Hi, Souji-san.

Thank you so much for your advice.
We will reply to you in due course.


On Sun, 04 Aug 2024 19:56:38 +0100
"Souji Thenria" <m...@souji-thenria.net> wrote: 

> On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
>> I am having trouble because all packets are blocked.
>> Please see below for a description of the problem.
>> I would appreciate it if you could point out any problems.
> 
> The config looks ok so far; I don't see any problems.
> 
> Can you run 'pfctl -s rules' and send the command output?
> You can also run 'tcpdump' on the interface. Can you see incoming or
> outgoing packets for your specified ports?

We are sending you the results of the "pfctl -s rules" run,
the results of the "pfctl -vnf /etc/pf.conf" run
and the original "pf.conf" as attachments, just in case.

The results of "pfctl -s rules" were difficult for me to understand,
I am ashamed to say. As an example of what I understood,
I also send you the result of "pfctl -vnf /etc/pf.conf".

Looking at the result of "tcpdump -n -e -ttt -r /var/log/pflogd",
most of the packets were DNS packets (IN/OUT).
# This host is an authoritative DNS server, so I think it is natural.

Is it possible to understand the situation with these results?
We look forward to your reply.

Best regards,

---
WATANABE, Takeo
t...@kasaneiro.jp

(attached /etc/pf.conf)
tcp_services="{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services="{ domain, ntp }"

set block-policy drop
set loginterface vio0

# don't filter on loopback interface
set skip on lo0

# set up a default deny policy
block all

# Blocking Spoofed Packets
antispoof quick for vio0

# Allow packets
pass log quick on vio0 proto tcp to any port $tcp_services keep state
pass log quick on vio0 proto udp to any port $udp_services keep state

# Allow ICMP Packets
pass quick on vio0 proto icmp to any keep state

moegi# pfctl -vnf /etc/pf.conf
tcp_services = "{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services = "{ domain, ntp }"
set block-policy drop
set loginterface vio0
set skip on { lo0 }
block drop all
block drop in quick on ! vio0 inet6 from 2001:e42:102:1808::/64 to any
block drop in quick on vio0 inet6 from fe80::9ea3:baff:fe02:a73 to any
block drop in quick inet6 from 2001:e42:102:1808:160:16:212:251 to any
block drop in quick on ! vio0 inet from 160.16.212.0/23 to any
block drop in quick inet from 160.16.212.251 to any
pass log quick on vio0 proto tcp from any to any port = 80 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 443 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 53 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 25 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 465 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 587 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 993 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 1522 flags S/SA
pass log quick on vio0 proto udp from any to any port = 53
pass log quick on vio0 proto udp from any to any port = 123
pass quick on vio0 proto icmp all
moegi#
moegi# pfctl -s rules
block drop all
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass inet6 proto ipv6-icmp all icmp6-type neighbradv no state
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)
moegi#
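The two listings above can be checked mechanically: "pfctl -vnf /etc/pf.conf" only parses the file, while "pfctl -s rules" shows what the kernel is really enforcing, and the two should contain the same filter rules. The script below is an added example for this thread, not code from the original mail; it embeds the two outputs posted above as sample input so it runs offline, and assumes OpenBSD pfctl output formatting. The "fewer than half of the rules present" threshold in the verdict is a heuristic chosen for this example.

```python
"""Compare the pf ruleset loaded in the kernel with what /etc/pf.conf parses
to. Added example for this thread, not code from the original mail. Assumes
OpenBSD pfctl output formatting; the two samples are the outputs posted in the
thread, embedded so the check runs offline."""
import subprocess

RULE_KEYWORDS = ("pass", "block", "match")

# `pfctl -vnf /etc/pf.conf` (parse only, nothing is loaded), as posted.
# Prompt, macro and `set` lines are kept to show that they are ignored.
CONFIG_DRYRUN = """\
moegi# pfctl -vnf /etc/pf.conf
tcp_services = "{ http, https, domain, smtp, smtps, msa, imaps, 1522 }"
udp_services = "{ domain, ntp }"
set block-policy drop
set loginterface vio0
set skip on { lo0 }
block drop all
block drop in quick on ! vio0 inet6 from 2001:e42:102:1808::/64 to any
block drop in quick on vio0 inet6 from fe80::9ea3:baff:fe02:a73 to any
block drop in quick inet6 from 2001:e42:102:1808:160:16:212:251 to any
block drop in quick on ! vio0 inet from 160.16.212.0/23 to any
block drop in quick inet from 160.16.212.251 to any
pass log quick on vio0 proto tcp from any to any port = 80 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 443 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 53 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 25 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 465 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 587 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 993 flags S/SA
pass log quick on vio0 proto tcp from any to any port = 1522 flags S/SA
pass log quick on vio0 proto udp from any to any port = 53
pass log quick on vio0 proto udp from any to any port = 123
pass quick on vio0 proto icmp all
"""

# `pfctl -s rules` (what the kernel is really enforcing), as posted.
LOADED = """\
block drop all
pass out inet proto icmp all icmp-type echoreq
pass out inet proto udp from any port = 68 to any port = 67
pass out proto tcp from any to any port = 53 flags S/SA
pass out proto udp from any to any port = 53
pass out inet6 proto ipv6-icmp all icmp6-type neighbrsol
pass in proto tcp from any to any port = 22 flags S/SA
pass in inet proto udp from any port = 67 to any port = 68
pass on lo0 all flags S/SA
pass inet6 proto ipv6-icmp all icmp6-type neighbradv no state
pass out inet6 proto ipv6-icmp all icmp6-type routersol
pass out inet6 proto udp from any port = 546 to any port = 547
pass in inet6 proto ipv6-icmp all icmp6-type routeradv
pass in inet6 proto udp from any port = 547 to any port = 546
pass in proto carp all keep state (no-sync)
pass out proto carp all !received-on any keep state (no-sync)
"""


def filter_rules(text):
    """Keep only pass/block/match rules, whitespace-normalised; macros,
    `set` options, prompts and blank lines are dropped."""
    rules = []
    for line in text.splitlines():
        words = line.split()
        if words and words[0] in RULE_KEYWORDS:
            rules.append(" ".join(words))
    return rules


def compare(config_output, loaded_output):
    """Return (rules pf.conf produces but the kernel lacks,
               rules the kernel has that pf.conf never produced)."""
    wanted, loaded = filter_rules(config_output), filter_rules(loaded_output)
    return ([r for r in wanted if r not in loaded],
            [r for r in loaded if r not in wanted])


def diagnose(config_output, loaded_output):
    """One-line verdict; 'fewer than half present' is a heuristic threshold."""
    wanted = filter_rules(config_output)
    missing, unexpected = compare(config_output, loaded_output)
    if not missing and not unexpected:
        return "OK: loaded ruleset matches pf.conf"
    present = len(wanted) - len(missing)
    if present * 2 < len(wanted):
        return ("MISMATCH: only %d of %d pf.conf rules are loaded, so the active "
                "ruleset did not come from this file; run 'pfctl -f /etc/pf.conf' "
                "and watch for errors" % (present, len(wanted)))
    return "PARTIAL: %d rule(s) missing, %d unexpected rule(s) loaded" % (
        len(missing), len(unexpected))


def diagnose_live(path="/etc/pf.conf"):
    """Same check against the running host (needs root; OpenBSD only)."""
    def run(*argv):
        return subprocess.run(argv, capture_output=True, text=True,
                              check=True).stdout
    return diagnose(run("pfctl", "-vnf", path), run("pfctl", "-s", "rules"))


if __name__ == "__main__":
    missing, unexpected = compare(CONFIG_DRYRUN, LOADED)
    print(diagnose(CONFIG_DRYRUN, LOADED))
    for r in missing:
        print("  missing:   ", r)
    for r in unexpected:
        print("  unexpected:", r)
```

Run against the thread's two outputs, the only rule the listings share is "block drop all": none of the vio0 rules that pf.conf parses to is loaded, and the loaded list is the fallback ruleset that OpenBSD's /etc/rc installs when /etc/pf.conf cannot be loaded at boot (ssh in, DNS and DHCP out, NDP, carp). Two practical consequences follow. First, "pfctl -vnf" proving that the file parses today says nothing about whether it loaded at boot time, so reload it explicitly with "pfctl -f /etc/pf.conf" and check "pfctl -s rules" again. Second, the "log" keyword only reaches pflog for rules that are actually installed, so reading /var/log/pflog with tcpdump cannot tell you anything about rules that were never loaded; run tcpdump on the interface itself (as suggested in the quoted reply) to see the traffic regardless of what pf logs.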
