Hello, and good morning. Yes, I know, but as I said, I used my default config to test because this one normally always worked here. Well, DID work. I can try without the egress, but I need to find out how that worked again. For the DNS inbound, as I said, it was for test only; after I knew everything was working I could work on a permanent solution. As for DNS, I am going to use named here, that is, if my working zone configs keep working, and I downloaded fresh zone files.
Tony.

On 20-4-2015 3:07, System Administrator wrote:
> On 20 Apr 2015 at 0:11, Ton Muller wrote:
>
>> I set up my old Asus laptop last week, model A6000, 1GB RAM, 80GB HDD.
>>
>> SK0 is the internal interface.
>> RE0 is the WAN interface.
>>
>> I kept my pf.conf as simple as possible to get it started.
>> ######## START CONFIG ##########
>> #
>> int_if = "sk0"
>> ext_if = "re0"
>>
>> tcp_services="{ 22,53,113 }"
>> icmp_types="echoreq"
>>
>> # options
>> # increase default state limit from 10'000 states on busy systems
>> #set limit states 100000
>>
>> set block-policy return
>> set loginterface egress
>> set skip on lo
>>
>> # match rules
>> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>> #
>> # filter rules
>> block in log
>> pass out quick
>> antispoof quick for { lo $int_if }
>>
>> pass in on egress inet proto tcp from any to (egress) port $tcp_services
>> #
>> pass in inet proto icmp all icmp-type $icmp_types
>> pass in on $int_if
>>
>> ######### end config ##########
>>
>> This is my resolv.conf:
>> # Generated by re0 dhclient
>> search xs4non.nl
>> nameserver 192.168.1.240
>> lookup file bind
>>
>> RE0 IP 192.168.1.240
>> SK0 IP 192.168.0.240
>>
>> mygate 192.168.1.240
>>
>> Well, as far as I can remember, if I set RE0 to DHCP, it would get its IP
>> from the DHCP server on the modem, that works (192.168.1.1), and mygate
>> would not be used.
>>
>> Here comes the issue.
>> Whatever combination I do, forced or not,
>> I can ping a host, and I get NO result back.
>> Ping its IP address, I get a result back.
>> So my question is, what am I doing wrong here?
>>
>> I never changed my basic configs, so I knew that it would work.
>> But for some reason this time I get a massive headache from it.
>>
>> Anyone ideas?
>>
>> Tony.
>>
>
> Here are some ideas that may (or may not) resolve your issues.
> Hopefully, they will at least get you started in the right direction:
>
> 1) Since you are using the 'egress' interface group name rather than
> the explicitly defined $ext_if macro variable, make sure that it is
> defined and for the correct interface. I know it works well when
> /etc/mygate is correctly defined, but never had the need to test with
> dhclient controlled interfaces.
>
> 2) You seem to want to allow DNS (port 53) traffic inbound, but are you
> aware that most DNS communication is over UDP? TCP DNS is used mostly,
> if not only, for zone transfers.
>
> 3) Similarly, for ICMP (used by ping) you are allowing in only the
> query subtype and not the reply (icmp-type echorep).
>
> Good luck!
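A revised ruleset that applies the three points from the reply above, added here as an example; it is not a configuration posted in the thread. The interface names (sk0, re0) and the ports come from Tony's original pf.conf; the switch from the egress group to the explicit $ext_if macro, the separate port 53 rule covering both UDP and TCP, and the comments are my additions. One point worth knowing when reading it: pf pass rules keep state by default (since OpenBSD 4.1), so an echo request that matches the icmp rule already has its echo reply matched by the state entry, and a separate echorep rule is only needed if the rule is written with `no state`.

```pf
# Added example, not the thread's own config. Interfaces and ports follow
# Tony's pf.conf; everything else here is an assumption for illustration.
int_if = "sk0"
ext_if = "re0"

# Point 2: port 53 is taken out of the TCP-only list and gets its own rule.
tcp_services = "{ 22, 113 }"
icmp_types = "echoreq"

set block-policy return
# Point 1: name the WAN interface explicitly instead of relying on the
# egress group being populated correctly under dhclient.
set loginterface $ext_if
set skip on lo

# match rules
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)

# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }

# SSH and ident from the WAN side, as in the original ruleset.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services

# DNS for the "test only" case: ordinary queries are UDP, TCP carries
# large answers and zone transfers. This exposes the resolver to the WAN;
# remove it once testing is done unless the host is meant to be an
# authoritative server for the internet.
pass in on $ext_if inet proto { udp, tcp } from any to ($ext_if) port 53

# Point 3: the pass rule keeps state, so the echo reply to a permitted
# echo request is matched by that state entry; no echorep rule is needed.
pass in inet proto icmp all icmp-type $icmp_types

# LAN side is trusted entirely; this already lets LAN clients reach a
# local named on 192.168.0.240:53 without any extra rule.
pass in on $int_if
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`, and after loading use `pfctl -ss` to confirm that an inbound ping shows up as a single icmp state entry rather than being blocked on the reply. Because the final `pass in on $int_if` already admits everything from the LAN, the only reason to keep the port 53 rule on $ext_if is if outside hosts are supposed to query this machine.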