phusion2k
November 7th, 2004, 15:28
Hi, I have been using OpenBSD pf for my firewall for a while. I've been having a problem since I installed OpenBSD 3.6 this weekend. My ruleset (pf.conf) worked perfectly in OpenBSD 3.5, and now doesn't seem to work right under 3.6. I can ping and get replies, but when I try to connect to an external website, it tries and then fails. Then I run sudo pfctl -s info on the firewall itself, and see that there are packets that were blocked. I'm not sure what is wrong here. It must be one of my block rules, but I'm not sure which one. It's weird, but this ruleset worked perfectly in 3.5. My kernel includes only INET, so I'm not dealing with IPv6 here. Here is my ruleset.

########################################
# PF Firewall Ruleset
# sis0 - internal to private network
# fxp0 - external to cable modem
########################################

######################
# Macros
######################
ext_if = "fxp0"
unfiltered = "{ lo0, sis0 }"
network = "10.10.0.0/16"
nat_protocols = "{ icmp, tcp, udp }"
icmp_options = "keep state"
tcp_options = "flags S/SA synproxy state"
udp_options = "keep state"
icmp_types = "{ 8, 10, 13, 15, 17 }"
tcp_services = "{ 22 }"

######################
# Tables
######################
table <unroutable> { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, \
169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, \
255.255.255.255 }

######################
# Options
######################
set loginterface $ext_if
set limit { frags 500, states 10000 }
set optimization aggressive
set block-policy drop

######################
# Packet Normalization
######################
scrub in on $ext_if all
scrub out on $ext_if all random-id

######################
# Packet Queueing
######################

######################
# Packet Redirection
######################

# Rules for internal interfaces
######################
no nat on $unfiltered inet proto $nat_protocols from any to any
no rdr on $unfiltered inet proto $nat_protocols from any to any

# Rules for external interface
# nat private network to single routable address
nat on $ext_if inet proto $nat_protocols from $network to any -> ($ext_if)

# ftp-proxy redirection
rdr on $ext_if inet proto tcp from any to any port 21 -> 127.0.0.1 port 8021

######################
# Packet Filtering
######################

# Rules for internal interfaces
######################
# pass on unfiltered interfaces
pass quick on $unfiltered

# silently drop TCP non-SYN packets, the remaining ruleset only deals with
# TCP SYNs, which always create state when passed. the ruleset basically
# deals with 'connections', not packets, beyond this point.
block return-rst quick inet proto tcp all flags /S
block return-rst quick inet proto tcp all flags A/A

# block everything by default
block
block return-rst inet proto tcp
block return-icmp inet proto udp

# Rules for external interface
######################
# silently drop broadcasts
block in quick on $ext_if inet from any to { 255.255.255.255 }

# block incoming packets from reserved address space and invalid
# addresses, they are either spoofed or misconfigured, we can't reply to
# them anyway (hence, no return-rst).
block in quick on $ext_if inet from <unroutable> to any

# block outgoing packets that don't have my address as source, they are
# either spoofed or something is misconfigured (NAT disabled, for instance),
# we want to be nice and not send out garbage.
block out quick on $ext_if inet from !$ext_if to any

# ICMP
# internal hosts can send icmp queries and accept echo replies to external hosts
pass out on $ext_if inet proto icmp from $ext_if to any \
icmp-type $icmp_types $icmp_options

# UDP
pass out on $ext_if inet proto udp from any to any \
$udp_options

# TCP
# log external connections to ssh
pass in log on $ext_if inet proto tcp from any to $ext_if \
port $tcp_services $tcp_options
pass out on $ext_if inet proto tcp from $ext_if to any \
$tcp_options

Let me know what you think it is. Thanks.
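As an added example (not part of the original post, and not code from the pf project), here is the way a practitioner would pin down which block rule is eating the packets instead of guessing: pf keeps a hit counter per rule, visible with `pfctl -vvsr` next to each rule's `@N` number, and any rule carrying `log` writes the packets it matches to pflog0, where tcpdump's decode prints the same rule number. The two shell helpers below parse that output so the rule numbers can be cross-referenced; the SAMPLE_* strings are constructed for this example, and the rule numbers, addresses and counts in them are made up, as is the assumption that the output layout matches the pfctl and tcpdump versions shipped with OpenBSD 3.x.

```shell
#!/bin/sh
# Added example, not code from the original post: find which pf block rule
# is dropping packets on an OpenBSD firewall.
#
# Two sources of evidence, both built into pf:
#   pfctl -vvsr                   rule list with "@N" numbers and hit counters
#   tcpdump -n -e -ttt -i pflog0  packets matched by rules that carry "log"
# Counters exist for every rule; pflog0 only sees rules marked "log", so
# changing "block" to "block log" (or "block log all") is what makes the
# second source useful while debugging.

# blocked_rules: read "pfctl -vvsr" output on stdin; for every block rule
# whose Packets counter is non-zero print "<rule-number> <packets> <rule text>".
blocked_rules() {
    awk '
        # a rule line, e.g. "@9 block return-rst inet proto tcp all"
        /^@[0-9]+ / {
            num = substr($1, 2)
            rule = $0
            sub(/^@[0-9]+ /, "", rule)
            next
        }
        # its counter line, e.g. "  [ Evaluations: 2500  Packets: 42  ... ]"
        /^[ \t]*\[ Evaluations:/ {
            pkts = 0
            for (i = 1; i <= NF; i++)
                if ($i == "Packets:") pkts = $(i + 1)
            if (rule ~ /^block/ && pkts > 0)
                print num, pkts, rule
            num = ""; rule = ""
        }
    '
}

# pflog_rule_counts: read decoded pflog0 lines on stdin and print
# "<rule-number> <count>" per logging rule, lowest rule number first.
# The number is the same "@N" that pfctl -vvsr prints.
pflog_rule_counts() {
    awk '
        match($0, /rule [0-9]+/) {
            r = substr($0, RSTART + 5, RLENGTH - 5)
            n[r]++
        }
        END { for (r in n) print r, n[r] }
    ' | sort -n
}

# Constructed sample of "pfctl -vvsr" output (rule numbers and counts made up).
SAMPLE_PFCTL='@5 block return-rst quick inet proto tcp all flags /S
  [ Evaluations: 3000      Packets: 0         Bytes: 0           States: 0     ]
@8 block drop all
  [ Evaluations: 2500      Packets: 0         Bytes: 0           States: 0     ]
@9 block return-rst inet proto tcp all
  [ Evaluations: 2500      Packets: 42        Bytes: 2520        States: 0     ]
@13 pass out on fxp0 inet proto tcp from 24.0.0.1 to any flags S/SA synproxy state
  [ Evaluations: 2400      Packets: 1900      Bytes: 980000      States: 12    ]'

# Constructed sample in the style of "tcpdump -n -e -ttt -i pflog0" output
# (timestamps, rule numbers and addresses made up).
SAMPLE_PFLOG='Nov 07 15:11:02.114121 rule 9/(match) block out on fxp0: 24.0.0.1.49152 > 64.233.161.99.80: S 1:1(0) win 16384
Nov 07 15:11:05.223311 rule 9/(match) block out on fxp0: 24.0.0.1.49153 > 64.233.161.99.80: S 2:2(0) win 16384
Nov 07 15:11:09.001200 rule 8/(match) block in on fxp0: 10.0.0.5.1234 > 24.0.0.1.22: S 3:3(0) win 5840'

# Live use on the firewall (as root) would be:
#   pfctl -vvsr | blocked_rules
#   tcpdump -n -e -ttt -i pflog0 -c 50 | pflog_rule_counts
# Below, the same helpers run over the constructed samples.
echo "block rules with a non-zero packet counter:"
printf '%s\n' "$SAMPLE_PFCTL" | blocked_rules
echo "logged packets per rule number:"
printf '%s\n' "$SAMPLE_PFLOG" | pflog_rule_counts
```

Reading the two outputs together: a rule number that shows up in the pflog count and has a climbing Packets counter in `pfctl -vvsr` is the one doing the blocking, and the rule text printed beside it tells you which line of pf.conf to look at. Run `pfctl -vvsr` twice around a failing connection attempt and compare counters if you would rather not add `log` to the block rules.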

bsdjunkie
November 7th, 2004, 17:39
tcp_services = "{ 22 }"

pass out on $ext_if inet proto tcp from $ext_if to any \
$tcp_options

You're only allowing outgoing tcp traffic on the $ext_if over port 22.