Dear Josh:

Apologies for being vague.

I mean that I have yours now:

$ cat /etc/pf.conf
block
pass from self to any
#a.  Rule 1 blocks all traffic.
#b.  Rule 2 passes all traffic originating on the laptop, going anywhere.

If I enable them with

$ pfctl -e

I can ping anything, but no browser will open anything.

If I run

$ pfctl -d
pf disabled

Then of course everything works just fine.

Pau


2016-06-25 18:35 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
> On Sat, Jun 25, 2016 at 06:18:18PM +0200, Pau Amaro-Seoane wrote:
>> thanks, Josh!
>>
>> Although with these rules I seem not to be able to send e-mails....
>
> Which rules?  Mine or yours?  Please remember I only have what you
> state in your Emails for a problem description.
>
> All I know is that you have a laptop running OpenBSD, and that
> when you use your "six rule" ruleset, all traffic would be blocked.
> If you use your "five rule" ruleset, no traffic would be blocked.
> If you use Stephen's recommended additional line, and build a
> "seven rule" ruleset that ends with his pass out rule, or, end
> with my pass from self to any rule, or you use my simple two
> rule example, with either the pass out or the pass from self to any
> rule, you should have a working ruleset for the use case you
> described.
>
>> ... For
>> instance, gmail complains about not being able to do so, and it also
>> says that I seem to have a very old browser, and should load a
>> simplistic html version of gmail. When I disable pf with pfctl -d, the
>> email is sent and gmail does not complain about anything. Maybe the
>> block is also blocking sites from delivering cookies?
>
> I can only guess that your normalization ("scrub") directive is the
> cause of this symptom.
>
>> 2016-06-25 15:39 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
>> > On Sat, Jun 25, 2016 at 09:28:16AM +0200, Pau Amaro-Seoane wrote:
>> >> pf is disabled, yes...
>> >>
>> >> So, then I would have to remove the last line. I need to download and
>> >> upload things, but do not want to allow any remote connection to the
>> >> laptop. I guess this configuration fulfills my needs?
>> >
>> > No.  If you remove the rule that blocks all traffic, what will PF do?
>> >
>> > 1) Ignore lo0 traffic
>> > 2) Scrub all other traffic
>> >
>> > Nothing else.
>> >
>> > Let's look at your six-line rule set in detail:
>> >
>> > a. Rules 1 and 2 set the macros $wifi and $wired, which are never used.
>> > b. Rule 3 sets the option to respond to blocked TCP traffic with RST
>> >    and respond with ICMP UNREACHABLE to other blocked traffic.
>> > c. Rule 4 instructs PF to ignore traffic on the loopback interface.
>> > d. Rule 5 requests packet normalization
>> > e. Rule 6 blocks all traffic, except on the ignored loopback interface,
>> >    and logs them through your pflog(4) interface.
>> >
>> > Keep in mind, I can only answer questions based upon the information
>> > you provide.  Based solely on your laptop use-case description, here is
>> > a very simple ruleset:
>> >
>> >     block
>> >     pass from self to any
>> >
>> > a.  Rule 1 blocks all traffic.
>> > b.  Rule 2 passes all traffic originating on the laptop, going anywhere.
>> >
>> > How does PF manage inbound traffic with this?
>> >
>> >     Because passed traffic keeps state by default, response packets
>> >     will be passed.  For stateless protocols like UDP or ICMP, state is
>> >     maintained via timers.
>> >
>> >     In my previous reply to you, I'd reminded you that in PF, the last
>> >     matching rule wins. When an inbound packet is part of an existing
>> >     state (TCP session, or within a response timeout window), the rule
>> >     set will not be tested and the packet will flow.  When an inbound
>> >     packet is not part of any existing state, PF will test it against
>> >     the rule set and the first rule (block) will be the last one
>> >     which matches.
>> >
>> >>
>> >> Thanks!
>> >>
>> >> 2016-06-23 19:20 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
>> >> > On 2016-06-23 10:29, Pau Amaro-Seoane wrote:
>> >> >>
>> >> >> Hi... with these pf rules
>> >> >>
>> >> >> wifi=iwn0
>> >> >> wired=em0
>> >> >> set block-policy return
>> >> >> set skip on lo0
>> >> >> match in all scrub
>> >> >> block log all
>> >> >>
>> >> >> I can ping www.google.com without loss
>> >> >> but no browser opens any URL... do you know what's going on?
>> >> >>
>> >> >> Thanks!
>> >> >>
>> >> >> Pau
>> >> >> _______________________________________________
>> >> >> Openbsd-newbies mailing list
>> >> >> Openbsd-newbies@sfobug.theapt.org
>> >> >> http://mailman.theapt.org/listinfo/openbsd-newbies
>> >> >
>> >> >
>> >> > Hi, Pau.  Last matching rule wins, and your last rule blocks all traffic.
>> >> >
>> >> > The only packets that will pass through PF are those that use the
>> >> > loopback interface lo0.  So either that is not your entire rule set,
>> >> > or PF is disabled.
>> >> >
>> >> > Ping requires the passing of ICMP protocol ECHO packets, while address
>> >> > resolution of www.google.com requires the passing of DNS protocol
>> >> > packets via UDP port 53.
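A toy model of the evaluation Josh describes above (last matching rule wins, an existing state bypasses the rule set, "set skip" makes PF ignore an interface), added here as an illustration and not part of the thread or of pf itself. The address 10.0.0.5 standing in for "self", the resolver and web-server addresses, and the packets are constructed samples.

```python
from dataclasses import dataclass, field

SELF = "10.0.0.5"  # assumed laptop address standing in for "self"


@dataclass
class Rule:
    action: str        # "pass" or "block"
    src: str = "any"   # "self" or "any"


@dataclass
class PF:
    rules: list
    skip: set = field(default_factory=set)    # interfaces from "set skip on"
    states: set = field(default_factory=set)  # (proto, src, dst) of passed traffic

    def filter(self, pkt):
        """Return 'pass' or 'block' for a constructed (iface, src, dst, proto) packet."""
        iface, src, dst, proto = pkt
        if iface in self.skip:
            return "pass"  # set skip: PF does not look at this interface at all
        # A reply to traffic we already passed matches state; the rule set is not tested.
        if (proto, dst, src) in self.states or (proto, src, dst) in self.states:
            return "pass"
        decision = None
        for r in self.rules:  # walk every rule; the last one that matches wins
            if r.src == "self" and src != SELF:
                continue
            decision = r.action
        if decision is None:
            decision = "pass"  # no rule matched: PF's default is to pass
        if decision == "pass":
            self.states.add((proto, src, dst))  # passed traffic keeps state by default
        return decision


def six_rule_set():
    # "set skip on lo0" and "block log all"; the macros, block-policy and
    # scrub lines of the six-rule set do not change the pass/block verdict.
    return PF(rules=[Rule("block")], skip={"lo0"})


def two_rule_set():
    # Josh's two-rule set: "block" followed by "pass from self to any".
    return PF(rules=[Rule("block"), Rule("pass", src="self")])


def demo():
    dns_out = ("em0", SELF, "192.0.2.53", "udp/53")        # laptop asks a resolver
    dns_in = ("em0", "192.0.2.53", SELF, "udp/53")         # the resolver answers
    unsolicited = ("em0", "198.51.100.7", SELF, "tcp/22")  # nobody asked for this
    lo = ("lo0", "127.0.0.1", "127.0.0.1", "tcp/80")       # loopback traffic
    six, two = six_rule_set(), two_rule_set()
    return {
        "six: dns out": six.filter(dns_out),          # block: "block log all" matches last
        "six: lo0": six.filter(lo),                   # pass: interface skipped
        "two: dns out": two.filter(dns_out),          # pass: rule 2 matches last, state kept
        "two: dns reply": two.filter(dns_in),         # pass: matches state, rules not tested
        "two: unsolicited": two.filter(unsolicited),  # block: only rule 1 matches
    }
```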