> # tcpdump -e -ttt -ni pflog0 action block
>
> You will be able to see what exactly is being blocked :)

That's my problem, nothing seems blocked, tcpdump returns nothing about my requests to reach the outside web. I'm stuck.
Please find below my full pf.conf in case I missed something:

ext_if = "re0"                          # interface
tun_if = "tun0"                         # vpn
ssh_port = "2222"                       # ssh port
http_ports = "{ www https }"            # http(s) ports
mail_ports = "{ submission imaps }"     # mail ports
tcp_pass = "{ gopher ipp 8000 }"        # open tcp ports
udp_pass = "{ 1194 }"                   # open udp ports

set block-policy drop                   # block silently
set skip on lo                          # no filtering on loopback
set limit table-entries 400000

## tables for the nasty bruteforcers
table <ssh_abuse> persist
table <http_abuse> persist
table <mail_abuse> persist
# antispam with greylisting
table <spamd-white> persist
table <nospamd> persist file "/etc/mail/nospamd"
table <bgp-spamd-bypass> persist

## Packet processing ##
match in all scrub (no-df)              # partial packets
block in quick from urpf-failed

## Firewall rules ##
# block everything by default
block log all
# block blacklisted IPs
block in log quick proto tcp from <http_abuse> to any port $http_ports
block in log quick proto tcp from <ssh_abuse> to any port $ssh_port

# antispam
pass in on $ext_if proto tcp from any to any port smtp \
    divert-to 127.0.0.1 port spamd
pass in on $ext_if proto tcp from <nospamd> to any port smtp
pass in on $ext_if proto tcp from <spamd-white> to any port smtp
pass in quick on $ext_if proto tcp from <bgp-spamd-bypass> to any port smtp

# If more than 3 connections every 60 seconds on the ssh port,
# add the IP to block it.
pass in on $ext_if proto tcp to any port $ssh_port flags S/SA keep state \
    (max-src-conn-rate 5/60, overload <ssh_abuse> flush global)

# If more than 50 connections every 5 seconds on the http(s) ports,
# or if it tries to connect more than 100 times,
# add the IP to block it.
pass in on $ext_if proto tcp to any port $http_ports flags S/SA keep state \
    (max-src-conn-rate 50/5, overload <http_abuse> flush)

# Bruteforce protection for mail
pass in on $ext_if proto tcp to any port $mail_ports flags S/SA keep state \
    (max-src-conn-rate 10/60, overload <mail_abuse> flush global)

# allow ping
pass quick inet6 proto ipv6-icmp all icmp6-type { echoreq, unreach }
pass quick inet proto icmp all icmp-type { echoreq, unreach }

# open the other ports
pass in quick on $ext_if proto tcp to any port $tcp_pass keep state
pass in quick on $ext_if proto udp to any port $udp_pass keep state

# vpn
pass in quick on $tun_if keep state
pass out on $ext_if from 10.8.0.0/24 to any nat-to ($ext_if)

# everything open outbound
pass out on $ext_if proto { tcp udp icmp } all modulate state

Regards
-- 
/Thuban/
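When pflog0 stays silent, the per-rule counters from `pfctl -vsr` show which rules are actually matching, and a block rule without `log` (the `block in quick from urpf-failed` line in the ruleset above is one) never reaches pflog0 at all. The helper below is an added example, not part of the original mail; it assumes the counter line layout pfctl prints after each rule (Evaluations/Packets/Bytes/States), and the sample output is constructed, not captured from the poster's host.

```shell
#!/bin/sh
# Added example (not from the original mail): summarise `pfctl -vsr` per-rule
# counters so the rule that actually matches outbound packets stands out.
# Assumption: pfctl prints, after each rule, a line of the form
#   [ Evaluations: N  Packets: N  Bytes: N  States: N  ]

# Constructed sample output; on a live OpenBSD host pipe `pfctl -vsr` in instead.
SAMPLE_PFCTL_VSR='block drop log all
  [ Evaluations: 1240      Packets: 312       Bytes: 18720       States: 0     ]
pass in quick on tun0 all flags S/SA
  [ Evaluations: 1240      Packets: 0         Bytes: 0           States: 0     ]
pass out on re0 inet from 10.8.0.0/24 to any flags S/SA nat-to (re0) round-robin
  [ Evaluations: 620       Packets: 0         Bytes: 0           States: 0     ]
pass out on re0 proto tcp all flags S/SA modulate state
  [ Evaluations: 620       Packets: 0         Bytes: 0           States: 0     ]
pass out on re0 proto udp all modulate state
  [ Evaluations: 620       Packets: 44        Bytes: 3520        States: 2     ]'

# stdin: pfctl -vsr output; stdout: one "<packets><TAB><rule>" line per rule
rule_counters() {
    awk '
        /^[[:space:]]*\[/ {
            for (i = 1; i <= NF; i++) if ($i == "Packets:") pkts = $(i + 1)
            print pkts "\t" rule
            next
        }
        /^(pass|block|match)/ { rule = $0 }
    '
}

# Total packets matched by block rules: non-zero means pf is dropping traffic
# even when pflog0 shows nothing (a block rule without "log" is never logged).
blocked_packets() {
    rule_counters | awk -F '\t' '$2 ~ /^block/ { total += $1 } END { print total + 0 }'
}

# "pass out" rules that never matched a packet: outbound traffic is not
# leaving through the interface these rules expect.
idle_pass_out() {
    rule_counters | awk -F '\t' '$2 ~ /^pass out/ && $1 == 0 { print $2 }'
}

printf '%s\n' "$SAMPLE_PFCTL_VSR" | blocked_packets
printf '%s\n' "$SAMPLE_PFCTL_VSR" | idle_pass_out
```

Run it as `pfctl -vsr | sh -c '. ./pfcounters.sh; blocked_packets'` on the firewall itself (as root) to see live counters instead of the sample; a second run a few seconds later shows which counters move while you retry the outbound request.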