Re: Still can't use ADSL, PF problem
From: Ben O'Brien (ftoomch_at_hotmail.com)
Date: 08/27/04
- Previous message: -no-copies-please: "Re: SMTP AUTH"
- In reply to: Johnathan Doe: "Still can't use ADSL, PF problem"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Fri, 27 Aug 2004 15:57:44 +1000
Johnathan Doe wrote:
> Well, it's all gobbledeygook to me. I can't understand any of it. I've
> tried the FAQ examples, but they don't work for me. I don't want a network
> or anything like that, and I'm not running SSH or sendmail.
>
> I'd like a pf.conf that blocks all incoming connections but lets me connect
> to the internet, presumably that's outgoing while keeping state.
>
> This:
>
> pass out all keep state
> block in all
>
> doesn't work. PPP just keeps trying to reconnect. If I do this:
You need to run pfctl AFTER you are PPP connected. This can be done by putting something like this into
/etc/ppp/ppp.linkup:
adsl:
 ! sh -c "/sbin/ifconfig pflog0 up"
 ! sh -c "/sbin/pfctl -e -F all -f /etc/pf.conf"
You must also not have pf=NO set in your /etc/rc.conf as ppp connections are usually brought up waaaaaaay after boot.
Also, as one of the other replies said you must pass everything on the loopback interface, lo0. A good way to do this is
with the rule:
pass quick on lo0 all
If you trust your local network (I'm guessing that you are doing this for your home network from the fact that you are
using ppp) you need only block incoming traffic on the public interface. Your two rules above would also block all
traffic coming from your local network interface before your obsd box even gets a chance to keep the state. You can
block the public interface with:
$ext_if = <your public interface here. most likely "tun0" for a ppp connection>
block drop in on $ext_if all
pass out on $ext_if inet proto tcp all flags S/SA modulate state
This has the added advantage of passing grc.com's ShieldsUp! test by keeping ports on your IP address stealthed. You may
want to pass udp too depending on your DNS requirements.
If you're using nat, you'll no doubt need a rule like this:
$int_net = <your private net address here. mine's "10.0.0.0/8" >
nat on $ext_if from $int_net to any -> ($ext_if)
By the way, one of your posts mentioned that you had to reboot to get pfctl to work properly. In case you don't know
already 'pfctl -d' and 'pfctl -e' stop and start pf respectively. I usually use 'pfctl -F rules -f /etc/pf.conf' to
reload rules and 'pfctl -F nat -f /etc/pf.conf' to reload the redirections.
> pass out all
> pass in all
>
> it works! So what's wrong? I've tried tcpdump, but it didn't produce any
> output.
>
> Thanks.
>
Cheers, Ben.
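Pulling the pieces of this reply together, here is an added example of a complete pf.conf (my own, not from the thread) in the pre-OpenBSD 4.7 syntax Ben is using. The interface names tun0 and fxp0 and the 10.0.0.0/8 private net are assumptions taken from his placeholders; the LAN-side rules, the udp rule for DNS and the icmp rule go slightly beyond what the reply spells out.

```pf
# /etc/pf.conf -- loaded from ppp.linkup once the link is up (added example,
# pre-4.7 pf syntax matching the thread; tun0, fxp0 and 10.0.0.0/8 are assumed)
ext_if = "tun0"            # ppp/ADSL link, exists only after ppp connects
int_if = "fxp0"            # local LAN interface (assumed name)
int_net = "10.0.0.0/8"     # private network behind this box (assumed)

# Translate the private net to the public address. The parentheses make pf
# look up tun0's address at evaluation time, which matters because a ppp
# link usually gets a different address each time it comes up.
nat on $ext_if from $int_net to any -> ($ext_if)

# Loopback must pass unconditionally or local services (resolver, X, ppp
# itself) break.
pass quick on lo0 all

# Default-deny inbound on the public interface only. "drop" sends no RST or
# ICMP unreachable, so closed ports look "stealthed" from outside.
block drop in on $ext_if all

# Trusted LAN side: let it through, but keep state so replies are matched.
pass in on $int_if all keep state
pass out on $int_if all keep state

# Outbound on the public side: tcp only for SYN-initiated sessions with
# sequence-number modulation; udp with state so DNS replies come back.
pass out on $ext_if inet proto tcp all flags S/SA modulate state
pass out on $ext_if inet proto udp all keep state
# Optional: let outgoing ping get its echo replies back.
pass out on $ext_if inet proto icmp all icmp-type echoreq keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; once the link is up, `pfctl -s state` shows whether the out rules are actually creating state entries for your connections.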