I have OpenBSD 3.8 as a router. This is my pf.conf
ext_if=dc0
int_if=xl0
tcp_services = {22, 113}
icmp_types = echoreq
priv_nets = {127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}
#options
set block-policy return
#set loginterface $ext_if
#scrub
scrub in all
#nat/redirect
nat on $ext_if from $int_if:network to any -$ext_if
rdr on $int_if proto tcp from any to any port 21 - 127.0.0.1 port 8021
#filter RULES
block all
pass quick on lo0 all
block drop in quick on $ext_if from $priv_nets to any
block drop out quick on $ext_if from any to $priv_nets
pass in on $ext_if inet proto tcp from any to $ext_if port $tcp_services \
flags S/SA keep state
pass in on $ext_if inet proto tcp from port 20 to $ext_if user proxy \
flags S/SA keep state
pass in inet proto icmp all icmp-type $icmp_types keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto {udp, icmp} all keep state
Everything goes fine, until any connection is lost and the ping command returns:
ping: wrote x.x.x.x 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
ping: sendto: No route to host
ping: wrote x.x.x.x 64 chars, ret=-1
64 bytes from x.x.x.x: icmp_seq=7 ttl=255 time=0.684 ms
64 bytes from x.x.x.x icmp_seq=8 ttl=255 time=0.306 ms
It doesn't matter if I ping the internal network, or the ISP gateway,
the result is the same: first no route to host, after a few seconds
i get a reply..
If I comment everything in RULES an I put pass all, it's working
with no problems, so I exclude a hardware problem.
