> On 10 Jul 2021, at 05:11, Allan Streib <astr...@fastmail.fm> wrote:
>
> Hi,
>
> I have a KVM host running OpenBSD 6.9 for a few days. It crashed today for
> some reason, and when I logged in and realized the uptime had changed, I
> checked the pf rules out of curiosity since I have been experimenting with
> pf. These rules are very different from what is in /etc/pf.conf.
>
> # pfctl -s rules
> block drop all
> pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
> pass out inet6 proto ipv6-icmp all icmp6-type routersol
> pass out inet6 proto udp from any port = 546 to any port = 547
> pass out inet proto icmp all icmp-type echoreq
> pass out inet proto udp from any port = 68 to any port = 67
> pass out proto tcp from any to any port = 53 flags S/SA
> pass out proto udp from any to any port = 53
> pass in inet6 proto ipv6-icmp all icmp6-type neighbradv
> pass in inet6 proto ipv6-icmp all icmp6-type routeradv
> pass in inet6 proto udp from any port = 547 to any port = 546
> pass in proto tcp from any to any port = 22 flags S/SA
> pass in inet proto udp from any port = 67 to any port = 68
> pass on lo0 all flags S/SA
> pass in proto carp all keep state (no-sync)
> pass out proto carp all !received-on any keep state (no-sync)
>

This matches the default rule set in /etc/rc. For whatever reason your pf.conf did not parse to a valid config, so rc's own default rules were kept in place.

> # cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
> table <abusers> persist
> set skip on lo
> block in quick from <abusers>
> block return # block stateless traffic
> pass out quick inet
> pass in quick on egress proto tcp from any to any port { www, https }
> pass in on egress proto tcp to vio0 port ssh keep state \
> (max-src-conn-rate 3/10, overload <abusers> flush)
>
> I reloaded my rules (pfctl -f /etc/pf.conf) which worked, and then rebooted
> and checked (pfctl -s rules) which now matched the rules in /etc/pf.conf.
>
> What could explain this?

With a config that simple it is hard to say what could possibly go wrong. I'd investigate /var/log/messages for anything unusual around the time of the event.

-- 
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
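A small check for the failure mode described in this thread, added here as an example and not part of the thread or of OpenBSD itself. It treats rules that appear in the rc fallback set quoted above but that a site pf.conf like Allan's (set skip on lo, no carp) would not produce as marker rules, and flags a loaded ruleset that still carries all of them; the marker choice and the second sample ruleset are my assumptions.

```shell
#!/bin/sh
# Added example: detect whether pf is running the /etc/rc fallback ruleset
# instead of the rules in /etc/pf.conf.

# Constructed sample: the ruleset Allan posted (rc's fallback set on 6.9).
RC_DEFAULT_SAMPLE='block drop all
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass out inet proto udp from any port = 68 to any port = 67
pass in proto tcp from any to any port = 22 flags S/SA
pass on lo0 all flags S/SA
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)'

# Constructed sample: roughly what a site pf.conf like Allan's loads
# (approximation of pfctl -s rules output, not captured from a real host).
SITE_SAMPLE='block drop in quick from <abusers> to any
block return all
pass out quick inet all flags S/SA
pass in quick on egress proto tcp from any to any port = 80 flags S/SA
pass in quick on egress proto tcp from any to any port = 443 flags S/SA'

# is_rc_fallback RULES_TEXT
# Returns 0 when every marker rule from the rc fallback set is present,
# 1 otherwise. Markers are assumed: rules the fallback set carries that a
# site pf.conf with "set skip on lo" and no carp would not generate.
is_rc_fallback() {
    rules=$1
    for marker in \
        'pass on lo0 all flags S/SA' \
        'pass in proto carp all keep state (no-sync)' \
        'pass out proto carp all !received-on any keep state (no-sync)'
    do
        # -F fixed string, -x whole line, -q no output
        printf '%s\n' "$rules" | grep -Fqx -- "$marker" || return 1
    done
    return 0
}

# check_live: run on the host itself. Syntax-checks pf.conf the way rc
# would notice a failure, then inspects the ruleset actually loaded.
check_live() {
    conf=${1:-/etc/pf.conf}
    pfctl -nf "$conf" || { echo "$conf does not parse"; return 2; }
    if is_rc_fallback "$(pfctl -s rules)"; then
        echo "loaded ruleset looks like the /etc/rc fallback set, not $conf"
        return 1
    fi
    echo "loaded ruleset is not the rc fallback set"
    return 0
}
```

Run `check_live` from a root shell on the KVM host (or from a cron job) so a failed boot-time load is noticed before the next unexplained reboot rather than by inspecting `pfctl -s rules` by hand.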