Not a pf magician, but think I found a typo below that could be the problem.

On Aug 19, 2018 6:51 PM, Jay Hart <jh...@kevla.org> wrote:
>
> Hello all,
>
> I finally got my "new" server online, still have to disable inteldrm to get 
> it to boot though.
>
> Ran into two issues upon initial bootup:
>
> 1. DHCPD failed to start, trying to troubleshoot that one.
>
> 2. I have a fully working pf.conf file on my current server, copied it over 
> to my new server and
> made a few corrections since the interfaces are different, but that's about 
> it.  The problem is
> this: the new router boots up and dhclient goes and gets a lease, and I have 
> an ip address. I can
> ping external to the box and also can do a wget and download a file, so I 
> know the box is online. 
> My internal network though, can't see a thing past the external interface, 
> can't ping, or resolve
> anything.  The resolv.conf files look ok (they match the old box files). My 
> thinking is that for
> some reason, pf doesn't like my current config file. Both boxes are fully 
> patched 6.3 versions.
> One is 32-bit, the other is 64-bit.
>
> On the new router, re0 is the external interface, re1 is internal interface. 
> Assuming with DHCPD
> enabled, it would monitor the internal interface for dhcp requests from my 
> internal machines. If
> the internal interface was having a problem initializing, would that prevent 
> dhcpd from starting
> up? I'm wondering if both interfaces can be enabled at the same time.  They 
> SHOULD be able to, but
> with this motherboard, who knows...
>
> I'm posting my pf.conf file, other suggestions that could help me narrow the 
> scope of the problem
> are appreciated.
>
> # $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
>
> int_if = "re0"

Should that be "re1"?

> www_ad =  "192.168.1.99"
> icmp_types="echoreq"
> NoRouteIPs = "{127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}"
>
> set block-policy return
> set loginterface egress
> set skip on lo
>
> #Protection
> antispoof quick for { lo $int_if }

Don't remember what antispoof does, but if you do it on your egress if (re0) it 
will probably do bad stuff.

> block in quick on egress from $NoRouteIPs to any
> block out quick on egress from any to $NoRouteIPs
>
> #filter rules and anchor for ftp-proxy
> anchor "ftp-proxy/*"
>
> #rule needed to redirect ftp connection for ftp-proxy
> pass in quick inet proto tcp to port ftp divert-to 127.0.0.1 port 8021
>
> #match rules
> match out on egress inet from !(egress) to any nat-to (egress:0)
>
> block in log
> pass out quick
>
> #next rule passes http-https traffic to the web/email server
> pass in on egress inet proto tcp from any to (egress) port {80 443} rdr-to 
> $www_ad synproxy state
>
> #traceroute rule (for IPv4)
> pass out on egress inet proto udp to port 33433:33626
>
> #next rule redirects smtp traffic to the email server
> pass in on egress inet proto tcp from any to (egress) port 25 rdr-to $www_ad
>
> #pass in certain types of ICMP traffic
> pass in inet proto icmp all icmp-type $icmp_types
>
>

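The two things the reply points at (the int_if macro naming the external interface, and antispoof therefore landing on egress) can be caught by a small lint before the config is loaded. This is an added example, not code from the thread or from OpenBSD; it works on a constructed excerpt of the quoted pf.conf, takes the re0/re1 roles as the original poster described them, and the function names are my own.

```python
import re

# Constructed excerpt of the quoted pf.conf (macros plus the antispoof rule).
SAMPLE_PF_CONF = """\
int_if = "re0"
www_ad =  "192.168.1.99"
icmp_types="echoreq"
set skip on lo
antispoof quick for { lo $int_if }
block in quick on egress from $NoRouteIPs to any
"""

# A pf.conf macro definition: name = "value"
MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"([^"]*)"\s*$')
# antispoof [log] [quick] for <iface> | { iface ... }
ANTISPOOF_RE = re.compile(r'antispoof\s+(?:log\s+)?(?:quick\s+)?for\s+(\{[^}]*\}|\S+)')


def parse_macros(conf):
    """Return {name: value} for every macro definition line."""
    macros = {}
    for line in conf.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(text, macros):
    """Substitute $name references textually, the way pf expands macros."""
    return re.sub(r'\$(\w+)', lambda m: macros.get(m.group(1), m.group(0)), text)


def antispoof_interfaces(conf, macros):
    """Collect the interface names the antispoof rules apply to after expansion."""
    ifaces = set()
    for line in conf.splitlines():
        m = ANTISPOOF_RE.match(expand(line.strip(), macros))
        if m:
            ifaces.update(m.group(1).strip('{} ').split())
    return ifaces


def check_interface_roles(conf, external_if, internal_if):
    """Return findings: int_if pointing at the external interface, antispoof on it."""
    macros = parse_macros(conf)
    findings = []
    if macros.get('int_if') == external_if:
        findings.append(f'int_if is "{external_if}" (external); expected "{internal_if}"')
    for iface in sorted(antispoof_interfaces(conf, macros) & {external_if}):
        findings.append(f'antispoof applies to external interface {iface}')
    return findings
```

Running check_interface_roles(SAMPLE_PF_CONF, "re0", "re1") reports both problems; changing the macro to "re1" clears them.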