On Mon Aug 5, 2024 at 8:24 PM BST, Mike Fischer wrote:
> On 05.08.2024 at 20:22, WATANABE Takeo <t...@kasaneiro.jp> wrote:
> > Hi, Souji-san.
> >
> > Thank you so much for your advice.
> > We will reply to you in due course.
> >
> > on Sun, 04 Aug 2024 19:56:38 +0100
> > "Souji Thenria" <m...@souji-thenria.net> wrote:
> >
> > > On Sun Aug 4, 2024 at 4:36 PM BST, WATANABE Takeo wrote:
> > > > I am having trouble because all packets are blocked.
> > > > Please see below for a description of the problem.
> > > > I would appreciate it if you could point out any problems.
> > >
> > > The config looks ok so far; I don't see any problems.
> > >
> > > Can you run 'pfctl -s rules' and send the command output?
> > > You can also run 'tcpdump' on the interface. Can you see incoming or
> > > outgoing packets for your specified ports?
> >
> > We are sending you the results of the "pfctl -s rules" run,
> > the results of the "pfctl -vnf /etc/pf.conf" run
> > and the original "pf.conf" as attachments, just in case.
> >
> > The results of "pfctl -s rules" were difficult for me to understand,
> > I am ashamed to say. As an example of what I understood,
> > I also send you the result of "pfctl -vnf /etc/pf.conf".
> >
> > I found the result of "tcpdump -n -e -ttt -r /var/log/pflogd" to be:
> > most of them were DNS packets (IN/OUT).
> > # This host is an authoritative DNS server, so I think it is natural.
> >
> > Is it possible to understand the situation with these results?
> > We look forward to your reply.
> >
> > Best regards,
> >
> > ---
> > WATANABE, Takeo
> > t...@kasaneiro.jp
>
> Your config, the result of `pfctl -vnf /etc/pf.conf` and the result of `pfctl -sr` do not match. Did you actually load your config (`pfctl -f /etc/pf.conf`, i.e. without -n)? -n only checks the config without loading it.
+1 that you probably forgot to reload your config, and I agree with everything else Mike mentioned below. I mostly wanted to add that I tried to load the pf.conf file you sent; it looks like it works. (I did a quick test to see if the HTTP- and SMTP-server are reachable.)
> The loaded rules as returned by `pfctl -sr` would not allow much of your desired traffic. However they do allow NDP traffic. Your vio0 interface seems to have IPv6 and IPv4 addresses. So you probably need to allow NDP traffic and you probably want to allow ICMPv6 echo as well.
>
> One more debugging tip: Temporarily turn off pf to see if your issues are caused by your pf rules: `pfctl -d`. Then test and turn it back on when done testing (`pfctl -e`). Note (mainly for other readers): This tip works in your case, but not if NAT or forwarding rules are used.
>
> PS. Do you have console access to the host? If not there is a good chance that you might shoot yourself in the foot with incorrect rules and lose access to the machine.
>
> PPS. Your loaded rules allow SSH on port 22. Your desired rules would allow SSH on port 1522. Is your sshd actually listening on these ports? Oh and if you want to access other hosts from your machine that use port 22 using SSH then your new rules are missing an outgoing rule for that. One reason for mostly allowing all outgoing traffic and only dealing with incoming packets in the rules.
>
> HTH
> Mike
Regards,
Souji

-- 
Souji Thenria
Website: www.souji-thenria.net
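A pf.conf that puts Mike's points together (allow outgoing traffic, allow NDP and ICMPv6 echo on a dual-stack interface, open only the port sshd really listens on). This is an added example, not the pf.conf attached to the thread, which is not in the archive. It assumes the external interface is vio0 and sshd listens on 1522 (both named in the thread), and that the host serves DNS, SMTP and HTTP; the 443 entry is an assumption, drop it if there is no HTTPS.

```pf
# Added example, not the attachment from the thread. Assumed: external
# interface vio0, sshd on 1522, authoritative DNS, SMTP and HTTP(S).
ext_if   = "vio0"
ssh_port = "1522"

set skip on lo0

# Default deny and log the drops; dropped packets then show up on pflog0
# and in /var/log/pflog, which is what pflogd writes.
block return log

# Allow everything this host initiates (ssh to other hosts on 22, DNS
# queries it sends, NTP, ...) so no per-service outgoing rule is needed.
pass out quick

# IPv6 does not work without neighbour discovery and router advertisements
# on the link, even if all the TCP rules below are correct.
pass in on $ext_if inet6 proto icmp6 icmp6-type { neighbrsol, neighbradv, routeradv, routersol }

# Echo requests for both address families, useful while debugging reachability.
pass in on $ext_if inet  proto icmp  icmp-type  echoreq
pass in on $ext_if inet6 proto icmp6 icmp6-type echoreq

# Authoritative DNS: UDP and TCP (zone transfers, large answers).
pass in on $ext_if proto { tcp, udp } to port 53

# SMTP and HTTP(S).
pass in on $ext_if proto tcp to port { 25 80 443 }

# SSH only on the port sshd actually listens on; compare with
# grep -i '^port' /etc/ssh/sshd_config before loading.
pass in on $ext_if proto tcp to port $ssh_port
```

Apply it from the console, not over ssh: `pfctl -vnf /etc/pf.conf` only parses the file, `pfctl -f /etc/pf.conf` is what loads it, and `pfctl -sr` afterwards should print these rules rather than the old port-22 set. While testing, `tcpdump -n -e -ttt -i pflog0` shows live what the `block return log` rule drops, which tells you immediately whether a missing pass rule or something outside pf is the cause.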