Dear Josh: Apologies for being vague.

I mean that I have yours now:

$ cat /etc/pf.conf
block
pass from self to any
#a. Rule 1 blocks all traffic.
#b. Rule 2 passes all traffic originating on the laptop, going anywhere.

If I enable them with

$ pfctl -e

I can ping anything, but no browser will open anything. If I run

$ pfctl -d
pf disabled

then of course everything works just fine.

Pau

2016-06-25 18:35 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
> On Sat, Jun 25, 2016 at 06:18:18PM +0200, Pau Amaro-Seoane wrote:
>> thanks, Josh!
>>
>> Although with these rules I seem not to be able to send e-mails....
>
> Which rules? Mine or yours? Please remember I only have what you
> state in your Emails for a problem description.
>
> All I know is that you have a laptop running OpenBSD, and that
> when you use your "six rule" ruleset, all traffic would be blocked.
> If you use your "five rule" ruleset, no traffic would be blocked.
> If you use Stephen's recommended additional line, and build a
> "seven rule" ruleset that ends with his pass out rule, or, end
> with my pass from self to any rule, or you use my simple two
> rule example, with either the pass out or the pass from self to any
> rule, you should have a working ruleset for the use case you
> described.
>
>> ... For
>> instance, gmail complains about not being able to do so, and it also
>> says that I seem to have a very old browser, and should load a
>> simplistic html version of gmail. When I disable pf with pfctl -d, the
>> email is sent and gmail does not complain about anything. Maybe the
>> block is also blocking sites from delivering cookies?
>
> I can only guess that your normalization ("scrub") directive is the
> cause of this symptom.
>
>> 2016-06-25 15:39 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
>> > On Sat, Jun 25, 2016 at 09:28:16AM +0200, Pau Amaro-Seoane wrote:
>> >> pf is disabled, yes...
>> >>
>> >> So, then I would have to remove the last line. I need to download and
>> >> upload things, but do not want to allow any remote connection to the
>> >> laptop. I guess this configuration fulfills my needs?
>> >
>> > No. If you remove the rule that blocks all traffic, what will PF do?
>> >
>> > 1) Ignore lo0 traffic
>> > 2) Scrub all other traffic
>> >
>> > Nothing else.
>> >
>> > Let's look at your six-line rule set in detail:
>> >
>> > a. Rules 1 and 2 set the macros $wifi and $wired, which are never used.
>> > b. Rule 3 sets the option to respond to blocked TCP traffic with RST
>> >    and respond with ICMP UNREACHABLE to other blocked traffic.
>> > c. Rule 4 instructs PF to ignore traffic on the loopback interface.
>> > d. Rule 5 requests packet normalization.
>> > e. Rule 6 blocks all traffic, except on the ignored loopback interface,
>> >    and logs them through your pflog(4) interface.
>> >
>> > Keep in mind, I can only answer questions based upon the information
>> > you provide. Based solely on your laptop use-case description, here is
>> > a very simple ruleset:
>> >
>> > block
>> > pass from self to any
>> >
>> > a. Rule 1 blocks all traffic.
>> > b. Rule 2 passes all traffic originating on the laptop, going anywhere.
>> >
>> > How does PF manage inbound traffic with this?
>> >
>> > Because passed traffic keeps state by default, response packets
>> > will be passed. For stateless protocols like UDP or ICMP, state is
>> > maintained via timers.
>> >
>> > In my previous reply to you, I'd reminded you that in PF, the last
>> > matching rule wins. When an inbound packet is part of an existing
>> > state (TCP session, or within a response timeout window), the rule
>> > set will not be tested and the packet will flow. When an inbound
>> > packet is not part of any existing state, PF will test it against
>> > the rule set and the first rule (block) will be the last one
>> > which matches.
>> >
>> >>
>> >> Thanks!
>> >>
>> >> 2016-06-23 19:20 GMT+02:00 Josh Grosse <j...@jggimi.homeip.net>:
>> >> > On 2016-06-23 10:29, Pau Amaro-Seoane wrote:
>> >> >>
>> >> >> Hi... with these pf rules
>> >> >>
>> >> >> wifi=iwn0
>> >> >> wired=em0
>> >> >> set block-policy return
>> >> >> set skip on lo0
>> >> >> match in all scrub
>> >> >> block log all
>> >> >>
>> >> >> I can ping www.google.com without loss
>> >> >> but no browser opens any URL... do you know what's going on?
>> >> >>
>> >> >> Thanks!
>> >> >>
>> >> >> Pau
>> >> >> _______________________________________________
>> >> >> Openbsd-newbies mailing list
>> >> >> Openbsd-newbies@sfobug.theapt.org
>> >> >> http://mailman.theapt.org/listinfo/openbsd-newbies
>> >> >
>> >> >
>> >> > Hi, Pau. Last matching rule wins, and your last rule blocks all
>> >> > traffic.
>> >> >
>> >> > The only packets that will pass through PF are those that use the
>> >> > loopback interface lo0. So either that is not your entire rule set,
>> >> > or PF is disabled.
>> >> >
>> >> > Ping requires the passing of ICMP protocol ECHO packets, while address
>> >> > resolution of www.google.com requires the passing of DNS protocol
>> >> > packets via UDP port 53.
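The thread's "seven rule" variant, written out as an added example that is not from any message in the thread or from the OpenBSD project: Pau's original six-line laptop ruleset with a stateful pass rule appended last, so that the macros are actually used and the pass rule wins over the block. The interface names iwn0 and em0 come from the thread; the scrub option form and the assumption of a single-user laptop with no services to expose are mine.

```pf
# Added example, not from the thread. Same interface names as Pau's ruleset.
wifi="iwn0"
wired="em0"

set block-policy return      # blocked TCP gets RST, other blocked traffic ICMP unreachable
set skip on lo0              # never filter the loopback interface

# Packet normalization. Written here with an explicit option ("no-df"),
# an assumption; the thread's rule was "match in all scrub".
match in all scrub (no-df)

# Default deny in both directions, logged to pflog0. With nothing after it,
# this rule is the last match for every packet and the laptop is cut off
# (ping aside, which only appeared to work while pf was disabled).
block log all

# Last matching rule wins, so the pass rule must come AFTER the block rule.
# Pass rules keep state by default: DNS answers, HTTP responses and ICMP
# echo replies to the laptop's own outbound traffic are matched against
# the state table and never reach "block". Unsolicited inbound connection
# attempts have no state entry and are still blocked (and logged).
pass out on { $wifi, $wired } from self to any
```

Parse-check the file before loading it with pfctl -nf /etc/pf.conf, then load it with pfctl -f /etc/pf.conf; pfctl -sr shows the rules in the order PF evaluates them, and pfctl -ss shows the state entries that let the replies back in.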