Hi All,
I just noticed that "simple-scan" no longer discovers my scanner. While trying to debug the issue, it occurred to me that it could be a network / pf problem. This doesn't seem to be the issue though; even after I disable pf (pfctl -d), the scanner is still not seen. However, running "tcpdump -n -e -ttt -i pflog0" I noticed these block messages being logged when I click "discover/refresh" in simple-scan:

...
Jul 04 11:23:44.601042 rule 2/(match) block in on em0: 192.168.178.11.8612 > 192.168.178.255.8612: udp 16
Jul 04 11:23:44.601051 rule 2/(match) block in on em0: 192.168.178.11.8612 > 192.168.178.255.8610: udp 16
Jul 04 11:23:44.615516 rule 2/(match) block in on em0: 192.168.178.11.8612 > 192.168.178.255.8612: udp 16
Jul 04 11:23:44.615523 rule 2/(match) block in on em0: 192.168.178.11.8612 > 192.168.178.255.8610: udp 16
Jul 04 11:23:45.147239 rule 2/(match) block in on em0: 192.168.178.11.9609 > 255.255.255.255.3289: udp 15 [ttl 1]
Jul 04 11:23:46.155868 rule 2/(match) block in on em0: 192.168.178.11.39413 > 255.255.255.255.1124: udp 37 [ttl 1]
...

192.168.178.11 is my OpenBSD desktop.

I don't understand what I'm seeing here ... why am I seeing traffic coming _in_ from my own address? Is that not slightly weird? Is it because it is _to_ the .255 broadcast address? And why is it being blocked? Do I have to explicitly allow broadcast traffic, e.g. with rules to handle broadcast addresses? I don't think I ever considered doing that before ...

Grateful for any advice!
Yours,
Puzzled in PF-Land

FYI: This is with a 7.3 snapshot: 7.3 GENERIC.MP#1268 amd64

Output of ifconfig:

4.07 11:23:51 # ifconfig em0
em0: flags=a48843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6,AUTOCONF4> mtu 1492
        lladdr 94:c6:91:aa:16:67
        index 1 priority 0 llprio 3
        groups: egress
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet6 fe80::96c6:91ff:feaa:1667%em0 prefixlen 64 scopeid 0x1
        inet 192.168.178.11 netmask 0xffffff00 broadcast 192.168.178.255
        inet6 2003:ee:1718:b100:39e3:3c67:bd3c:44f4 prefixlen 64 deprecated autoconf pltime 0 vltime 5213
        inet6 2003:ee:1718:b100:3470:4349:f8d0:e1d2 prefixlen 64 deprecated autoconf temporary pltime 0 vltime 5213

Not sure what that "deprecated" means here.

Rule @2 is the "classic" block all rule ... The contents of pf.conf:

# $OpenBSD: pf.conf,v 1.55 2017/12/03 20:40:04 sthen Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

set skip on lo
set block-policy return
set debug warning

# By default, do not permit remote connections to X11
#block return in log on ! lo0 proto tcp to port 6000:6010
block log on ! lo0 all # Begin by blocking everything

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

# Allow all outbound
pass out quick modulate state

# Local subnet ...
local_subnet_v4="{ 192.168.178.0/24 }"
local_subnet_v6="{ fe80::/10 }" # TODO: Correct ???

# Local systems that I might trust ...
trusted_clients_v4="{ 192.168.178.10, 192.168.178.12, 192.168.178.13, 192.168.178.14 }"

# Allow ssh in
pass in log inet proto tcp from $trusted_clients_v4 to (egress) port ssh modulate state

# Scanner discovery? Allow traffic from Canon pixma TR8550
#scanner_ports="{ 8610, 8612 }"
#pass log inet proto udp from 192.168.178.85 port $scanner_ports
pass in log inet proto udp from 192.168.178.85 port 8610
pass in log inet proto udp from 192.168.178.85 port 8612

#
# Allow avahi? See: /usr/local/share/doc/pkg-readmes/avahi
pass in log inet proto udp from any to 224.0.0.251 port mdns allow-opts
pass in log inet6 proto udp from any to ff02::fb port mdns allow-opts
# and for SSDP:
pass in log inet proto udp from any to 239.255.255.250 port ssdp allow-opts
pass in log inet6 proto udp from any to { ff02::c, ff05::c, ff08::c } port ssdp allow-opts
#
# OK, then try allowing multicast in general ...
pass log inet proto igmp from any allow-opts

# NFS: Allow access to local NFS server
nfs_ports="{ sunrpc, nfsd, 881 }"
#
# But is UDP really still necessary?
#pass in proto udp from $trusted_clients to (egress) port $nfs_ports keep state
#pass out proto udp from (egress) to $trusted_clients port $nfs_ports keep state
#
pass in proto tcp from $trusted_clients_v4 to (egress) port $nfs_ports modulate state
pass in proto tcp from (egress) to $trusted_clients_v4 port $nfs_ports modulate state

# ICMP: Limit ICMP to allowed types: echorep, unreach, squench, echoreq, timex:
icmp_types = "{ echoreq, echorep, unreach, squench, timex }"
# See also: "man 4 icmp"
pass in log inet proto icmp to (egress) icmp-type $icmp_types label "rule $nr: pass: $proto: $icmp_type"

# HTTP: Running http-file-server:
#   PORT=8888 bin/http-file-server -u ~/Public/
#   2020/07/13 16:11:35 serving local path "/space/home/robb/Public" on "/Public/"
#   2020/07/13 16:11:35 redirecting to "/Public/" from "/"
#   2020/07/13 16:11:35 http-file-server listening on ":8888"
fs_port="{ 8888 }"
pass in proto tcp from $trusted_clients_v4 to (egress) port $fs_port modulate state

# NTOP: Similarly for ntopng
ntopng_port="{ 8888 }"
pass in proto tcp from $trusted_clients_v4 to (egress) port $ntopng_port modulate state

# ZIM: Similarly allow access to the Zim (notebook) application (builtin http server) ...
zim_port="{ 9090 }"
pass in proto tcp from $trusted_clients_v4 to (egress) port $zim_port modulate state

# SYSLOG: Log messages from Ethernet switch
pass in proto udp from 192.168.178.250 to port 514

# NETFLOW Accept records from Ethernet switch
#pass in proto udp from 192.168.178.250 to port 6343 #TODO - Doesn't seem to work :-/
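A small triage helper for the kind of pflog capture quoted in the message above. This is an added example, not part of the original post: it parses the "tcpdump -n -e -ttt -i pflog0" lines, tags each blocked packet by whether its destination is the subnet-directed broadcast (192.168.178.255, taken from the ifconfig output) or the limited broadcast (255.255.255.255), and whether the source is the host's own address on the inbound path, then counts the matches per interface, protocol, destination port and rule number. The sample lines are constructed copies of the six lines in the post; the local address and subnet are assumptions taken from its ifconfig output. Separating the two broadcast destinations matters, because a pass rule written for one will not match the other.

```python
"""Triage of pflog output: find blocked packets that this host sent to a
broadcast address and that pf then logged as coming *in* on the interface.

Added example for the post above; not part of the original message. The
sample lines are constructed copies of the capture quoted in the post, and
the local address / subnet are taken from its ifconfig output."""

import ipaddress
import re
from collections import Counter

# Constructed sample: the pflog lines quoted in the post (tcpdump -n -e -ttt -i pflog0).
SAMPLE_PFLOG = """\
Jul 04 11:23:44.601042 rule 2/(match) block in on em0: 192.168.178.11.8612 > 192.168.178.255.8612: udp 16
Jul 04 11:23:44.601051 rule 2/(match) block in on em0: 192.168.178.11.8612 > 192.168.178.255.8610: udp 16
Jul 04 11:23:44.615516 rule 2/(match) block in on em0: 192.168.178.11.8612 > 192.168.178.255.8612: udp 16
Jul 04 11:23:44.615523 rule 2/(match) block in on em0: 192.168.178.11.8612 > 192.168.178.255.8610: udp 16
Jul 04 11:23:45.147239 rule 2/(match) block in on em0: 192.168.178.11.9609 > 255.255.255.255.3289: udp 15 [ttl 1]
Jul 04 11:23:46.155868 rule 2/(match) block in on em0: 192.168.178.11.39413 > 255.255.255.255.1124: udp 37 [ttl 1]
"""

# One pflog line for IPv4 with ports (udp/tcp). The greedy "[\d.]+" backtracks
# so that the last dotted component becomes the port; trailing "[ttl 1]" is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>\w+)\) "
    r"(?P<action>pass|block) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+) (?P<len>\d+)"
)

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_pflog_line(line):
    """Return a dict for one pflog line, or None if it is not a parsable IPv4 line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport", "len"):
        rec[key] = int(rec[key])
    return rec


def classify(rec, local_addr, local_net):
    """Tag a parsed record: is the destination a broadcast address (subnet-directed
    or limited), and did the packet come from this host's own address on the
    inbound path? local_addr / local_net are this host's address and subnet."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    net = ipaddress.ip_network(local_net, strict=False)
    tags = set()
    if dst == net.broadcast_address:
        tags.add("subnet-broadcast")
    elif dst == LIMITED_BROADCAST:
        tags.add("limited-broadcast")
    if rec["dir"] == "in" and src == ipaddress.ip_address(local_addr):
        tags.add("own-address-inbound")
    return tags


def blocked_own_broadcasts(text, local_addr, local_net):
    """Count blocked inbound packets that this host itself sent to a broadcast
    address, keyed by (interface, proto, dst, dport, rule number)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_pflog_line(line)
        if rec is None or rec["action"] != "block":
            continue
        tags = classify(rec, local_addr, local_net)
        if "own-address-inbound" in tags and tags & {"subnet-broadcast", "limited-broadcast"}:
            counts[(rec["ifname"], rec["proto"], rec["dst"], rec["dport"], rec["rule"])] += 1
    return counts


if __name__ == "__main__":
    # Address and subnet are assumptions taken from the ifconfig output in the post.
    summary = blocked_own_broadcasts(SAMPLE_PFLOG, "192.168.178.11", "192.168.178.0/24")
    for (ifname, proto, dst, dport, rule), n in sorted(summary.items()):
        print(f"{n:3d}x rule {rule}: {proto} to {dst} port {dport} blocked in on {ifname}")
```

Feeding a live capture in is a matter of piping "tcpdump -n -e -ttt -i pflog0" into this parser instead of using the constructed sample; the per-port counts then show exactly which discovery ports and which broadcast destination the default block rule is catching, which is the information needed before deciding whether a pass rule is warranted.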