On Sat, Aug 26, 2006 at 11:29:54PM -0400, NetNeanderthal wrote:
> On 8/26/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> >For some reason, I'm not "getting it" when it comes to pf... Two
> >things I can't figure out: (1) filtered vs blocked for some TCP
> >ports and (2) rules for tun0, my vpn interface.
> >
> >First, my /etc/pf.conf:
> >
> > int_if = "vr1"
> > ext_if = "vr0"
> > vpn_if = "tun0"
> > tcp_services = "{ 22 }"
> > udp_services = "{ 1194 }"
> > priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8
> > }"
> > set block-policy return
>
> set block-policy drop
>
> This will cause the default behaviour of your block statements to
> 'drop' the packet silently (aside from internal logging) rather than
> 'return' which quite literally returns an ICMP unreachable, which NMAP
> interprets as a 'filtered' port.

Actually, you got it the wrong way round - nmap assumes a port is
filtered when it gets no response.

> >Now, regarding (2), I'm trying to set up OpenVPN. I've got a mostly
> >default setup (i.e. followed the openvpn HOWTO almost verbatim). I
> >can establish the VPN tunnel, but cannot ping the obsd box.
> >
> >So, if I do a "tcpdump -n -e -ttt -i pflog0" while trying to ping
> >the obsd box from the vpn client, I see this:
> >
> > Aug 26 21:08:49.371324 rule 4/(match) block in on tun0: \
> > 192.168.2.6 > 192.168.2.1: icmp: echo request (DF)
> >
> >How can I tell which rule is "rule 4"?
>
> Try using the 'label' keyword, re:
>
> block log all label "$nr - default deny"

Or pfctl -s.

Joachim
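As an added example (not part of the thread, and not from any poster), a small shell helper that answers the "which rule is rule 4" question offline: it pulls the rule number out of a pflog0 tcpdump line and looks it up in the `@N`-numbered listing that `pfctl -vvsr` prints. The pflog line and the pfctl listing below are constructed samples; the labels mimic what the `$nr` macro suggested above would expand to.

```shell
#!/bin/sh
# Map "rule N" from a pflog0 tcpdump line to the ruleset entry that
# `pfctl -vvsr` numbers "@N". Sample data is constructed for this example.

PFLOG_LINE='Aug 26 21:08:49.371324 rule 4/(match) block in on tun0: 192.168.2.6 > 192.168.2.1: icmp: echo request (DF)'

# Constructed stand-in for `pfctl -vvsr` output: each rule is prefixed
# with "@<number>", and its counters follow on an indented line.
PFCTL_RULES='@0 scrub in all fragment reassemble
  [ Evaluations: 10 Packets: 10 Bytes: 1000 States: 0 ]
@1 block return in all label "1 - default deny"
  [ Evaluations: 10 Packets: 3 Bytes: 300 States: 0 ]
@2 pass in on vr1 inet proto tcp from any to any port = ssh flags S/SA keep state
  [ Evaluations: 5 Packets: 2 Bytes: 200 States: 1 ]
@3 pass in on vr0 inet proto udp from any to any port = 1194 keep state
  [ Evaluations: 5 Packets: 1 Bytes: 100 States: 1 ]
@4 block drop in on tun0 all label "4 - tun0 catch-all"
  [ Evaluations: 2 Packets: 1 Bytes: 84 States: 0 ]'

# pflog_rule_number LINE: print N from "rule N/(match)" (also "rule N/0(match)").
pflog_rule_number() {
    printf '%s\n' "$1" | sed -n 's|.*rule \([0-9][0-9]*\)/.*|\1|p'
}

# rule_text RULES N: print the rule that pfctl numbered @N, without the prefix.
rule_text() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == ("@" n) { sub(/^@[0-9]+ /, ""); print; exit }'
}

# explain_pflog_line LINE RULES: combine the two steps; fail if no rule number.
explain_pflog_line() {
    n=$(pflog_rule_number "$1")
    [ -n "$n" ] || { echo "no rule number found in pflog line" >&2; return 1; }
    rule_text "$2" "$n"
}

explain_pflog_line "$PFLOG_LINE" "$PFCTL_RULES"
```

On a live system, replace `$PFCTL_RULES` with `pfctl -vvsr` output; on OpenBSD the same `@N` index is what pflog reports as the rule number.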