Hey Scott, I'm no PF guru, been having some of my own problems, thought I'd give yours a look for a change of pace...
On Mon, Feb 27, 2012 at 6:00 PM, Scott <amorphous.yet....@gmail.com> wrote:

> Hello,
> I had previously run pf with no problem. Then I switched to comcast,
> and clients can no longer access the internet.
>
> I can access the internet from the server (via ssh BTW) running pf
> (which, among other things, should indicate that I power cycled the
> modem to release IP). Clients can still mount nfs drives.
>
> I've tried re-writing a new rule-set several times, using pf-faq and
> book-of-pf for examples to see if I'd missed something in my original
> rule set. I've even tried using a match/nat-to rule followed by pass
> all out of desperation, all to no avail.
>
> I had a static IP with my previous provider; but comcast is dynamic.
> However, I don't think that's an issue (see rule set below).

Is it a non-routable IP?

> After having a good laugh at my ISP selection, I would appreciate if
> one of you were to help me get back up and running. Below is all the
> info I think may be necessary; please let me know if there's anything
> more I can provide.
>
> Thank you all.
> -Scott
>
>
> Here is a schematic of my setup:
> -------internet---|cable modem|---|nfe0---SERVER---re0|---|switch|---|client1/2/3/etc|
>
> # sysctl net.inet.ip.forwarding
> net.inet.ip.forwarding=1
>
> # ifconfig -a
> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33152
>         priority: 0
>         groups: lo
>         inet6 ::1 prefixlen 128
>         inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
>         inet 127.0.0.1 netmask 0xff000000
> re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr 00:22:6b:bf:4a:40
>         priority: 0
>         media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
>         status: active
>         inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
>         inet6 fe80::222:6bff:febf:4a40%re0 prefixlen 64 scopeid 0x1
> nfe0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
>         lladdr xx:xx:xx:xx:xx:xx
>         priority: 0
>         groups: egress
>         media: Ethernet autoselect (none)
>         status: no carrier   # I unplugged the cable to write this email, but it stated "active" before that
>         inet6 fe80::2e0:81ff:fe5c:3ae3%nfe0 prefixlen 64 scopeid 0x2
>         inet xx.xxx.xxx.xxx netmask 0xfffffc00 broadcast xx.xxx.xxx.xxx
> enc0: flags=0<>
>         priority: 0
>         groups: enc
>         status: active
> pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33152
>         priority: 0
>         groups: pflog
>
> Here is the last working rule set I used before switching ISPs:
> ###############################################################
> # MACROS/TABLES
> ext_if = "nfe0"   # On-board NIC
> int_if = "re0"    # Realtek gigabit card
> table <trusted> { 68.xxx.xxx.xxx, 24.xxx.xxx.xxx }
> table <forbidden> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

Does nfe0 have an IP in one of these ranges?

> tcp_services = "{ ssh }"
>
> # OPTIONS
> set block-policy return
> set skip on lo
>
> # MATCH
> match out on egress inet from !(egress:network) to any nat-to (egress:0)
>
> # FILTER
> block in log
> pass in

I don't think this is right, do you really want to do this?

> pass out quick
> antispoof quick for { lo $int_if }
>
> # allow my boxes ( no-df and random-id set for linux nfs client)
> pass in on $int_if scrub (no-df random-id reassemble tcp)
> pass in on $int_if
>
> # allow myself to ssh into server
> pass in on $ext_if inet proto tcp from <trusted> to $ext_if port ssh scrub (reassemble tcp)
>
> # these addresses don't belong on the internet
> block in on $ext_if from <forbidden>

I wonder if this is causing your problem with a non-routable IP on nfe0.

-Barry
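As an added illustration of the two points Barry raises (this is not code from either poster): a miniature model of pf's last-matching-rule evaluation run over the inbound rules Scott posted, plus a check of whether an address falls inside the <forbidden> table. Only direction, interface and source address are modelled (scrub, NAT and the port-matching ssh rule are left out), and the probe addresses 203.0.113.5 and 192.168.1.77 are constructed test values.

```python
import ipaddress

# Added example (not from the thread): a miniature model of pf rule evaluation applied
# to the inbound rules Scott posted. Only direction, interface and source are modelled.
# The <forbidden> table as posted (RFC 1918 ranges) and re0's network from ifconfig.
FORBIDDEN = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INT_NET = [ipaddress.ip_network("192.168.1.0/24")]

def in_forbidden(addr):
    """Barry's question: does this address fall inside the <forbidden> table?"""
    return any(ipaddress.ip_address(addr) in net for net in FORBIDDEN)

def evaluate(rules, direction, iface, src):
    """pf in miniature: the LAST matching rule decides, unless a matching rule carries
    'quick'. Rule tuple: (action, quick, direction, iface / '!iface' / None, nets / None)."""
    ip = ipaddress.ip_address(src)
    verdict = None
    for action, quick, rdir, riface, nets in rules:
        if rdir != direction:
            continue
        if riface is not None:
            negate = riface.startswith("!")
            if (riface.lstrip("!") == iface) == negate:   # interface does not match
                continue
        if nets is not None and not any(ip in n for n in nets):
            continue
        verdict = action
        if quick:
            break
    return verdict

# Scott's inbound rules in posted order; 'antispoof quick for $int_if' is written out
# as the main block-quick rule pf expands it to.
POSTED = [
    ("block", False, "in", None,   None),       # block in log
    ("pass",  False, "in", None,   None),       # pass in  <- Barry's "do you really want this?"
    ("block", True,  "in", "!re0", INT_NET),    # antispoof quick for $int_if
    ("pass",  False, "in", "re0",  None),       # pass in on $int_if
    ("block", False, "in", "nfe0", FORBIDDEN),  # block in on $ext_if from <forbidden>
]
# The same rules without the bare 'pass in', so 'block in log' is the real default.
WITHOUT_PASS_IN = [r for r in POSTED if r != ("pass", False, "in", None, None)]

def posted_verdict(iface, src):
    return evaluate(POSTED, "in", iface, src)

def fixed_verdict(iface, src):
    return evaluate(WITHOUT_PASS_IN, "in", iface, src)
```

With the rules as posted, an unsolicited packet arriving on nfe0 from a public address ends up passed, because the bare `pass in` is the last matching rule; remove it and `block in log` becomes the effective default.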