On Sat, Mar 04, 2017 at 07:18:18PM -0500, tec...@protonmail.com wrote:
> Hi,
> 
> Apologies - missed the important bits!
> 
> 
> ################################
> # ifconfig -a

It is unwise to run this command as root if you intend to paste its
output in a public forum. As root the output includes your network's
WPA key, which you should now change.

I am receiving multi-line pastes from you as a single line for some reason.
This makes your report hard to read.

> > $ cat /etc/pf.conf
> > int_if="{ vether0 em1 athn0 }" table <martians> { 0.0.0.0/8 10.0.0.0/8 
> > 127.0.0.0/8 169.254.0.0/16 \ 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 
> > 224.0.0.0/3 \ 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \ 203.0.113.0/24 
> > } set block-policy drop set loginterface egress set skip on lo0 match in 
> > all scrub (no-df random-id max-mss 1440) match out on egress inet from 
> > !(egress:network) to any nat-to (egress:0) block in quick on egress from 
> > <martians> to any block return out quick on egress from any to <martians> 
> > block all pass out quick inet pass in on $int_if inet pass in on egress 
> > inet proto tcp from any to (egress) port 22

After breaking this back up into multiple lines, it reads like this:

int_if="{ vether0 em1 athn0 }"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
        172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
        192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
        203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on lo0
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all
pass out quick inet
pass in on $int_if inet
pass in on egress inet proto tcp from any to (egress) port 22

Your problem looks like a misconfigured firewall to me.
Your ruleset is not defining any explicit rules for bridge0.
As far as I can see packets entering bridge0 will match the 'block all' rule.

Things might start working if you add a rule such as: set skip on bridge0
See the bridge(4) man page:

NOTES
     Bridged packets pass through pf(4) filters once as input on the receiving
     interface and once as output on all interfaces on which they are
     forwarded.  In order to pass through the bridge packets must pass any in
     rules on the input and any out rules on the output interface.  Packets
     may be blocked either entering or leaving the bridge.

I recommend you look into tools such as 'pfctl -sr -v' and tcpdump(8)
to learn how to debug your own firewall setup.

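A small helper, added here as an example and not part of the thread, for the situation above: a mail client has run a multi-line pf.conf onto one quoted line and it has to be broken back into statements before it can be read. It assumes that a new pf.conf(5) statement begins at a top-level keyword (set, table, match, block, pass, anchor, load, include, antispoof) or at a macro definition, and never inside a {...} or (...) group; the keyword list is mine and follows modern OpenBSD syntax, where scrub, nat and rdr are rule options rather than statements. The sample input is the ruleset quoted in the mail, constructed inline with its "> > " quoting. It only reflows text; it does not validate the rules, which is what `pfctl -nf file` is for.

```python
"""Re-flow a pf.conf ruleset that a mail client has run together on one line.

Added example, not code from the original thread.  Statement boundaries are
recovered heuristically: a statement starts at a top-level keyword or a macro
definition seen at brace/paren depth 0.  'set' is special-cased because
'set prio|queue|tos|delay' is a rule option, and 'queue' is left out of the
keyword set because it is also a rule option (queue definitions would be
glued to the preceding rule).  Use 'pfctl -nf file' to check the result.
"""
import re

# Keywords that begin a top-level statement in a modern pf.conf(5) (assumed set).
TOP_LEVEL = {"set", "table", "match", "block", "pass", "anchor", "load",
             "include", "antispoof"}
RULE_OPTION_AFTER_SET = {"prio", "queue", "tos", "delay"}   # 'pass ... set prio 5'
MACRO_DEF = re.compile(r"^[A-Za-z_]\w*=")                  # int_if="{ ... }" form

# Constructed sample input: the ruleset as quoted in the mail, "> > " included.
FLATTENED = """\
> > int_if="{ vether0 em1 athn0 }" table <martians> { 0.0.0.0/8 10.0.0.0/8
> > 127.0.0.0/8 169.254.0.0/16 \\ 172.16.0.0/12 192.0.0.0/24 192.0.2.0/24
> > 224.0.0.0/3 \\ 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \\ 203.0.113.0/24
> > } set block-policy drop set loginterface egress set skip on lo0 match in
> > all scrub (no-df random-id max-mss 1440) match out on egress inet from
> > !(egress:network) to any nat-to (egress:0) block in quick on egress from
> > <martians> to any block return out quick on egress from any to <martians>
> > block all pass out quick inet pass in on $int_if inet pass in on egress
> > inet proto tcp from any to (egress) port 22
"""


def tokenize(text: str) -> list[str]:
    """Strip mail quoting ('> ') and backslash continuations; return the words."""
    words = []
    for line in text.splitlines():
        line = re.sub(r"^[\s>]+", "", line)
        words.extend(w for w in line.split() if w != "\\")
    return words


def starts_statement(words: list[str], i: int) -> bool:
    """True if words[i] begins a new top-level statement (depth 0 assumed)."""
    w = words[i]
    if w == "set":
        nxt = words[i + 1] if i + 1 < len(words) else ""
        return nxt not in RULE_OPTION_AFTER_SET
    return w in TOP_LEVEL or MACRO_DEF.match(w) is not None


def split_statements(text: str) -> list[str]:
    """Group the words into statements, keeping {...} and (...) groups intact."""
    words = tokenize(text)
    stmts, cur, depth = [], [], 0
    for i, w in enumerate(words):
        if depth == 0 and cur:
            if starts_statement(words, i):
                stmts.append(" ".join(cur))
                cur = []
            elif w == "=" and len(cur) > 1:
                # 'name = value' macro form: the name already appended starts it
                name = cur.pop()
                stmts.append(" ".join(cur))
                cur = [name]
        cur.append(w)
        depth += w.count("{") + w.count("(") - w.count("}") - w.count(")")
    if cur:
        stmts.append(" ".join(cur))
    return stmts


def wrap(stmt: str, width: int = 72, indent: str = " " * 8) -> list[str]:
    """Greedy re-wrap of one statement using pf.conf backslash continuations."""
    words = stmt.split()
    lines, cur = [], ""
    for i, w in enumerate(words):
        candidate = w if not cur else f"{cur} {w}"
        prefix = indent if lines else ""
        limit = width if i == len(words) - 1 else width - 2   # room for " \"
        if cur and len(prefix) + len(candidate) > limit:
            lines.append(prefix + cur + " \\")
            cur = w
        else:
            cur = candidate
    lines.append((indent if lines else "") + cur)
    return lines


def reflow(text: str, width: int = 72) -> str:
    """Flattened (possibly quoted) ruleset -> one statement per line, wrapped."""
    return "\n".join(line for s in split_statements(text) for line in wrap(s, width))


if __name__ == "__main__":
    print(reflow(FLATTENED))
```

Splitting on keyword boundaries is what keeps `block ... to any` and `block return out ...` apart, and `pass in on $int_if inet` apart from `pass in on egress ...`; those two joins are exactly where reflowing by eye goes wrong in the quoted paste. Once the file is reassembled, `pfctl -nf` parses it without loading, and `pfctl -sr -v` shows what the running ruleset actually contains.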