Re: pf.conf something is VERY wrong here, need advice.

2015-04-20 Thread Ton Muller
All of them, including "no route to host".
Well, I was a bit tired, so I simply reinstalled BSD (glad it was still
empty), entered static IPs, and I was still able to ping after setting
up pf.conf.

Now the weird thing..
Still no DNS on the background machines. Because transferring my named config
was taking too long, I temporarily installed maradns (because those configs were
small), and guess what, now it works.
Well, I still need to figure out what the real issue is; I guess it's my
modem that causes the problem. Doesn't matter, for now it works, now I
can set up ftp for transferring my named stuff and test with that.


Tony.
On 20-4-2015 15:00, Dale Lindskog wrote:
> On Mon, 20 Apr 2015, Ton Muller wrote:
> 
>> Dale.
>> I did both.
>> as on openbsd, as on my local machines behind it.
>> i only noticed on litle thingie last night (yes it was very late for me)
>> when i do sh /etc/netstart ,changes i made to my IP config it didnt
>> aplied, i kep the the old stuff, so a reboot was needed, oh wel, its on
>> the todo list for finding it out all again, didnt work for 2 years with
>> openbsd :(
> 
> What kind of ping(1) error do you get?  Is it like this:
> 
>   $ ping www.yorku.ca
>   PING optera.ccs.yorku.ca (130.63.236.137): 56 data bytes
>   --- optera.ccs.yorku.ca ping statistics ---
>   3 packets transmitted, 0 packets received, 100.0% packet loss
> 
> Or like this:
> 
>   $ ping www.yorku.ca
>   ping: unknown host: www.yorku.ca
> 
> If it is like the second one, then perhaps you are not running a DNS 
> server on your firewall.  Your /etc/resolv.conf file sets your DNS server 
> to the IP address of the external interface on your firewall.  Is one 
> listening on that interface?  -- Dale



Re: pf.conf something is VERY wrong here, need advice.

2015-04-20 Thread Ton Muller
Hello, and good morning.
Yes I know, but as said, I used my default config to test because this
one normally always worked here.
Well, DID work. I can try without the egress, but I need to find out how
that worked again.
As for the DNS inbound, as said, it was for testing only; once I know all is
working I can work on a permanent solution.
As for DNS, I am gonna use named here, that is, if my working zone
configs keep working, and I downloaded fresh zone files.

Tony.
On 20-4-2015 3:07, System Administrator wrote:
> On 20 Apr 2015 at 0:11, Ton Muller wrote:
> 
>> i have last week setup my old asus laptop, model A6000 ,1GB ram, 80GB HDD.
>>
>> SK0 is the internal interface.
>> RE0 is the WAN interface
>>
>> i kept my pf.conf as simple posible to get it start
>>  START CONFIG ##
>> #
>> int_if = "sk0"
>> ext_if = "re0"
>>
>> tcp_services="{ 22,53,113 }"
>> icmp_types="echoreq"
>>
>> # options
>> # increase default state limit from 10'000 states on busy systems
>> #set limit states 10
>>
>> set block-policy return
>> set loginterface egress
>> set skip on lo
>>
>> # match rules
>> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>> #
>> # filter rules
>> block in log
>> pass out quick
>> antispoof quick for { lo $int_if }
>>
>> pass in on egress inet proto tcp from any to (egress) port $tcp_services
>> #
>> pass in inet proto icmp all icmp-type $icmp_types
>> pass in on $int_if
>>
>> # end config ##
>>
>> this is my resolv.conf
>> # Generated by re0 dhclient
>> search xs4non.nl
>> nameserver 192.168.1.240
>> lookup file bind
>>
>> RE0 ip 192.168.1.240
>> SK0 ip 192.168.0.240
>>
>> mygate 192.168.1.240
>>
>> Well, as far i can remember ,if i set RE0 to dhcp ,it would get its ip
>> from the DHCP server from modem, that works (192.168.1.1) and mygate
>> would not be used.
>>
>> here comes the isue.
>> what ever combination i do, forced or not.
>> i can ping a host, and i get NO result back.
>> ping i its IP adres, i get a result back.
>> so my question is, what am i doing wrong here.
>>
>> i never changed my basic configs so i knowed that i would work.
>> but for some reasen this time i get a masive headache from it.
>>
>> anyone ideas?
>>
>> Tony.
>>
>>
> 
> Here are some ideas that may (or may not) resolve your issues. 
> Hopefully, they will at least get you started in the right direction:
> 
> 1) Since you are using the 'egress' interface group name rather than 
> the explicitly defined $ext_if macro variable, make sure that it is 
> defined and for the correct interface. I know it works well when 
> /etc/mygate is correctly defined, but never had the need to test with 
> dhclient controlled interfaces.
> 
> 2) You seem to want to allow DNS (port 53) traffic inbound, but are you 
> aware that most DNS communication is over UDP? TCP DNS is used mostly, 
> if not only, for zone transfers.
> 
> 3) Similarly, for ICMP (used by ping) you are allowing in only the 
> query subtype and not the reply (icmp-type echorep).
> 
> Good luck!



Re: pf.conf something is VERY wrong here, need advice.

2015-04-20 Thread Peter Hessler
You need to show: ifconfig -A, netstat -rnf inet.  I'm fairly certain
there is a configuration problem.



On 2015 Apr 20 (Mon) at 00:11:56 +0200 (+0200), Ton Muller wrote:
:i have last week setup my old asus laptop, model A6000 ,1GB ram, 80GB HDD.
:
:SK0 is the internal interface.
:RE0 is the WAN interface
:
...
:
:RE0 ip 192.168.1.240
:SK0 ip 192.168.0.240
:
:mygate 192.168.1.240
:

-- 
Don't be humble ... you're not that great.
-- Golda Meir



Re: pf.conf something is VERY wrong here, need advice.

2015-04-20 Thread Ton Muller
On 20-4-2015 5:15, Dale Lindskog wrote:
> On Mon, 20 Apr 2015, Ton Muller wrote:
> 
>> i can ping a host, and i get NO result back.
>> ping i its IP adres, i get a result back.
> 
> You are saying here, I think, that if you ping a hostname, e.g. 
> www.example.com, then you get no reply, but if you ping its IP address, 
> you get a reply.
> 
> Where are you pinging from?  From the firewall itself, or from a host 
> behind the firewall?  Try both.
> 

Dale.
I did both.
Both on OpenBSD and on my local machines behind it.
I only noticed one little thingie last night (yes it was very late for me):
when I do sh /etc/netstart, the changes I made to my IP config didn't
apply, it kept the old stuff, so a reboot was needed. Oh well, it's on
the todo list for finding it all out again, didn't work for 2 years with
OpenBSD :(

Tony.



Re: pf.conf something is VERY wrong here, need advice.

2015-04-20 Thread Ton Muller
On 20-4-2015 2:08, Kevin Gerrard wrote:
> Version 5.6 here and this pf.conf is working fine, hope this helps. 
> You cannot have one of your interfaces also have the same ip as your gateway. 
> The 1.240 gateway has to be the next hop IP
> 
Uh, define next IP hop?


<-- snip -->


Tony.
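Kevin's point about the gateway (it must be the next hop, not one of the firewall's own addresses) and Dale's point about the nameserver (pointing resolv.conf at the firewall's own external address only works if a DNS server listens there) can both be checked mechanically. The Python below is an added example, not code from anyone in the thread; the interface values are constructed from Tony's post, a /24 netmask is assumed because none was posted, and using the modem at 192.168.1.1 as resolver is likewise an assumption.

```python
import ipaddress
from typing import Dict, List


def check_gateway_config(interfaces: Dict[str, str], mygate: str,
                         nameservers: List[str], local_dns_listening: bool) -> List[str]:
    """Return a list of addressing problems; an empty list means the setup is consistent.

    interfaces maps an interface name to its address in CIDR form, mygate is the
    contents of /etc/mygate, nameservers the resolv.conf entries, and
    local_dns_listening says whether a resolver is bound on this host.
    """
    problems: List[str] = []
    local_addrs = {}   # own address -> interface name
    networks = []      # directly connected networks
    for ifname, cidr in interfaces.items():
        iface = ipaddress.ip_interface(cidr)
        local_addrs[iface.ip] = ifname
        networks.append(iface.network)

    gw = ipaddress.ip_address(mygate)
    # Kevin's point: the default route must point at the next hop (the modem),
    # never at one of this host's own addresses.
    if gw in local_addrs:
        problems.append(f"mygate {gw} is the address of local interface "
                        f"{local_addrs[gw]}; it must be the next-hop router")
    # A next hop that is on no connected network cannot be reached at all.
    elif not any(gw in net for net in networks):
        problems.append(f"mygate {gw} is not on any directly connected network")

    # Dale's point: a resolv.conf nameserver that is our own address only works
    # if a DNS server is actually listening on this host.
    for entry in nameservers:
        ns = ipaddress.ip_address(entry)
        if ns in local_addrs and not local_dns_listening:
            problems.append(f"nameserver {ns} is local interface {local_addrs[ns]} "
                            "but no DNS server is listening on this host")
    return problems


# Constructed from the values Tony posted; the /24 masks are an assumption.
TONY_INTERFACES = {"re0": "192.168.1.240/24", "sk0": "192.168.0.240/24"}
TONY_MYGATE = "192.168.1.240"
TONY_NAMESERVERS = ["192.168.1.240"]

# Same host with the modem as next hop and (assumed) resolver.
FIXED_MYGATE = "192.168.1.1"
FIXED_NAMESERVERS = ["192.168.1.1"]

if __name__ == "__main__":
    for label, gw, ns in (("as posted", TONY_MYGATE, TONY_NAMESERVERS),
                          ("modem as next hop", FIXED_MYGATE, FIXED_NAMESERVERS)):
        found = check_gateway_config(TONY_INTERFACES, gw, ns, local_dns_listening=False)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print("  -", problem)
```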



Re: pf.conf something is VERY wrong here, need advice.

2015-04-20 Thread Ton Muller
On 20-4-2015 7:43, dan mclaughlin wrote:
> On Sun, 19 Apr 2015 21:07:31 -0400 "System Administrator"  
> wrote:
>> On 20 Apr 2015 at 0:11, Ton Muller wrote:
>>
>>> i have last week setup my old asus laptop, model A6000 ,1GB ram, 80GB HDD.
>>>
>>> SK0 is the internal interface.
>>> RE0 is the WAN interface
>>>
>>> i kept my pf.conf as simple posible to get it start
>>>  START CONFIG ##
>>> #
>>> int_if = "sk0"
>>> ext_if = "re0"
>>>
>>> tcp_services="{ 22,53,113 }"
>>> icmp_types="echoreq"
>>>
>>> # options
>>> # increase default state limit from 10'000 states on busy systems
>>> #set limit states 10
>>>
>>> set block-policy return
>>> set loginterface egress
>>> set skip on lo
>>>
>>> # match rules
>>> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>>> #
>>> # filter rules
>>> block in log
>>> pass out quick
>>> antispoof quick for { lo $int_if }
>>>
>>> pass in on egress inet proto tcp from any to (egress) port $tcp_services
>>> #
>>> pass in inet proto icmp all icmp-type $icmp_types
>>> pass in on $int_if
>>>
>>> # end config ##
>>>
>>> this is my resolv.conf
>>> # Generated by re0 dhclient
>>> search xs4non.nl
>>> nameserver 192.168.1.240
>>> lookup file bind
>>>
>>> RE0 ip 192.168.1.240
>>> SK0 ip 192.168.0.240
>>>
>>> mygate 192.168.1.240
>>>
>>> Well, as far i can remember ,if i set RE0 to dhcp ,it would get its ip
>>> from the DHCP server from modem, that works (192.168.1.1) and mygate
>>> would not be used.
>>>
>>> here comes the isue.
>>> what ever combination i do, forced or not.
>>> i can ping a host, and i get NO result back.
>>> ping i its IP adres, i get a result back.
>>> so my question is, what am i doing wrong here.
>>>
>>> i never changed my basic configs so i knowed that i would work.
>>> but for some reasen this time i get a masive headache from it.
>>>
>>> anyone ideas?
>>>
>>> Tony.
>>>
>>>
>>
>> Here are some ideas that may (or may not) resolve your issues. 
>> Hopefully, they will at least get you started in the right direction:
>>
>> 1) Since you are using the 'egress' interface group name rather than 
>> the explicitly defined $ext_if macro variable, make sure that it is 
>> defined and for the correct interface. I know it works well when 
>> /etc/mygate is correctly defined, but never had the need to test with 
>> dhclient controlled interfaces.
> 
> i use the explicit interface myself, rather than egress, which works fine
> for dhcp. for a simple setup like this it's probably best to go with the
> interface.
> 
> some relevant pf.conf lines from my gateway (which uses dhcp):
> 
> block in log on $intif
> #allow connections to my internal dns
> pass in log quick on $intif proto udp from $intif:network to ($intif) port 53
> #allow packets in destined for other places
> pass in log quick on $intif inet from $intif:network to !$intif:network
> 
> pass out log quick on $extif inet from $intif:network to any nat-to ($extif)
> 
>>
>> 2) You seem to want to allow DNS (port 53) traffic inbound, but are you 
>> aware that most DNS communication is over UDP? TCP DNS is used mostly, 
>> if not only, for zone transfers.
> 
> i think his 'pass out' rule should handle that. pf does treat udp protocols
> as having state, so it should recognize the return packet.
> 
>>
>> 3) Similarly, for ICMP (used by ping) you are allowing in only the 
>> query subtype and not the reply (icmp-type echorep).
>>
>> Good luck!
>>
> 
> a few more points to help. first you want to see if traffic is passing, so
> in one window do:
> 
> # tcpdump -np -i re0
> 
> (you especially need the -n option above if your dns is not working).
> 
> then try dns lookup
> 
> $ host www.openbsd.org
> www.openbsd.org has address 129.128.5.194
> 
> you should see something like the following in tcpdump:
> 
> tcpdump: listening on lo0, link-type LOOP
> 01:29:29.147252 127.0.0.1.10553 > 127.0.0.1.53: 48987+ A? www.openbsd.org. (33)
> 01:29:29.147557 127.0.0.1.53 > 127.0.0.1.10553: 48987 1/9/2 A 129.128.5.194 (275)
> 01:29:29.149874 127.0.0.1.29232 > 127.0.0.1.53: 59987+ ? www.openbsd.org. (33)
> 01:29:29.150050 127.0.0.1.53 > 127.0.0.1.29232: 59987 0/1/0 (79)
> 01:29:29.150495 127.0.0.1.29234 > 127.0.0.1.53: 57835+ MX? www.openbsd.org. (33)
> 01:29:29.150609 127.0.0.1.53 > 127.0.0.1.29234: 57835 0/1/0 (79)
> 
> except you should see your nameserver (192.168.1.240) and host (192.168.0.240)
> instead of 127.0.0.1.
> 
> if that works, try ping again, first with the IP, then with the hostname and
> watch the tcpdump output.
> 
> hopefully that will get you some useful information.
> 
> 

Hmm, let's give it a try.
As said, 53 was in the default working test file. Tweaking is for when I know it
all was working well.

Tony.



Re: pf.conf something is VERY wrong here, need advice.

2015-04-20 Thread Tuyosi Takesima
Your pf.conf is very similar to mine.
Perhaps it comes from "small office".

Different:
> > # increase default state limit from 10'000 states on busy systems
> > #set limit states 10

Mine:
ext_if="urtwn0"
int_if="bge0"
tcp_services="{ 22, 80 }"
icmp_types="echoreq"
set block-policy return
set loginterface $ext_if
set skip on lo
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if:0)
set reassemble yes no-df
block in log
pass out quick
antispoof quick for { lo $int_if }
pass in on $ext_if inet proto tcp from any to ($ext_if:0) port $tcp_services
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if
---
regards



Re: pf.conf something is VERY wrong here, need advice.

2015-04-19 Thread dan mclaughlin
On Sun, 19 Apr 2015 21:07:31 -0400 "System Administrator"  
wrote:
> On 20 Apr 2015 at 0:11, Ton Muller wrote:
> 
> > i have last week setup my old asus laptop, model A6000 ,1GB ram, 80GB HDD.
> > 
> > SK0 is the internal interface.
> > RE0 is the WAN interface
> > 
> > i kept my pf.conf as simple posible to get it start
> >  START CONFIG ##
> > #
> > int_if = "sk0"
> > ext_if = "re0"
> > 
> > tcp_services="{ 22,53,113 }"
> > icmp_types="echoreq"
> > 
> > # options
> > # increase default state limit from 10'000 states on busy systems
> > #set limit states 10
> > 
> > set block-policy return
> > set loginterface egress
> > set skip on lo
> > 
> > # match rules
> > match out on egress inet from !(egress:network) to any nat-to (egress:0)
> > #
> > # filter rules
> > block in log
> > pass out quick
> > antispoof quick for { lo $int_if }
> > 
> > pass in on egress inet proto tcp from any to (egress) port $tcp_services
> > #
> > pass in inet proto icmp all icmp-type $icmp_types
> > pass in on $int_if
> > 
> > # end config ##
> > 
> > this is my resolv.conf
> > # Generated by re0 dhclient
> > search xs4non.nl
> > nameserver 192.168.1.240
> > lookup file bind
> > 
> > RE0 ip 192.168.1.240
> > SK0 ip 192.168.0.240
> > 
> > mygate 192.168.1.240
> > 
> > Well, as far i can remember ,if i set RE0 to dhcp ,it would get its ip
> > from the DHCP server from modem, that works (192.168.1.1) and mygate
> > would not be used.
> > 
> > here comes the isue.
> > what ever combination i do, forced or not.
> > i can ping a host, and i get NO result back.
> > ping i its IP adres, i get a result back.
> > so my question is, what am i doing wrong here.
> > 
> > i never changed my basic configs so i knowed that i would work.
> > but for some reasen this time i get a masive headache from it.
> > 
> > anyone ideas?
> > 
> > Tony.
> > 
> > 
> 
> Here are some ideas that may (or may not) resolve your issues. 
> Hopefully, they will at least get you started in the right direction:
> 
> 1) Since you are using the 'egress' interface group name rather than 
> the explicitly defined $ext_if macro variable, make sure that it is 
> defined and for the correct interface. I know it works well when 
> /etc/mygate is correctly defined, but never had the need to test with 
> dhclient controlled interfaces.

i use the explicit interface myself, rather than egress, which works fine
for dhcp. for a simple setup like this it's probably best to go with the
interface.

some relevant pf.conf lines from my gateway (which uses dhcp):

block in log on $intif
#allow connections to my internal dns
pass in log quick on $intif proto udp from $intif:network to ($intif) port 53
#allow packets in destined for other places
pass in log quick on $intif inet from $intif:network to !$intif:network

pass out log quick on $extif inet from $intif:network to any nat-to ($extif)

> 
> 2) You seem to want to allow DNS (port 53) traffic inbound, but are you 
> aware that most DNS communication is over UDP? TCP DNS is used mostly, 
> if not only, for zone transfers.

i think his 'pass out' rule should handle that. pf does treat udp protocols
as having state, so it should recognize the return packet.

> 
> 3) Similarly, for ICMP (used by ping) you are allowing in only the 
> query subtype and not the reply (icmp-type echorep).
> 
> Good luck!
> 

a few more points to help. first you want to see if traffic is passing, so
in one window do:

# tcpdump -np -i re0

(you especially need the -n option above if your dns is not working).

then try dns lookup

$ host www.openbsd.org
www.openbsd.org has address 129.128.5.194

you should see something like the following in tcpdump:

tcpdump: listening on lo0, link-type LOOP
01:29:29.147252 127.0.0.1.10553 > 127.0.0.1.53: 48987+ A? www.openbsd.org. (33)
01:29:29.147557 127.0.0.1.53 > 127.0.0.1.10553: 48987 1/9/2 A 129.128.5.194 (275)
01:29:29.149874 127.0.0.1.29232 > 127.0.0.1.53: 59987+ ? www.openbsd.org. (33)
01:29:29.150050 127.0.0.1.53 > 127.0.0.1.29232: 59987 0/1/0 (79)
01:29:29.150495 127.0.0.1.29234 > 127.0.0.1.53: 57835+ MX? www.openbsd.org. (33)
01:29:29.150609 127.0.0.1.53 > 127.0.0.1.29234: 57835 0/1/0 (79)

except you should see your nameserver (192.168.1.240) and host (192.168.0.240)
instead of 127.0.0.1.

if that works, try ping again, first with the IP, then with the hostname and
watch the tcpdump output.

hopefully that will get you some useful information.
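As an added example (not Dan's code), here is a small Python parser that pairs the queries and replies in tcpdump output of the kind shown above, so a query that never gets an answer stands out instead of having to be spotted by eye. The sample capture is constructed in that format with the thread's client (192.168.0.240) and nameserver (192.168.1.240) addresses, and deliberately includes one query without a reply.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One "tcpdump -n" packet line: TIME SRC.PORT > DST.PORT: ID[+] REST
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\.(\d+)\s+>\s+(\S+)\.(\d+):\s+(\d+)(\+?)\s*(.*)$")
QUERY_RE = re.compile(r"^([A-Za-z0-9]*)\?\s+(\S+)")   # e.g. "A? www.openbsd.org."
REPLY_RE = re.compile(r"^(\d+)/(\d+)/(\d+)")           # "1/9/2" = answer/authority/additional


@dataclass
class DnsExchange:
    client: str            # client address.port, as tcpdump prints it
    server: str
    qid: int
    qtype: str = ""
    name: str = ""
    answers: Optional[int] = None   # None until a reply with this id is seen

    @property
    def answered(self) -> bool:
        return self.answers is not None


def pair_dns(lines: List[str]) -> List[DnsExchange]:
    """Match each query sent to port 53 with the reply from port 53 carrying the same id."""
    pending: Dict[Tuple[str, str, int], DnsExchange] = {}
    exchanges: List[DnsExchange] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # header or other non-packet line
        _, src, sport, dst, dport, qid, _, rest = m.groups()
        if dport == "53":
            q = QUERY_RE.match(rest)
            ex = DnsExchange(client=f"{src}.{sport}", server=dst, qid=int(qid),
                             qtype=q.group(1) if q else "", name=q.group(2) if q else "")
            pending[(ex.client, dst, ex.qid)] = ex
            exchanges.append(ex)
        elif sport == "53":
            ex = pending.pop((f"{dst}.{dport}", src, int(qid)), None)
            r = REPLY_RE.match(rest)
            if ex is not None and r:
                ex.answers = int(r.group(1))
    return exchanges


def unanswered(lines: List[str]) -> List[DnsExchange]:
    """Queries that never got a reply: the symptom Dan suggests watching for."""
    return [ex for ex in pair_dns(lines) if not ex.answered]


# Constructed sample in tcpdump's format, using the thread's client and nameserver
# addresses; the last query deliberately gets no reply.
SAMPLE = """\
01:29:29.147252 192.168.0.240.10553 > 192.168.1.240.53: 48987+ A? www.openbsd.org. (33)
01:29:29.147557 192.168.1.240.53 > 192.168.0.240.10553: 48987 1/9/2 A 129.128.5.194 (275)
01:29:29.150495 192.168.0.240.29234 > 192.168.1.240.53: 57835+ MX? www.openbsd.org. (33)
01:29:29.150609 192.168.1.240.53 > 192.168.0.240.29234: 57835 0/1/0 (79)
01:29:34.001122 192.168.0.240.40210 > 192.168.1.240.53: 61201+ A? www.yorku.ca. (30)
""".splitlines()

if __name__ == "__main__":
    for ex in pair_dns(SAMPLE):
        status = f"{ex.answers} answer(s)" if ex.answered else "NO REPLY"
        print(f"{ex.client} -> {ex.server} id {ex.qid} {ex.qtype}? {ex.name}: {status}")
```

Run it against a real `tcpdump -np -i re0 port 53` capture saved to a file by feeding the file's lines to pair_dns.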



Re: pf.conf something is VERY wrong here, need advice.

2015-04-19 Thread System Administrator
On 20 Apr 2015 at 0:11, Ton Muller wrote:

> i have last week setup my old asus laptop, model A6000 ,1GB ram, 80GB HDD.
> 
> SK0 is the internal interface.
> RE0 is the WAN interface
> 
> i kept my pf.conf as simple posible to get it start
>  START CONFIG ##
> #
> int_if = "sk0"
> ext_if = "re0"
> 
> tcp_services="{ 22,53,113 }"
> icmp_types="echoreq"
> 
> # options
> # increase default state limit from 10'000 states on busy systems
> #set limit states 10
> 
> set block-policy return
> set loginterface egress
> set skip on lo
> 
> # match rules
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
> #
> # filter rules
> block in log
> pass out quick
> antispoof quick for { lo $int_if }
> 
> pass in on egress inet proto tcp from any to (egress) port $tcp_services
> #
> pass in inet proto icmp all icmp-type $icmp_types
> pass in on $int_if
> 
> # end config ##
> 
> this is my resolv.conf
> # Generated by re0 dhclient
> search xs4non.nl
> nameserver 192.168.1.240
> lookup file bind
> 
> RE0 ip 192.168.1.240
> SK0 ip 192.168.0.240
> 
> mygate 192.168.1.240
> 
> Well, as far i can remember ,if i set RE0 to dhcp ,it would get its ip
> from the DHCP server from modem, that works (192.168.1.1) and mygate
> would not be used.
> 
> here comes the isue.
> what ever combination i do, forced or not.
> i can ping a host, and i get NO result back.
> ping i its IP adres, i get a result back.
> so my question is, what am i doing wrong here.
> 
> i never changed my basic configs so i knowed that i would work.
> but for some reasen this time i get a masive headache from it.
> 
> anyone ideas?
> 
> Tony.
> 
> 

Here are some ideas that may (or may not) resolve your issues. 
Hopefully, they will at least get you started in the right direction:

1) Since you are using the 'egress' interface group name rather than 
the explicitly defined $ext_if macro variable, make sure that it is 
defined and for the correct interface. I know it works well when 
/etc/mygate is correctly defined, but never had the need to test with 
dhclient controlled interfaces.

2) You seem to want to allow DNS (port 53) traffic inbound, but are you 
aware that most DNS communication is over UDP? TCP DNS is used mostly, 
if not only, for zone transfers.

3) Similarly, for ICMP (used by ping) you are allowing in only the 
query subtype and not the reply (icmp-type echorep).

Good luck!



pf.conf something is VERY wrong here, need advice.

2015-04-19 Thread Ton Muller
I have last week set up my old Asus laptop, model A6000, 1GB RAM, 80GB HDD.

SK0 is the internal interface.
RE0 is the WAN interface.

I kept my pf.conf as simple as possible to get it started.
## START CONFIG ##
#
int_if = "sk0"
ext_if = "re0"

tcp_services="{ 22,53,113 }"
icmp_types="echoreq"

# options
# increase default state limit from 10'000 states on busy systems
#set limit states 10

set block-policy return
set loginterface egress
set skip on lo

# match rules
match out on egress inet from !(egress:network) to any nat-to (egress:0)
#
# filter rules
block in log
pass out quick
antispoof quick for { lo $int_if }

pass in on egress inet proto tcp from any to (egress) port $tcp_services
#
pass in inet proto icmp all icmp-type $icmp_types
pass in on $int_if

# end config ##

This is my resolv.conf:
# Generated by re0 dhclient
search xs4non.nl
nameserver 192.168.1.240
lookup file bind

RE0 ip 192.168.1.240
SK0 ip 192.168.0.240

mygate 192.168.1.240

Well, as far as I can remember, if I set RE0 to dhcp, it would get its IP
from the DHCP server on the modem, that works (192.168.1.1), and mygate
would not be used.

Here comes the issue.
Whatever combination I do, forced or not:
I can ping a host, and I get NO result back.
Ping its IP address, I get a result back.
So my question is, what am I doing wrong here?

I never changed my basic configs so I knew that it would work.
But for some reason this time I get a massive headache from it.

Any ideas?

Tony.