Hi.

On Mon, 5 Aug 2024 12:34:18 +0200 Marko Cupać <marko.cu...@mimar.rs> wrote:

> Having only one network interface, I assume this firewall protects the
> machine it resides on (a server), not a network behind it (a router /
> firewall), which rules out the need for the net.inet.ip.forwarding sysctl.

I see. A lot of the material out there includes talk of NAT/NAPT, and I don't think there was any mention of how to protect one host. I will take into account what you taught me in the email you sent me and try to re-configure it.

> My general rule of thumb is to log all blocked packets, at least
> until I get the functionality I want. I have busy firewalls which block and
> log ~300 packets per second; pf handles it really well.
>
> Try something like:
>
> (temporarily remove `antispoof quick` until the rest works, keep it above)
> block log all
> pass in on vio0 (what you want to pass to the server)
> pass out on vio0 (what you want the server to be able to reach)
>
> Check with `pfctl -(vv)sr` if the loaded ruleset corresponds to what you
> intend.
>
> Check `tcpdump -neqtttr /var/log/pflog` for the history of blocked packets
> and `tcpdump -neqttti pflog0` for the real-time log.

We will reply to you with the results, together with replies to other users.

Thank you very much.

Best regards,
---
WATANABE, Takeo t...@kasaneiro.jp
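The skeleton Marko outlines (default deny with logging, then explicit `pass in` / `pass out` on the single interface, `antispoof` at the top) written out as a complete pf.conf for a host-only firewall. This is an added example, not a ruleset from either poster: the interface name vio0 comes from the thread, while the set of services passed in (ssh, http, https) and the ICMP rules are assumptions chosen for illustration.

```pf
# Added example pf.conf for a single-interface server (not from the
# original thread). vio0 is the interface named in the thread; the
# services passed in are an assumption for illustration.
ext_if = "vio0"
tcp_services = "{ ssh, http, https }"

# Loopback traffic between local services is not filtered.
set skip on lo0
set loginterface $ext_if

# Drop packets whose source address could not legitimately arrive on
# this interface. As suggested in the reply, comment this out while
# debugging the rest of the ruleset, then put it back at the top.
antispoof quick for $ext_if

# Default deny. Every dropped packet is logged to pflog0, so the ruleset
# can be checked with the tcpdump commands from the reply.
block log all

# Host-only firewall: no NAT, no net.inet.ip.forwarding. Only traffic
# addressed to this machine's own interface address is let in.
pass in on $ext_if inet proto tcp to ($ext_if) port $tcp_services
pass in on $ext_if inet proto icmp icmp-type echoreq

# Let the server itself reach out (DNS, NTP, package updates, ...).
# Rules are stateful by default, so replies are allowed back in
# without a matching "pass in" rule.
pass out on $ext_if inet proto { tcp udp } from ($ext_if)
pass out on $ext_if inet proto icmp from ($ext_if)
```

Before loading it, `pfctl -nf /etc/pf.conf` parses the file without installing it; `pfctl -f /etc/pf.conf` then loads it, and `pfctl -vvsr` shows the expanded rules with per-rule counters, which is the check Marko refers to as `pfctl -(vv)sr`. Because pf applies the last matching rule unless a rule carries `quick`, the `block log all` line must stay above the `pass` rules; only `antispoof quick` is meant to win immediately, which is why it sits first.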