Hi Michael,

As far as pfctl -sr goes, a block return expands to block return all.

But since I got it working now, here is the ruleset that does what it is supposed to do :)

ext_if="hvn0"

set skip on lo

block return    # block stateless traffic
block inet6

pass on $ext_if inet proto {tcp udp} to port domain

pass on $ext_if inet proto icmp icmp-type echoreq

pass in on $ext_if inet proto tcp from any to ($ext_if) port ssh
pass in on $ext_if inet proto tcp from any to ($ext_if) port 443

pass out on $ext_if inet proto tcp from ($ext_if) port { https, submission }

$ doas pfctl -sr
block return all
block drop inet6 all
pass in on hvn0 inet proto tcp from any to (hvn0) port = 22 flags S/SA
pass in on hvn0 inet proto tcp from any to (hvn0) port = 443 flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 443 to any flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 587 to any flags S/SA
pass on hvn0 inet proto tcp from any to any port = 53 flags S/SA
pass on hvn0 inet proto udp from any to any port = 53
pass on hvn0 inet proto icmp all icmp-type echoreq

As you may notice, I added ping and DNS to the ruleset, since these were blocked in the original set of rules.

regards

On 20.10.2017 at 14:27, Michael Hekeler wrote:
On Fri, Oct 20, 2017 at 12:59:51PM +0200, Markus Rosjat wrote:
...
block return    # block stateless traffic


Hi Markus, here's another hint:

No matter whether you want to drop silently or send a return for the dropped
packet, you have to specify **on which packets the block action should react**:

   block drop all
   -or-
   block return all
   -or-
   block all
If you have this in your pf.conf and load this ruleset, then 'pfctl -sr'
will give you a line like:

   block drop all
   (or whatever you have in pf.conf)



--
Markus Rosjat    fon: +49 351 8107223    mail: ros...@ghweb.de

G+H Webservice GbR Gorzolla, Herrmann
Königsbrücker Str. 70, 01099 Dresden

http://www.ghweb.de
fon: +49 351 8107220   fax: +49 351 8107227

Please check whether this mail really needs to be printed! Before you print it, think about your responsibility and commitment to the ENVIRONMENT
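A small ruleset audit, added here as an example and not taken from this thread or from pf itself: it takes the `pfctl -sr` output quoted above (embedded as a constructed copy so the script runs on a machine without pf) and checks the two points the thread discusses, that the first rule is a catch-all block and which ports the interface actually accepts inbound. The function names, the allowlist and the `doas pfctl -sr` usage line are my own assumptions.

```shell
#!/bin/sh
# Constructed copy of the `pfctl -sr` output shown in the thread, used as
# offline sample input. On a real host you would use: PF_RULES=$(doas pfctl -sr)
PF_RULES='block return all
block drop inet6 all
pass in on hvn0 inet proto tcp from any to (hvn0) port = 22 flags S/SA
pass in on hvn0 inet proto tcp from any to (hvn0) port = 443 flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 443 to any flags S/SA
pass out on hvn0 inet proto tcp from (hvn0) port = 587 to any flags S/SA
pass on hvn0 inet proto tcp from any to any port = 53 flags S/SA
pass on hvn0 inet proto udp from any to any port = 53
pass on hvn0 inet proto icmp all icmp-type echoreq'

# Print "yes" if the first rule is a catch-all block ("block ... all"),
# i.e. the default-deny policy the thread relies on is in place; else "no".
first_rule_is_block() {
    printf '%s\n' "$1" | head -n 1 | grep -q '^block .* all$' && echo yes || echo no
}

# List the proto/port pairs accepted inbound on interface $2, space separated
# and de-duplicated. Both "pass in on X" and the direction-less "pass on X"
# count, because the latter matches inbound packets too.
inbound_ports() {
    printf '%s\n' "$1" | awk -v ifc="$2" '
        $1 != "pass" { next }
        ($2 == "in" && $3 == "on" && $4 == ifc) || ($2 == "on" && $3 == ifc) {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "proto") proto = $(i + 1)
                if ($i == "port" && $(i + 1) == "=") port = $(i + 2)
            }
            if (port != "") print proto "/" port
        }' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Report inbound proto/port pairs on interface $2 that are not in the
# allowlist $3 (a space separated list such as "tcp/22 tcp/443").
unexpected_inbound() {
    allowed=" $3 "
    for p in $(inbound_ports "$1" "$2"); do
        case "$allowed" in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done | tr '\n' ' ' | sed 's/ $//'
}

# Usage against the embedded sample (assumed allowlist: ssh and https only).
printf 'default block first:   %s\n' "$(first_rule_is_block "$PF_RULES")"
printf 'inbound ports on hvn0: %s\n' "$(inbound_ports "$PF_RULES" hvn0)"
printf 'not on allowlist:      %s\n' "$(unexpected_inbound "$PF_RULES" hvn0 "tcp/22 tcp/443")"
```

Because `pass on` carries no direction, the audit reports port 53 as inbound-accepted alongside the ssh and https rules; if only outbound resolution is wanted, a `pass out ... to port domain` rule is the narrower form.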
