I'm a long-time network engineer/firewall admin/make-things-work-on-our-network-when-it-is-broken person.

First, ICMP Echo Request ("ping") works; you proved that when you sent an Echo Request to a host using its IP address. The fact that DNS host resolution fails has nothing to do with ICMP Echo Request. You WILL want to get DNS name resolution working in order to use hostnames, unless you want to keep everything in a static hosts file.

In order to create a functioning firewall you need a good understanding of TCP/IP ports and protocols. To see what I'm talking about, do an Internet search for "5-tuple firewall". You will need this knowledge for any system using a stateful firewall, not just PF.

Others are trying to help you write a functioning PF conf; however, I think you need to learn how to fish before embarking on a deep-sea fishing excursion.

73,
Diana

On April 14, 2024 9:09:01 AM MDT, Karel Lucas <cahlu...@planet.nl> wrote:
> Hi all,
>
> Everything about PF is all very confusing to me at the moment, so any help is
> appreciated. So let's start simple and then proceed step by step. I want to
> continue with ping so that I can test the connection to the internet. This
> works: ping -c 10 195.121.1.34. But this doesn't work: ping -c 10
> www.apple.com. As others have stated, I have a problem with using DNS servers
> on the internet. The PF ruleset needs to be adjusted for this, but it is still
> not clear to me how to do that. What else do I need to get ping to work
> correctly? To get started simply, I created a new pf.conf file, see below.
>
> /etc/pf.conf:
>
> ext_if = igc0                  # The interface to the outside world
> int_if = "{ igc1, igc2 }"      # The interfaces to the private hosts
> localnet = "192.168.2.0/24"    # Hosts on the screened LAN
>
> tcp_services = "{ smtp, domain, www, auth, http, https, pop3, pop3s }"
> udp_services = "{ domain, ntp }"
> email = "{ smtp, imap, imaps, imap3, pop3, pop3s }"
> icmp_types = "{ echoreq, unreach }"
> icmp6_types = "{ echoreq, unreach }"
> nameservers = "{ 195.121.1.34, 195.121.1.66 }"
> client_out = "{ ssh, domain, pop3, auth, nntp, ntp, http, https, \
>     446, cvspserver, 2628, 5999, 8000, 8080 }"
> martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
>     10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
>     0.0.0.0/8, 240.0.0.0/4 }"
>
> # Options:
> set block-policy return
>
> set skip on lo
>
> block log all                  # block stateless traffic
>
> # Normalize packets:
> match in all scrub ( no-df max-mss 1440 )
>
> block in quick on $ext_if from $martians to any
> block out quick on $ext_if from any to $martians
>
> # Letting ping through ("inet" is an address family, not an interface,
> # so it follows the log/quick keywords directly rather than "on"):
> pass log inet proto icmp icmp-type $icmp_types
> pass log inet6 proto icmp6 icmp6-type $icmp6_types
>
> pass out all
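The "5-tuple" and "stateful" idea Diana points at is easiest to see in a toy model. The following is an added example written for this page, not PF itself and not the original poster's ruleset: it keeps a state table keyed on (protocol, source address, source port, destination address, destination port), checks that table before the rules as PF does, and then walks a small ruleset with the same "block all, then pass out, then pass ICMP" shape as the quoted pf.conf. The LAN host 192.168.2.10, the remote 203.0.113.7, the ports and the ICMP identifiers are all constructed for the demo; 195.121.1.34 is the resolver from the quoted config.

```python
# Toy stateful 5-tuple packet filter, added to illustrate the reply above.
# Not PF and not the poster's ruleset; all packets below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the firewall's external interface
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int      # for ICMP echo this slot carries the identifier field
    dst: str
    dport: int      # for ICMP echo this slot also carries the identifier field

    @classmethod
    def icmp_echo(cls, direction, src, dst, ident):
        # PF keys echo request/reply state on the ICMP identifier, so the toy
        # model puts the identifier in both "port" slots of the 5-tuple.
        return cls(direction, "icmp", src, ident, dst, ident)

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        # The 5-tuple of the flow this packet would be a reply to.
        return (self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass(frozen=True)
class Rule:
    action: str                      # "pass" or "block"
    direction: str                   # "in", "out" or "any"
    proto: Optional[str] = None      # None matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dports: frozenset = frozenset()  # empty means any destination port
    quick: bool = False              # stop evaluating on match, like PF's "quick"

    def matches(self, p):
        return (self.direction in ("any", p.direction)
                and (self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (not self.dports or p.dport in self.dports))


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # 5-tuples of flows that a "pass" rule admitted

    def filter(self, p):
        # 1. State table first, as PF does: a packet belonging to an existing
        #    flow, in either direction, passes without consulting the rules.
        if p.key() in self.states or p.reverse_key() in self.states:
            return "pass:state"
        # 2. Otherwise walk the rules; last match wins unless a match is quick.
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        if winner is None or winner.action == "block":
            return "block"
        # 3. A passing rule creates state, so the reply is admitted in step 1
        #    even though "block all" would otherwise drop it.
        self.states.add(p.key())
        return "pass:rule"


# Ruleset with the same shape as the one quoted in the thread (hypothetical).
MARTIANS = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
RULES = (
    [Rule("block", "any")]                                         # block log all
    + [Rule("block", "in", src=m, quick=True) for m in MARTIANS]   # anti-spoof
    + [Rule("pass", "any", proto="icmp"),                          # ping, both ways
       Rule("pass", "out")]                                        # pass out all
)


def demo():
    """Push a DNS exchange, unsolicited and spoofed packets, and pings through."""
    fw = Firewall(RULES)
    ns, host = "195.121.1.34", "192.168.2.10"  # resolver from the config; constructed LAN host
    return {
        "dns_query_out": fw.filter(Packet("out", "udp", host, 40123, ns, 53)),
        "dns_reply_in": fw.filter(Packet("in", "udp", ns, 53, host, 40123)),
        "unsolicited_in": fw.filter(Packet("in", "udp", "203.0.113.7", 53, host, 40123)),
        "spoofed_in": fw.filter(Packet("in", "udp", "192.168.2.99", 53, host, 40123)),
        "ping_out": fw.filter(Packet.icmp_echo("out", host, ns, 0x1A2B)),
        "ping_reply_in": fw.filter(Packet.icmp_echo("in", ns, host, 0x1A2B)),
        "ping_in_unsolicited": fw.filter(Packet.icmp_echo("in", "203.0.113.7", host, 7)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The point to take from the run: the DNS reply from 195.121.1.34 is admitted by the state entry the outbound query created, not by any "pass in" rule, while the identical-looking packet from 203.0.113.7 has no state and falls through to "block all". Real PF also ties state to the interface, tracks TCP sequence windows and ages entries out; none of that is modelled here.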