Hi, kolipe-SAN.

on Sun, 04 Aug 2024 18:28:09 -0300
Crystal Kolipe <kolip...@exoticsilicon.com> wrote: 

> On Mon, Aug 05, 2024 at 12:36:18AM +0900, WATANABE Takeo wrote:
>> Dear Sirs,
>> 
>> Would you be willing to discuss how to write pf.conf?
>> 
>> I'm using OpenBSD 7.5 AMD.
>> I want to limit the packets going in and out as follows
>> 
>> 1. reject in principle: block all
>> 2. when rejecting packets, do not log them.
>> 3. there is only one interface (vio0) that goes in and out of the host.
>>    Take necessary logs on this interface.
>> 4. do nothing on the local loopback (lo0) interface.
>> 5. reject anti-spoofing packets on vio0.
>> 6. Allow the following protocols to pass.
>>    TCP ( http, https, domain, smtp, smtps, msa, imaps, 1522 )
>>    * Port 1522 is SSH.
>> 
>>    UDP ( domain, ntp )
>> 
>> I've written these rules (pf.conf) in my own way, but I am having trouble
>> because all packets are blocked.
> 
> Are you using IPv6?
> 
> If so, you will need to pass icmp6 so that NDP works correctly.

IPv6 is being used.
As you say, we configured pf.conf to pass icmp6 in both directions, and
most of the packets (TCP, UDP) that were blocked are now allowed to pass. I am
still verifying this, but I am now closer to what I wanted to do.

Thank you very much for your help.

Sincerely yours,

---
WATANABE, Takeo
t...@kasaneiro.jp

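For reference, a pf.conf that implements the six requirements from the original question, including the icmp6 rules that turned out to be the missing piece. This is an added example written for this page, not the poster's actual ruleset and not Crystal Kolipe's suggestion; only the interface name vio0 and port 1522 are taken from the thread. The choice of icmp6 types to pass and the decision to restrict outbound traffic to the same service list are assumptions.

```pf
# /etc/pf.conf for an OpenBSD 7.5 host with a single interface (vio0).
# Added example, derived from the requirements in the thread; not the
# original poster's file. Port 587 is msa/submission, 1522 is sshd on
# a non-standard port (both per the thread).
ext_if = "vio0"
tcp_services = "{ http https domain smtp smtps 587 imaps 1522 }"
udp_services = "{ domain ntp }"

# 4. Do nothing on loopback. This also keeps the antispoof rules below
#    from interfering with traffic to the host's own addresses over lo0.
set skip on lo0

# 1. Default deny; packets are silently dropped.
# 2. No "log" keyword here, so rejected packets are not logged.
set block-policy drop
block all

# 5. Drop packets arriving on vio0 with a source address that belongs to
#    one of vio0's own networks or to the host itself.
antispoof quick for $ext_if

# IPv6 neighbour and router discovery. Without these four types NDP
# cannot resolve link-layer addresses and no IPv6 traffic gets through,
# which is the symptom described in the thread. (Assumed type list.)
pass quick on $ext_if inet6 proto icmp6 all icmp6-type { neighbrsol, neighbradv, routersol, routeradv }

# Other icmp6 a dual-stack host needs: "toobig" is mandatory for IPv6
# path MTU discovery, since IPv6 routers never fragment. (Assumption.)
pass quick on $ext_if inet6 proto icmp6 all icmp6-type { echoreq, unreach, toobig, timex, paramprob }

# 3. + 6. Allowed services on vio0, logged to pflog0 in both directions.
#    ($ext_if) in parentheses means "the addresses currently on vio0".
pass in  log on $ext_if proto tcp to ($ext_if) port $tcp_services
pass in  log on $ext_if proto udp to ($ext_if) port $udp_services
pass out log on $ext_if proto tcp to port $tcp_services
pass out log on $ext_if proto udp to port $udp_services
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch what the `log` rules capture with `tcpdump -n -e -ttt -i pflog0`. Two caveats a practitioner will want: pf is last-match-wins, so the `quick` on the icmp6 and antispoof rules is what stops a later rule from overriding them; and because `block all` carries no `log`, the only packets that reach pflog0 are those matching the `pass ... log` rules. If you also want to see what vio0 drops (without logging drops on every interface), add `block log on $ext_if` directly after `block all`.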