On Sun, Apr 14, 2024 at 05:09:01PM +0200, Karel Lucas wrote:
> Hi all,
> 
> Everything about PF is all very confusing to me at the moment, so any help
> is appreciated. So let's start simple and then proceed step by step. I want
> to continue with ping so that I can test the connection to the internet.
> This works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS
> servers on the internet. The PF ruleset needs to be adjusted for this, but
> it is still not clear to me how to do that. What else do I need to get ping
> to work correctly?

You are blocking everything by default, with the "block log all" on top
of your ruleset.  This means that _everything_ needs to be explicitly
allowed in and out of your firewall.

If you want to resolve hostnames, you need to allow DNS requests (i.e.
traffic _to_ UDP port 53) to enter and leave the firewall.  So if a
machine on your LAN needs to make a DNS request, you need something like

    pass in on $int_if proto udp to port 53

You have a $nameservers macro, which suggests you want to allow traffic
to only those two, so you could rewrite the above rule as 

    pass in on $int_if proto udp to $nameservers port 53

But then you need to make sure every machine on your LAN uses those IPs
as resolvers, otherwise they'll try to query other DNS servers and fail.

As I said in a reply to your other thread, you will probably need to use
NAT on your egress traffic.

I personally prefer to keep the most general rules at the top, and then
the specifics, so I would move "pass out all" next to "block log
all", but it's a matter of taste.

> To get started simply, I created a new pf.conf file, see
> below.
> 
> 
> /etc/pf.conf:
> 
> ext_if = igc0                    # The interface to the outside world
> int_if = "{ igc1, igc2 }"        # The interfaces to the private hosts
> localnet = "192.168.2.0/24"      # Hosts on the screened LAN
> 
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nntp, http, https, \
>                 446, cvspserver, 2628, 5999, 8000, 8080 }"   # nntp: "nportntp" is not in /etc/services
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>               10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
>               0.0.0.0/8, 240.0.0.0/4 }"        # link-local was split as "169.254, 0.0/16"
> 
> # Options:
> set block-policy return
> 
> set skip on lo
> 
> block log all                # block stateless traffic
> 
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
> 
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
> 
> # Letting ping through:
> # "on" takes an interface, not an address family; inet/inet6 go on their own
> pass log inet proto icmp icmp-type $icmp_types
> pass log inet6 proto icmp6 icmp6-type $icmp6_types
> 
> pass out all
> 
> 

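Putting the advice from this reply together (the DNS pass rule limited to the two resolvers, NAT on egress, "pass out all" next to "block log all") gives the minimal ruleset below. It is an added example for this thread, not a config posted by either participant; interface names, the LAN prefix and the resolver addresses are copied from the posted pf.conf and are placeholders for your own values.

```pf
# Added example, not from the thread. Names and addresses are assumptions
# taken from the posted config.
ext_if      = "igc0"
int_if      = "{ igc1, igc2 }"
localnet    = "192.168.2.0/24"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
icmp_types  = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
martians    = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8, \
                 169.254.0.0/16, 192.0.2.0/24, 0.0.0.0/8, 240.0.0.0/4 }"

set block-policy return
set skip on lo

match in all scrub (no-df max-mss 1440)

# Egress NAT: LAN hosts leave with the firewall's external address, so the
# replies from the resolvers (and from ping targets) can find their way back.
match out on $ext_if from $localnet to any nat-to ($ext_if)

# Default deny, logged, with the general "out" allow right next to it.
# Last matching rule wins, so "pass out all" overrides the block for outbound.
block log all
pass out all

# Bogon filtering on the external interface only ("quick" beats "pass out all").
block in  quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Ping: echo requests and unreachables, both directions, on every interface.
pass inet  proto icmp  icmp-type  $icmp_types
pass inet6 proto icmp6 icmp6-type $icmp6_types

# DNS from the LAN, only to the two configured resolvers. TCP 53 is included
# because resolvers retry over TCP when an answer does not fit in UDP.
pass in on $int_if inet proto { udp, tcp } from $localnet to $nameservers port 53
```

Check it with `pfctl -nf /etc/pf.conf` before loading (`pfctl -vnf` prints the rules with the macros expanded, which is where a typo like a bad service name or a split CIDR shows up), then load with `pfctl -f /etc/pf.conf` and watch what "block log" is still dropping with `tcpdump -n -e -ttt -i pflog0`. Two caveats: the DNS rule only covers hosts behind $int_if, so if the failing `ping www.apple.com` is run on the firewall itself, its own queries go out under "pass out all" and the thing to check is /etc/resolv.conf, not this rule; and the ICMP rules as written also accept echo requests arriving from the internet on $ext_if, so restrict them with `in on $int_if` / `out on $ext_if` if you only want outbound ping.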