> Tony.
>>>
>>>
>>
>> Here are some ideas that may (or may not) resolve your issues.
>> Hopefully, they will at least get you started in the right direction:
>>
>> 1) Since you are using the 'egress' interface group name rather than
>> the explicitly defined $ext_if macro variable, make sure that it is
>> defined and for the correct interface. I know it works well when
>> /etc/mygate is correctly defined, but never had the need to test with
>> dhclient controlled interfaces.
>
> i use the explicit interface myself, rather than egress, which works fine
> for dhcp. for a simple setup like this it's probably best to go with the
> interface.
>
> some relevant pf.conf lines from my gateway (which uses dhcp):
>
> block in log on $intif
> #allow connections to my internal dns
> pass in log quick on $intif proto udp from $intif:network to ($intif) port 53
> #allow packets in destined for other places
> pass in log quick on $intif inet from $intif:network to !$intif:network
>
> pass out log quick on $extif inet from $intif:network to any nat-to ($extif)
>
>>
>> 2) You seem to want to allow DNS (port 53) traffic inbound, but are you
>> aware that most DNS communication is over UDP? TCP DNS is used mostly,
>> if not only, for zone transfers.
>
> i think his 'pass out' rule should handle that. pf does treat udp protocols
> as having state, so it should recognize the return packet.
>
>>
>> 3) Similarly, for ICMP (used by ping) you are allowing in only the
>> query subtype and not the reply (icmp-type echorep).
>>
>> Good luck!
>>
>
> a few more points to help. first you want to see if traffic is passing, so
> in one window do:
>
> # tcpdump -np -i re0
>
> (you especially need the -n option above if your dns is not working).
>
> then try a dns lookup
>
> $ host www.openbsd.org
> www.openbsd.org has address 129.128.5.194
>
> you should see something like the following in tcpdump:
>
> tcpdump: listening on lo0, link-type LOOP
> 01:29:29.147252 127.0.0.1.10553 > 127.0.0.1.53: 48987+ A? www.openbsd.org. (33)
> 01:29:29.147557 127.0.0.1.53 > 127.0.0.1.10553: 48987 1/9/2 A 129.128.5.194 (275)
> 01:29:29.149874 127.0.0.1.29232 > 127.0.0.1.53: 59987+ AAAA? www.openbsd.org. (33)
> 01:29:29.150050 127.0.0.1.53 > 127.0.0.1.29232: 59987 0/1/0 (79)
> 01:29:29.150495 127.0.0.1.29234 > 127.0.0.1.53: 57835+ MX? www.openbsd.org. (33)
> 01:29:29.150609 127.0.0.1.53 > 127.0.0.1.29234: 57835 0/1/0 (79)
>
> except you should see your nameserver (192.168.1.240) and host (192.168.0.240)
> instead of 127.0.0.1.
>
> if that works, try ping again, first with the IP, then with the hostname and
> watch the tcpdump output.
>
> hopefully that will get you some useful information.
>
Hmm, let's give it a try.
as said, 53 was the default working test file.
tweaking is for when i know it all was working well.

Tony.
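The tcpdump check dan describes, turned into a small script. This is an added example, not code from anyone in the thread: it reads `tcpdump -n` output, pairs each DNS query with its reply by transaction ID, and reports queries that never got a reply or that were sent to something other than the nameserver from resolv.conf. The function name `unanswered_dns_queries` and the sample capture lines are constructed for this example, using the thread's addresses (host 192.168.0.240, nameserver 192.168.1.240); the third query is deliberately aimed at 127.0.0.1 to show what the "instead of 127.0.0.1" symptom looks like.

```shell
#!/bin/sh
# Added example (not from the thread): check "tcpdump -n" output for DNS
# queries that never got a reply, or that went to the wrong server.
# Needs tcpdump's -n flag, as dan notes, so that fields are plain IP.PORT.

# unanswered_dns_queries NAMESERVER   (reads tcpdump -n lines on stdin)
# Prints one line per problem; prints nothing when every query was
# answered by NAMESERVER.
unanswered_dns_queries() {
    awk -v ns="$1" '
        # Query lines look like:  TIME SRC.PORT > DST.PORT: ID+ A? name. (len)
        # Reply lines look like:  TIME SRC.PORT > DST.PORT: ID n/n/n A addr (len)
        $3 == ">" {
            if (split($2, s, ".") != 5 || split($4, d, ".") != 5)
                next                      # not IPv4 addr.port, skip it
            sport = s[5]
            dport = d[5]; sub(/:$/, "", dport)
            dip = d[1] "." d[2] "." d[3] "." d[4]
            id = $5; sub(/[+]$/, "", id)  # trailing + only means recursion desired
            if (dport == "53") {          # query: remember id, name and target
                qname[id] = $7; qdst[id] = dip; order[++nq] = id
            } else if (sport == "53") {   # reply: mark the id answered
                answered[id] = 1
            }
        }
        END {
            for (i = 1; i <= nq; i++) {
                id = order[i]
                if (qdst[id] != ns)
                    printf "%s %s sent to %s, not nameserver %s\n", id, qname[id], qdst[id], ns
                if (!(id in answered))
                    printf "%s %s got no reply\n", id, qname[id]
            }
        }'
}

# Constructed sample capture, modelled on the thread: one answered A query,
# one AAAA query with no reply, one MX query sent to 127.0.0.1 instead of
# the nameserver (192.168.1.240) and also unanswered.
SAMPLE='12:00:00.000100 192.168.0.240.10553 > 192.168.1.240.53: 48987+ A? www.openbsd.org. (33)
12:00:00.000400 192.168.1.240.53 > 192.168.0.240.10553: 48987 1/9/2 A 129.128.5.194 (275)
12:00:00.000900 192.168.0.240.29232 > 192.168.1.240.53: 59987+ AAAA? www.openbsd.org. (33)
12:00:05.001000 192.168.0.240.29234 > 127.0.0.1.53: 57835+ MX? www.openbsd.org. (33)'

# Real use: capture while running the lookup, stop with Ctrl-C, then check:
#   tcpdump -n -i re0 udp port 53 > dns.txt
#   unanswered_dns_queries 192.168.1.240 < dns.txt
printf '%s\n' "$SAMPLE" | unanswered_dns_queries 192.168.1.240
```

Reading the output: a query that shows up but gets no reply means the resolver did send it, so the problem is on the path to the nameserver or in the rules that let the reply back in; no query appearing at all means the resolver never sent one, which points back at resolv.conf and the lookup order rather than at pf.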