Hi,

yes, scratch my original message. Shouldn't reply while on the move.

--
Ville

On Jun 26, 2017 9:14 PM, "Steve Williams" <st...@williamsitconsulting.com>
wrote:

Hi,

Packets from vether are going out NAT'd no problem.  I have 100% Internet
access on 192.168.123.0/24.

From my understanding, the "pass out quick inet all flags S/SA" allows
packets out and should create state for the connection for any ipv4 packets
on any interface.

Subsequent packets (these seem to have the "P"ush flag set) should match
the state and not get blocked.

Hum... perhaps the states are expiring too fast?

How do I find out if the state existed at the time that the packet was
blocked?

Thanks,
Steve W.

On 26/06/2017 12:09 PM, Ville Valkonen wrote:

Hello,

a quick glance and it seems you aren't allowing vether traffic to pass.

--
Regards,
Ville

On Jun 26, 2017 8:19 PM, "Steve Williams" <st...@williamsitconsulting.com>
wrote:

> Hi,
>
> New install of OpenBSD 6.1 on apu2.  Love the little box.
>
> I have em0 as the connection to the Internet and I bridged em1 and em2
> together on 192.168.123.0.
>
> I've been using OpenBSD since the 2.7 days, but have never run NAT so this
> is my first foray into that world.  I have followed the FAQ on "building a
> router" almost verbatim.  It's working fine, but I am seeing some packets
> blocked with no effect on browsing behind the OpenBSD box.
>
> My ruleset:
>
> # pfctl -sr
> match in all scrub (no-df random-id)
> match out on egress inet from ! (egress:network) to any nat-to (egress:0)
> round-robin
> block drop log quick from <blocklist> to any
> block drop log quick from <bad_hosts> to any
> block drop log all
> pass out quick inet all flags S/SA
> pass in on vether0 inet all flags S/SA
> pass in on em1 inet all flags S/SA
> pass in on em2 inet all flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 22 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 993 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 80 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 443 flags S/SA
>
> # tcpdump -n -e -ttt -i pflog0    # from man pflog man page
> Jun 26 09:45:54.241145 rule 4/(match) block in on vether0:
> 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:54.701283 rule 4/(match) block in on vether0:
> 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:55.623757 rule 4/(match) block in on vether0:
> 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:57.460985 rule 4/(match) block in on vether0:
> 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:01.150933 rule 4/(match) block in on vether0:
> 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:08.522599 rule 4/(match) block in on vether0:
> 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:47.479083 rule 4/(match) block in on vether0:
> 192.168.123.2.46549 > 172.217.3.206.443: P 4042174712:4042174735(23) ack
> 2564095917 win 1593 (DF)
> Jun 26 09:46:47.896295 rule 4/(match) block in on vether0:
> 192.168.123.2.53452 > 23.23.126.54.443: P 4003838125:4003838156(31) ack
> 2044539346 win 65535 (DF)
> Jun 26 09:46:47.896662 rule 4/(match) block in on vether0:
> 192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535 (DF)
> Jun 26 09:46:47.896674 rule 4/(match) block in on vether0:
> 192.168.123.2.59762 > 216.58.216.163.443: P 113176577:113176608(31) ack
> 2619790719 win 1403 (DF)
> Jun 26 09:46:47.896685 rule 4/(match) block in on vether0:
> 192.168.123.2.59762 > 216.58.216.163.443: F 31:31(0) ack 1 win 1403 (DF)
> Jun 26 09:46:47.896711 rule 4/(match) block in on vether0:
> 192.168.123.2.39279 > 31.13.77.6.443: P 4254697166:4254697197(31) ack
> 2615144509 win 1545 (DF)
> Jun 26 09:46:47.896735 rule 4/(match) block in on vether0:
> 192.168.123.2.39279 > 31.13.77.6.443: R 31:31(0) ack 1 win 1545 (DF)
>
> # pfctl -R 4 -sr
> block drop log all
>
> It is not all https traffic that is being blocked as I can hit my banking
> site, etc.  Does anyone have an idea why these packets are being blocked?
>
> Thanks,
> Steve Williams
>

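Steve asks how to tell whether a state existed when a packet was blocked. The following is an added example, not code from anyone in this thread: a small POSIX shell script that parses pflog tcpdump lines of the kind quoted above and checks each blocked flow against a "pfctl -ss" snapshot. The pflog excerpt is copied from the lines above; the state snapshot is constructed (203.0.113.10 is a placeholder external address) in the layout pfctl -ss uses for a plain and a NAT'd TCP state, where the pre-NAT source appears in parentheses. The function names are the example's own.

```sh
#!/bin/sh
# Added example: cross-check pflog "block" entries against a pfctl -ss snapshot.
# Run "pfctl -ss > /tmp/states" while the traffic is flowing and feed that file
# instead of STATES_SAMPLE; a snapshot taken minutes later says little about
# what pf knew at block time.

# Constructed input: three of the pflog lines quoted in the thread (one per flow).
PFLOG_SAMPLE='Jun 26 09:45:54.241145 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:46:47.479083 rule 4/(match) block in on vether0: 192.168.123.2.46549 > 172.217.3.206.443: P 4042174712:4042174735(23) ack 2564095917 win 1593 (DF)
Jun 26 09:46:47.896295 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: P 4003838125:4003838156(31) ack 2044539346 win 65535 (DF)'

# Constructed "pfctl -ss" snapshot. 203.0.113.10 is a placeholder for the egress
# address; the first line shows a NAT'd state (original source in parentheses),
# the second a state that was created before NAT was applied. No state exists
# for the third flow in PFLOG_SAMPLE.
STATES_SAMPLE='all tcp 203.0.113.10:38022 (192.168.123.2:38022) -> 216.58.216.165:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.123.2:46549 -> 172.217.3.206:443       ESTABLISHED:ESTABLISHED'

# state_exists SRC SPORT DST DPORT STATES
# Succeeds when STATES contains a line for SRC:SPORT -> DST:DPORT, matching the
# source either as the state's own address or as the pre-NAT address in parentheses.
state_exists() {
    printf '%s\n' "$5" | awk -v src="$1:$2" -v dst="$3:$4" '
        index($0, "-> " dst " ") && (index($0, " " src " ") || index($0, "(" src ")")) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# classify_blocks PFLOG STATES
# Prints one line per blocked packet: timestamp, flow, and STATE or NOSTATE.
classify_blocks() {
    pflog=$1
    states=$2
    printf '%s\n' "$pflog" | while read -r line; do
        # Split the tcpdump line into words: $3 is the time, $10 is src.port,
        # $12 is dst.port followed by a colon.
        set -- $line
        src=${10%.*}
        sport=${10##*.}
        dst=${12%:}
        dport=${dst##*.}
        dst=${dst%.*}
        if state_exists "$src" "$sport" "$dst" "$dport" "$states"; then
            echo "$3 $src:$sport -> $dst:$dport STATE"
        else
            echo "$3 $src:$sport -> $dst:$dport NOSTATE"
        fi
    done
}

classify_blocks "$PFLOG_SAMPLE" "$STATES_SAMPLE"
```

A NOSTATE result means the packet hit "block drop log all" because no pass rule with "flags S/SA" can match a packet that carries only P/ACK and there was no state for it to belong to; a STATE result points at the state not being usable for that packet rather than at it being absent. The timeouts Steve wonders about are listed by "pfctl -s timeouts" (short form "pfctl -st"), which shows the tcp.established and other state lifetimes currently in effect.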