Hi Peter,

I've done a bit of homework. The machine is connected to a public static IP via LTE modem on bridge mode.

To inform pf a bit more, I updated the pf.conf file with the following lines:

pass in on em0 from 41.90.23.0/24 to 41.90.23.240
pass out on em0 from 41.90.23.240 to 41.90.23.0/24

This solves the problem but I insist on clamping down the machine to bare minimum passes based on specific services required. Nothing more.

I am still looking for an alternative solution that does not involve adding passes.

Thanks.

File Update: pf.conf

# External interface
ext_if = "em0"

# Skip filtering on loopback interface
set skip on lo

# Scrub incoming packets for normalization
match in all scrub (no-df)

# Block all incoming connections by default
block all

# Activate spoofing protection for all interfaces
block in quick from urpf-failed

pass in on em0 from 41.90.23.0/24 to 41.90.23.240
pass out on em0 from 41.90.23.240 to 41.90.23.0/24

# Redirect HTTP traffic (servers only)
pass in on $ext_if inet proto tcp \
    to port 80 divert-to 127.0.0.1 port 8080

# Redirect HTTPS traffic (servers only)
pass in on $ext_if inet proto tcp \
    to port 443 divert-to 127.0.0.1 port 8443

# Allow SSH traffic from the development desktop
pass in on $ext_if proto tcp \
    from 41.90.23.240 to $ext_if port ssh modulate state

On Thu, 20 Mar 2025, 12:55 Kihaguru Gathura, <pqscr...@gmail.com> wrote:

> Hi Peter,
>
> I've done a bit of homework. The machine is connected to a public static IP via LTE modem on bridge mode.
>
> To inform pf a bit more, I updated the pf.conf file with the following lines:
>
> pass in on em0 from 41.90.23.0/24 to 41.90.23.240
> pass out on em0 from 41.90.23.240 to 41.90.23.0/24
>
> This solves the problem but I insist on clamping down the machine to bare minimum passes based on specific services required. Nothing more.
>
> I am still looking for an alternative solution that does not involve adding passes.
>
> Thanks.
>
> File Update: pf.conf
>
> # External interface
> ext_if = "em0"
>
> # Skip filtering on loopback interface
> set skip on lo
>
> # Scrub incoming packets for normalization
> match in all scrub (no-df)
>
> # Block all incoming connections by default
> block all
>
> # Activate spoofing protection for all interfaces
> block in quick from urpf-failed
>
> pass in on em0 from 41.90.23.0/24 to 41.90.23.240
> pass out on em0 from 41.90.23.240 to 41.90.23.0/24
>
> # Redirect HTTP traffic (servers only)
> pass in on $ext_if inet proto tcp \
>     to port 80 divert-to 127.0.0.1 port 8080
>
> # Redirect HTTPS traffic (servers only)
> pass in on $ext_if inet proto tcp \
>     to port 443 divert-to 127.0.0.1 port 8443
>
> # Allow SSH traffic from the development desktop
> pass in on $ext_if proto tcp \
>     from 41.90.23.240 to $ext_if port ssh modulate state
>
> On Thu, 20 Mar 2025, 11:30 Peter N. M. Hansteen, <pe...@bsdly.net> wrote:
>
>> On Thu, Mar 20, 2025 at 10:23:12AM +0300, Kihaguru Gathura wrote:
>>
>> > OpenBSD 7.6 upon restart, pf rules fail to load with error (no IP address found for em0 /etc/pf.conf:26: could not parse host specification). However, performing "pfctl -nf /etc/pf.conf && pfctl -vf /etc/pf.conf" manually after logging in gets the rules loaded successfully. Also commenting out lines 25 and 26 gets the file loaded successfully on restart, confirming the error.
>> >
>> > What are the potential scenarios causing line 26 (from 41.90.23.240 to $ext_if port ssh modulate state) to present itself as a syntax error during restart?
>>
>> The message you get indicates that the interface is not fully configured, that it does not (yet) have an IP address assigned.
>>
>> I would look in the direction of whatever it is that does the IP address assignment. Is there a problem with slow response from that network's DHCP service, for example?
>>
>> - Peter
>>
>> --
>> Peter N. M. Hansteen, member of the first RFC 1149 implementation team
>> https://bsdly.blogspot.com/ https://www.bsdly.net/ https://www.nuug.no/
>> "Remember to set the evil bit on all malicious network traffic"
>> delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
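An added configuration example, not part of the thread and not something either participant wrote: the SSH rule quoted above beside a variant that defers the address lookup. In pf.conf, an interface name used as a host address (`to $ext_if`) is expanded to the interface's current addresses when the ruleset is loaded, which is why the load fails at boot when em0 has not yet received an address from the modem. Writing the name in parentheses, `($ext_if)`, tells pf to track the interface's addresses and update the rule as they change, so the ruleset parses and loads with no address present and the rule starts matching once the address arrives. The `on $ext_if` part needs no parentheses, since it names the interface rather than an address. The interface name and the desktop address are the values from the thread; the `dev_desktop` macro name is chosen for this example.

```pf
# Added example, not the poster's pf.conf. em0 and 41.90.23.240 are the
# values quoted in the thread; dev_desktop is a macro name chosen here.
ext_if = "em0"
dev_desktop = "41.90.23.240"

block all
block in quick from urpf-failed

# Original form, kept commented out. "$ext_if" in the host position is
# expanded to em0's address at load time; at boot, before em0 has an
# address, pfctl stops with "no IP address found for em0".
# pass in on $ext_if proto tcp \
#     from $dev_desktop to $ext_if port ssh modulate state

# Deferred form. "($ext_if)" makes pf follow em0's addresses at runtime,
# so the ruleset loads with no address present and the rule begins
# matching as soon as em0 is configured. No broader pass rules are needed
# to get the file to load.
pass in on $ext_if proto tcp \
    from $dev_desktop to ($ext_if) port ssh modulate state

# Syntax check without loading, as already used in the thread:
#   pfctl -nf /etc/pf.conf
```

Because the deferred rule only ever matches the address em0 actually holds, it keeps the exposed surface to the one SSH source and the one local address, which is what the poster's "bare minimum passes" goal asks for, without the two /24-wide pass rules added as a workaround.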