On Mon, 05 Aug 2024 00:36:18 +0900 (JST)
WATANABE Takeo <t...@kasaneiro.jp> wrote:

> Dear Sirs,
> 
> Would you be willing to discuss how to write pf.conf?

Having only one network interface, I assume this firewall protects the
machine it resides on (a server), not the network behind it (a router /
firewall), which rules out the need for the net.inet.ip.forwarding sysctl.

My general rule of thumb is to log all blocked packets, at least
until I get the functionality I want. I have busy firewalls which block and
log ~300 packets per second; pf handles it really well.

Try something like:

(temporarily remove `antispoof quick` until rest works, keep it above)
block log all
pass in  on vio0 (what you want to pass to the server)
pass out on vio0 (what you want the server to be able to reach)

Check with `pfctl -(vv)sr` whether the loaded ruleset corresponds to what you
intend.

Check `tcpdump -neqtttr /var/log/pflog` for a history of blocked packets
and `tcpdump -neqttti pflog0` for the real-time log.

Make sure to read the complete PF FAQ:
https://www.openbsd.org/faq/pf/

There's even more in Peter N. M. Hansteen's "Book of PF".

HTH,


-- 
Before enlightenment - chop wood, draw water.
After  enlightenment - chop wood, draw water.

Marko Cupać
https://www.mimar.rs/
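A fuller pf.conf built on the skeleton sketched in the reply above, as an added example that is not from the thread or its author. It assumes the server's only interface is vio0 (as in the thread) and, as an assumption of its own, that the host should accept nothing but SSH and HTTP/HTTPS from outside while being free to reach out; adjust the `tcp_services` macro to the services actually run.

```pf
# Single-interface server ruleset following the "antispoof / block log all /
# pass in / pass out" skeleton. Assumptions (not from the thread): the
# interface is vio0, inbound service is SSH + HTTP/HTTPS, outbound is open.
ext_if       = "vio0"
tcp_services = "{ ssh, http, https }"

# Loopback traffic is never filtered.
set skip on lo

# Drop packets that claim a source address belonging to vio0's own networks
# but arrive where they cannot legitimately come from. Keep this above
# "block log all"; comment it out temporarily if it rejects something
# unexpected while the rest of the ruleset is being debugged.
antispoof quick for $ext_if

# Default deny in both directions. Every blocked packet is logged, so
# tcpdump on pflog0 (live) or /var/log/pflog (history) shows exactly what
# the ruleset rejects while it is being tuned.
block log all

# What the server accepts: only the listed TCP services, and only to vio0's
# own address(es). Pass rules keep state by default, so reply packets match
# the state entry and never need a separate "pass out" rule.
pass in on $ext_if inet proto tcp from any to ($ext_if) port $tcp_services

# What the server itself may reach: ICMP, DNS and NTP, plus any TCP
# connection it initiates.
pass out on $ext_if inet proto icmp
pass out on $ext_if inet proto { tcp, udp } to any port { domain, ntp }
pass out on $ext_if inet proto tcp
```

Parse it without loading using `pfctl -nf /etc/pf.conf`, then load with `pfctl -f /etc/pf.conf` and compare the result of `pfctl -vvsr` against what you intended.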
