Hello,
I had previously run pf with no problem. Then I switched to comcast,
and clients can no longer access the internet.
I can access the internet from the server (via ssh BTW) running pf
(which, among other things, should indicate that I power cycled the
modem to release IP). Clients can still mount nfs drives.
I've tried re-writing a new rule-set several times, using pf-faq and
book-of-pf for examples to see if I'd missed something in my original
rule set. I've even tried using a match/nat-to rule followed by pass
all out of desperation, all to no avail.
I had a static IP with my previous provider; but comcast is dynamic.
However, I don't think that's an issue (see rule set below).
After having a good laugh at my ISP selection, I would appreciate if
one of you were to help me get back up and running. Below is all the
info I think may be necessary; please let me know if there's anything
more I can provide.
Thank you all.
-Scott
Here is a schematic of my setup:
-------internet---|cable
modem|---|nfe0---SERVER---re0|---|switch|---|client1/2/3/etc|
# sysctl net.inet.ip.forwarding
net.inet.ip.forwarding=1
# ifconfig -a
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
priority: 0
groups: lo
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr 00:22:6b:bf:4a:40
priority: 0
media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
status: active
inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
inet6 fe80::222:6bff:febf:4a40%re0 prefixlen 64 scopeid 0x1
nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
lladdr xx:xx:xx:xx:xx:xx
priority: 0
groups: egress
media: Ethernet autoselect (none)
status: no carrier # I unplugged the cable to write this
email, but it stated "active" before that
inet6 fe80::2e0:81ff:fe5c:3ae3%nfe0 prefixlen 64 scopeid 0x2
inet xx.xxx.xxx.xxx netmask 0xfffffc00 broadcast xx.xxx.xxx.xxx
enc0: flags=0<>
priority: 0
groups: enc
status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
priority: 0
groups: pflog
Here is the last working rule set I used before switching ISPs:
###############################################################
# MACROS/TABLES
ext_if = "nfe0" # On-board NIC
int_if = "re0" # Realtek gigabit card
table <trusted> { 68.xxx.xxx.xxx, 24.xxx.xxx.xxx }
table <forbidden> { 10.0.0.0/8, 176.16.0.0/12, 192.168.0.0/16 }
tcp_services = "{ ssh }"
# OPTIONS
set block-policy return
set skip on lo
# MATCH
match out on egress inet from !(egress:network) to any nat-to (egress:0)
# FILTER
block in log
pass in
pass out quick
antispoof quick for { lo $int_if }
# allow my boxes ( no-df and random-id set for linux nfs client)
pass in on $int_if scrub (no-df random-id reassemble tcp)
pass in on $int_if
# allow myself to ssh into server
pass in on $ext_if inet proto tcp from <trusted> to $ext_if port ssh
scrub (reassemble tcp)
# these addresses don't belong on the internet
block in on $ext_if from <forbidden>
###############################################################
And finally, because too many times I've wrongly assumed that dmesg
didn't apply to my question:
OpenBSD 5.0 (GENERIC) #53: Wed Aug 17 10:07:52 MDT 2011
dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC
real mem = 2145255424 (2045MB)
avail mem = 2074124288 (1978MB)
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.3 @ 0xf0000 (41 entries)
bios0: vendor Sun Microsystems version "2.2.4" date 08/16/2006
bios0: Sun Microsystems Sun Ultra 20 Workstation
acpi0 at bios0: rev 0
acpi0: sleep states S0 S1 S3 S4 S5
acpi0: tables DSDT FACP SSDT SRAT MCFG APIC
acpi0: wakeup devices HUB0(S5) XVR0(S5) XVR1(S5) XVR2(S5) XVR3(S5)
USB0(S3) USB2(S3) MMAC(S5) MMCI(S5) UAR1(S5)
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimcfg0 at acpi0 addr 0xe0000000, bus 0-255
acpimadt0 at acpi0 addr 0xfee00000: PC-AT compat
cpu0 at mainbus0: apid 0 (boot processor)
cpu0: AMD Opteron(tm) Processor 152, 2613.70 MHz
cpu0:
FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,MMX,FXSR,SSE,SSE2,SSE3,NXE,MMXX,FFXSR,LONG,3DNOW2,3DNOW
cpu0: 64KB 64b/line 2-way I-cache, 64KB 64b/line 2-way D-cache, 1MB
64b/line 16-way L2 cache
cpu0: ITLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: DTLB 32 4KB entries fully associative, 8 4MB entries fully associative
cpu0: AMD erratum 89 present, BIOS upgrade may be required
cpu0: apic clock running at 201MHz
ioapic0 at mainbus0: apid 2 pa 0xfec00000, version 11, 24 pins
acpiprt0 at acpi0: bus 0 (PCI0)
acpiprt1 at acpi0: bus 1 (HUB0)
acpicpu0 at acpi0: PSS
acpibtn0 at acpi0: PWRB
cpu0: Cool'n'Quiet K8 2613 MHz: speeds: 2600 2400 2200 2000 1800 1000 MHz
pci0 at mainbus0 bus 0
"NVIDIA nForce4 DDR" rev 0xa3 at pci0 dev 0 function 0 not configured
pcib0 at pci0 dev 1 function 0 "NVIDIA nForce4 ISA" rev 0xa3
nviic0 at pci0 dev 1 function 1 "NVIDIA nForce4 SMBus" rev 0xa2
iic0 at nviic0
adt0 at iic0 addr 0x2e: sch5017 rev 0x89
spdmem0 at iic0 addr 0x50: 1GB DDR SDRAM ECC PC3200CL3.0
spdmem1 at iic0 addr 0x51: 1GB DDR SDRAM ECC PC3200CL3.0
iic1 at nviic0
adt1 at iic1 addr 0x2e: sch5017 rev 0x89
spdmem2 at iic1 addr 0x50: 1GB DDR SDRAM ECC PC3200CL3.0
spdmem3 at iic1 addr 0x51: 1GB DDR SDRAM ECC PC3200CL3.0
ohci0 at pci0 dev 2 function 0 "NVIDIA nForce4 USB" rev 0xa2: apic 2
int 20, version 1.0, legacy support
ehci0 at pci0 dev 2 function 1 "NVIDIA nForce4 USB" rev 0xa3: apic 2 int 20
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "NVIDIA EHCI root hub" rev 2.00/1.00 addr 1
auich0 at pci0 dev 4 function 0 "NVIDIA nForce4 AC97" rev 0xa2: apic 2
int 20, nForce4 AC97
ac97: codec id 0x414c4760 (Avance Logic ALC655 rev 0)
audio0 at auich0
pciide0 at pci0 dev 6 function 0 "NVIDIA nForce4 IDE" rev 0xf2: DMA,
channel 0 configured to compatibility, channel 1 configured to
compatibility
atapiscsi0 at pciide0 channel 0 drive 0
scsibus0 at atapiscsi0: 2 targets
cd0 at scsibus0 targ 0 lun 0: <SONY, DVD RW DRU-810A, 1.0d> ATAPI
5/cdrom removable
cd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 2
pciide0: channel 1 disabled (no drives)
pciide1 at pci0 dev 7 function 0 "NVIDIA nForce4 SATA" rev 0xf3: DMA
pciide1: using apic 2 int 20 for native-PCI interrupt
wd0 at pciide1 channel 0 drive 0: <ST3250823AS>
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide1:0:0): using PIO mode 4, Ultra-DMA mode 6
wd1 at pciide1 channel 1 drive 0: <ST31000528AS>
wd1: 16-sector PIO, LBA48, 953869MB, 1953525168 sectors
wd1(pciide1:1:0): using PIO mode 4, Ultra-DMA mode 6
pciide2 at pci0 dev 8 function 0 "NVIDIA nForce4 SATA" rev 0xf3: DMA
pciide2: using apic 2 int 20 for native-PCI interrupt
wd2 at pciide2 channel 1 drive 0: <ST31000528AS>
wd2: 16-sector PIO, LBA48, 953869MB, 1953525168 sectors
wd2(pciide2:1:0): using PIO mode 4, Ultra-DMA mode 6
ppb0 at pci0 dev 9 function 0 "NVIDIA nForce4 PCI-PCI" rev 0xa2
pci1 at ppb0 bus 1
vga1 at pci1 dev 5 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
"VIA VT6306 FireWire" rev 0x80 at pci1 dev 6 function 0 not configured
re0 at pci1 dev 7 function 0 "Linksys EG1032" rev 0x10: RTL8110S
(0x0400), apic 2 int 5, address 00:22:6b:bf:4a:40
rgephy0 at re0 phy 7: RTL8169S/8110S PHY, rev. 0
nfe0 at pci0 dev 10 function 0 "NVIDIA CK804 LAN" rev 0xa3: apic 2 int
20, address xx:xx:xx:xx:xx:xx
eephy0 at nfe0 phy 1: 88E1111 Gigabit PHY, rev. 2
ppb1 at pci0 dev 11 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci2 at ppb1 bus 2
ppb2 at pci0 dev 12 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci3 at ppb2 bus 3
ppb3 at pci0 dev 13 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci4 at ppb3 bus 4
ppb4 at pci0 dev 14 function 0 "NVIDIA nForce4 PCIE" rev 0xa3
pci5 at ppb4 bus 5
pchb0 at pci0 dev 24 function 0 "AMD AMD64 0Fh HyperTransport" rev 0x00
pchb1 at pci0 dev 24 function 1 "AMD AMD64 0Fh Address Map" rev 0x00
pchb2 at pci0 dev 24 function 2 "AMD AMD64 0Fh DRAM Cfg" rev 0x00
kate0 at pci0 dev 24 function 3 "AMD AMD64 0Fh Misc Cfg" rev 0x00
isa0 at pcib0
isadma0 at isa0
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
spkr0 at pcppi0
usb1 at ohci0: USB revision 1.0
uhub1 at usb1 "NVIDIA OHCI root hub" rev 1.00/1.00 addr 1
mtrr: Pentium Pro MTRR support
ugen0 at uhub1 port 1 "APC Back-UPS ES 650 FW:842.J3 .D USB FW:J3" rev
1.10/1.06 addr 2
uhub2 at uhub1 port 2 "Dell Dell USB Keyboard Hub" rev 1.10/1.00 addr 3
uhidev0 at uhub2 port 1 configuration 1 interface 0 "Dell Dell USB
Keyboard Hub" rev 1.10/1.00 addr 4
uhidev0: iclass 3/1
ukbd0 at uhidev0: 8 modifier keys, 6 key codes
wskbd1 at ukbd0 mux 1
wskbd1: connecting to wsdisplay0
uhidev1 at uhub2 port 1 configuration 1 interface 1 "Dell Dell USB
Keyboard Hub" rev 1.10/1.00 addr 4
uhidev1: iclass 3/0, 3 report ids
uhid0 at uhidev1 reportid 1: input=1, output=0, feature=0
uhid1 at uhidev1 reportid 2: input=1, output=0, feature=0
uhid2 at uhidev1 reportid 3: input=3, output=0, feature=0
vscsi0 at root
scsibus1 at vscsi0: 256 targets
softraid0 at root
scsibus2 at softraid0: 256 targets
root on wd0a (27c7275e18f5e688.a) swap on wd0b dump on wd0b
