On Mon, 26 Jun 2017 10:02:00 -0600
Steve Williams <st...@williamsitconsulting.com> wrote:

> Hi,
> 
> New install of OpenBSD 6.1 on apu2.  Love the little box.
> 
> I have em0 as the connection to the Internet and I bridged em1 and
> em2 together on 192.168.123.0.
> 
> I've been using OpenBSD since the 2.7 days, but have never run NAT so 
> this is my first foray into that world.  I have followed the FAQ on 
> "building a router" almost verbatim.  It's working fine, but I am
> seeing some packets blocked with no effect on browsing behind the
> OpenBSD box.
> 
> My ruleset:
> 
> # pfctl -sr
> match in all scrub (no-df random-id)
> match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
> block drop log quick from <blocklist> to any
> block drop log quick from <bad_hosts> to any
> block drop log all
> pass out quick inet all flags S/SA
> pass in on vether0 inet all flags S/SA
> pass in on em1 inet all flags S/SA
> pass in on em2 inet all flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 22 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 993 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 80 flags S/SA
> pass in on egress inet proto tcp from any to (egress) port = 443 flags S/SA
> 
> # tcpdump -n -e -ttt -i pflog0    # from man pflog man page
> Jun 26 09:45:54.241145 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:54.701283 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:55.623757 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:45:57.460985 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:01.150933 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:08.522599 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
> Jun 26 09:46:47.479083 rule 4/(match) block in on vether0: 192.168.123.2.46549 > 172.217.3.206.443: P 4042174712:4042174735(23) ack 2564095917 win 1593 (DF)
> Jun 26 09:46:47.896295 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: P 4003838125:4003838156(31) ack 2044539346 win 65535 (DF)
> Jun 26 09:46:47.896662 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535 (DF)
> Jun 26 09:46:47.896674 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: P 113176577:113176608(31) ack 2619790719 win 1403 (DF)
> Jun 26 09:46:47.896685 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: F 31:31(0) ack 1 win 1403 (DF)
> Jun 26 09:46:47.896711 rule 4/(match) block in on vether0: 192.168.123.2.39279 > 31.13.77.6.443: P 4254697166:4254697197(31) ack 2615144509 win 1545 (DF)
> Jun 26 09:46:47.896735 rule 4/(match) block in on vether0: 192.168.123.2.39279 > 31.13.77.6.443: R 31:31(0) ack 1 win 1545 (DF)
> 
> # pfctl -R 4 -sr
> block drop log all
> 
> It is not all https traffic that is being blocked as I can hit my 
> banking site, etc.  Does anyone have an idea why these packets are
> being blocked?

What happens when you remove 'quick' keyword from 'pass out' rule?
Does setting skip on lo make any difference?
Does reducing max-mss in nat rule make any difference (mine is 1440)?
-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
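As an added example (not from either poster), a small sh/awk script that summarises pflog lines in the "tcpdump -n -e -ttt -i pflog0" format quoted above by rule, action, direction, interface and TCP flag, and marks whether each logged packet carried SYN; in the quoted log every blocked packet is a mid-stream P/R/F segment, which this summary makes visible at a glance. It assumes the field layout shown in the thread, and the embedded sample lines are copied from the quoted log.

```shell
#!/bin/sh
# Added example: summarise pflog lines as printed by
# "tcpdump -n -e -ttt -i pflog0" (field layout as quoted in the thread).
# Output: one line per rule/action/direction/interface/TCP-flag combination,
# tagged "syn" (connection opener) or "no-syn" (mid-stream packet), plus a count.

# Constructed sample input: four of the lines quoted in the thread.
SAMPLE_PFLOG='Jun 26 09:45:54.241145 rule 4/(match) block in on vether0: 192.168.123.2.38022 > 216.58.216.165.443: P 0:1375(1375) ack 1 win 1805 (DF)
Jun 26 09:46:47.896295 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: P 4003838125:4003838156(31) ack 2044539346 win 65535 (DF)
Jun 26 09:46:47.896662 rule 4/(match) block in on vether0: 192.168.123.2.53452 > 23.23.126.54.443: R 31:31(0) ack 1 win 65535 (DF)
Jun 26 09:46:47.896685 rule 4/(match) block in on vether0: 192.168.123.2.59762 > 216.58.216.163.443: F 31:31(0) ack 1 win 1403 (DF)'

# Read pflog lines on stdin, print a sorted summary on stdout.
summarize_pflog() {
    awk '
    {
        # Locate the "rule N/(match) ACTION DIR on IFACE:" block; the fields
        # after it are "SRC > DST: FLAGS ...", so the flag is 9 fields on.
        for (i = 1; i <= NF; i++) if ($i == "rule") break
        if (i > NF || i + 9 > NF) next
        rule = $(i + 1); sub(/\/.*/, "", rule)   # "4/(match)" -> "4"
        action = $(i + 2); dir = $(i + 3)        # "block", "in"
        iface = $(i + 5); sub(/:$/, "", iface)   # "vether0:" -> "vether0"
        flag = $(i + 9)                          # "P", "R", "F", "S", "." ...
        kind = (flag ~ /S/) ? "syn" : "no-syn"
        key = rule " " action " " dir " " iface " " flag " " kind
        count[key]++
    }
    END { for (k in count) print k, count[k] }' | sort
}

# Number of blocked packets that did not carry SYN, i.e. packets that reached
# the block rule without an existing state entry to match them.
blocked_no_syn() {
    summarize_pflog | awk '$2 == "block" && $6 == "no-syn" { n += $7 } END { print n + 0 }'
}

printf '%s\n' "$SAMPLE_PFLOG" | summarize_pflog
```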
