On Thu, Apr 8, 2010 at 00:54, James Shupe <professio...@jamesshupe.com> wrote:
> Use "log (all)" and tcpdump to figure out exactly what is being blocked.
>
> On 4/7/10 10:40 PM, Hugo Osvaldo Barrera wrote:
>> I'm using OpenBSD 4.6 at home as an access point, firewall and home
>> server (with pf).
>> I've recently had some issues trying to use pidgin's [XMPP] video
>> support on one of my client computers, yet, if I connect it directly
>> to the internet it works fine; hence the problem is the firewall
>> configuration (as one of the pidgin devs pointed out it might have
>> been).
>> I THINK UDP packets are being dropped, but I must really say, this
>> problem is a bit above my level of understanding.
>>
>> I need to know how to make sure UDP packets don't get dropped on the
>> way to my PC, but I'm not really sure how.
>>
>> I think a simple "pass in proto udp" is a bit extremist (though it would work).
>> Any better suggestions?
>>
>> My current pf.conf file is:
>>
>> -----
>> # $OpenBSD: pf.conf,v 1.44 2009/06/10 15:29:34 sobrado Exp $
>> #
>> # See pf.conf(5) for syntax and examples; this sample ruleset uses
>> # require-order to permit mixing of NAT/RDR and filter rules.
>> # Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
>> # in /etc/sysctl.conf if packets are to be forwarded between interfaces.
>>
>> # Skip lo
>> set skip on lo
>>
>> #############
>> # Variables #
>> #############
>> extif = "re0"
>> intif = "ral0"
>> chaos = "172.16.1.7"
>> mamaquina = "172.16.1.12"
>>
>> tcp_services="{ 22, 113, 80, 443 }"
>>
>> icmp_types = "echoreq"
>> allproto = "{ tcp, udp, ipv6, icmp, esp, ipencap }"
>> privnets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
>>
>> table <intnet> { 172.16.0.1/16 }
>>
>> # Options
>> set loginterface $extif
>> match in all scrub (no-df)
>>
>> #######
>> # NAT #
>> #######
>> nat on $extif from $intif:network -> ($extif)
>> # TODO Maybe move this down to service ports? Check first.
>> rdr pass log on $extif proto tcp from any to any port 1022 -> $chaos port 22
>>
>> block in
>> pass out keep state
>>
>> antispoof quick for { lo $intif }
>>
>> block drop in on $extif from $privnets to any
>> block drop in on $extif from any to $privnets
>>
>> #################
>> # SERVICE PORTS #
>> #################
>>
>> # Open ports for local services
>> pass in on $extif inet proto tcp from any to ($extif) port $tcp_services flags S/SA keep state
>>
>> ### OTHER PORTS AND OPENINGS
>> pass in on $extif from any to 172.16.1.7
>> pass in on $extif from any to 172.16.2.4
>>
>> pass in on $extif proto {tcp, udp} from any to any port 53
>>
>> # ICMP Traffic
>> pass in inet proto icmp all icmp-type $icmp_types keep state
>>
>> # LAN - everything is allowed in/out
>> pass in quick on $intif
>> pass out quick on $intif
>>
>>
>> ### Block remote connections to the X Server
>> block in on ! lo0 proto tcp to port 6000:6010
>> -----
>>
>> Thanks for your time guys!
>>
>> --
>> Hugo Osvaldo Barrera
As I had supposed; pf is blocking the UDP packets:

Apr 08 01:31:58.241781 rule 1/(match) block in on re0: <the-other-IP>.59789 > <my-ip>.50688: udp 56
Apr 08 01:31:58.363252 rule 1/(match) block in on re0: <the-other-IP>.59792 > <my-ip>.52166: udp 56
Apr 08 01:31:58.363991 rule 1/(match) block in on re0: <the-other-IP>.59793 > <my-ip>.50688: udp 56

There are several dozen more lines like this one. However, each one uses a different port, so how can I solve the problem? I don't even see a way of predicting which ports I'd need to open (they ARE random).
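An added example, not part of the thread: a small Python script that parses pflog lines in the tcpdump format pasted above and summarises, per blocking rule and flow, which destination ports were hit. The "random ports" pattern then becomes something you can measure (the fraction of blocked packets that land on a distinct port) instead of eyeballing dozens of lines. The log lines inside it are constructed samples with documentation-range addresses standing in for <the-other-IP> and <my-ip>; the function names are this example's own.

```python
"""Summarise pf "block" log lines of the shape shown in the thread.

Reads tcpdump-on-pflog0 style lines, groups blocked packets by
(rule, proto, src, dst) and reports how scattered the destination ports are.
"""
import re
from collections import Counter, defaultdict

# Constructed sample input in the same format as the thread's output;
# 203.0.113.5 / 192.0.2.9 stand in for the remote peer, 198.51.100.20 for my-ip.
SAMPLE_LOG = """\
Apr 08 01:31:58.241781 rule 1/(match) block in on re0: 203.0.113.5.59789 > 198.51.100.20.50688: udp 56
Apr 08 01:31:58.363252 rule 1/(match) block in on re0: 203.0.113.5.59792 > 198.51.100.20.52166: udp 56
Apr 08 01:31:58.363991 rule 1/(match) block in on re0: 203.0.113.5.59793 > 198.51.100.20.50688: udp 56
Apr 08 01:31:59.100000 rule 1/(match) block in on re0: 203.0.113.5.59794 > 198.51.100.20.61123: udp 56
Apr 08 01:32:02.000000 rule 3/(match) block in on re0: 192.0.2.9.4444 > 198.51.100.20.22: tcp 60
"""

# One pflog line: timestamp, "rule N/(reason)", action, direction, interface,
# then "src.sport > dst.dport: proto length" (IPv4 only in this example).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"rule (?P<rule>\d+)/\((?P<reason>[^)]+)\) (?P<action>\w+) (?P<direction>in|out) "
    r"on (?P<ifname>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<proto>\w+) (?P<length>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one pflog line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport", "length"):
        rec[key] = int(rec[key])
    return rec


def parse_log(text):
    """Parse every line of a pflog dump, silently skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_blocks(records):
    """Group blocked packets by (rule, proto, src, dst).

    Each group records how many packets hit it and the distinct source and
    destination ports seen, so a flow with many distinct dports is visible."""
    groups = defaultdict(lambda: {"count": 0, "dports": set(), "sports": set()})
    for r in records:
        if r["action"] != "block":
            continue
        g = groups[(r["rule"], r["proto"], r["src"], r["dst"])]
        g["count"] += 1
        g["dports"].add(r["dport"])
        g["sports"].add(r["sport"])
    return dict(groups)


def port_spread(records, proto="udp"):
    """Fraction of blocked packets (of one protocol) whose dport is distinct.

    Near 1.0: every packet hit a different port, so there is no fixed port
    to open.  Near 0.0: one or a few ports, where a narrow pass rule would do."""
    dports = [r["dport"] for r in records
              if r["action"] == "block" and r["proto"] == proto]
    if not dports:
        return 0.0
    return len(set(dports)) / len(dports)


def top_dports(records, proto="udp", n=5):
    """Most frequently blocked destination ports for one protocol."""
    return Counter(r["dport"] for r in records
                   if r["action"] == "block" and r["proto"] == proto).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, g in summarize_blocks(recs).items():
        rule, proto, src, dst = key
        print(f"rule {rule} {proto} {src} -> {dst}: {g['count']} packets, "
              f"{len(g['dports'])} distinct dports {sorted(g['dports'])}")
    print(f"udp dport spread: {port_spread(recs):.2f}")
    print(f"top udp dports: {top_dports(recs)}")
```

Feed it the output of tcpdump on pflog0 (the thread's own diagnostic) and look at the spread value: a high spread across a single source confirms that per-port pass rules are the wrong tool, and the group summary shows which rule number did the blocking so you can match it against `pfctl -sr`.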