Stuart Henderson wrote:
>
> I didn't give you rules to try, I was pointing out that you had
> a problem because you had conflicting scrub rules.
>
> Since you didn't include pf.conf I can't make any suggestions
> exactly what is conflicting, but if you look through it you'll find
> some other scrub rules which you need to remove or re-order.
>
Aha... probably I have conflicting rules. See my pf.conf below.
fxp0 has 192.168.1.1/24
and rl0 10.10.10.1/24
My laptop receives an IP via DHCP from the OpenBSD server. I don't use a switch to
connect my laptop via 192.168.1.0/24...
So I need to work via the 10.10.10.0/24 network. Everything works fine until my
ISP sets ttl to 0.
OK, here is my pf.conf:
#macros
ext_if="fxp0"
int_if="rl0"
tcp_services="{ 13, 21, 22, 37, 53, 80, 113, 139, 443, 445, 30000:30005 }"
#tcp_services="{ 13, 21, 22, 37, 80, 113, 139, 443, 445 }"
icmp_types="echoreq"
# options
set block-policy return
set loginterface $ext_if
set skip on lo
# scrub
scrub in
scrub in all fragment reassemble
scrub in on $ext_if all min-ttl 15 max-mss 1400 fragment reassemble
scrub out on $ext_if all min-ttl 15 max-mss 1400 fragment reassemble
scrub in on $ext_if all no-df fragment reassemble
scrub on $ext_if all reassemble tcp fragment reassemble
# nat/rdr
#nat on $ext_if from !($ext_if) -> ($ext_if:0)
nat on fxp0 from rl0:network to any -> fxp0
#nat-anchor "ftp-proxy/*"
#
#rdr-anchor "ftp-proxy/*"
#rdr pass on $int_if proto tcp to port ftp -> 127.0.0.1 port 8021
#rdr on $ext_if proto tcp from any to any port 80 -> $comp3
# filter rules
block in
pass out keep state
#block drop in on $ext_if proto tcp from 192.168.1.100 \
# to $ext_if port 21
block in log quick on $ext_if proto tcp from 192.168.1.254 to any port { 113, 139, 445 }
pass in on $ext_if proto tcp from 192.168.1.254 to any port { 21, 30000:30005 }
#pass in on $ext_if proto {tcp, udp} from 192.168.1.100 to any port { 111, 2049 }
pass in on $ext_if proto { tcp, udp } from 192.168.1.0/24 to any port { 137, 138, 139, 445 }
pass in on $ext_if proto { tcp, udp } from any to any port { 53 }
block in log quick on $ext_if proto tcp from 77.232.66.61 to any port { 21, 30000:30005 }
#block in log quick on $ext_if proto {tcp, udp} from 192.168.1.100 to any port ftp
#block out on $ext_if proto tcp from 192.168.1.100 to $ext_if port 80
#block in quick on fxp0 proto tcp from any to 192.168.1.100 port ftp
#anchor "ftp-proxy/*"
#set block-policy return
block in log quick proto tcp flags FUP/WEUAPRSF
block in log quick proto tcp flags WEUAPRSF/WEUAPRSF
block in log quick proto tcp flags SRAFU/WEUAPRSF
block in log quick proto tcp flags /WEUAPRSF
block in log quick proto tcp flags SR/SR
block in log quick proto tcp flags SF/SF
#
block in quick proto tcp all flags SF/SFRA
block in quick proto tcp all flags FPU/SFRAUP
block in quick proto tcp all flags /SFRA
block in quick proto tcp all flags F/SFRA
block in quick proto tcp all flags U/SFRAU
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if) \
port $tcp_services flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass quick on $int_if
Thank you
--
View this message in context:
http://www.nabble.com/OpenBSD-4.1----NAT-%2B-ttl%3D0-trouble-tp14463336p14468697.html
Sent from the openbsd user - misc mailing list archive at Nabble.com.
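As an added check, not part of the thread and not pf's own tooling: a small Python script that parses the scrub section quoted above (embedded here as constructed input) and reports which scrub rules can never be reached. It assumes pf applies the first scrub rule that matches a packet (an assumption made here, not stated in the thread); under that assumption the bare "scrub in" at the top covers every inbound packet, so the later min-ttl and no-df rules written for the ISP's TTL problem are exactly the ones shadowed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the scrub section of the pf.conf posted above.
PF_CONF = """\
scrub in
scrub in all fragment reassemble
scrub in on $ext_if all min-ttl 15 max-mss 1400 fragment reassemble
scrub out on $ext_if all min-ttl 15 max-mss 1400 fragment reassemble
scrub in on $ext_if all no-df fragment reassemble
scrub on $ext_if all reassemble tcp fragment reassemble
"""

@dataclass
class Scrub:
    text: str
    direction: Optional[str]   # "in", "out" or None (both directions)
    iface: Optional[str]       # interface name or None (any interface)
    options: str               # normalisation options exactly as written

# scrub [in|out] [on <iface>] [all] <options>
SCRUB_RE = re.compile(r"^scrub(?:\s+(in|out))?(?:\s+on\s+(\S+))?(?:\s+all)?\s*(.*)$")

def parse_scrub_rules(conf: str) -> list:
    """Return the scrub rules of a pf.conf fragment in file order."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        m = SCRUB_RE.match(line)
        if m:
            rules.append(Scrub(line, m.group(1), m.group(2), m.group(3).strip()))
    return rules

def covers(a: Scrub, b: Scrub) -> bool:
    """True if every packet rule b could match is already matched by rule a."""
    return a.direction in (None, b.direction) and a.iface in (None, b.iface)

def shadowed_rules(rules: list) -> dict:
    """Map each scrub rule that is never reached (assumption: the first
    matching scrub rule wins) to the earlier rule that swallows its packets.
    Shadowed rules with different options are the conflicts to remove
    or re-order."""
    shadowed = {}
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                shadowed[later.text] = earlier.text
                break
    return shadowed

if __name__ == "__main__":
    for rule, by in shadowed_rules(parse_scrub_rules(PF_CONF)).items():
        print(f"never reached: {rule!r}\n    shadowed by: {by!r}")
```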