Hi all,
Everything about PF is all very confusing to me at the moment, so any
help is appreciated. So let's start simple and then proceed step by
step. I want to continue with ping so that I can test the connection to
the internet. This works: ping -c 10 195.121.1.34. But this doesn't
work: ping -c 10 www.apple.com. As others have stated, I have a problem
with using DNS servers on the internet. The PF ruleset needs to be
adjusted for this, but it is still not clear to me how to do that. What
else do I need to get ping to work correctly? To get started simply, I
created a new pf.conf file, see below.
/etc/pf.conf:
ext_if = "igc0"                  # The interface to the outside world
int_if = "{ igc1, igc2 }"        # The interfaces to the private hosts
localnet = "192.168.2.0/24"      # Hosts on the screened LAN
# Service macros: defined here but not yet referenced by any rule below.
tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
udp_services = "{ domain, ntp }"
email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
# "nntp" is assumed where the original read "nportntp"; pfctl rejects
# service names that are not in /etc/services.
client_out = "{ ssh, domain, pop3, auth, nntp, http, https, \
                446, cvspserver, 2628, 5999, 8000, 8080 }"
# Addresses that must never be seen on the external interface
# (169.254.0.0/16 had been split by line wrapping in the original).
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"
# Options:
set block-policy return          # blocked TCP gets a RST, blocked UDP an ICMP unreachable
set skip on lo                   # never filter loopback
block log all                    # default deny (block stateless traffic); logged to pflog0
# Normalize packets:
match in all scrub (no-df max-mss 1440)
# Bogon filtering on the external interface only:
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians
# Letting ping through. "on" takes an interface name, so "on inet" was a
# syntax error; "inet"/"inet6" alone select the address family. With no
# direction given, these rules match both incoming and outgoing ICMP.
pass log inet proto icmp icmp-type $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types
# Everything the firewall itself sends out; replies come back via state.
# There is no "pass in on $int_if" and no nat-to rule yet, so hosts on
# the LAN cannot reach the internet through this box; only the
# firewall's own traffic is covered.
pass out all
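The following is an added example ruleset for comparison; it is not the poster's /etc/pf.conf and not an OpenBSD sample. It reuses the macros already defined above and assumes the same layout: igc0 towards the ISP, igc1 and igc2 towards the LAN, and the two addresses in $nameservers as the resolvers the firewall and the LAN should be allowed to query. It adds the two things a router ruleset needs that the original lacks, NAT for the LAN and a "pass in" on the internal interfaces, and makes the DNS allowance explicit.

```pf
# Added example, not the original poster's ruleset.
# Assumed interfaces: igc0 external, igc1/igc2 internal.
ext_if = "igc0"
int_if = "{ igc1, igc2 }"
nameservers = "{ 195.121.1.34, 195.121.1.66 }"
icmp_types = "{ echoreq, unreach }"
icmp6_types = "{ echoreq, unreach }"
martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
              10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
              0.0.0.0/8, 240.0.0.0/4 }"

set block-policy return
set skip on lo

# Normalization for everything coming in.
match in all scrub (no-df max-mss 1440)

# NAT: packets leaving $ext_if that do not already carry the external
# address get rewritten to it. Without this, LAN hosts send with private
# source addresses and never see a reply.
match out on $ext_if inet from !($ext_if:network) to any nat-to ($ext_if)

# Default deny, logged, so anything dropped shows up on pflog0.
block log all

# Bogons on the external interface only; "quick" stops evaluation here.
block in quick on $ext_if from $martians to any
block out quick on $ext_if from any to $martians

# Traffic arriving from the LAN side (to the firewall or through it).
# State is created per connection, so replies need no extra rule.
pass in on $int_if

# DNS to the configured resolvers: UDP for normal queries, TCP for
# large answers and zone transfers. Both the firewall's own lookups
# and forwarded LAN lookups match this rule.
pass out on $ext_if proto { udp, tcp } from any to $nameservers port domain

# Everything else leaving the external interface, as in the original.
pass out on $ext_if

# ICMP echo and unreachable, both directions, both address families.
pass log inet proto icmp icmp-type $icmp_types
pass log inet6 proto icmp6 icmp6-type $icmp6_types
```

To try it: `pfctl -nf /etc/pf.conf` parses the file without loading it and reports the first syntax error with its line number; `pfctl -f /etc/pf.conf` loads it; `tcpdump -n -e -ttt -i pflog0` in a second terminal shows every packet hit by `block log all` while you run `ping -c 3 www.apple.com` again. One check that separates a PF problem from a resolver problem: `dig @195.121.1.34 www.apple.com` sends the query directly to the ISP resolver. If that answers but `ping www.apple.com` still fails on the firewall itself, the firewall's own resolver list in /etc/resolv.conf is what needs fixing, since PF with `pass out` already keeps state for outbound UDP port 53.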