On 8/26/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> For some reason, I'm not "getting it" when it comes to pf... Two
> things I can't figure out: (1) filtered vs blocked for some TCP
> ports and (2) rules for tun0, my vpn interface.
>
> First, my /etc/pf.conf:
>
> int_if = "vr1"
> ext_if = "vr0"
> vpn_if = "tun0"
> tcp_services = "{ 22 }"
> udp_services = "{ 1194 }"
> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
> set block-policy return

set block-policy drop
This will cause the default behaviour of your block statements to
'drop' the packet silently (aside from internal logging) rather than
'return' which quite literally returns an ICMP unreachable, which NMAP
interprets as a 'filtered' port.
> Now, regarding (2), I'm trying to set up OpenVPN. I've got a mostly
> default setup (i.e. followed the openvpn HOWTO almost verbatim). I
> can establish the VPN tunnel, but cannot ping the obsd box.
>
> So, if I do a "tcpdump -n -e -ttt -i pflog0" while trying to ping
> the obsd box from the vpn client, I see this:
>
> Aug 26 21:08:49.371324 rule 4/(match) block in on tun0: \
> 192.168.2.6 > 192.168.2.1: icmp: echo request (DF)
>
> How can I tell which rule is "rule 4"?

Try using the 'label' keyword, re:
block log all label "$nr - default deny"
> (I added the numbers and line breaks.) So it looks to me like line
> 6 is responsible for blocking the ping... but where does that rule
> come from in my pf.conf file?

It comes from your antispoof quick rule:
antispoof quick log for { lo0 $int_if $vpn_if }
Good luck!
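As an added example that is not part of this thread, here is a pf.conf built from the poster's macros with the two points of the reply applied: `set block-policy drop`, and a `$nr` label on every rule so the number pflog prints can be matched to a rule by name. The tunnel network 192.168.2.0/24 (`vpn_net`) is assumed from the logged ping; leaving `$vpn_if` out of `antispoof` and passing it explicitly is an assumed follow-up to the reply's diagnosis, not something the reply spells out. The pfctl commands in the trailing comments are the standard ones for checking the loaded ruleset.

```pf
# Added example, not the poster's or the reply's configuration.
# Macros are the poster's; vpn_net is assumed from the pflog line
# "192.168.2.6 > 192.168.2.1".
int_if       = "vr1"
ext_if       = "vr0"
vpn_if       = "tun0"
vpn_net      = "192.168.2.0/24"          # assumed tunnel network
tcp_services = "{ 22 }"
udp_services = "{ 1194 }"
priv_nets    = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

# Blocked packets are dropped silently instead of being answered.
set block-policy drop

# "$nr" expands to the rule's number in the loaded ruleset, which is the
# number tcpdump prints from pflog0 ("rule 4/(match) block in on tun0").
block log all label "$nr - default deny"

# Private source addresses must not arrive on the outside interface.
block in quick on $ext_if from $priv_nets to any label "$nr - private src on ext"

# antispoof expands into more than one rule, so every rule after it is
# numbered higher than its line in this file suggests; it is also "quick",
# so no later pass rule can override it.  The tunnel interface is left out
# (assumed fix) and passed explicitly below.
antispoof quick log for { $int_if } label "$nr - antispoof $int_if"

pass quick on lo0 label "$nr - loopback"
pass quick on $vpn_if from $vpn_net to any keep state label "$nr - vpn"

# Services reachable from outside: the OpenVPN listener and ssh.
pass in on $ext_if proto udp from any to ($ext_if) port $udp_services \
    keep state label "$nr - openvpn"
pass in on $ext_if proto tcp from any to ($ext_if) port $tcp_services \
    flags S/SA keep state label "$nr - ssh"

pass out on $ext_if keep state label "$nr - outbound"
pass on $int_if keep state label "$nr - lan"

# Checks (run as root):
#   pfctl -nvf /etc/pf.conf   parse without loading; prints the expanded
#                             rules, including what antispoof turns into
#   pfctl -vvsr               loaded rules with their @N numbers, which are
#                             the numbers pflog reports
#   pfctl -sl                 per-label packet and byte counters
```

With the labels in place, `pfctl -vvsr` and `pfctl -sl` show the rule number next to a name you chose, so "rule 4" in the pflog output can be read off directly instead of counted by hand; counting by hand fails precisely because `antispoof` occupies several rule numbers.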