Hmm, have you enabled net.inet.ip.forwarding?

Timo

Steve Williams <st...@williamsitconsulting.com> writes:

> Hi,
>
> Packets from vether are going out NAT'd no problem.  I have 100%
> Internet access on 192.168.123.0/24.
>
> From my understanding, the "pass out quick inet all flags S/SA" allow
> packets out and should create state for the connection for any ipv4
> packets on any interface.
>
> Subsequent packets (these seem to have the "P"ush flag set) should
> match the state and not get blocked.
>
> Hum... perhaps the states are expiring too fast?
>
> How do I find out if the state existed at the time that the packet was
> blocked?
>
> Thanks,
> Steve W.
>
>
> On 26/06/2017 12:09 PM, Ville Valkonen wrote:
>> Hello,
>>
>> a quick glance and it seems you aren't allowing vether traffic to pass.
>>
>> --
>> Regards,
>> Ville
>>
>> On Jun 26, 2017 8:19 PM, "Steve Williams"
>> <st...@williamsitconsulting.com> wrote:
>>
>>     Hi,
>>
>>     New install of OpenBSD 6.1 on apu2.  Love the little box.
>>
>>     I have em0 as the connection to the Internet and I bridged em1 and
>>     em2 together on 192.168.123.0.
>>
>>     I've been using OpenBSD since the 2.7 days, but have never run NAT
>>     so this is my first foray into that world.  I have followed the
>>     FAQ on "building a router" almost verbatim. It's working fine, but
>>     I am seeing some packets blocked with no effect on browsing behind
>>     the OpenBSD box.
>>
>>     My ruleset:
>>
>>     # pfctl -sr
>>     match in all scrub (no-df random-id)
>>     match out on egress inet from ! (egress:network) to any nat-to
>>     (egress:0) round-robin
>>     block drop log quick from <blocklist> to any
>>     block drop log quick from <bad_hosts> to any
>>     block drop log all
>>     pass out quick inet all flags S/SA
>>     pass in on vether0 inet all flags S/SA
>>     pass in on em1 inet all flags S/SA
>>     pass in on em2 inet all flags S/SA
>>     pass in on egress inet proto tcp from any to (egress) port = 22
>>     flags S/SA
>>     pass in on egress inet proto tcp from any to (egress) port = 993
>>     flags S/SA
>>     pass in on egress inet proto tcp from any to (egress) port = 80
>>     flags S/SA
>>     pass in on egress inet proto tcp from any to (egress) port = 443
>>     flags S/SA
>>
>>     # tcpdump -n -e -ttt -i pflog0    # from man pflog man page
>>     Jun 26 09:45:54.241145 rule 4/(match) block in on vether0:
>>     192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
>>     1805 (DF)
>>     Jun 26 09:45:54.701283 rule 4/(match) block in on vether0:
>>     192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
>>     1805 (DF)
>>     Jun 26 09:45:55.623757 rule 4/(match) block in on vether0:
>>     192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
>>     1805 (DF)
>>     Jun 26 09:45:57.460985 rule 4/(match) block in on vether0:
>>     192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
>>     1805 (DF)
>>     Jun 26 09:46:01.150933 rule 4/(match) block in on vether0:
>>     192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
>>     1805 (DF)
>>     Jun 26 09:46:08.522599 rule 4/(match) block in on vether0:
>>     192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win
>>     1805 (DF)
>>     Jun 26 09:46:47.479083 rule 4/(match) block in on vether0:
>>     192.168.123.2.46549 > 172.217.3.206.443: P
>>     4042174712:4042174735(23) ack 2564095917 win 1593 (DF)
>>     Jun 26 09:46:47.896295 rule 4/(match) block in on vether0:
>>     192.168.123.2.53452 > 23.23.126.54.443: P
>>     4003838125:4003838156(31) ack 2044539346 win 65535 (DF)
>>     Jun 26 09:46:47.896662 rule 4/(match) block in on vether0:
>>     192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535
>>     (DF)
>>     Jun 26 09:46:47.896674 rule 4/(match) block in on vether0:
>>     192.168.123.2.59762 > 216.58.216.163.443: P
>>     113176577:113176608(31) ack 2619790719 win 1403 (DF)
>>     Jun 26 09:46:47.896685 rule 4/(match) block in on vether0:
>>     192.168.123.2.59762 > 216.58.216.163.443: F 31:31(0) ack 1 win
>>     1403 (DF)
>>     Jun 26 09:46:47.896711 rule 4/(match) block in on vether0:
>>     192.168.123.2.39279 > 31.13.77.6.443: P 4254697166:4254697197(31)
>>     ack 2615144509 win 1545 (DF)
>>     Jun 26 09:46:47.896735 rule 4/(match) block in on vether0:
>>     192.168.123.2.39279 > 31.13.77.6.443: R 31:31(0) ack 1 win 1545 (DF)
>>
>>     # pfctl -R 4 -sr
>>     block drop log all
>>
>>     It is not all https traffic that is being blocked, as I can hit my
>>     banking site, etc.  Does anyone have an idea why these packets are
>>     being blocked?
>>
>>     Thanks,
>>     Steve Williams
>>
>>
>>

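Steve asks how to tell whether a state existed when a packet was blocked. The TCP flags in the pflog line are the tell: a `pass ... flags S/SA` rule only matches the initial SYN, and every later packet of the flow is passed by the state that SYN created, so a blocked non-SYN packet means pf had no state for that flow at that moment. The triage script below is an added example, not from the thread; its sample input is the pflog lines quoted above re-joined onto single lines, plus one constructed SYN line for contrast.

```python
import re
from collections import Counter

# Constructed sample input: pflog lines in the format quoted in the thread
# (tcpdump -n -e -ttt -i pflog0), re-joined onto one line each. The last
# line is an invented SYN for contrast; the others are copied from the post.
SAMPLE_PFLOG = """\
Jun 26 09:45:54.241145 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:46:47.896295 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: P 4003838125:4003838156(31) ack 2044539346 win 65535 (DF)
Jun 26 09:46:47.896662 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535 (DF)
Jun 26 09:46:47.896685 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: F 31:31(0) ack 1 win 1403 (DF)
Jun 26 09:46:50.000000 rule 4/(match) block in on vether0: 192.168.123.2.40000 > 198.51.100.7.443: S 1000:1000(0) win 65535 <mss 1460> (DF)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+) rule (?P<rule>\d+)/\((?P<reason>[^)]*)\) "
    r"(?P<action>\w+) (?P<dir>in|out) on (?P<ifname>\w+): "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<flags>[A-Z.]+) "
)

def parse_pflog(text):
    """Turn pflog/tcpdump TCP lines into dicts; non-matching lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def classify(entry):
    """Why did a 'flags S/SA' ruleset block this packet?
    A pass rule with 'flags S/SA' matches only the initial SYN; the state it
    creates is what lets every later packet through. Therefore:
      - a blocked SYN means no pass rule matched it (rule order or scope);
      - a blocked non-SYN (P, F, R, .) means pf held no state for the flow
        when the packet arrived: never created, or already expired."""
    flags = entry["flags"]
    if "S" in flags and "A" not in flags:
        return "no-pass-rule"
    return "no-state"

def summarize(text):
    """Counts per cause, plus the distinct flows that were blocked mid-stream."""
    entries = parse_pflog(text)
    counts = Counter(classify(e) for e in entries)
    flows = sorted({(e["src"], e["sport"], e["dst"], e["dport"])
                    for e in entries if classify(e) == "no-state"})
    return counts, flows

if __name__ == "__main__":
    counts, flows = summarize(SAMPLE_PFLOG)
    print(dict(counts))
    for f in flows:
        print("no state for %s:%s -> %s:%s" % f)
```

Flows reported as "no-state" are the ones to compare against `pfctl -ss` output taken while the connection is open; if the flow is absent there, the state was never created rather than expired.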