For some reason, I'm not "getting it" when it comes to pf... Two things I can't figure out: (1) filtered vs blocked for some TCP ports and (2) rules for tun0, my vpn interface.
First, my /etc/pf.conf:

# macros
int_if = "vr1"
ext_if = "vr0"
vpn_if = "tun0"
tcp_services = "{ 22 }"
udp_services = "{ 1194 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# options
set block-policy return
set loginterface $ext_if

# normalization
scrub in all
scrub out on $ext_if all max-mss 1452

# translation
nat on $ext_if from $int_if:network to any -> ($ext_if)
#nat on $ext_if from $vpn_if:network to any -> ($ext_if)

# filtering
block log all

pass quick log on lo0 all
#pass quick on { lo, $int_if, $vpn_if }

antispoof quick log for { lo0 $int_if $vpn_if }

block drop in quick log on $ext_if from $priv_nets to any
block drop out quick log on $ext_if from any to $priv_nets

pass in log on $ext_if inet proto tcp from any to ($ext_if) \
    port $tcp_services flags S/SA keep state
pass in log on $ext_if inet proto udp from any to ($ext_if) \
    port $udp_services keep state
pass in log on $ext_if inet proto tcp from port 20 to ($ext_if) \
    user proxy flags S/SA keep state

pass in log on $int_if from $int_if:network to any keep state
pass out log on $int_if from any to $int_if:network keep state

pass in log on $vpn_if from any to any keep state
pass out log on $vpn_if from any to any keep state

pass out log on $ext_if proto tcp all modulate state flags S/SA
pass out log on $ext_if proto { udp, icmp } all keep state

Now, regarding issue (1), if I do a "nmap -v -A <my obsd box>" from another computer, I get this:

...
Interesting ports on <my obsd box>:
(The 1663 ports scanned but not shown below are in state: closed)
PORT     STATE    SERVICE         VERSION
22/tcp   open     ssh             OpenSSH 4.1 (protocol 1.99)
25/tcp   filtered smtp
135/tcp  filtered msrpc
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
445/tcp  filtered microsoft-ds
593/tcp  filtered http-rpc-epmap
1080/tcp filtered socks
...

Why are all those ports (except 22) "filtered" instead of closed? Does one of my pf rules above implicitly allow those ports to be filtered?
I don't use or run any of those services on this box, so I'd prefer those ports just be closed.

Now, regarding (2), I'm trying to set up OpenVPN. I've got a mostly default setup (i.e. I followed the OpenVPN HOWTO almost verbatim). I can establish the VPN tunnel, but cannot ping the obsd box. So, if I do a "tcpdump -n -e -ttt -i pflog0" while trying to ping the obsd box from the VPN client, I see this:

Aug 26 21:08:49.371324 rule 4/(match) block in on tun0: \
    192.168.2.6 > 192.168.2.1: icmp: echo request (DF)

How can I tell which rule is "rule 4"?

pfctl -s rules:

 0 scrub in all fragment reassemble
 1 scrub out on vr0 all max-mss 1452 fragment reassemble
 2 block return log all
 3 pass log quick on lo0 all
 4 block drop in log quick on ! lo0 inet6 from ::1 to any
 5 block drop in log quick on ! lo0 inet from 127.0.0.0/8 to any
 6 block drop in log quick on ! vr1 inet from 192.168.0.0/16 to any
 7 block drop in log quick on vr1 inet6 from fe80::240:63ff:fed9:3f9f \
 8     to any
 9 block drop in log quick inet from 192.168.1.1 to any
block drop in log quick on ! tun0 inet from 192.168.2.1 to any
block drop in log quick inet from 192.168.2.1 to any
block drop in log quick on vr0 inet from 127.0.0.0/8 to any
block drop in log quick on vr0 inet from 192.168.0.0/16 to any
block drop in log quick on vr0 inet from 172.16.0.0/12 to any
block drop in log quick on vr0 inet from 10.0.0.0/8 to any
block drop out log quick on vr0 inet from any to 127.0.0.0/8
block drop out log quick on vr0 inet from any to 192.168.0.0/16
block drop out log quick on vr0 inet from any to 172.16.0.0/12
block drop out log quick on vr0 inet from any to 10.0.0.0/8
pass in log on vr0 inet proto tcp from any to (vr0) port = ssh flags \
    S/SA keep state
pass in log on vr0 inet proto udp from any to (vr0) port = 1194 keep \
    state
pass in log on vr0 inet proto tcp from any port = ftp-data to (vr0) \
    user = 71 flags S/SA keep state
pass in log on vr1 inet from 192.168.0.0/16 to any keep state
pass out log on vr1 inet from any to 192.168.0.0/16 keep state
pass in log on tun0 all keep state
pass out log on tun0 all keep state
pass out log on vr0 proto tcp all flags S/SA modulate state
pass out log on vr0 proto udp all keep state
pass out log on vr0 proto icmp all keep state

(I added the numbers and line breaks.)

So it looks to me like line 6 is responsible for blocking the ping... but where does that rule come from in my pf.conf file?

Thanks in advance for any assistance!

Matt
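The following is an added example, not part of Matt's post and not pf's own code: a deliberately simplified Python model of how pf walks a filter ruleset, loaded with the filter rules from the `pfctl -s rules` listing above (the two scrub lines are a separate ruleset and are not counted; pflog's "rule N" is the zero-based index into the filter rules, which is also the `@N` prefix `pfctl -vvs rules` prints). The model is an assumption of this script: it matches direction, interface with `!` negation, address family, protocol and source/destination network, honours `quick`, and otherwise lets the last match win; ports, TCP flags, state and the `user` option are not modelled. The `with_vr1_slash24` scenario is likewise a hypothetical for illustration, showing what the same ruleset would do if vr1 were configured with a /24 netmask (antispoof and `$int_if:network` expand to the interface's configured network, which is why a /16 appears in the listing).

```python
# Added example (not from Matt's post): simplified pf filter evaluation.
# Assumed model: direction, interface (with "!" negation), address family,
# protocol, src/dst network; "quick" ends evaluation, else LAST match wins.
# Not modelled: ports, flags, state, "user". Rules are numbered from 0 the
# way pflog reports them (scrub rules are a separate ruleset, not counted).
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str] = None  # "in", "out" or None for both
    iface: Optional[str] = None      # interface name, None for any
    iface_neg: bool = False          # True models "on ! vr1"
    af: Optional[str] = None         # "inet", "inet6" or None
    proto: Optional[str] = None      # "tcp", "udp", "icmp" or None
    src: str = "any"                 # CIDR network or "any"
    dst: str = "any"
    quick: bool = False


@dataclass
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str


def in_net(addr: str, spec: str) -> bool:
    if spec == "any":
        return True
    a, net = ip_address(addr), ip_network(spec, strict=False)
    return a.version == net.version and a in net


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction and rule.direction != pkt.direction:
        return False
    if rule.iface is not None and (pkt.iface == rule.iface) == rule.iface_neg:
        return False
    af = "inet6" if ip_address(pkt.src).version == 6 else "inet"
    if rule.af and rule.af != af:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    return in_net(pkt.src, rule.src) and in_net(pkt.dst, rule.dst)


def evaluate(rules, pkt):
    """Return (index, rule) of the rule that decides pkt, numbered as pflog does."""
    winner = None
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            winner = (idx, rule)
            if rule.quick:
                break
    return winner


PRIV = ["127.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]
B, P = "block", "pass"
# Filter rules in the order "pfctl -s rules" printed them (scrub rules omitted).
RULES = [
    Rule(B),                                                   # 0 block return log all
    Rule(P, iface="lo0", quick=True),                          # 1 pass quick on lo0
    # 2-8: expansion of "antispoof quick log for { lo0 $int_if $vpn_if }"
    Rule(B, "in", "lo0", True, "inet6", src="::1/128", quick=True),
    Rule(B, "in", "lo0", True, "inet", src="127.0.0.0/8", quick=True),
    Rule(B, "in", "vr1", True, "inet", src="192.168.0.0/16", quick=True),  # 4
    Rule(B, "in", "vr1", False, "inet6", src="fe80::240:63ff:fed9:3f9f/128", quick=True),
    Rule(B, "in", af="inet", src="192.168.1.1/32", quick=True),
    Rule(B, "in", "tun0", True, "inet", src="192.168.2.1/32", quick=True),
    Rule(B, "in", af="inet", src="192.168.2.1/32", quick=True),
] + [Rule(B, "in", "vr0", af="inet", src=n, quick=True) for n in PRIV] \
  + [Rule(B, "out", "vr0", af="inet", dst=n, quick=True) for n in PRIV] + [
    Rule(P, "in", "vr0", af="inet", proto="tcp"),              # 17 ssh (port not modelled)
    Rule(P, "in", "vr0", af="inet", proto="udp"),              # 18 openvpn
    Rule(P, "in", "vr0", af="inet", proto="tcp"),              # 19 ftp-data
    Rule(P, "in", "vr1", af="inet", src="192.168.0.0/16"),     # 20 $int_if:network
    Rule(P, "out", "vr1", af="inet", dst="192.168.0.0/16"),    # 21
    Rule(P, "in", "tun0"),                                     # 22 pass in on tun0 all
    Rule(P, "out", "tun0"),                                    # 23
    Rule(P, "out", "vr0", proto="tcp"),                        # 24
    Rule(P, "out", "vr0", proto="udp"),                        # 25
    Rule(P, "out", "vr0", proto="icmp"),                       # 26
]

# The echo request from the pflog line in the post.
PING = Packet("in", "tun0", "icmp", "192.168.2.6", "192.168.2.1")


def trace_ping(rules=RULES):
    """(rule index, action) that decides the VPN client's ping."""
    idx, rule = evaluate(rules, PING)
    return idx, rule.action


def with_vr1_slash24(rules=RULES):
    """Hypothetical: vr1 configured as 192.168.1.1/24, so antispoof and
    $int_if:network would expand to 192.168.1.0/24 instead of /16."""
    out = []
    for r in rules:
        r2 = replace(r)
        if r2.iface == "vr1" and r2.src == "192.168.0.0/16":
            r2.src = "192.168.1.0/24"
        if r2.iface == "vr1" and r2.dst == "192.168.0.0/16":
            r2.dst = "192.168.1.0/24"
        out.append(r2)
    return out


if __name__ == "__main__":
    print("as posted:   rule %d -> %s" % trace_ping())
    print("vr1 as /24:  rule %d -> %s" % trace_ping(with_vr1_slash24()))
```

Run as posted, the ping is decided by rule 4, the antispoof rule `block drop in quick on ! vr1 inet from 192.168.0.0/16`, which is the same line Matt numbered 6 in his listing (his count includes the two scrub lines). It matches because the client address 192.168.2.6 lies inside the /16 that vr1 is configured with while the packet arrives on tun0, and `quick` means the later `pass in on tun0 all` is never reached. In the hypothetical /24 configuration the same packet falls through to rule 22, the tun0 pass rule. To see the `@N` numbers pflog uses on the real box, run `pfctl -vvs rules`.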